Class Virus
Platform MSWord

Technical Details

This virus contains two macros in one Module, “ThisDocument,” and the macros have

different names in documents and NORMAL.DOT:

Documents NORMAL.DOT

AutoOpen AutoClose – infection and trigger routines

ViewVBCode ToolsMacro – stealth, disables viewing macro code

The virus infects the global macros area upon the opening of an infected document.

While infecting, the virus exports virus code to the C:CLASS.SYS and inserts it

into NORMAL.DOT. Documents are infected in the same way.

The virus mutation (polymorphic) routine inserts comments into virus code, containing a user name, current date and time, and information about the active


The virus uses an effective way to hide its code. By using special WordBasic

operators, the virus installs its module, not into the standard area of macro

programs, but into the area of Word classes – the area of standard routines that

handle Word events, i.e., Word kernel. The virus appends its code to

documents and templates, not as a user application (macro program), but as a

“native” Word component. As a result, the virus is not visible in

Tools/Macro and File/Templates (for what reason does the virus then hook


The virus disables the AutoProtection. On the 31st, the virus displays the


This Is Class


? VicodinES /CB /TNN ?



Each month from June until December on day 14, the virus displays the message:


I think is a big stupid jerk!

The virus also changes values in the registry keys:

HKLMSoftwareMicrosoftWindowsCurrentVersionRegisteredOwner = “VicodinES /CB /TNN”

RegisteredOrganization = “-(Dr. Diet Mountain Dew)-”

Upon infection, this virus modifies the system registry by writing “Clazz” as

the registered owner of this Windows copy. Upon trying to view, the virus codes it

with a probability of 25% and sets the “Clazz” password for active document, or, with

the same probability, deletes all files in the current folder.

Find out the statistics of the threats spreading in your region