Virus.MSWord.Layla

Class Virus
Platform MSWord
Description

Technical Details



This is a dangerous stealth macro virus. It contains ten macros in a single
module, “TJ”: AutoOpen, LAYLA, AutoExec, AutoExit, AutoClose, FileClose,
ToolsMacro, ToolsCustomize, FileTemplates, ViewVBCode.


It infects the global macros area when an infected document is opened
(AutoOpen) and infects other documents when they are opened or closed
(AutoOpen, AutoClose).


The virus turns off Word's virus protection (the VirusProtection option)
and deletes the “NewMacros” module, which contains user-defined macros. It
also disables the Tools/Macro and Tools/Customize menus (stealth). When the
Visual Basic editor is opened, the virus closes Word without saving changes
to documents.


On the 27th or 29th of any month, the virus runs its payload procedure when
documents are closed. When Word is opened on these days, the virus displays
the following text in the status bar:



Excellent day… for me… 🙂


The payload procedure is also run when a document is opened at the 27th or
29th second of a minute. This procedure replaces all digits with the text
“Tj” or “Layla”, depending on the day of the month. It also replaces every
9th character in the document with the Aries sign.


On exiting Word, the virus searches the subdirectories of “c:”, “c:program
files”, “d:” and “e:” for files matching the wildcard “*d*r*w*.*” (looking
for the DrWeb anti-virus) and deletes all files in the directories where
matching files were found. Then it searches for “*a*v*p*.*” and deletes
“*.avc” and “*.key” files (AVP anti-virus databases and key file). Because
these wildcards are quite loose, the virus can delete many other files as
well.


The virus also changes the following information:



UserName = “”
UserInitials = “TJ_LAYLA”
UserAddress = “”
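
The macro names, the module name and the UserInitials value listed above can be turned into a triage check. The following Python sketch is an added example, not part of the original description: the input shape (module name mapped to a list of macro names), the function name triage and the sample listings are assumptions made for illustration.

```python
# Added example: triage of macro names listed from a Word document or template.
# The input shape {module name: [macro names]} is an assumption of this sketch.

LAYLA_MODULE = "tj"
LAYLA_MACROS = {"autoopen", "layla", "autoexec", "autoexit", "autoclose", "fileclose",
                "toolsmacro", "toolscustomize", "filetemplates", "viewvbcode"}
# Macros Word runs automatically on open, close, start and exit.
AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autoexit"}
# Macros named after built-in commands; Word runs them in place of the command.
COMMAND_HOOKS = {"toolsmacro", "toolscustomize", "filetemplates", "viewvbcode"}
LAYLA_INITIALS = "TJ_LAYLA"


def triage(modules, user_initials=""):
    """Return {'verdict', 'reasons', 'host_marker'} for one listing."""
    verdict, reasons = "clean", []
    for module, macros in modules.items():
        names = {m.lower() for m in macros}  # VBA names are case-insensitive
        auto, hooks = names & AUTO_MACROS, names & COMMAND_HOOKS
        if module.lower() == LAYLA_MODULE and LAYLA_MACROS <= names:
            verdict = "layla"
            reasons.append(f"module {module} holds all ten listed macros")
        elif auto and hooks:
            if verdict == "clean":
                verdict = "suspicious"
            reasons.append(f"module {module}: auto macros {sorted(auto)} "
                           f"with command hooks {sorted(hooks)}")
    # The description says the virus sets UserInitials to this value.
    host_marker = user_initials == LAYLA_INITIALS
    if host_marker:
        reasons.append("Word UserInitials equals TJ_LAYLA")
    return {"verdict": verdict, "reasons": reasons, "host_marker": host_marker}


# Constructed sample listings (not taken from real files).
SAMPLE_INFECTED = {"TJ": ["AutoOpen", "LAYLA", "AutoExec", "AutoExit", "AutoClose",
                          "FileClose", "ToolsMacro", "ToolsCustomize",
                          "FileTemplates", "ViewVBCode"]}
SAMPLE_BENIGN = {"NewMacros": ["AutoOpen", "FormatReport"]}
SAMPLE_OTHER = {"Module1": ["autoclose", "ToolsMacro"]}

if __name__ == "__main__":
    for name, sample in [("infected", SAMPLE_INFECTED), ("benign", SAMPLE_BENIGN),
                         ("other", SAMPLE_OTHER)]:
        print(name, triage(sample))
```

The "suspicious" verdict goes beyond this one virus: any module that pairs an auto macro with a macro replacing the Tools/Macro, Tools/Customize, File/Templates or Visual Basic editor commands shows the same stealth pattern.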