Virus.MSWord.Prism

Class Virus
Platform MSWord
Description

Technical Details


This is an encrypted Word macro-virus. It contains nine macros: PRiZM,
AutoExec, AutoOpen, FileOpen, FileSave, FilePrint, FileSaveAs, ToolsMacro, and FileTemplates.


It is based on the “Word.Cap” virus, has a similar structure and
instructions set. It replicates upon document opening, closing, and saving.



While printing, the virus appends a string to the end of the document that is
printed:




Battle of life. Capital!!!


The virus has an unusual method of infection. While infecting, the virus
performs several steps, uses the system registry, and drops an additional EXE
file. The infection routine is placed in the virus’ code as a set of text
strings that are DDE (Dynamic Data Exchange) instructions. If needed,
the virus executes them, and these instructions copy the virus’ code to target
the documents and templates.



To execute its DDE instructions, the virus saves them to the system registry
in the “HKEY_CLASSES_ROOT###fileshellopenddeexec”. The virus then
registers a new extension “###”, and sets DDEEXEC as a handler of files with
such an extension.



The virus then creates a randomly named EXE file in the Windows temporary
directory, and writes a short program into it. This program only creates and
opens the “PRiZM.###” file. This file-name extension is linked with
DDEEXEC, and as a result, Windows activates the virus, DDE instructions, executes
them and they copy the virus code to a victim file.