W97M.Killboot

W97M.Killboot is a macro virus that infects the currently active document and the Microsoft Word Normal.dot template when an infected document is closed. So, once the Normal.dot is infected, clean documents will be infected when they are closed.

W97M.Killboot creates the file C:\Setver.exe, which the Symantec antivirus products detect as Trojan.Killboot. If Trojan.Killboot is run, it writes the viral code into the Master Boot Record (MBR); this code can overwrite the MBR on all the physical hard drives with zeroes. Symantec antivirus products detect the viral code in the MBR as Killboot.145 (b).

Protection

• Initial Rapid Release version December 31, 2002
• Latest Rapid Release version December 31, 2002
• Initial Daily Certified version December 31, 2002
• Latest Daily Certified version December 31, 2002
• Initial Weekly Certified release date December 31, 2002

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: High

Distribution

• Distribution Level: Low