W97M.Class.A.Gen

Risk Level 1: Very Low

Discovered: August 8, 1998
Updated: February 13, 2007 11:35:25 AM
Also Known As: Class.Poppy, W97M.Class
Type: Macro


One of the first W97M virus families to work well under Microsoft Word 97 SR1, this polymorphic W97M macro virus does not add a new VBA5 module. Instead, it adds its viral code to the "ThisDocument" VBA5 module, which is present by default in every Word 97 document and template. It also uses various stealth techniques, such as a do-nothing ToolsMacro.

Most variants have a payload that displays messages on certain dates of the year. The "D" variant modifies the Windows registry, replacing the registered owner with the name of the virus writer.

Protection

  • Initial Rapid Release version August 8, 1998
  • Latest Rapid Release version July 20, 2009 revision 052
  • Initial Daily Certified version August 8, 1998
  • Latest Daily Certified version July 20, 2009 revision 065
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low