W97M.Verlor

Risk Level 1: Very Low

Discovered:
December 6, 1999
Updated:
February 13, 2007 11:45:59 AM
Also Known As:
W97M.Overlord
Type:
Macro

W97M.Overlord is a macro virus that infects Microsoft Word 97 (including SR-1) and Word 2000 documents. The virus places its code in a macro module named Module. It has stealth capabilities: when the user opens the Visual Basic Editor or selects Tools | Macro, the virus removes all infectious code from open documents and from NORMAL.DOT, then re-infects them at a later time.

The virus may also insert these files into your Windows directory: OVERLORD.B.VBS, OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL.

OVERLORD.B.DLL, TEMPAD.DLL, and TEMPNT.DLL cannot cause any viral infection. These files should be deleted.

The virus may also add the registry key:


    HKLM\software\RegisteredOwner = "the Overlord"

and may modify the WIN.INI, adding the line:

    run = <Windows directory>\overlord.b.vbs

This virus has no other payload.
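The file and WIN.INI indicators listed above can be checked with a short script. The following is an added example, not part of the original write-up or any vendor tool; it looks in a Windows directory (live, or from a mounted disk image) for the four file names and for a `run=` line that names overlord.b.vbs. The function names are hypothetical, and the registry value is not covered.

```python
import os
import re

# Names from the write-up above; compared case-insensitively.
DROPPED_FILES = {"overlord.b.vbs", "overlord.b.dll", "tempad.dll", "tempnt.dll"}
AUTORUN_TARGET = "overlord.b.vbs"


def find_dropped_files(windows_dir):
    """Return the sorted file names in windows_dir that match DROPPED_FILES."""
    return sorted(name for name in os.listdir(windows_dir)
                  if name.lower() in DROPPED_FILES
                  and os.path.isfile(os.path.join(windows_dir, name)))


def find_winini_autorun(win_ini_text):
    """Return (line_number, section, line) for each run= line naming the script."""
    hits, section = [], None
    for number, raw in enumerate(win_ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or INI comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "run":
            continue
        # A run= value can list several programs separated by spaces or commas.
        for program in re.split(r"[\s,]+", value.strip()):
            base = program.strip('"').replace("/", "\\").lower().rsplit("\\", 1)[-1]
            if base == AUTORUN_TARGET:
                hits.append((number, section, line))
                break
    return hits


def scan(windows_dir):
    """Check one Windows directory, live or from a mounted disk image."""
    report = {"files": find_dropped_files(windows_dir), "win_ini": []}
    for name in os.listdir(windows_dir):
        if name.lower() == "win.ini":
            path = os.path.join(windows_dir, name)
            with open(path, encoding="latin-1") as handle:
                report["win_ini"] = find_winini_autorun(handle.read())
    return report
```

Call `scan()` with the path to the Windows directory; an empty `files` list and an empty `win_ini` list mean none of these indicators were found there.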




5/15/2003 7:30:47 AM -- John Bollinger -- <Outsourcer> -- New Suggestion
Customer had Protector Plus virus software that supposedly found and removed virus. Initially we searched for "overlord" and there was nothing. We checked the registry and win.ini and there was nothing. Thinking through the process the virus takes, I opened Word, then tools and started Visual Basic Editor and closed, then closed Word. I then searched for "overlord" and found both OVERLORD.B.VBS and OVERLORD.B.DLL and deleted both. The entry RegisteredOwner = "the Overlord" was not a "KEY" under HKLM\software\, but was an entry on the right-hand side below Default Value - we deleted. Then, we checked win.ini and the run= c:\Windows\overlord.b.vbs was there - deleted that line too. We then looked in c:\himem.sys (not to be confused with himem.sys in c:\windows) - all it contained was references to .doc files - we deleted file and rebooted. We repeated the steps again (i.e., open Word and VB and closed - searched for overlord and it was not found, nothing in reg and nothing in win.ini).

So apparently the virus was repaired in the Word files infected, but the macro still existed. So regardless, it might be a good idea to go through the steps of opening VB and then searching for "overlord" to see if macro still is active.

Since the macro stealths itself and removes itself when you open VB, and doesn't re-create itself until you re-start Windows, you can remove the macro/virus this way. Follow up by running a virus scan with current defs.


Antivirus Protection Dates

  • Initial Rapid Release version December 6, 1999
  • Latest Rapid Release version August 20, 2008 revision 017
  • Initial Daily Certified version December 6, 1999
  • Latest Daily Certified version August 20, 2008 revision 016
  • Initial Weekly Certified release date pending

Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: 0 - 49
  • Number of Sites: 0 - 2
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Easy

Damage

  • Damage Level: Low

Distribution

  • Distribution Level: Low
Writeup By: Eric Chien
