Discovered: February 26, 2001
Updated: February 13, 2007 11:35:24 AM
This virus is similar to many other Microsoft Word macro viruses. It changes the following Microsoft Word settings:
- It disables the Visual Basic Convert File dialog box before it opens or inserts a file that is not a Word document or template.
- It sets Microsoft Word to automatically save changes to Normal.dot before Word closes.
- It disables the Visual Basic Editor to prevent you from viewing or editing the macro code.
- It sets the way that Word handles Ctrl+Break user interruptions to prevent Ctrl+Break from interrupting a macro.
- It enables AutoMacros, so that the macro virus runs automatically when you start Word or open a document.
If the day is February 25th of any year, the virus performs the following actions:
- It changes the following document settings:
- Title
- Subject
- Author Name
- Keywords
- Comments.
- It displays a message with the caption [HamPehS] and the picture "Evil Inside."
- It drops the C:\Zalim.det file, the contents of which start with the following string:
===>>>!!HAMPEHS!!<<<>>>!!HAMPEHS!!<<<>>>!!HAMPEHS!!<<<====
- It also adds several commands to the C:\Autoexec.bat file. The commands are designed to delete the \Program Files and \Windows folders, and to display the contents of the C:\Zalim.det file. Due to a bug in the code, this does not work in Windows NT, but it does work in Windows 95, 98, Me, and 2000.
Writeup By: Serghei Sevcenco
Technorati
Digg
Delicious
Reddit
StumbleUpon
Yahoo Buzz
Twitter
Facebook
Newsvine
