1. Symantec/
  2. Security Response/
  3. W97M.Chameleon.I

W97M.Chameleon.I

Discovered:
February 6, 2004
Updated:
February 13, 2007 12:17:06 PM
Also Known As:
Macro.Word97.Chameleon.c [Kasp, W97M/Chameleon.I [F-Prot], W97M_CHAMELEON.C [Trend], W97M/Chameleon.C.dr [GeCAD]
Systems Affected:
Mac, Windows

When a document infected with W97M.Chameleon.I is opened, the virus performs the following actions:
  1. Checks the value:

    "Level"

    in the registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security

    to see if it is set with non-empty, string data. If so, the virus disables the Word's menu items:
    • Tool > Macro
    • Tool > Templates and Add-ins...
    • Format > Style Gallery...


      otherwise it disables the menu item:
    • Macro > Security...

  2. Disables user interrupts to Visual Basic for Application procedures, which can be done by pressing ESC, or the CTRL + BREAK keys.

  3. Disables the built-in warning message in Microsoft Word, which is displayed when opening a document that might contain macro viruses.

  4. Disables the option to display a prompt message when you open documents that are not in Microsoft Word format.

  5. Disables the option to display a prompt message when saving changes to the Normal.dot template.

  6. Disables the option to display a prompt message for document property information when saving a document.

  7. Infects the Normal.dot template.

  8. Drops the file, Quiet.vbs, in the C:\Windows\Start Menu\Programs\Startup folder, if present.


    Note: The Quiet.vbs file contains the virus known as VBS.Chameleon.C.

  9. Creates the Quiet.dll file in the folder C:\Windows\System, if present.


    Note: This file is empty and does not contain virus code.


Writeup By: Keiichi Ito
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube