Lumension® Endpoint Intelligence Center


Overview

Threat Risk LOW
Destructivity LOW
Payload
Detection files published
Description created 17 Apr 2000 03:00:00
Description updated 17 Apr 2000 03:00:00
Malware type VIRUS
Alias
Spreading mechanism FILE_INFECTION
Summary None

W97M/ColdApe

Spreading

A good indication of this virus is the presence of the files C:\Happy.vbs and C:\A4.vbs. W97M/ColdApe is the first virus to combine VBS virus and Visual Basic for Applications (VBA) virus techniques, and also one of the first viruses to use the "AddFromString" method to infect documents.

W97M/ColdApe first disables Word's VirusProtection option. It then checks for the presence of the comment "'AVM" in the NormalTemplate. If the comment is absent, it infects the global template (usually Normal.dot) in the "ThisDocument" stream; from then on, every document that is opened is infected with this virus.

The first time the viral code is interpreted under any Windows version running Windows Scripting Host (WSH), it drops the VBS/Happy virus to C:\Happy.vbs. VBS/Happy can infect all .vbs files in the following directories:

C:\
C:\Windows
C:\Windows\Desktop
C:\MyDocuments
C:\Startup

Payload Details

W97M/ColdApe also drops another VBS program, C:\A4.vbs. If this program, which is not a virus, is executed, it will use MS Outlook (not MS Outlook Express) and send an email message from the infected user to a former editor of Virus Bulletin magazine.
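The following is an added defensive check written for this entry; it is not code from Lumension or from the virus. It turns the indicators named in the Spreading and Payload Details sections into a small triage script: it looks for the two dropped files under a given drive root, lists .vbs files in the directories VBS/Happy is described as infecting, and scans already-extracted VBA source text for the "'AVM" marker. The root path is a parameter so the same functions can run against a mounted image or a test directory. The VBA source is assumed to have been extracted beforehand (for example with a tool such as olevba); the block does not parse OLE files. The "VirusProtection = False" and ".AddFromString" strings are assumed wording for the behaviour the description names, not text quoted from the virus, and the sample VBA and sample files are constructed here.

```python
from pathlib import Path
import tempfile

# Dropped files named in the description, checked relative to a drive root.
DROPPED_FILES = ("Happy.vbs", "A4.vbs")

# Directories VBS/Happy is described as infecting, relative to the drive root
# ("" is the root itself).
HAPPY_TARGET_DIRS = ("", "Windows", "Windows/Desktop", "MyDocuments", "Startup")

# Markers to look for in extracted VBA source. "'AVM" is the infection marker
# named in the description; the other two are assumed strings for the described
# behaviour (disabling VirusProtection, use of AddFromString), not quoted code.
VBA_MARKERS = {
    "avm_marker": "'AVM",
    "virusprotection_off": "VirusProtection = False",
    "addfromstring": ".AddFromString",
}

# Constructed sample of extracted VBA source containing all three markers.
SAMPLE_VBA = """'AVM
Sub AutoOpen()
    Options.VirusProtection = False
    ' constructed placeholder for the described template-infection call
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromString s
End Sub
"""


def find_dropped_files(root):
    """Return the dropped-file names that exist directly under root, sorted."""
    root = Path(root)
    return sorted(name for name in DROPPED_FILES if (root / name).is_file())


def list_vbs_in_target_dirs(root):
    """List .vbs files (relative, POSIX-style) in the directories VBS/Happy targets."""
    root = Path(root)
    found = []
    for sub in HAPPY_TARGET_DIRS:
        directory = root / sub
        if directory.is_dir():
            found.extend(p.relative_to(root).as_posix() for p in sorted(directory.glob("*.vbs")))
    return found


def scan_vba_source(source):
    """Return the names of the markers present in extracted VBA source (case-insensitive)."""
    lowered = source.lower()
    return [name for name, marker in VBA_MARKERS.items() if marker.lower() in lowered]


def assess(root, vba_source=""):
    """Combine the file-system and VBA checks into one triage report."""
    dropped = find_dropped_files(root)
    markers = scan_vba_source(vba_source)
    return {
        "dropped_files": dropped,
        "vbs_in_target_dirs": list_vbs_in_target_dirs(root),
        "vba_markers": markers,
        # Both dropped files together, or the template marker, is treated as a strong signal.
        "coldape_likely": len(dropped) == len(DROPPED_FILES) or "avm_marker" in markers,
    }


def demo():
    """Build a constructed sample root in a temp directory and assess it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Happy.vbs").write_text("' constructed placeholder, not the real file\n")
        (root / "A4.vbs").write_text("' constructed placeholder, not the real file\n")
        (root / "Windows" / "Desktop").mkdir(parents=True)
        (root / "Windows" / "Desktop" / "notes.vbs").write_text("' constructed user script\n")
        return assess(root, SAMPLE_VBA)


if __name__ == "__main__":
    # On a real system, pass the drive root (e.g. "C:\\") and extracted VBA text instead.
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The file checks are plain presence tests and say nothing about file contents, so a hit on C:\Happy.vbs or C:\A4.vbs alone should be confirmed by inspecting the file; the VBA marker scan is the more specific signal, and it only works on source that has already been pulled out of the template.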

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12