Lumension® Endpoint Intelligence Center


Overview

Threat Risk: LOW
Destructivity: LOW
Payload:
Detection files published: 21 Dec 1999 03:00:00
Description created: 21 Dec 1999 03:00:00
Description updated: 21 Dec 1999 03:00:00
Malware type: VIRUS
Alias:
Spreading mechanism: FILE_INFECTION
Summary: None

W97M/Seqnum.A

Spreading

W97M/Seqnum.A is a small virus. Its first actions are to disable the Virus protection and the menu item Tools | Macro in Microsoft Word. It then opens a file in the Application Directory, the directory where the Office executables reside, and writes a modified version of the viral code into a file with the format .BAS. Next, the virus checks whether the global template Normal.Dot is already infected. If not, it writes a small loader module to this template. Every time a document is closed, the virus writes the stored .BAS to the document, thus infecting it.

The polymorphism used in W97M/Seqnum.A is trivial, but sufficient to cause problems for some anti-virus vendors. Within infected files, there is a line seqnum = xxxx, where 'xxxx' is an integer number. This number varies from infection to infection, making the code polymorphic. In global templates, usually only Normal.Dot, this number is used in conjunction with the Office directory, making the code polymorphic even from one machine to another, depending on where the Office application is stored.
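The following is an added example, not part of the original description and not vendor detection logic: it shows why an exact hash fails against the varying seqnum line in infected documents and how masking that integer before hashing gives a stable fingerprint. It assumes the macro source has already been extracted as text; the function names and sample modules are constructed for illustration, and the global-template case, where the number is combined with the Office directory, is not covered because the description does not detail it.

```python
import hashlib
import re

# The per-infection counter line described above, e.g. "seqnum = 1234".
# Only a bare integer assignment is treated as the polymorphic line.
SEQNUM_LINE = re.compile(r"^[ \t]*seqnum[ \t]*=[ \t]*(\d+)[ \t]*$", re.IGNORECASE)


def _lines(source):
    """Split macro source into lines, accepting CRLF, CR or LF endings."""
    return source.replace("\r\n", "\n").replace("\r", "\n").split("\n")


def seqnum_values(source):
    """Return every integer assigned on a seqnum line, in order of appearance."""
    found = (SEQNUM_LINE.match(line) for line in _lines(source))
    return [int(m.group(1)) for m in found if m]


def normalize_macro(source):
    """Mask the varying integer and trailing whitespace so variants compare equal."""
    out = []
    for line in _lines(source):
        out.append("seqnum = 0" if SEQNUM_LINE.match(line) else line.rstrip())
    return "\n".join(out)


def fingerprint(source):
    """SHA-256 over the normalized text: stable across infections."""
    return hashlib.sha256(normalize_macro(source).encode("utf-8")).hexdigest()


# Constructed stand-in modules (not the virus's code): same body, different counter.
SAMPLE_A = "Sub Placeholder()\r\n    seqnum = 4711\r\n    ' stand-in body\r\nEnd Sub\r\n"
SAMPLE_B = "Sub Placeholder()\n    seqnum = 90210\n    ' stand-in body\nEnd Sub\n"
# Constructed unrelated module: must not collide with the two above.
SAMPLE_C = "Sub Other()\n    seqnum = seqnum + 1\nEnd Sub\n"

if __name__ == "__main__":
    raw = {hashlib.sha256(s.encode()).hexdigest() for s in (SAMPLE_A, SAMPLE_B)}
    print("raw hashes differ:", len(raw) == 2)
    print("normalized match: ", fingerprint(SAMPLE_A) == fingerprint(SAMPLE_B))
    print("counters seen:    ", seqnum_values(SAMPLE_A), seqnum_values(SAMPLE_B))
```

A line such as seqnum = seqnum + 1 is deliberately left unmasked, so the fingerprint still distinguishes modules that merely use the same variable name.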

Payload Details

W97M/Seqnum.A contains two payloads. On the 1st of January, the virus will search the C drive for WIN.INI and copy its content to the ApplicationPath\Seqnum file. As this file is the one copied into documents that are to be infected, Word may show VBA (Visual Basic for Applications) errors when loading these documents. Since this virus has only just been discovered, 1 January 2000 will be the first target date.

Every Wednesday, W97M/Seqnum.A will add "xxx".@hnet.pen into the footer of infected documents, where "xxx" is the 'ConsecutiveHyphensLimit'. Though this payload is not destructive, it can cause a lot of problems, as all documents need to be reviewed to see whether the footer has changed.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:11