Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » W97M/Suppl.A


Threat Risk LOW LOW
Destructivity MEDIUM MEDIUM
Detection files published 19 Sep 1999 03:00:00
Description created 19 Sep 1999 03:00:00
Description updated 15 Nov 2001 08:21:00
Malware type VIRUS
Spreading mechanism EMAIL
Summary None



The worm consists of a seemingly empty Word document named "suppl.doc". However, when it is opened, the document contains macros and an appended compressed binary file that will modify the system in such a way that all outgoing mail after next reboot will have the worm attached to it.

This worm is a threat for users of Windows 95/98. Those who use Windows NT are not vulnerable.

Other files that are created by this worm are:

\WINDOWS\ANTHRAX.INI (a copy of the original document) \WINDOWS\ANTHRAX.HST (a file containing the time of firstinstallation) \WINDOWS\DLL.LZH (compressed temporary file during install) \WINDOWS\DLL.TMP (uncompressed temporary file during install) The worm replaces the WINDOWS\SYSTEM\WSOCK32.DLL with its own copy. This bogus WSOCK32.DLL will listen for email sends and append the original suppl.doc to outgoing mail. The original WSOCK32.DLL will be renamed to WSOCK33.DLL. This way of hooking into the system is similar to the method used by the W32/Ska (also known as Happy99) worm.

Payload Details

This worm is also very destructive. After approximately one week (163 hours) it will search for and destroy all *.TXT, *.DOC, *.XLS, *.RTF, *.DBF, *.ZIP, *.ARJ and *.RAR it can find on any drives it has access to (local and mapped hard drives). If this payload has triggered, the files are only recoverable using special undelete/recovery programs.




If the worm should happen to already have installed itself on your system, you should boot to DOS, go to the WINDOWS\SYSTEM\ directory and copy WSOCK33.DLL back to WSOCK32.DLL after your system has been cleaned by Lumension's antivirus product.

Last Updated: 12 Nov 2015 11:06:11