Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Threats » WM/Showoff.D

Overview

Threat Risk LOW LOW
Destructivity NONE NONE
Payload
Detection files published
Description created 14 Nov 1999 03:00:00
Description updated 14 Nov 1999 03:00:00
Malware type VIRUS
Alias
Spreading mechanism FILE_INFECTION
Summary None

WM/Showoff.D

Spreading

WM/Showoff.D infects NORMAL.DOT and documents, and creates identical copies of itself. It infects Office95 documents, but does not survive when the documents are converted to Office97.

The virus has three macros. These have different names if they are in an infected NORMAL.DOT or in an infected document.


NORMAL.DOT Infected document Ofxx AutoOpen AutoClose Cfxx AutoExec Show (usually corrupt)

When starting Word after infection a dialog box with this message is displayed:



Visual Basic Err=7
Out of memory Regardless of this you may continue to work in Word after the message is confirmed by the OK button. The reason why the message appears is that one of the macros in the virus, AutoExec, is corrupt.

Even though the macro AutoExec is corrupt, the virus will propagate because this macro does not copy the virus to other documents. The macro AutoExec includes this text:



at yang kaya dengan uap air bali yang berada di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan ulah Anda, tapi ini hasil pekerjaan saya...Barang siapa yang berhasil menemukan cara menangkal virus ini, saya aka j¡n memberi listing virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini untuk memberi Anda salam dengan virus-virus terbaru dari saya...selamat ! Bandung, The virus does not use so-called "stealth" functionality to hide. It does however change the setting which informs the user when NORMAL.DOT is changed.

Payload Details

n/a

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:12