Macro.Word97.Beast
Details
Macro.Word97.Beast
This virus has two components: a Word macro and a Win32 EXE file. The virus macro is very short and is placed in infected documents as an ordinary macro program under the automatic macro name AutoOpen. The EXE component is stored in documents as an embedded object. When an infected document is opened, the AutoOpen macro takes control, extracts the EXE component, saves it to disk and executes it. The EXE component then gains access to the Word application and infects other documents. The infection routine and other important routines are located in the EXE file, not in the AutoOpen macro, so the virus spreads using documents as a “carrier”.
When the virus macro gets control (when an infected document is opened), it checks the system registry for its ID stamp. This ID contains the system time and is updated by the virus each time its memory-resident EXE copy gets control. If the ID has not been updated for some period of time (i.e. there is no virus copy in Windows memory), the virus drops its EXE component to the disk file I.EXE and executes it.
The I.EXE file is the main virus module. It registers itself in the system, stays in Windows memory and runs the infection routine. To register its copy in the system, the virus looks in the Windows system directory for a .DLL file that has no .EXE companion, and copies its EXE file there under that file name with the .EXE extension. The virus then registers this EXE in the system registry so that the file is run on each Windows restart.
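The registration step above leaves an EXE in the system directory that shares its base name with a DLL and is started at every boot. The following added example (not code from the original page) shows a triage check for that combination. The page does not name the registry location, so autorun command lines are passed in as data; all file names, entry names and paths are constructed.

```python
import ntpath
import re

# Executable at the start of an autorun command line: quoted path, or text up to ".exe".
_TARGET = re.compile(r'^\s*(?:"([^"]+)"|(.+?\.exe)(?=\s|$))', re.IGNORECASE)

def autorun_target(command, system_dir):
    """Return the normalised, lower-cased executable path of a command line, or None."""
    m = _TARGET.match(command)
    if not m:
        return None
    path = m.group(1) or m.group(2)
    if not ntpath.dirname(path):
        # Simplification: treat a bare file name as living in the system directory.
        path = ntpath.join(system_dir, path)
    return ntpath.normpath(path).lower()

def companion_suspects(system_dir, filenames, autoruns):
    """List (exe_path, autorun_name) for every autorun that starts an EXE which
    shares its base name with a DLL in system_dir."""
    exts_by_stem = {}
    for name in filenames:
        stem, ext = ntpath.splitext(name.lower())
        exts_by_stem.setdefault(stem, set()).add(ext)
    paired = {
        ntpath.normpath(ntpath.join(system_dir, stem + ".exe")).lower()
        for stem, exts in exts_by_stem.items()
        if {".dll", ".exe"} <= exts
    }
    hits = []
    for name, command in autoruns.items():
        target = autorun_target(command, system_dir)
        if target in paired:
            hits.append((target, name))
    return sorted(hits)

# Constructed sample data (not taken from a real system or from the page).
SYSTEM_DIR = r"C:\WINDOWS\SYSTEM"
FILES = ["EXAMPLEA.DLL", "EXAMPLEA.EXE", "EXAMPLEB.DLL", "EXAMPLEB.EXE",
         "EXAMPLEC.EXE", "EXAMPLED.DLL"]
AUTORUNS = {
    "ExampleA": r"C:\WINDOWS\SYSTEM\EXAMPLEA.EXE",
    "ExampleC": r'"C:\WINDOWS\SYSTEM\EXAMPLEC.EXE" /s',
    "Tool": r'"C:\Program Files\Tool\tool.exe" -min',
}

if __name__ == "__main__":
    for exe, entry in companion_suspects(SYSTEM_DIR, FILES, AUTORUNS):
        print(f"review: {exe} (autorun entry {entry!r})")
```

A same-name EXE/DLL pair also occurs with legitimate software, so a hit is a lead for review of the file itself, not a verdict.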
The virus then stays in Windows memory as a hidden application and hooks timer events, so that the virus application gets control every second. Each time the “memory-resident” copy gets control, it looks for the MS Word application, and if Word is active, the virus runs its infection routine. The virus performs the following actions:
1. Counts the characters in the active document. If there are no changes for 30 seconds, the virus runs the infection procedure.
2. Closes the Visual Basic Editor window, if it is open.
3. Between 09:36pm and 07:12am, opens and closes the CD-ROM drive’s door.
The infection procedure gets access to MS Word functions by using OLE automation. It checks every document open in MS Word, and if a document does not contain embedded OLE objects and has at least one program module, the virus infects it. It embeds its own executable file into the document and also creates the “AutoOpen” macro in the document’s program module.
The virus contains the encrypted text “3BEPb” (“Beast” in several Slavonic languages). The virus uses this text as the title of its EXE application’s window.