Sophos

WM97/Chronic-A


Summary

 
Detected by All Sophos products

More Information

WM97/Chronic-A has a complex trigger mechanism and under some circumstances can overwrite the CMOS settings.

The virus maintains a count of the number of times the viral code is executed. Every 25th time the code runs (25, 50, 75, etc.), the virus runs the payload.

The payload consists of a complex series of checks on the day part of the date.

If the day part of the date can be divided exactly by 5, the virus will attempt to set the write password for the current document to a value obtained from the system. The password will normally be "1297307460".

The main part of the payload consists of modifying the first 1020 bytes of specific files and also appending the text "Karachi_y2k7" to those same files. The specified file paths are generally only found under the Windows 95 and Windows 98 operating systems. This corrupts the files such that they no longer work.

Every time the payload runs the following files are affected:
"C:\WINDOWS\SOL.EXE"
"C:\WINDOWS\MSHEARTS.EXE"
"C:\WINDOWS\FREECELL.EXE".

If the day can be divided exactly by 3 the following files are affected:
"C:\WINDOWS\ROUTE.EXE"
"C:\WINDOWS\PING.EXE"
"C:\WINDOWS\SYSTEM\NETOS.DLL"
"C:\WINDOWS\SYSTEM\NETDI.DLL"
"C:\WINDOWS\SYSTEM\NETBIOS.DLL"
"C:\WINDOWS\SYSTEM\NETAPI.DLL"
"C:\WINDOWS\SYSTEM\NETAPI32.DLL".

If the day can be divided exactly by 3 and by 6 the following files are affected:
"C:\WINDOWS\SYSTEM\NETCPL.CPL"
"C:\WINDOWS\SYSTEM\INETCPL.CPL"
"C:\WINDOWS\SYSTEM\MODEM.CPL"
"C:\WINDOWS\SYSTEM\URL.DLL"
"C:\WINDOWS\SYSTEM\SENDMAIL.DLL"
"C:\WINDOWS\SYSTEM\MAPI32.DLL"
"C:\WINDOWS\SYSTEM\INETCOMM.DLL"
"C:\WINDOWS\SYSTEM\INETCFG.DLL"
"C:\WINDOWS\SYSTEM\INETAB32.DLL"
"C:\WINDOWS\SYSTEM\INET16.DLL".

If the day can be divided exactly by 3 and by 6 and by 9 the following files are affected:
"C:\WINDOWS\SYSTEM\LPT.VXD"
"C:\WINDOWS\SYSTEM\SPOOL32.EXE"
"C:\WINDOWS\SYSTEM\MSPRINT.DLL"
"C:\WINDOWS\SYSTEM\MSPRINT2.DLL".
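A triage check built from the details above, added here as an example and not Sophos's own code: it looks for the appended text in each listed file under a mounted Windows directory, and lists which files a given day of the month would select. The function names, the 64-byte tail window and the sample tree are assumptions; file names are assumed to appear in upper case as mounted.

```python
import os
import tempfile

MARKER = b"Karachi_y2k7"  # text the write-up says is appended to each damaged file

# Target files from the write-up, relative to C:\WINDOWS, keyed by the
# day-of-month divisors that must all divide the day for the group to be hit.
GROUPS = {
    (): "SOL.EXE MSHEARTS.EXE FREECELL.EXE",
    (3,): "ROUTE.EXE PING.EXE SYSTEM/NETOS.DLL SYSTEM/NETDI.DLL "
          "SYSTEM/NETBIOS.DLL SYSTEM/NETAPI.DLL SYSTEM/NETAPI32.DLL",
    (3, 6): "SYSTEM/NETCPL.CPL SYSTEM/INETCPL.CPL SYSTEM/MODEM.CPL "
            "SYSTEM/URL.DLL SYSTEM/SENDMAIL.DLL SYSTEM/MAPI32.DLL "
            "SYSTEM/INETCOMM.DLL SYSTEM/INETCFG.DLL SYSTEM/INETAB32.DLL "
            "SYSTEM/INET16.DLL",
    (3, 6, 9): "SYSTEM/LPT.VXD SYSTEM/SPOOL32.EXE SYSTEM/MSPRINT.DLL "
               "SYSTEM/MSPRINT2.DLL",
}

def files_for_day(day):
    """Files the payload targets on a given day of month (literal reading of the page)."""
    return [name for divisors, names in GROUPS.items()
            if all(day % d == 0 for d in divisors) for name in names.split()]

def has_marker(path, tail=64):
    """True if the marker occurs in the last `tail` bytes; missing files count as unmarked."""
    try:
        with open(path, "rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - tail))
            return MARKER in fh.read()
    except OSError:
        return False

def scan(windows_dir):
    """Return every listed file under windows_dir that carries the marker."""
    every = files_for_day(18)  # 18 is divisible by 3, 6 and 9, so it selects all groups
    return [n for n in every if has_marker(os.path.join(windows_dir, *n.split("/")))]

if __name__ == "__main__":
    # Constructed sample tree standing in for a mounted C:\WINDOWS directory.
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "SYSTEM"))
        for name, body in [("SOL.EXE", b"\x00" * 1020 + MARKER), ("PING.EXE", b"MZ clean")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        print("damaged:", scan(root))
        print("expected on day 9:", len(files_for_day(9)), "files")
```

The set of marked files narrows down the days on which the payload ran: a marked file from the last group, for example, is only selected on the 18th.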

If the day can be divided exactly by 2, the virus will attempt to print between 1 and 9 copies of the current document.

If the day can also be divided exactly by 4, the virus will modify "C:\WINDOWS\WIN.COM" to contain Troj/KillCMOS-E, a Trojan that overwrites the CMOS settings with random data. The Trojan will be run the next time Windows is restarted.

If the day can also be divided exactly by 6, the virus will copy "C:\WINDOWS\WIN.COM" to "WIN.ORG" and then create a new "C:\WINDOWS\WIN.COM" containing Troj/KillCMOS-E, a Trojan that overwrites the CMOS settings with random data. The Trojan will be run the next time Windows is restarted.
