Sophos

WM97/Lahey-A


Summary

 
How it spreads: Infected files
Affected operating systems: Windows
Protection available since: 15 May 2006 09:48:44 (GMT)
Detected by: All Sophos products

More Information

WM97/Lahey-A is a macro virus for Microsoft Word.

When run, the following files are created:

\Bvhl\Nd1.doc
\Dpc\Erc4.doc
\Smlp\Fz5.doc
\Tmrh\Ec9.doc
\Vnp\Bt2.doc
<System>\Musical.doc
<Temp>\News.txt - harmless, may be removed
C:\ARQUIV~1\Rolin.bat - harmless, may be removed

WM97/Lahey-A will attempt to remove any files matching the following:

<Windows>\*.xls
<Windows>\*.pdf
<Windows>\*.rar
<Windows>\*.com
<Windows>\*.ini
<Windows>\*.rtf
<Windows>\*.gif
<Windows>\*.pdf
<Windows>\*.mp3
<Windows>\*.avi
<Windows>\*.mpg
<Windows>\*.bmp
\*.xls
\*.pdf
\*.rar
\*.com
\*.ini
\*.txt
\*.rtf
\*.gif
\*.xls
\*.mp3
\*.avi
\*.mpg
\*.bmp

WM97/Lahey-A will modify the system time to 7:15AM.

WM97/Lahey-A attempts to change the computer name to "FD67-Start".

WM97/Lahey-A attempts to create the following registry entry to run "rolin.bat" at startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sb
C:\ARQUIV~1\Rolin.bat

When run, Rolin.bat displays the following message:

"Warning.
Access is denied.
Files unable.
Windows Error Found."

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
0001

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
0001

Registry entries are set as follows:

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoFileOpen
1

HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions
NoPrinting
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoCloseKey
005

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFind
5

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDesktop
005

HKCU\Software\Microsoft\Office\9.0\Word\Security
Level
1

HKCU\Software\Microsoft\Office\10.0\Word\Security
Level
1

Registry entries are created under:

HKCU\Software\Policies\Microsoft\WindowsFirewall\StandardProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile\
HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\

WM97/Lahey-A will attempt to infect the Word normal template.
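
The registry changes listed above can be checked on a suspect machine by exporting the registry to a .reg file and scanning the export for those values. The following is an added example, not Sophos code: the function names and the sample export are constructed, and numeric data is compared as an integer because the page does not state the value types.

```python
import re

POL = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies"
IE = r"HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions"
WORD = r"HKCU\Software\Microsoft\Office\%s\Word\Security"
# (key, value name, data) as listed above; numeric data compared as int (assumption).
INDICATORS = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "Sb", r"C:\ARQUIV~1\Rolin.bat"),
    (POL + r"\System", "DisableRegistryTools", 1), (POL + r"\System", "DisableTaskMgr", 1),
    (IE, "NoFileOpen", 1), (IE, "NoPrinting", 1),
    (POL + r"\Explorer", "NoCloseKey", 5), (POL + r"\Explorer", "NoFind", 5),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer", "NoDesktop", 5),
    (WORD % "9.0", "Level", 1), (WORD % "10.0", "Level", 1),
]
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

def parse_reg(text):
    """Parse registry export (.reg) text into {(key, value name): data}, lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVES.get(hive, hive) + "\\" + rest).lower()
        elif key and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            raw = m.group(2)
            if raw.startswith("dword:"):
                data = int(raw[6:], 16)
            else:  # REG_SZ: drop the quotes and undo backslash escaping
                data = raw.strip('"').replace("\\\\", "\\")
                data = int(data) if data.isdecimal() else data
            values[(key, m.group(1).lower())] = data
    return values

def find_indicators(text):
    """Return (key, name, data) for each listed value present with the listed data."""
    values, hits = parse_reg(text), []
    for key, name, want in INDICATORS:
        got = values.get((key.lower(), name.lower()))
        if got is not None and str(got).lower() == str(want).lower():
            hits.append((key, name, got))
    return hits

# Constructed sample export, not taken from an infected machine.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sb"="C:\\ARQUIV~1\\Rolin.bat"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security]
"Level"=dword:00000003
'''
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `find_indicators`.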
