Sophos

WM97/Sundor-A


Summary

 
Affected operating systems Windows
Protection available since 14 July 2005 05:42:35 (GMT)
Detected by All Sophos products

More Information

WM97/Sundor-A is a file system worm for Microsoft Word.

Upon opening an infected Word document, the worm displays a picture of an alien with the following text:

I'm the alien
Have a happy week
I liked your computer

The image displayed by WM97/Sundor-A

The worm also deletes programs and documents, changes system settings and disables some security software.

WM97/Sundor-A deletes EXE files from the following folders:

C:\
C:\WINDOWS\
C:\WINDOWS\SYSTEM\
C:\WINDOWS\SYSTEM32\
C:\WINDOWS\COMMAND\

and deletes COM files from the following folders:

C:\WINDOWS\COMMAND\
C:\WINDOWS\
C:\

If the date is the 6th, 16th or 26th of the month, the worm will also delete all files from the following folders:

C:\Program Files\
C:\My Documents\
C:\My Shared Folder\

When the infected document is closed, the worm displays the message:

Your computer has problems!

The worm then copies its code into the Word normal template and copies the infected document to the following files:

C:\Poems\Romance.doc
C:\Windows\Tecno\News.doc
C:\Windows\Visual\Modern.doc
C:\Windows\Study\Books.doc
C:\Windows\Joke\Funny.doc
C:\Windows\Download\Program.doc
C:\Windows\Birthday\Dates.doc
C:\Windows\Texts\Exemple.doc

WM97/Sundor-A also attempts to hide desktop icons, set the system time to 10 a.m., change the computer name, disable functionality of the Windows Security Center, reduce internet browser security and reduce Office 2000 macro security by setting the following registry entries:

HKCU\Software\Microsoft\Office\9.0\Word\Security
Level
1

HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
0xd001

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
0xd001

HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
0xd001

HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
0xd001

HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
0xd001

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
NOptions
0x031

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0x031

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1201
0

HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
ComputerName
XFL45-Evolution

The worm also sets the following registry entry:

HKLM\SOFTWARE\Microsoft\Roner
Dronus
Activated virus
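
A read-only PowerShell check for the dropped files and registry entries listed above, added here as an example and not part of the Sophos description. It assumes the analyst compares the current registry data with the listed data by eye, because the page's notation (for example 0xd001) does not state the value type; only the computer name and the `Roner` entry are matched automatically as worm-specific markers.

```powershell
# Added example: read-only check for the WM97/Sundor-A artefacts listed on this page.
# Paths, value names and data are copied from the description; nothing is modified.
$droppedFiles = @(
    'C:\Poems\Romance.doc',           'C:\Windows\Tecno\News.doc',
    'C:\Windows\Visual\Modern.doc',   'C:\Windows\Study\Books.doc',
    'C:\Windows\Joke\Funny.doc',      'C:\Windows\Download\Program.doc',
    'C:\Windows\Birthday\Dates.doc',  'C:\Windows\Texts\Exemple.doc'
)
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
# P = key, N = value name, D = data as printed on the page, M = worm-specific marker
$regValues = @(
    @{ P = 'HKCU:\Software\Microsoft\Office\9.0\Word\Security'; N = 'Level'; D = '1' }
    @{ P = $sc; N = 'UpdatesDisableNotify';   D = '0xd001' }
    @{ P = $sc; N = 'AntiVirusOverride';      D = '0xd001' }
    @{ P = $sc; N = 'FirewallOverride';       D = '0xd001' }
    @{ P = $sc; N = 'FirewallDisableNotify';  D = '0xd001' }
    @{ P = $sc; N = 'AntiVirusDisableNotify'; D = '0xd001' }
    @{ P = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'; N = 'NOptions'; D = '0x031' }
    @{ P = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; N = 'NoControlPanel'; D = '0x031' }
    @{ P = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'; N = '1201'; D = '0' }
    @{ P = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'; N = 'ComputerName'; D = 'XFL45-Evolution'; M = $true }
    @{ P = 'HKLM:\SOFTWARE\Microsoft\Roner'; N = 'Dronus'; D = 'Activated virus'; M = $true }
)

# Copies of the infected document that the worm writes on close
$found = @($droppedFiles | Where-Object { Test-Path -LiteralPath $_ -PathType Leaf })

# Current data of each listed value; values that do not exist are skipped
$report = foreach ($r in $regValues) {
    $item = Get-ItemProperty -LiteralPath $r.P -Name $r.N -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($r.N)
        [pscustomobject]@{
            Value   = "$($r.P)\$($r.N)"
            Current = $data
            Listed  = $r.D
            Marker  = [bool]($r.M -and ("$data" -eq $r.D))
        }
    }
}

"Dropped copies found: $($found.Count)"
$found
$report | Format-Table -AutoSize -Wrap
if ($found.Count -gt 0 -or @($report | Where-Object Marker).Count -gt 0) {
    'Worm-specific artefacts present: treat the host and its Word Normal template as infected.'
}
```

Several of the listed values also exist on clean systems, so a row in the table is a prompt to compare `Current` with `Listed`, not a detection on its own.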
