high
Summary
Summary
Action- More Information
| Detected by | All Sophos products |
|---|---|
Free virus scan
- Free virus, spyware, and adware scan
- Test your existing anti-virus protection
- Find threats your anti-virus missed
Action
- Summary
- Action
- More Information
Please follow the instructions for disinfecting macro viruses.
More Information
Once documents are infected with WM97/ZMK-J, message boxes entitled "Virus WorldCup98" are displayed containing text in French.
The virus payload is triggered on the 12th of any month, or on the 12th month, (depending on the date format of the machine) or at a random time based on the seconds, or hundredths of a second, depending on the time format selected.
When the payload is triggered, 50% of the time the virus displays the rotating text "World Cup 98"
and the remainder of the time it prompts the user to select a team.
In the latter case, if the selection is the same as a random selection made by the virus, the message "Vive le football!!!, Vive la Coupe du Monde 98!!!" is displayed in the status bar.
If it is not, one of three malicious payloads is triggered:
- There is a 40% chance that lines are inserted into AUTOEXEC.BAT to cause drive C to be formatted on next boot-up.
- There is a 27% chance all of the files are deleted from the DOS and WINDOWS\COMMAND directories together with IO.SYS and MSDOS.SYS.
- There is a 27% chance the text in the current document is replaced with 98 copies of the line "Vive la coupe du monde 98!!!!!" and one final line saying "ZeMacroKiller98 aime beaucoup le football...". It also dumps the document to the printer.
|
