Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | September 2005 (3.97) |
| Protection available since | 14 July 2005 05:42:35 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
More Information
WM97/Sundor-A is a file system worm for Microsoft Word.
Upon opening an infected Word document, the worm displays a picture of an alien with the following text:
I'm the alien
Have a happy week
I liked your computer
The worm also deletes programs and documents, changes system settings and disables some security software.
WM97/Sundor-A deletes EXE files from the following folders:
C:\
C:\WINDOWS\
C:\WINDOWS\SYSTEM\
C:\WINDOWS\SYSTEM32\
C:\WINDOWS\COMMAND\
and deletes COM files from the following folders:
C:\WINDOWS\COMMAND\
C:\WINDOWS\
C:\
If the date is the 6th, 16th or 26th of the month, the worm will also delete all files from the following folders:
C:\Program Files\
C:\My Documents\
C:\My Shared Folder\
When the worm document is closed, it will display the message:
Your computer has problems!
The worm then copies its code into the Word normal template and copies the infected document to the following files:
C:\Poems\Romance.doc
C:\Windows\Tecno\News.doc
C:\Windows\Visual\Modern.doc
C:\Windows\Study\Books.doc
C:\Windows\Joke\Funny.doc
C:\Windows\Download\Program.doc
C:\Windows\Birthday\Dates.doc
C:\Windows\Texts\Exemple.doc
WM97/Sundor-A also attempts to hide desktop icons, set the system time to 10 a.m., change the computer name, disable functionality of the Windows Security Center, reduce internet browser security and reduce Office 2000 macro security by setting the following registry entries:
HKCU\Software\Microsoft\Office\9.0\Word\Security
Level
1
HKLM\SOFTWARE\Microsoft\Security Center
UpdatesDisableNotify
0xd001
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusOverride
0xd001
HKLM\SOFTWARE\Microsoft\Security Center
FirewallOverride
0xd001
HKLM\SOFTWARE\Microsoft\Security Center
FirewallDisableNotify
0xd001
HKLM\SOFTWARE\Microsoft\Security Center
AntiVirusDisableNotify
0xd001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update
NOptions
0x031
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
0x031
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
1201
0
HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
ComputerName
XFL45-Evolution
The worm also sets the following registry entry:
HKLM\SOFTWARE\Microsoft\Roner
Dronus
Activated virus
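
As an added example (not part of the original analysis and not Sophos code), the following sketch checks a registry export for the values listed above. It assumes the export has already been decoded to text, that numeric data is stored as REG_DWORD and text data as REG_SZ; the function names and the sample export are constructed for illustration.

```python
import re
# Registry values listed in the analysis above, as (key, value name, data).
# Assumption: numeric data is REG_DWORD and text data is REG_SZ.
SC = r"HKLM\SOFTWARE\Microsoft\Security Center"
CV = r"\Software\Microsoft\Windows\CurrentVersion"
INDICATORS = [
    (r"HKCU\Software\Microsoft\Office\9.0\Word\Security", "Level", 1),
    (SC, "UpdatesDisableNotify", 0xD001),
    (SC, "AntiVirusOverride", 0xD001),
    (SC, "FirewallOverride", 0xD001),
    (SC, "FirewallDisableNotify", 0xD001),
    (SC, "AntiVirusDisableNotify", 0xD001),
    ("HKLM" + CV + r"\WindowsUpdate\Auto Update", "NOptions", 0x031),
    ("HKCU" + CV + r"\Policies\Explorer", "NoControlPanel", 0x031),
    ("HKCU" + CV + r"\Internet Settings\Zones\0", "1201", 0),
    (r"HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName",
     "ComputerName", "XFL45-Evolution"),
    (r"HKLM\SOFTWARE\Microsoft\Roner", "Dronus", "Activated virus"),
]
HIVES = {"hkey_local_machine": "hklm", "hkey_current_user": "hkcu"}

def parse_reg_export(text):
    """Parse .reg export text into {(key, name): data}; key and name lower-cased."""
    values, key = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].lower().partition("\\")
            key = HIVES.get(hive, hive) + "\\" + rest
        elif key and (m := re.match(r'"([^"]*)"=(dword:[0-9a-fA-F]{1,8}|".*")$', line)):
            raw = m.group(2)
            data = int(raw[6:], 16) if raw[0] != '"' else raw[1:-1].replace("\\\\", "\\")
            values[(key, m.group(1).lower())] = data
    return values

def find_sundor_indicators(reg_text):
    """Return (key, name) for each listed value present with the listed data."""
    values = parse_reg_export(reg_text)
    return [(k, n) for k, n, want in INDICATORS
            if values.get((k.lower(), n.lower())) == want]

# Constructed sample export: two values as described above, one unrelated value.
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Roner]
"Dronus"="Activated virus"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:0000d001
"FirewallOverride"=dword:00000000
"""
```

The `Roner\Dronus` value is specific to this worm; the other settings can also be changed by other software or by policy, so treat them as supporting evidence.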

