Christmas is coming and no doubt you are cleaning and tidying all ready for visitors? Well there’s an IT Christmas visitor we spoke about yesterday which might just be waiting to pop up.
It’s the cutely named W97M/Pri.Q, which on December the 25th will wipe your system, screw up your data and give you the happy Christmas message below:
Don’t blame the Muslims, it might be them or it might be someone who thinks they deserve all the blame – don’t ask me to comment more.
Is your IT infected?
Only your computer knows the answer to that one. If it is, then files will have been changed and settings altered; the clock will be ticking, and if you do nothing then watch out.
How did I get it?
You received an email, probably telling you that you had received a payment by BACS and that the details were in an attached Word document or Excel spreadsheet, and then you opened the document. This ran a macro, a small routine that disabled your security and anti-virus and started all the bad stuff that is now loaded and ready to roll.
What can I do?
Relax, it’s all OK: we, or rather you, can sort it all out easily with our help.
Make a backup. Ring us if you don’t know how; there are hundreds of ways of getting it wrong.
Download the free version of Malwarebytes antimalware from www.malwarebytes.org/antimalware and install it. Be sure you have unchecked the trial / premium option. Now run a scan using it. If it comes up with problems then you can fix them or ring us for advice.
Then go to either of the links below and run a virus sweep. These have the latest detection methods and just download a small package without installing anything on your equipment. It’s like having a remote PC smear test.
(32-bit computers) http://go.trendmicro.com/housecall7/HousecallLauncher.exe
(64-bit computers) http://go.trendmicro.com/housecall7/HousecallLauncher64.exe
Either one is good or both is best. If it comes up clean then you can have a happier Christmas than you may have done.
What is the best anti-virus?
I can talk on this for hours. Basically, at the moment it is ESET, either the anti-virus or the Smart Security. Contact us about a free trial.
If you want to know more.
We did a complete page on everything that we do when we have a system to examine. It tells you what happens to an infected system and what to do. Why not subscribe to get all the topical blogs? If you want the latest news, we publish on Facebook, Twitter and LinkedIn; the links are on the main website. That page I mentioned is: How do we spring clean your computer for malware, viruses etc? http://www.cmx.co.uk/blog/2014/06/9.html
On December 25th there will be a nice present for anyone who has opened an email with an attached Word or Excel document: a dead computer.
If you have received an email like this:
Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 694878F]

Dear ,

We are making a payment to you. Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014. If you have any questions regarding the remittance please contact us using the details below.

Kind regards
Bertha Hahn
Anglia Engineering Solutions Ltd
Tel: 01469 382553

If you open the attachment, which is an xls spreadsheet, then you will be infected by a virus with the catchy name of W97M/Pri.Q.
Here is the definition information. If you want to skip it: it infects your machine, disables everything and then screws up the computer on 25th December.
“W97M/Pri.Q is a polymorphic macro virus operating in the Microsoft Word environment. It uses the “class” method of infection – it attacks the module “ThisDocument”, which is present as standard in each Word document or template. It attacks the global template normal.dot and Word documents. It is derived from the virus W97M/Pri.A and a part of its code comes from the virus W97M/Melissa.A. It is also able to spread by means of files in an attachment of e-mail messages.

After opening an infected document, W97M/Pri.Q turns off the Word anti-virus protection and disables the display of warnings on storing the global template and on macro conversion. It also disables adding of documents to the list of the last opened documents. It sets the lowest possible level of Word protection and disables the item Tools/Macro/Security… in the Word menu. It infects the global template and then attacks documents as they are opened and closed.

In addition, the virus is able to spread by means of files in an attachment of e-mail messages. The virus sends its copy to the first 50 addresses from the Microsoft Outlook contacts address book. The subject of such a message is formed by the text Message From the Word user’s name, where instead of the string Word user’s name the name of the user to whom the program Word is registered is written. The message body is formed by the text “This document is very Important and you’ve GOT to read this !!!”. The name of the file in the attachment is identical to the name of the infected document. The virus marks the sending out of its copies by e-mail by creating a key in the system registry. In HKEY_CURRENT_USER\Software\Microsoft\Office\ it creates the item CyberNET with value (C)1999 – Indonesia by AnomOke!.”
The virus activating routine is manifested on December 25th. The file autoexec.bat is overwritten by the following code:
@echo Vine…Vide…Vice…Moslem Power Never End…
@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!
format c: /autotest /q /u
This code causes disk C: to be formatted after the system restarts. Finally, the virus inserts up to 70 random geometrical shapes in random colours into the active document.
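
The definition above names two traces you can look for on a machine: the CyberNET item under the Office registry key and a format command written into autoexec.bat. The Python below is an added example, not part of the original post or of the quoted definition; the function names and sample inputs are constructed here, and it assumes you pass in the text of autoexec.bat and of a registry export of the Office key.

```python
import re

# Indicators named in the description quoted above.
OFFICE_KEY = r"hkey_current_user\software\microsoft\office"
MARKER = "cybernet"
# A format command aimed at a drive letter, optionally prefixed with "@".
FORMAT_RE = re.compile(r"^\s*@?\s*format(\.com|\.exe)?\s+[a-z]:", re.IGNORECASE)


def check_autoexec(text):
    """Return (line number, line) pairs that format a drive or name the marker."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if FORMAT_RE.match(line) or MARKER in line.lower():
            hits.append((number, line.strip()))
    return hits


def check_reg_export(text):
    """True if a .reg export shows CyberNET as a value or subkey of the Office key.

    The description does not say which of the two it is, so both are checked.
    """
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].rstrip("\\").lower()
            if key == OFFICE_KEY + "\\" + MARKER:
                return True
        elif key == OFFICE_KEY and line.lower().startswith('"%s"=' % MARKER):
            return True
    return False


# Constructed samples (not captured from a real machine).
INFECTED_BAT = (
    "@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!\n"
    "format c: /autotest /q /u\n"
)
CLEAN_BAT = "@echo off\nrem format a: appears only in this comment\nset PATH=C:\\DOS\n"
# regedit exports are UTF-16; decode the file before passing its text in.
INFECTED_REG = (
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Office]\n"
    '"CyberNET"="(C)1999 – Indonesia by AnomOke!"\n'
)

if __name__ == "__main__":
    print(check_autoexec(INFECTED_BAT), check_reg_export(INFECTED_REG))
```

A clean result from these two checks only means these two traces are absent; it does not replace the scans described above.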