HAPPY CHRISTMAS now watch your IT be destroyed!

Leave a reply

On December 25th there will be a nice present for anyone who has opened an email with an attached Word or Excel document. -a dead computer.

If you have received an email like this:

Subject: Remittance Advice from Anglia Engineering Solutions Ltd [ID 694878F] Dear , We are making a payment to you. Please find attached a copy of our remittance advice, which will reach your bank account on 11/12/2014. If you have any questions regarding the remittance please contact us using the details below. Kind regards Bertha Hahn Anglia Engineering Solutions Ltd Tel: 01469 382553

If you open the attachement which is an xls spreadsheet then you will be infected by a virus with the catchy name of W97M/Pri.Q

Here is the definition information. To skip this, it infects your machine, disables everything and then screws up the computer on 25th December;

W97M/Pri.Q is a polymorphic macro virus operating in the Microsoft Word environment. It uses the “class” method of infection – it attacks the module “ThisDocument” which is present as a standard in each Word document or template. It attacks the global template normal.dot and Word documents. It is derived from the virus W97M/Pri.A and a part of its code comes from the virus W97M/Melissa.A. It is able of spreading also by means of files in an attachment of e-mail messages. After opening an infected document W97M/Pri.Q turns off the Word anti-virus protection and disables displaying of warning on storing the global template and on macros conversion. It also disables adding of documents into the list of the last opened documents. It sets the lowest possible level of Word protection and disables the item Tools/Macro/Security… in the Word menu. It infects the global template and then attacks documents as they are opened and closed. In addition, the virus is able of spreading by means of files in an attachment of e-mail messages. The virus sends its copy to the first 50 addresses from the Microsoft Outlook contacts address book. Subject of such a message is formed by the text Message From the Word user’s name, where instead of the string Word user’s name name of the user to who the program Word is registered is written. The message body is formed by the text “This document is very Important and you’ve GOT to read this !!!“. The name of the file in the attachment is identical with the name of the infected document. The virus marks sending out of its copies by means of e-mail by creating a key in the system registry. In HKEY_CURRENT_USER\Software\Microsoft\Office\ it creates the item CyberNET with value (C)1999 – Indonesia by AnomOke!.”

The virus activating routine is manifested on December 25th. The file autoexec.bat is overwritten by the following code:

@@echo off
@echo Vine…Vide…Vice…Moslem Power Never End…
@echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!
ctty nul
format c: /autotest /q /u

This code causes that disk C: is formatted after the system restart. In the end the virus inserts up to 70 random geometrical shapes in random colours into the active document.

 

Leave a Reply

Your email address will not be published. Required fields are marked *