This virus is similar to many other Microsoft Word macro viruses. It changes the following Microsoft Word settings:
It disables the Visual Basic Editor to prevent you from viewing or editing the macro code.
It disables Microsoft Word warning message that appear when you open a document or template that contains macros.
It prevents other alerts or messages from being displayed. When a macro runs, if the running of the macro would normally cause a message to be displayed, the default value is chosen and the macro continues.
It enables AutoMacros, so that the macro virus runs automatically when you start Word or open a document.
If the day is the 1st or the 22nd of any month and it is Friday, the virus detects the \Windows folder by searching for the Welcome.exe file. If the file is found, the virus drops an HTML page with the header
Jangan padamkan..
into the StartUp folder. This causes the page to be displayed each time that Windows starts. In a default installation, the path and file name are as follows:
C:\Windows\Programs\StartUp\Jauh di Relung Hatiku.HTM
If the virus detects any macro module in a document or template that it attempts to infect, it removes that module to avoid any conflicts with other possible macro viruses. Then the virus infects the Normal.dot template. After this, all other documents are infected through the template unless "Doc" is the first three letters of the file name. (That means that the macro virus will not infect files that have names such as Document1.doc, Doc2.doc, or Document for Calif trip.doc. Note that the "D" must be capitalized; all other documents will be infected.)
Other than causing these changes, W97M.Candle.Gen virus does not contain any additional malicious payload.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
Run LiveUpdate to make sure that you have the most recent virus definitions.
Start Norton AntiVirus (NAV), and run a full system scan, making sure that NAV is set to scan all files.
If any files are detected as infected by W97M.Candle.Gen, choose Repair.
Click Start, point to Find, and click Files or Folders.
Make sure that Look in is set to (C:) and that Include subfolders is checked.
In the Named box, type (or copy and paste) the following file name:
"Jauh di Relung Hatiku.htm"
NOTE: Make sure that you include the quotes.
Click Find Now. Windows will find the files and display them in the lower pane of the Find dialog box.
Delete all copies of or shortcuts to this file.
(Optional) Re-enable Microsoft Word MacroVirusProtection. To do this, click Tools, click Options, and then click the General tab. (The exact steps may vary depending your version of Word.)
