Symantec United States
 global sites
products
purchase
service and support
security updates
downloads
about symantec
search
feedback


©1995-2009 Symantec Corporation.
All rights reserved.

Legal Notices
Privacy Policy
security updates

W97M.Class.A.Gen

Category 1

One of the first of the W97M families of virus that works well under Microsoft Word 97, SR1, this polymorphic W97M macro virus does not add a new VBA5 module. Instead, it adds its viral code to the "ThisDocument" VBA5 module, which by default is always in Word 97 documents and templates. It also uses various stealth techniques, such as a do-nothing ToolsMacro.

Most variants have a payload that displays messages on certain dates of the year. The "D" variant modifies the Windows registry, replacing the registered owner with the name of the virus writer.

Also Known As: Class.Poppy, W97M.Class
Type: Macro
Infection Length: 1 VBA5 module

protection
  • Virus Definitions (Intelligent Updater)

    • August 08, 1998

    threat assessment

    Wild

    Threat Metrics
    Low Low Low

    Wild:
    Low

    Damage:
    Low

    Distribution:
    Low

    Distribution

    technical details

    W97M.Class.A.Gen changes its own code constantly by inserting comments that contain the current user's name, current date and time, and information about the active printer. By using special WordBasic operators, the virus installs its module into Word classes. The virus code is appended as a native Word component. As a result, the virus is not visible in the Tools, Macro menu.

    To replicate, the virus creates the file C:\Class.sys. This file can be safely deleted after the system has been disinfected.

    W97M.Class.A.Gen activates on the 31st of every month. At this time it displays this message:

      This Is Class
      o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
      o      VicodinES     /CB    /TNN      o
      o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

    Variants
    Some of the variants that are in the wild are:
    • W97M.Class.B.Gen: Replication and polymorphism is the same as W97M.Class.A. On the 14th of any month after May, it displays the following message:

      I think <user name> is a big stupid jerk!
      VicodinES Loves You / Class.Poppy

      where <user name> is taken from the user name on the system.
    • W97M.Class.C.Gen: Replication and polymorphism is the same as W97M.Class.A. On 14th of any month after May, it displays the following message:

      I think <user name> is a big stupid jerk!
      Class.Poppy

      where <user name> is taken from the user name on the system.
    • W97M.Class.D.Gen: This variant has a different payload. On 14th of any month after May, it displays the following message:

      <user name> is a big stupid jerk

      where <user name> is taken from the user name on the system.
      A second payload modifies following registry entry:

      HKEY_LOCAL_MACHINE,"Software\Microsoft\Windows\CurrentVersion

      and changes "RegisteredOwner" to "VicodinES /CB /TNN" and "RegisteredOrganization" to "-(Dr.Diet Mountain Dew)-"
    • W97M.Class.E.Gen: Uses a temporary text file, C:\Clinton.sys. The virus contains references to Clinton and Monica throughout the code. At random times (1 of 100), it displays the message:

      Monica Blows Clinton! -=News@11=-

      On 17th of any month after August, it displays the following message:

      Today is Clinton & Monica F___-Fest Day!"

    recommendations

    Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

    • Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
    • If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
    • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
    • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
    • Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
    • Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
    • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

    removal instructions

    The temporary text file does nothing, so you can delete it. Most variants of this macro virus use C:\Class.sys as the name of the temporary text file. Of the wild ones, variant "E" uses C:\Clinton.sys.

    To remove this virus, run a full system scan, and repair any infected files. Delete all Class.sys and Clinton.sys files that are in the root of the C drive. If this does not fix specific documents, follow the instructions in the document How to repair Microsoft Word documents infected with macro viruses and then run a scan again.