W97M.JulyKiller
W97M.JulyKiller is an MS Word 97 macro virus that was first discovered in Taiwan. Although the virus has received media attention, the Symantec AntiVirus Research Center does not believe it presents any serious threat. As of July 2, 1999, there has not been a single report of a W97M.JulyKiller infection, nor has Symantec received any submissions of the virus from its worldwide customers.
This macro virus infects the Global Template (NORMAL.DOT) and opened documents, and adds a new start-up template, "C:\AUTOEXEC.DOT". The payload is triggered on opening or closing a document, creating a new document, or loading MS Word during the month of July. As described in detail below, the payload may replace "C:\AUTOEXEC.BAT" with one that includes a command to delete all files from the C: drive. It has been confirmed that the virus can infect non-Chinese versions of MS Word 97.

Damage
- Payload Trigger: July
- Payload: During the month of July, it displays an input box in Chinese. The message in the input box is about injustice in this corrupt society. The provided default answer means "Absolutely True".
Accepting the default answer will make the virus display a message box:
"You are wise, please choose this later again, critically!"
Changing the default answer or clicking Cancel three times will make the virus replace the AUTOEXEC.BAT file with one that contains a DELTREE instruction to delete all files on the C: drive the next time the system boots. It also displays the following message box:
"Stop it! You are so incurable to lose 3 chances! Now God will punish you..."

This macro virus uses one viral module, "A". The viral module has four identical sub-functions: AutoOpen, AutoNew, AutoClose, and AutoExec. These sub-functions are executed by MS Word upon opening a file, creating a new file, closing a file, or loading MS Word. Once a viral sub-function gets control, it:
- Creates a new startup or add-in template in "C:\AUTOEXEC.DOT". It modifies the startup path to "C:\". The startup path is normally set to "C:\...\MSOffice\Office\STARTUP".
- Turns off the VirusProtection setting.
- Removes any module named AutoOpen, AutoNew, AutoClose, or FileSave from all opened documents and templates, including the Global Template "NORMAL.DOT".
- Copies the viral module "A" into all opened documents and templates, including the Global Template "NORMAL.DOT".
- Modifies the shortcut keys ALT-F8 and ALT-F11 to do FileSaveAs, instead of Tools-Macro-Macros and Tools-Macro-VisualBasicEditor, respectively. Then, it sets the shortcut keys ALT-F1 and ALT-F2 to Tools-Macro-Macros and Tools-Macro-VisualBasicEditor, respectively.
- Modifies the following Tools menu entries: Customize, Templates-and-Add-Ins, Options, Macro-Macros, and Macro-VisualBasicEditor. All of these entries will now call AutoClose. It also modifies the VisualBasic Toolbar to call AutoClose.
- Sets all visible toolbars to 'no customization allowed'.
- If the current month is July, the payload is triggered.
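The behaviours listed above are concrete enough to turn into a triage check. The script below is an added example (not Symantec's code) that works on VBA source text already extracted from a suspect document or template, and on the text of C:\AUTOEXEC.BAT, so it also supports verifying the AUTOEXEC.BAT clean-up described later in this write-up. The Word object-model calls it looks for (Options.VirusProtection, Options.DefaultFilePath(wdStartupPath), KeyBindings.Add, CommandBar.Protection) are the calls a macro would ordinarily use to produce the listed effects; the write-up does not quote the virus's code, so treating them as its indicators is an assumption. All sample inputs are constructed and are not the virus.

```python
"""Heuristic triage for the W97M.JulyKiller behaviour described in this write-up.

Added example, not Symantec's code.  It works on VBA source text that you have
already extracted from a suspect document or template, and on the text of
C:\\AUTOEXEC.BAT.  The object-model calls it matches are assumptions about how
the listed effects would be produced; the write-up does not quote the virus.
All sample inputs below are constructed for illustration.
"""
import re

# The four auto-macros the write-up says live in the viral module "A".
AUTO_MACROS = ("AutoOpen", "AutoNew", "AutoClose", "AutoExec")

# One regex per behaviour listed in the write-up (assumed object-model calls).
INDICATORS = [
    ("VirusProtection turned off",
     re.compile(r"\bVirusProtection\s*=\s*False\b", re.I)),
    ("startup path changed to C:\\",
     re.compile(r'DefaultFilePath\s*\(\s*wdStartupPath\s*\)\s*=\s*"C:\\"', re.I)),
    ("AUTOEXEC.DOT start-up template referenced",
     re.compile(r"AUTOEXEC\.DOT", re.I)),
    ("shortcut keys rebound",
     re.compile(r"\bKeyBindings\.Add\b", re.I)),
    ("toolbar customization disabled",
     re.compile(r"\.Protection\s*=\s*msoBarNoCustomize\b", re.I)),
    ("July payload trigger",
     re.compile(r"\bMonth\s*\(\s*(?:Now|Date)\s*\)\s*=\s*7\b", re.I)),
]

# Matches "Sub Name(...) ... End Sub" blocks in VBA source.
PROC_RE = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?Sub\s+(\w+)\s*\([^)]*\)(.*?)^\s*End\s+Sub\b",
    re.I | re.M | re.S,
)

# The payload's marker in AUTOEXEC.BAT, per the write-up: a DELTREE command.
DELTREE_RE = re.compile(r"^\s*@?\s*DELTREE\b", re.I)


def split_procedures(vba_text):
    """Map each Sub name to its body text (Functions are ignored; not needed here)."""
    return {m.group(1): m.group(2) for m in PROC_RE.finditer(vba_text)}


def scan_macro_source(vba_text):
    """Report which JulyKiller traits a module's source exhibits.

    Returns the auto-macros present, whether their bodies are identical (the
    write-up says all four are), the matched indicators, and a verdict that is
    True only when several traits coincide.
    """
    procs = split_procedures(vba_text)
    present_lower = {n.lower() for n in AUTO_MACROS} & {p.lower() for p in procs}
    present = [n for n in AUTO_MACROS if n.lower() in present_lower]
    bodies = {" ".join(procs[p].split()) for p in procs if p.lower() in present_lower}
    identical = len(present) >= 2 and len(bodies) == 1
    hits = [label for label, rx in INDICATORS if rx.search(vba_text)]
    return {
        "auto_macros": present,
        "identical_auto_bodies": identical,
        "indicators": hits,
        "verdict": identical and len(hits) >= 2,
    }


def autoexec_bat_suspicious(bat_text):
    """Return the lines of an AUTOEXEC.BAT that run DELTREE, for review before reboot."""
    return [line for line in bat_text.splitlines() if DELTREE_RE.search(line)]


# --- constructed samples (not the virus's code) ---------------------------------
_INDICATOR_BODY = '''    Options.VirusProtection = False
    Options.DefaultFilePath(wdStartupPath) = "C:\\"
    If Month(Now) = 7 Then MsgBox "payload placeholder"
'''
# Four identical auto-macros, as the write-up describes module "A".
SAMPLE_VBA = "".join(f"Sub {n}()\n{_INDICATOR_BODY}End Sub\n" for n in AUTO_MACROS)

BENIGN_VBA = """Sub AutoOpen()
    ActiveDocument.Paragraphs(1).Range.Select
End Sub
"""

SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\DOS\r\nDELTREE /Y C:\\\r\n"
CLEAN_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\DOS\r\n"

if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_VBA), ("benign", BENIGN_VBA)):
        print(label, scan_macro_source(src))
    print("AUTOEXEC.BAT lines to review:", autoexec_bat_suspicious(SAMPLE_AUTOEXEC))
```

The verdict deliberately requires both the structural trait (several identical auto-macros) and at least two behavioural indicators, so a legitimate template with a single AutoOpen that merely references a startup path is reported but not flagged.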

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":
- Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.
- If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
- Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
- Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
- Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

NAV is able to remove the viral macro from the C:\AUTOEXEC.DOT that the virus creates. Since this file serves no purpose, you can safely delete it.
Because the virus disables all menu and toolbar customizations, deleting NORMAL.DOT is recommended. After deleting NORMAL.DOT, the startup path setting needs to be changed back. The virus sets it to "C:\". The default setting is usually "C:\…\MSOffice\Office\STARTUP". You can set this in Tools-Options-FileLocations.
The malicious AUTOEXEC.BAT needs to be deleted. Because the original AUTOEXEC.BAT was overwritten, it needs to be restored from a known-good copy.
Write-up by: Raul K. Elnitiarta and Peter Pak