Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Chantal

Summary

W97M/Chantal is a Word 97 macro virus that drops a Visual Basic Script and a batch virus. It also has a destructive payload.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant: Chantal.A

When an infected document is opened, the virus disables the built-in macro virus protection. It also disables the "Tools\Macro" menu and lowers the security settings of Word 2000.

It drops a batch virus to "C:\CB2.BAT". A line that runs this batch file is appended to "C:\Autoexec.bat". The batch virus is able to replicate to other batch (*.bat) files in the current directory. Since it runs from Autoexec.bat, it therefore infects only files in the root of the "C:" drive.

The virus creates another two files, "c:\windows\cb4.vxd" and "c:\windows\system\cb1999.vbs". It modifies the registry in such a way that the script file is executed every time the system is restarted, if the Windows Scripting Host is installed. The script infects Word's global template if it is not yet infected.

The virus changes the registered owner of Windows to:

 Chantal 4ever!

It also changes the comment from the document summary to:

	Chantal B. 4ever - Hennie & Mark

The payload of this virus activates in the year 2000. It deletes files from the current directory and from the root of the "C:" drive, and then shows a message box with the following text:

	Chantal 4ever!

Further, on the 31st day of each month, it shows an Office Assistant with the same message but does not delete any files.

Variant: Chantal.B

This variant is slightly modified. The payload of Chantal.B also activates in the year 2000, when it deletes all files from the root directory of the "C:\" drive and from the current directory, but the message box that this variant shows is:


 Welcome To Y2K

On the 31st day of each month, Chantal.B shows an Office Assistant with the following heading and text:

	Heading: MK Words V.2
	Text: Y2K is Coming Soon...

The following text has also been added at the top of the code:

MK-Words 2

From the MKVG - The Lion City

and


 MKVG had present MK Words Version 2
 (C) May 1999

at the end.

This variant uses "MKV" instead of "CB" for all files that it drops.
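
The file artifacts described above can be checked on a mounted disk image with a short triage script. This is an added example, not F-Secure's code: the function names are hypothetical, the registry change is not covered, and the Chantal.B file names are an assumption derived by replacing "CB" with "MKV" in the Chantal.A names.

```python
"""Triage a mounted disk image for the file artifacts listed for W97M/Chantal."""
import os
import sys

# Relative paths from the Chantal.A description; "{p}" is the file name prefix.
# Using prefix "MKV" for Chantal.B is an assumption (plain substitution).
DROPPED = ["{p}2.BAT", "windows/{p}4.vxd", "windows/system/{p}1999.vbs"]


def resolve_nocase(root, relpath):
    """Resolve relpath under root ignoring case (FAT names are case-insensitive)."""
    current = root
    for part in relpath.split("/"):
        try:
            entries = os.listdir(current)
        except OSError:
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current


def find_chantal_artifacts(root, prefix="CB"):
    """Return (kind, path) findings under root, the image's C:\\ root directory."""
    findings = []
    for template in DROPPED:
        path = resolve_nocase(root, template.format(p=prefix))
        if path and os.path.isfile(path):
            findings.append(("dropped_file", path))
    # The batch virus is started by a line appended to Autoexec.bat.
    autoexec = resolve_nocase(root, "autoexec.bat")
    if autoexec and os.path.isfile(autoexec):
        with open(autoexec, "r", errors="replace") as fh:
            lines = [ln.strip().lower() for ln in fh if ln.strip()]
        batch_name = (prefix + "2.bat").lower()
        if any(batch_name in ln for ln in lines):
            findings.append(("autoexec_reference", autoexec))
    return findings


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: chantal_triage.py <mounted C: root> [prefix]")
    for kind, path in find_chantal_artifacts(*sys.argv[1:3]):
        print(f"{kind}\t{path}")
```

A hit on a dropped file name alone is only a lead; confirm it with a scan of the file before acting on it.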