July killer

Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

July killer

Summary

The W97M/JulyKiller.A is a rather unremarkable macro virus for Word 97. The virus is obviously of Far Eastern origin - probably Chinese. It is a native W97M virus but, like many other such Chinese viruses, most of it is upconverted WordBasic code - obviously its author was not familiar with Visual Basic for Applications - the programming language of Office 97 applications.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The virus consists of a single VBA5 module named "a". The module contains 4 subroutines with identical contents - AutoOpen, AutoClose, AutoNew and AutoExec. Therefore, the virus receives control each time a document is opened, closed, created, or when Word is started.

When it receives control, the first thing the virus does is to examine all add-ins (accessible via Tools/Templates and Add-Ins of Word 97's menus) and unload all of those, whose name is not Autoexec.dot. The virus then changes the path of Word's Startup folder (accessible via Tools/Options/File Locations of the menus of Word 97) to C:\. Then it turns off the built-in macro virus protection of Word 97.

If the virus is running from a document containing the word "Autoexec" anywhere in its name, the virus checks whether any of the opened documents or the global template is infected. (This is determined by checking for the presence of a module named "a".) If neither of them is, the virus opens the document C:\Autoexec.dot (in a way which prevents it from appearing on the list of Most Recently Used files on Word's menu) and copies itself from that document to all opened documents and templates, the VBA projects in which are not protected.

The virus then checks whether a file named "Autoexec.dot" is present in the root directory of drive C:. If it is not, a new template is created, it is infected, and is saved in a file with this name. Again, the virus takes care to prevent the name of this file from appearing on the MRU list.

The next action of the virus is to inspect all opened documents (except the one it is running from) and templates. If their VBA projects are not protected, it looks there for modules named AutoOpen, AutoClose, AutoNew and FileSave and removes them. This might be a measure against another, competing virus, or against some unknown anti-virus product. The virus then proceeds to infect these documents and templates.

Next, the virus performs some key and menu redirections. The key shortcuts Alt-F8 (default for Tools/Macro/Macros) and Alt-F11 (default for Tools/Macro/Visual Basic Editor) are redirected to perform File/Save As (both of them). Instead, Alt-F1 and Alt-F2 are set to perform their actions (start the ToolsMacro dialog and VBA Editor respectively) - a kind of "backdoor", so that the virus author (and those "in-the-know") could still use them.

The virus also rebinds the Tools/Customize, Tools/Options, Tools/Templates and Add-Ins, Tools/Macro/Macros and Tools/Macro/Visual Basic Editor menu items to execute its AutoClose subroutine. However, the virus accesses these menu items by name - and it uses the Chinese names for them - so, this rebinding will be successful only under the Chinese language version of Word 97. Finally, the virus rebinds all items on the "Visual Basic" command bar to its AutoClose subroutine and proceeds to save all opened documents.

The payload of the virus activates when the system date indicates the the current month is July. If this is the case, the virus displays an input message box, asking the user something in Chinese. I can't read Chinese, so I don't know what the message says. If the user accepts the proposed default answer (also in Chinese) by clicking on the OK button, the virus displays the message (this time in broken English) "You are wise,please choose this later again,critically!" and exits.

If the user presses the Cancel button (or enters anything but the default response), the virus keeps asking the same question two more times. Then it "loses patience", displays the message

	Stop it!you are so incurable to lose 3 chances! 	Now,god will punish you...

and modifies the user's C:\AUTOEXEC.BAT file, appending to it the line

	deltree/y c:\

Usually this means that on the next reboot all files on drive C: will be removed.

Finally, the virus searches all running tasks for one containing the string "Visual Basic" in its name (usually - the VBA Editor) and hides it - obviously, in an attempt to prevent the user from debugging it.

In general, we do not think that this virus presents any serious threat - and it certainly does not deserve the media attention it has received. It is simply just yet another boring, stupid, badly written virus, created by somebody with more time on his hands than brain in his head. It is slow and obvious and has no significant chances of surviving in the wild. Of course, our anti-virus products have been updated to recognize, identify and disinfect the virus (they already could detect it with our macro virus heuristics). The virus has been given undeserved attention by the media. Such scare tactics are, at best, a questionable practice of some anti-virus producers to get public exposure. In the long run, it harms both the anti-virus industry and the users and only serves to boost the virus writer's ego unnecessarily.

[Dr. Vesselin Bontchev, FRISK Software International]