Classification

Category :

Malware

Type :

Virus

Platform :

W97M

Aliases :

Osm

Summary

W97M/Osm.A is a companion macro virus discovered at the end of May 1999. It doesn't infect "Normal.dot" or documents. This macro virus replicates attaching a template "Default.dot" in the documents. This template is a separate file that contains the macro virus code.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When an infected document is opened, the virus attempts to copy the "Default.dot" file from the active document's directory to the Word's startup directory with the name "Startup.dot". This way the macro virus code executes every time when Word is opened. Once installed the virus replicates by copying the "Startup.dot" as "Default.dot" to the active document's directory, and attaching this template to the document during the save operation.

The virus will not spread further on another computer if the "Default.dot" template is deleted and the user opens the document.

W97M/Osm.A virus hides the "Tools/Macro" dialog by creating its own dialog box similar to the original one. Any attempt to change or create a macro fails and the virus shows a message box:

You do not have permission to create macros on this computer.

The virus code is invisible via "Tools/Macro/Visual Basic Editor", because the template project is originally password protected.

Additionally the attached template contains a hidden embedded executable file "A:\osm32.EXE" that contains a dropper of Back Orifice trojan which is infected twice with W95/Marburg.8582 virus. The macro virus executes this embedded file by activating it, using Visual Basic command.

Since the embedding of the executable file contains the reference to drive "A:", the virus may cause an error when the macro virus is executed from another drive or directory. However, this doesn't stop the macro virus to replicate and to execute the infected embedded executable file.

As a result of all these attached and embedded virus codes, the macro virus will cause infection with tree different viruses/trojans.