Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: VMPCK1, VMPC-based

Summary

This is a family of Word viruses generated with a macro virus construction kit.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Variant:VMPCK1.E

Cartman, Poppy, Kenny

Cartman is a Word 97 macro virus similar to Blee.B. This virus appeared at the beginning of January 1998. The virus makes several references to the TV comic series "South Park" and its character "Kenny".

Like Blee.B, this virus changes the document Summary Info, but the information inside is different:


 Author = "VicodinES"
Title = "Another W97M/Cartman.Poppy Infected Document"
Subject = "Macro Virus Infection by The Narkotic Network"
Comments = "Hello from VicodinES and The Narkotic Network
...we mean you no harm"
Keywords = " | VicodinES | Klonopin.Jones | Fastin.Blee | "
 

The virus contains the following text, which it never displays:


 W97M/Cartman.Poppy
By VicodinES (The Kyle of The Virus Underground)
Macro Virus for Word 97
"The Fat-a** Macro97 Engine v2.3 featuring Starvin'
Marvin Technology"
 

Cartman creates the msfile.bat file, executes it and then deletes it. If the global template is write-protected, msfile.bat tries to delete all files from the c:\progra~1\micros~1\templa~1 and c:\progra~1\micros~2\templa~1 directories.

Any attempt to open either the Tools/Macro or the Tools/Templates menu will destroy all information in the active document. In this case, Cartman displays a dialog box prompting the user to save the file, and then it tries to connect to the Yahoo web site, searching for:

http://www.yahoo.com/News_and_Media/Television/Shows/Cartoons/South_Park/
 

Finally Cartman displays a message box with the following text:

The Narkotic Network

You Killed Kenny, You Bastard!

OK
 

After this, the virus exits Word.

If there are no documents currently open in Word, the virus does not attempt to connect to Yahoo. It will only display the same message box.

Variant:VMPCK1.I

Edds

W97M/VMPCK1.I gets control when an infected document is opened. At this point it disables the built-in macro virus protection and infects the global template.

After that every document opened in Word will be infected.

This virus has a destructive payload that activates every Thursday. On that day, it replaces "c:\autoexec.bat" with the following text file:

This should be your Autoexec.bat file

 But now, I'm afraid, it's just a text file

 That will teach you to feed me with fish

 STOP ALL NUCLEAR TESTING IN THE THIRD WORLD
 

When an infected document is saved with "File/Save As" there is a 1/3 chance that the virus displays an input box with the following text:

Hello! I'm Food.Eddshead, and I am hungry! If you want to

 continual using Word you must feed me. Be careful, some foods make

 me ill, and you don't want to make me angry - do you?
 

This dialog can be passed with the pass phrase "chips". However, the phrases "fish", "sausages", "beef burgers" and "ham burgers" will cause the payload to activate at once.

When Word is closed, the virus attempts to infect all documents with the extension ".doc" in the current directory.

Variant:VMPCK1.BG

W97M/VMPCK1.BG is a macro virus that activates when an infected document is opened.

When it gets control, it disables the built-in macro virus protection and the following menu selections: "Tools/Macro", "Tools/Templates & Add-Ins...", "Tools/Customize", "View/Toolbars" and "Edit/Select All".

Then it infects the global template. After that it will infect every document that is created, opened, closed or saved. It also hooks "Tools/AutoCorrect" and "Tools/Options" menus to avoid detection.

This virus has a payload that activates when the minutes of the system time are more than 54 or less than 6. When this happens, the virus switches the setting "Tools/Options/General/Blue background, white text" on and adds a number of AutoCorrect entries in different colors.

Variant:VMPCK1.BR

W97M/VMPCK1.BR is a slightly modified variant of W97M/VMPCK1.BG.

Variant:VMPCK1.BU

W97M/VMPCK1.BU is a slightly modified variant of W97M/VMPCK1.I.

Variant:VMPCK1.BY

When an infected document is opened, W97M/VMPCK1.BY creates a temporary file "C:\XIX.DRV" and infects the global template. After that it infects every document that is opened.

The virus makes the following modifications to the document summary information:

Author: "VOTA NAO A REGIONALIZACAO! SIM AO REFORCO DO MUNICIPALISMO!"
Subject: "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!"
Comments: "A REGIONALIZACAO E UM ERRO COLOSSAL!"
 

Furthermore, it hooks the "Tools\Macros\Macro", "Tools\Macros\Visual Basic Editor" and "File\Templates" menu selections, making them unusable. When the virus infects a document, or when the user attempts to access one of the menus mentioned above, there is a 1:100 chance that the virus displays a message box with the following text:

Dia 8 de Novembro VOTA NAO a regionalizacao!
 

W97M/VMPCK1.BY hooks the "Help/About" menu as well, replacing the About dialog with a message box:

Joao Jardim x8?! Porra! Dia 8 Vota NAO!
 

On the 8th day of each month the virus activates its payload. The payload searches for the text:

sim
 

and replaces it with the following text:

nao a regionalizacao!
 

Then the virus removes the "Edit/Undo", "Edit/Repeat Replace..." and "Edit/Replace..." menu selections and saves the active document.

Variant:VMPCK1.DD

W97M/VMPCK1.DD is similar to W97M/VMPCK1.BY.

This variant replaces the "Help/About" dialog with a message box that contains the following text:

CAPut!
by --=|| N|c0t|N ||=-- (c) 1998
 

It also hooks "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus with a message box:

Word Basic Err = 7
 

W97M/VMPCK1.DD activates its payload at random times. When the payload activates, the virus replaces all occurrences of "19" in the active document with the text "CAPut!'".

The virus also replaces the comment from the document summary with the text:

JU$t bEEn CAPuted!
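
The summary-information changes listed above for VMPCK1.E, VMPCK1.BY and VMPCK1.DD can be used as triage markers when reviewing old Word documents. The following is an added example, not F-Secure's detection logic: it assumes the properties have already been extracted from the document into a dict by an OLE metadata tool, and the accent folding is an assumption made because this page prints the Portuguese strings without diacritics.

```python
import unicodedata

# Summary-information markers quoted in this description, per variant.
MARKERS = {
    "VMPCK1.E": {
        "author": "VicodinES",
        "title": "Another W97M/Cartman.Poppy Infected Document",
        "subject": "Macro Virus Infection by The Narkotic Network",
        "keywords": "| VicodinES | Klonopin.Jones | Fastin.Blee |",
    },
    "VMPCK1.BY": {
        "author": "VOTA NAO A REGIONALIZACAO! SIM AO REFORCO DO MUNICIPALISMO!",
        "subject": "JOAO JARDIM x8?! PORRA! DIA 8 VOTA NAO!",
        "comments": "A REGIONALIZACAO E UM ERRO COLOSSAL!",
    },
    "VMPCK1.DD": {"comments": "JU$t bEEn CAPuted!"},
}


def fold(value):
    """Normalise a property value: decode, strip accents, collapse spaces, casefold."""
    if isinstance(value, bytes):
        # Summary properties are often returned as code-page bytes (assumed cp1252).
        value = value.decode("cp1252", errors="replace")
    decomposed = unicodedata.normalize("NFKD", value or "")
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(no_marks.split()).casefold()


def match_summary(props):
    """Return {variant: [matched field names]} for a dict of summary properties."""
    folded = {name.lower(): fold(value) for name, value in props.items()}
    hits = {}
    for variant, fields in MARKERS.items():
        matched = [field for field, marker in fields.items()
                   if fold(marker) in folded.get(field, "")]
        if matched:
            hits[variant] = sorted(matched)
    return hits
```

A single matched field (for example only the author) is a weak signal; several matched fields for the same variant are a much stronger reason to quarantine the document and scan it.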