|
Threat Center |
| Threat Center Threats Explained Threat Encyclopedia Threat Blog Security Tips Case Studies White Papers Newsletter Signup |
W97M/FtipW97M/Ftip is a worm written in Visual Basic. It spreads as an email attachment in the Microsoft Office environment. It arrives as a file ftip.doc in attachment of an email message with subject "elekRE:". In the message body is the following text: Chtel si ftipy, tak tady je mas!!! ;))) [doc] (Meaning: You wanted jokes so here you have some! Outgoing message does not contain viruses. Checked by the AVG anti-virus system (http://www.grisoft.cz). Instead of writing letters doc the worm writes the name of the current computer user. The code of the worm itself starts by two lines with a commentary. In the commentary we can identify the title which the author wanted to give to his creation and his signature. The two lines are as follows: S' W97/2k.i0nSt0rm After reading the infected document in, the worm turns off displaying of warnings that could reveal its presence. It prohibits, for example, displaying errors in Visual Basic, information on macros conversion and anti-virus protection. In addition the worm sets the safety level for Microsoft Office to the value of 1 (the lowest value). That is followed by sending out copies to the first 30 e-mail addresses from the address book. It records the fact that from this computer the worm has already been sent by creating a key in the system registry HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\i0nSt0rm. It sets the value of the registry to ...by gl. This ensures that the worm will not send out more copies. In one of three cases the following window is displayed after the infected document is closed:
PROTECT YOUR COMPUTER!
|
|
Solutions -
Products -
Purchase -
Download -
Support -
Threat Center -
Partners -
Company -
Global Sites
Copyright© 2006 by ESET, LLC. All rights reserved. |