| Description:
|
Details
Macro.Word.Prizm
This is an encrypted Word macro-virus. It contains nine macros: PRiZM, AutoExec, AutoOpen, FileOpen, FileSave, FilePrint, FileSaveAs, ToolsMacro, and FileTemplates.
It is based on the "Word.Cap" virus, has a similar structure and instructions set. It replicates upon document opening, closing, and saving.
While printing, the virus appends a string to the end of the document that is printed:
Battle of life. Capital!!!
The virus has an unusual method of infection. While infecting, the virus performs several steps, uses the system registry, and drops an additional EXE file. The infection routine is placed in the virus' code as a set of text strings that are DDE (Dynamic Data Exchange) instructions. If needed, the virus executes them, and these instructions copy the virus' code to target the documents and templates.
To execute its DDE instructions, the virus saves them to the system registry in the "HKEY_CLASSES_ROOT###fileshellopenddeexec". The virus then registers a new extension "###", and sets DDEEXEC as a handler of files with such an extension.
The virus then creates a randomly named EXE file in the Windows temporary directory, and writes a short program into it. This program only creates and opens the "PRiZM.###" file. This file-name extension is linked with DDEEXEC, and as a result, Windows activates the virus, DDE instructions, executes them and they copy the virus code to a victim file. |
