Subscribe0 0
This virus spreads as an ordinary macro-virus and at the same time, it has the ability for spreading via e-mail. The e-mail spreading routine is very similar to that which the Macro.Word97.Melissa virus uses. Each time the virus gains control, it runs an e-mail-spreading routine. This routine attempts to gain access to the MS Outlook application. If the attempt is successful, the routine creates new e-mail messages sent to the first 50 recipients from each address list in the Outlook address book. The virus messages contain:
Subject: Message FromBody: This document is very Important and you've GOT to read this !!!
The messages also contain an attached infected document.
To prevent duplicate messages being sent from the same computer, the virus creates a registry key. Each time before spreading via e-mail, the virus checks this key and if it is present, the virus does not create messages. The registry key is:
"HKCU\Software\Microsoft\Office\CyberNET" = "(C)1999 - Indonesia by AnomOke!"
The virus has a payload that triggers on 25 December. On this day, the virus overwrites the "C:\AUTOEXEC.BAT" file by putting in commands that attempt to format the C: drive upon the next reboot. The virus then displays the following message:
(C)1999 - CyberNET Vine...Vide...Vice...Moslem Power Never End... You Dare Rise Against Me...The Human Era is Over, The CyberNET Era Has Come !!!
The payload routine also inserts up to 70 different shapes of random colors into the active document.
The virus uses a VAMP-based polymorphic engine that changes variable names in the virus code randomly.
Hot Articles