MA-016.111999: W97M/Prilissa Virus
Original Issue Date: 24th November 1999

1.0 DESCRIPTION

    1.1 Overview

    W97M/Prilissa is a modified variant combining two macro viruses, W97M/Pri and W97M/Melissa; it is therefore also known as Melissa.M and Pri.Q. The Prilissa virus is polymorphic and carries several payloads. The first payload runs the first time an infected document is opened: like the Melissa virus, it tries to email an infected document to the first 50 entries in the Microsoft Outlook address book. The second payload triggers on December 25th. On that date the virus modifies one of the startup files so that the C: drive is formatted after the next system reboot (on Windows 9x). On the same day, Prilissa also overlays a random number of randomly shaped objects onto the active document (as the Pri virus does).

2.0 TECHNICAL MATTERS

    2.1 Installation and Functionality

    When an infected document is opened, or when a Microsoft Outlook attachment is opened with macros enabled, the virus immediately does the following:

    1. It disables Word's built-in virus protection and hides the recently used file list in the "File" menu. It also hooks the "Tools/Macros/Macro" and "Tools/Macros/Visual Basic Editor" menus, rendering them unusable.

    2. It then copies itself to the global template, NORMAL.DOT. Once NORMAL.DOT is infected, the virus infects every document at the moment the file is closed in Word.

    3. The virus is polymorphic, so some of the variable and function names in the viral code change on each replication. The virus keeps a list of labels in its code, and on each infection it randomly replaces each label with another label from the list.

    The payloads:

    1. The virus checks for the existence of a registry value. The key and value are:

        Key:   HKEY_CURRENT_USER\Software\Microsoft\Office\
        Value: "CyberNET"="(C)1999 - Indonesia by AnomOke!"

      If the entry is not found, Prilissa tries to email an infected document to the first 50 email addresses in the MS Outlook address book. The message it sends looks as follows:

        Subject: Message From (User Name)
        Body:    This document is very Important
                 and you've GOT to read this !!!

      where "(User Name)" is replaced with the name of the infected user. The message also carries a copy of the infected active document as an attachment.

      After the first payload has run, Prilissa writes the registry value above so that it knows the system has already been infected. If the value already exists, the email propagation is not repeated.

    2. The second payload is very destructive and activates on 25 December of any year. On that date the virus first overwrites "C:\AUTOEXEC.BAT" with commands that format the "C:" drive immediately after the system has been restarted. This payload does not work on Windows NT.

      The new "AUTOEXEC.BAT" also contains the following text:

        Vine...Vide...Vice...Moslem Power Never End...
        Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!

      Once the virus has overwritten "C:\AUTOEXEC.BAT", it shows a message box with the following text:

        Vine...Vide...Vice...Moslem Power Never End...
        You Dare Rise Against Me...The Human Era is Over, The CyberNET
        Era Has Come !!!
        [OK]

      After OK is clicked, a random number of objects of random colour, size and type fill the document as an overlay. The W97M/Pri virus uses the same overlay.
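      The indicators above (the registry marker value, the banner text written into AUTOEXEC.BAT, and the fixed subject and body of the propagation mail) can be turned into a simple host and mail-gateway check. The script below is an added example written for this advisory, not code from MyCERT or from the virus; it runs offline against constructed sample input. The registry dictionary layout, the `.doc` attachment test and the generic `format ... c:` pattern are assumptions of this example, since the advisory does not quote the exact command written to AUTOEXEC.BAT.

```python
import re

# Indicators quoted in the advisory.
MARKER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office"
MARKER_VALUE_NAME = "CyberNET"
MARKER_VALUE_DATA = "(C)1999 - Indonesia by AnomOke!"

AUTOEXEC_BANNERS = (
    "Moslem Power Never End",
    "Terminated By -= CyberNET =- Virus",
)

MAIL_SUBJECT_RE = re.compile(r"^Message From .+", re.IGNORECASE)
MAIL_BODY_MARK = "This document is very Important"

# Assumption: the advisory only says AUTOEXEC.BAT is made to format C:, so
# this is a generic pattern for a line that starts with a format command
# naming the C: drive, not the virus's exact text.
FORMAT_C_RE = re.compile(r"(?im)^\s*format\b.*\bc:")


def has_registry_marker(reg):
    """reg maps a key path to {value name: value data}, e.g. parsed from a
    .reg export.  True when the Prilissa 'already infected' marker is set."""
    values = reg.get(MARKER_KEY, {})
    return values.get(MARKER_VALUE_NAME) == MARKER_VALUE_DATA


def autoexec_findings(text):
    """Return the list of indicator names found in an AUTOEXEC.BAT body."""
    found = []
    if any(banner in text for banner in AUTOEXEC_BANNERS):
        found.append("cybernet-banner")
    if FORMAT_C_RE.search(text):
        found.append("format-c-command")
    return found


def looks_like_propagation_mail(subject, body, attachment_names):
    """Gateway-style check on one message: fixed subject prefix, fixed body
    line and a Word document attached (assumed .doc extension)."""
    has_doc = any(name.lower().endswith(".doc") for name in attachment_names)
    return bool(MAIL_SUBJECT_RE.match(subject)) and MAIL_BODY_MARK in body and has_doc


def read_live_registry_marker():
    """On Windows, read the real value with winreg; elsewhere return None.
    Returns False when the key or value is absent."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Office") as key:
            data, _ = winreg.QueryValueEx(key, MARKER_VALUE_NAME)
            return data == MARKER_VALUE_DATA
    except OSError:
        return False


# Constructed sample input (not captured from a real infection).
SAMPLE_REGISTRY = {MARKER_KEY: {"CyberNET": "(C)1999 - Indonesia by AnomOke!"}}
CLEAN_REGISTRY = {MARKER_KEY: {}}
SAMPLE_AUTOEXEC = (
    "@echo off\n"
    "echo Vine...Vide...Vice...Moslem Power Never End...\n"
    "echo Your Computer Have Just Been Terminated By -= CyberNET =- Virus !!!\n"
    "format c:\n"
)
CLEAN_AUTOEXEC = "@echo off\nPATH C:\\DOS\n"
SAMPLE_MAIL = ("Message From Alice",
               "This document is very Important\nand you've GOT to read this !!!",
               ["report.doc"])

if __name__ == "__main__":
    print("registry marker (sample):", has_registry_marker(SAMPLE_REGISTRY))
    print("autoexec findings (sample):", autoexec_findings(SAMPLE_AUTOEXEC))
    print("propagation mail (sample):", looks_like_propagation_mail(*SAMPLE_MAIL))
    print("live registry marker:", read_live_registry_marker())
```

      The registry marker only tells you that the first payload has already run on that host; the AUTOEXEC.BAT check is the one worth running before a 25 December reboot on Windows 9x machines, since the banner lines appear in the file as soon as the second payload has fired.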

3.0 POSSIBLE STEPS

    3.1 Prevention and Detection

    Follow the guidelines below:

    1. Those who already run antivirus software on their machines are advised to update their antivirus definition files regularly so that the software can detect a new virus before any infection occurs. A list of known antivirus vendors is available on MyCERT's website (http://mycert.mimos.my/anti-virus.htm). Users who have not installed antivirus software on their computers are advised to do so.

    2. Run a virus scan on all downloaded files and software applications before installing or executing them.

    3. Do the same for all email attachments before opening or executing them, even if they come from a known person or source. If in doubt, delete the email, including any copy sent to the Trash folder.

    4. As a precaution, configure your antivirus software to scan all email attachments and downloaded files automatically before they are executed. Remember that infection by this virus can only occur if the file containing the virus is opened with macros enabled.

4.0 MORE INFORMATION

Last Update April 19, 2001