Threat behavior
Virus:W97M/Relax.C is a macro virus that infects Microsoft Word documents and templates. It is designed to display a message during the infected computer's boot process at certain times; however, due to an error in the code, the message is never displayed.
Installation
This macro virus can infect the Microsoft Word environment by copying its macro code to the global template ("normal.dot"). Virus:W97M/Relax.C stores a copy of the macro virus as the following temporary file:
C:\temp.tmp
Files opened in the infected Word environment become infected.
Payload
Displays deceptive message
This macro virus has a date-activated payload to display messages during the infected computer's boot process. The date payload is based on the following algorithms:
- If day modulo 100 equals zero
- If month modulo 44 equals zero
If the two above conditions are met, the virus appends instructions to "c:\autoexec.bat" to display the following:
The message is designed to display during the infected computer's boot process when the configuration file "c:\autoexec.bat" is processed. File deletion does not occur.
However, due to an error in the coding, the message are never displayed.
Analysis by Francis Allan Tan Seng
Prevention
