Virus:W97M/Tookiechief.E is a minor variant of Virus:W97M/Tookiechief.A. It is a Microsoft Office Word 97 macro virus that infects Word 97 documents and also steals personal files by uploading selected documents to a remote FTP server.
Installation
This virus is present in infected documents and templates in a VBA macro module called 'cdrom'. If the macro is allowed to execute, the virus infects the global template (NORMAL.DOT), and all documents used in the infected Word environment. Documents are infected as they are opened.
The virus performs different functions by hooking the Word events for opening files, closing files, and exiting Word.
The virus drops a template copy of itself as 'C:\Windows\cookies\cdrom.dot'.
Payload
This macro virus carries two payloads. One is to lower the macro security settings of the Word environment, and the other is to collect documents containing keywords, and upload them to a remote FTP site.
Lowers MS Word Macro Security Settings
If the virus code is allowed to perform its routines, it lowers Word macro security by modifying the following registry values:

Within the subkey:
HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security

it sets these values:
AccessVBOM = 1
Level = 1
The virus then blocks changing macro security via Word menu choices by
Alters Word Environment Settings
This virus changes settings in Word by setting environment values from within the VBA macro code:
- disable the prompt to save NORMAL.DOT upon modification
- disable screen updating (status bar notification)
- disable the 'Cancel' key
- disable "Read-only recommended" for the current document
Steals Sensitive Information
Virus:W97M/Tookiechief.E searches infected documents for strings from the following list:
Prova
avaliação
copeve
concurso
exceto
exame
If a document contains any of these strings, the virus copies it to the folder 'C:\Windows\cookies' under the same name but with the extension .JPG. The virus then deletes that document's entry in the 'recent files' list.
When closing infected documents, the virus deletes all listed entries of files with extension .JPG and .DOT from the recent files list. When MS Word is closed, the virus creates an FTP script and a Batch script to send the collected files to a remote FTP server named 'ocdrom.servegame.com'. To perform this function, the virus:
- Creates 2 files under the c:\windows\cookies\ folder:
  c%d.bat - Batch script instructions for the command-line FTP.EXE
  c%d.ftp - FTP import script
  where '%d' stands for a randomly picked letter
- Executes the previously dropped Batch script file in a hidden console window, which uploads every .JPG file in the c:\windows\cookies\ folder (the previously copied and renamed Word 97 documents containing the above keywords) to the server specified in the FTP import script file.
Lastly, the virus deletes all listed entries of files with extension .JPG and .DOT from the recent files list.
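The indicators in this description (the two lowered values under the Word 10.0 Security key, Word documents staged as .JPG files in the 'cookies' folder, the dropped 'cdrom.dot' template, and the c?.bat / c?.ftp script pair) can be turned into a small host triage check. The following Python script is an added example and not part of the original write-up or of any vendor tool. It assumes the registry values have already been read or exported into a dict (so it runs on any platform), and the sample folder it builds is constructed for demonstration; the file names, the 'Level' meanings (1 = Low, 2 = Medium, 3 = High for Word 2002) and the 'c' + one letter script naming follow the text above.

```python
"""Triage helper for the W97M/Tookiechief.E indicators described above.
Added example, not code from the original write-up."""
import re
import tempfile
from pathlib import Path

# OLE2 compound-document signature shared by Word 97-2003 .DOC/.DOT files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
# Start-of-image marker of a genuine JPEG; used to build the clean sample file.
JPEG_MAGIC = b"\xff\xd8\xff"

SECURITY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"
LEVEL_NAMES = {1: "Low", 2: "Medium", 3: "High"}  # Word 2002 'Level' values
# Dropped script names from the text: 'c' + one random letter + .bat / .ftp
SCRIPT_NAME = re.compile(r"^c[a-z]\.(bat|ftp)$", re.IGNORECASE)
DROPPED_TEMPLATE = "cdrom.dot"


def assess_security_values(values):
    """Return findings for a dict of values taken from SECURITY_KEY.

    Values are passed in (rather than read with winreg) so the check also runs
    against values exported from a host under investigation."""
    findings = []
    level = values.get("Level")
    if level == 1:
        findings.append(f"Level=1 ({LEVEL_NAMES[1]}): macros run without prompting")
    if values.get("AccessVBOM") == 1:
        findings.append("AccessVBOM=1: access to the VBA project is trusted")
    return findings


def find_staged_documents(folder):
    """List .jpg files in `folder` whose content is an OLE2 document, not a JPEG."""
    hits = []
    for path in sorted(Path(folder).iterdir()):
        if not path.is_file() or path.suffix.lower() != ".jpg":
            continue
        with path.open("rb") as fh:
            head = fh.read(len(OLE2_MAGIC))
        if head == OLE2_MAGIC:
            hits.append(path.name)
    return hits


def find_upload_scripts(folder):
    """List files matching the c?.bat / c?.ftp naming used for the FTP upload."""
    return sorted(p.name for p in Path(folder).iterdir()
                  if p.is_file() and SCRIPT_NAME.match(p.name))


def triage(folder, security_values):
    """Combine all checks into one report dict."""
    folder = Path(folder)
    return {
        "registry": assess_security_values(security_values),
        "staged_documents": find_staged_documents(folder),
        "upload_scripts": find_upload_scripts(folder),
        "dropped_template": (folder / DROPPED_TEMPLATE).is_file(),
    }


def build_sample_folder(root):
    """Construct a folder mimicking the indicators (sample data, not real files)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "prova.jpg").write_bytes(OLE2_MAGIC + b"\x00" * 24)  # renamed Word doc
    (root / "photo.jpg").write_bytes(JPEG_MAGIC + b"\x00" * 24)  # real JPEG, not flagged
    (root / DROPPED_TEMPLATE).write_bytes(OLE2_MAGIC + b"\x00" * 24)
    (root / "cq.bat").write_text("(constructed placeholder)\n")
    (root / "cq.ftp").write_text("(constructed placeholder)\n")
    return root


def demo(security_values=None):
    """Run triage over a constructed sample folder and return the report."""
    if security_values is None:
        security_values = {"Level": 1, "AccessVBOM": 1}  # as set by the virus
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_folder(Path(tmp) / "cookies")
        return triage(sample, security_values)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On a live Windows host the dict for `assess_security_values` would come from `winreg` or a `reg export` of the key above, and `triage` would be pointed at C:\Windows\cookies; a document magic check is used rather than a file-name check because the renamed documents keep an innocuous .JPG extension.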