W97M/Omni.A
Analysis
Specifics
The virus consists of a single macro module named "Ahlghee".
This macro hooks Word system events in order to capture
control. The virus has a date-activated payload which
could result in deletion of files from the "C:\Windows"
folder. The virus may write a source code file into
the Windows folder as "Ahlghee.vbs".
Word Action Hooks
The virus uses auto-run macros and routines named after
Word menu items to gain control when infected Word
documents are opened or closed, hooking the following -
Organizer
Tools|Options
Tools|Macro
Tools|Customize
Tools|Customize|Keyboard
VBEditor
Autoexec
Autoopen
Fileopen
Filesave
Filesaveas
Fileclose
Fileexit
File Deletion Payload
When working with infected documents on the 2nd, 11th
or 27th of any month, the virus may carry out instructions
to delete the following files -
C:\Windows\Ahlghee.vbs
C:\Windows\Drvspace.exe
C:\Windows\emm386.exe
C:\Windows\System.ini
C:\Windows\Explorer.exe
C:\Windows\Emm386.exe
C:\Windows\Loadqm.exe
C:\Windows\Msnmgsr1.exe
C:\Windows\Net.exe
C:\Windows\Netdde.exe
C:\Windows\NbtStat.exe
C:\Windows\NetStat.exe
C:\Windows\Progman.exe
C:\Windows\Setdebug.exe
C:\Windows\Taskman.exe
C:\Windows\Telnet.exe
C:\Windows\Tracert.exe
The delete instructions are issued through WScript, so the payload only functions if WScript.exe is present on the target system.
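The hook names listed under "Word Action Hooks" and the date-keyed deletion payload described above can be turned into a triage check over VBA source that has already been extracted from a document (for example with a macro dump tool). The Python below is an added example and is not part of the original entry or of any vendor tool: the auto-macro names come from the list above; the menu-intercept routine names (ToolsMacro, ToolsOptions, ToolsCustomize, ToolsCustomizeKeyboard, ViewVBCode) are my assumed mapping of the listed menu items to Word command names; SAMPLE_MACRO and BENIGN_MACRO are constructed skeletons written for the example, not virus code.

```python
import re
from datetime import date

# Word auto-run macro names from the write-up, in Word's usual casing.
AUTO_MACROS = ["AutoExec", "AutoOpen", "FileOpen", "FileSave",
               "FileSaveAs", "FileClose", "FileExit"]

# ASSUMPTION: routine names a macro would declare to intercept the menu
# items the write-up lists (Tools|Macro, Tools|Options, Tools|Customize,
# Tools|Customize|Keyboard, VB Editor).
MENU_INTERCEPTS = ["ToolsMacro", "ToolsOptions", "ToolsCustomize",
                   "ToolsCustomizeKeyboard", "ViewVBCode"]

# Days of the month on which the write-up says the deletion payload may fire.
TRIGGER_DAYS = (2, 11, 27)

# File names the write-up lists as deletion targets (case-insensitive, deduplicated).
DELETION_TARGETS = ["Ahlghee.vbs", "Drvspace.exe", "Emm386.exe", "System.ini",
                    "Explorer.exe", "Loadqm.exe", "Msnmgsr1.exe", "Net.exe",
                    "Netdde.exe", "NbtStat.exe", "NetStat.exe", "Progman.exe",
                    "Setdebug.exe", "Taskman.exe", "Telnet.exe", "Tracert.exe"]

_SUB_DECL = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(",
                       re.IGNORECASE | re.MULTILINE)


def declared_subs(src):
    """Names of every Sub/Function procedure declared in the VBA source text."""
    return [m.group(1) for m in _SUB_DECL.finditer(src)]


def referenced_targets(src):
    """Which of the listed deletion targets are mentioned anywhere in the source."""
    low = src.lower()
    return [t for t in DELETION_TARGETS if t.lower() in low]


def scan_vba_source(src):
    """Score extracted VBA text against the indicators described in the write-up.

    The scan is deliberately textual (comments included): a dumped macro is
    being triaged, not executed.
    """
    subs = {s.lower() for s in declared_subs(src)}
    auto = [n for n in AUTO_MACROS if n.lower() in subs]
    menu = [n for n in MENU_INTERCEPTS if n.lower() in subs]

    indicators = []
    if re.search(r"\bAhlghee\b", src, re.I):
        indicators.append("module/file name 'Ahlghee'")
    if re.search(r"\bWScript\b", src, re.I):
        indicators.append("WScript usage")
    if re.search(r"\.vbs\b", src, re.I):
        indicators.append("reference to a .vbs file")
    if re.search(r"Day\s*\(\s*(?:Now|Date)\b", src, re.I):
        indicators.append("day-of-month check (date-keyed payload)")

    score = len(auto) + len(menu) + 2 * len(indicators)
    return {
        "auto_macros": auto,
        "menu_intercepts": menu,
        "indicators": indicators,
        "targets": referenced_targets(src),
        "score": score,
        # An auto-run hook on its own is common in legitimate templates; it is
        # the combination with menu interception or payload indicators that matters.
        "suspicious": bool(auto and (menu or indicators)),
    }


def is_trigger_day(d=None):
    """True on the 2nd, 11th or 27th, the days the deletion payload may fire."""
    d = d or date.today()
    return d.day in TRIGGER_DAYS


# Constructed skeleton mimicking the structure the write-up describes; not virus code.
SAMPLE_MACRO = """
Attribute VB_Name = "Ahlghee"
Sub AutoOpen()
    ' ... infection logic omitted in this constructed sample
End Sub
Sub FileClose()
    If Day(Now) = 2 Or Day(Now) = 11 Or Day(Now) = 27 Then
        ' payload handed to WScript via C:\\Windows\\Ahlghee.vbs
    End If
End Sub
Sub ToolsMacro()
    ' intercepts Tools|Macro so the module is not listed
End Sub
"""

# Constructed benign template macro for comparison.
BENIGN_MACRO = """
Sub AutoOpen()
    MsgBox "Welcome to the template"
End Sub
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(label, scan_vba_source(text))
    print("payload day today:", is_trigger_day())
```

Run it on the output of a macro dump rather than on the document itself; the "suspicious" flag only fires when an auto-run hook coincides with menu interception or payload indicators, so ordinary AutoOpen templates score low.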
Word-proofing Payload
If spell-checking (the Spelling and Grammar tool button)
is performed in an infected Word environment, the virus
may replace the word "Sir" with the word "John".
This is carried out in all open documents.
Recommended Action
- Check the main screen using the web interface for
your FortiGate unit to ensure that the latest AV/NIDS
database has been downloaded and installed on your
system - if required, enable the "Allow Push
Update" option
- Delete the file "Ahlghee.vbs" from the Windows folder