Virus

W97M/Opey.BK

Analysis

Fortinet researchers were made aware of a false-positive detection in some XLS files after updating with v4.469 AV db update. The false-positive was corrected in v4.470 AV db update. Fortinet apologizes for any inconvenience this may have caused.
Specifics
This macro virus is coded for Word97 environments which are also pre-SR1. The virus uses an instruction which is not supported in SR1 update for Office97.
Once the global template NORMAL.DOT becomes infected, all documents created or used on the infected system are at risk of becoming infected with this macro virus.
Antivirus Component Deletion Routine
The virus runs a file deletion routine when its virus code is initiated. The routine attempts to delete the following files -
c:\Program Files\Norton Antivirus\Navw32.exe
c:\PC-Cillin 95\Scan32.dll
C:\Program Files\McAfee\VirusScan95\Mcscan32.dll
C:\Program Files\Command Software\F-PROT95\Dvp.vxd
C:\Program Files\AntiViral Toolkit Pro\*.Wmc
In some cases, the file(s) may not be deleted, particularly if they are in use or in memory.
DoS Routine
The virus carries a denial-of-service attack payload. The method of attack is PING. The virus runs a hidden process of PING against the following web sites -
sentro.com
filipino.com
philippines.com
phil-air-force.com
ncc.gov.ph
The instruction is in the following format -
ping -l 9000 -t undefinedweb site nameundefined
Miscellaneous
This virus exists in a single macro module named "MNLF". The virus uses a method of polymorphism that defeats simplistic VBA module CRC detection methods. The virus inserts a comment line every two lines with the following user-specific system variables -
' + Word User Initials + Infection Date + Infection Time + Word User Name +
Word Printer Name + Infection Date + Infection Time
An example of the comment line might be as follows -
'JB9/22/2004 4:03:56 PMJoe BlowHP PSC1350 on \\PRNSRV9/22/2004 4:03:56 PM

Recommended Action

Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option