Virus

W97M/Ramiel.A@mm

Analysis

  • Infects Microsoft Word 97 and later Word documents.
  • Polymorphic mass-mailing Word macro virus.
  • As its polymorphic mechanism, it inserts a line of randomly-generated characters between every other line of its own source code, so that no two infected copies share the same byte sequence.
  • Inside Microsoft Word:

    Disables Macro virus protection
    Disables Tools|Macro toolbar and hotkey
    Disables Tools|Templates and Add-ins... and hotkey
    Disables Tools|Customize and hotkey
    Disables Tools|Options and hotkey

  • Disables the Alt+F11 (VBA Editor) hotkey. If the user attempts this key combination, a dialog box with the following text is displayed:

    Se Trato de acceder a un componente no valido

  • Upon infecting a document, sets or changes the document properties to:

    Author: Machinedramon
    Subject: Ramiel
    Comments: Derechos Reservados
    Organization: GEDZAC

    Marcas Registradas: GEDZAC
    Hecho en el Peru, Calidad Mundial
    Sachiel2015@latinmail.com

    Contrasenas: Ramiel, leimaR, Rlaemi

  • If it is the 3rd day of the week (Tuesday), inserts the following text into the document:

    Mientras Dios se quede en su cielo, todo en la tierra estara bien. Geofronte - Dist 1 de Tokio3 Ramiel

  • If it is the 21st day of the month, sets Application username to "Ramiel", and sets the document password to one of the three following passwords:

    Ramiel
    leimaR
    Rlaemi

  • As an aside, December 21st, 2004 falls on a Tuesday and is also the 21st, so both of the above trigger conditions apply on that date.
  • Contains code that uses Microsoft Outlook to send itself as an email attachment to every address found in the Outlook Address Book. The subject and message body are chosen at random from the following possibilities:

Subject

Articulo de interes
Te envio este documento
Encontre un articulo interesante
Consejo
Preocupacion

Message Body

Te envio este articulo, tal vez te interese,
me escribes para saber como te parecio
Adios

Quisiera que me des tu opinion sobre este documento,
que te envio, espero tu opinion
Adios

Te envio este articulo lo encontre
en una paginaWeb y lo copie en word,
tal vez te sea de utilidad
Adios

Hola, nesecito que me des tu opinion sobre un asunto,
Te envio el documento que recibi, lo pase a Word
estoy indeciso, te agradeceria si me dieras tu opinion, Adios

Me tiene preocupado un documento que recibi, lo transcribi a computadora
quisiera que me des tu opinion, tal vez no sea para tanto.
Adios

  • Sets the Internet Explorer start page to:

    http://www.gratisweb.com/machinedramon1/sachiel.jpg.scr.

  • When the user launches Internet Explorer, the browser loads this site, from which the file sachiel.jpg.scr is downloaded and executed. The page referenced above is no longer active.
  • Scans the Windows registry for the following known entries of common antivirus and firewall products. For each entry that is found, the virus attempts to delete "*.exe" within the referenced path in an attempt to disable the application.

    HKEY_LOCAL_MACHINE\Software\Hacksoft\The Hacker Anti-Virus\THDAT\
    HKEY_LOCAL_MACHINE\Software\PER Systems\PER Antivirus\Instalación\dirPrincipal
    HKEY_LOCAL_MACHINE\Software\Command Software\F-PROT32\Location
    HKEY_LOCAL_MACHINE\Software\FRISK Software International\FP-Win\Program Root
    HKEY_LOCAL_MACHINE\Software\McAfee\VirusScan\Location
    HKEY_LOCAL_MACHINE\Software\Cybec\VET Antivirus for Win32\Resident\VetPath
    HKEY_LOCAL_MACHINE\Software\ALWIL Software\Avast32\Path
    HKEY_USERS\.DEFAULT\Software\MooSoft Development\The Cleaner\tcshellex
    HKEY_LOCAL_MACHINE\Software\Panda Software\Panda Antivirus 6.0\Path
    HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\100\Folder
    HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV
    HKEY_LOCAL_MACHINE\Software\Norman Data Defense Systems\RootPath
    HKEY_LOCAL_MACHINE\Software\ComputerAssociates\Anti-Virus\Resident\VetPath
    HKEY_LOCAL_MACHINE\Software\Zone Labs\ZoneAlarm\InstallDirectory
    HKEY_LOCAL_MACHINE\Software\Network ICE\BlackICE\Installer
    HKEY_LOCAL_MACHINE\Software\TinySoftware\Tiny Personal Firewall\2.00\DestPath
    HKEY_LOCAL_MACHINE\Software\Sygate Technologies, Inc.\Sygate Personal Firewall\smc_install_path

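The two date-based payloads above (the Spanish text on a Tuesday, the username change and document password on the 21st) are easy to get wrong when planning a detonation or reproducing the behaviour in a sandbox, because VBA's Weekday() numbers Sunday as 1 while most other environments number from Monday. The following Python is an added example, not part of this description or of the virus code; it applies the two conditions exactly as stated and enumerates every date in a year on which both fire, generalising the single December 21st, 2004 coincidence noted above.

```python
from datetime import date

# Python's date.weekday() numbers Monday as 0, so Tuesday is 1.
# VBA's Weekday(Date) with the default vbSunday numbers Sunday as 1,
# which is why the text calls Tuesday the "3rd day of the week".
TUESDAY = 1


def ramiel_triggers(d: date) -> set:
    """Names of the date-based payloads described above that fire on day d."""
    fired = set()
    if d.weekday() == TUESDAY:
        fired.add("insert_text")    # Spanish sentence inserted into the document
    if d.day == 21:
        fired.add("set_password")   # username set to Ramiel, document password set
    return fired


def double_trigger_dates(year: int) -> list:
    """All dates in the given year on which the 21st falls on a Tuesday,
    i.e. both payloads fire together (the December 21st, 2004 case above)."""
    return [d for d in (date(year, m, 21) for m in range(1, 13))
            if d.weekday() == TUESDAY]


if __name__ == "__main__":
    print(sorted(ramiel_triggers(date(2004, 12, 21))))
    for d in double_trigger_dates(2004):
        print(d.isoformat())
```

Running the block for 2004 lists two dates, September 21st and December 21st; an incident responder detonating a sample on any other day will see at most one of the two payloads.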
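Because each infection inserts a fresh line of random characters between every other line of the macro, a plain hash of the extracted VBA source differs between infected documents and is useless as an indicator. A normaliser that drops the inserted lines before hashing restores a stable fingerprint. The following Python is an added example, not code from this description or from the virus; it assumes (the text does not say) that the inserted lines are VBA comments, since a line of random characters can only be added to working macro code as a comment, and the two macro variants are constructed, benign samples written for this example.

```python
import hashlib
import re

# ASSUMPTION (not stated in the description): the random lines inserted by
# the virus are VBA comments, introduced with an apostrophe or the Rem keyword.
COMMENT_LINE = re.compile(r"^\s*(?:'|Rem\b)", re.IGNORECASE)


def normalize_vba(source: str) -> list:
    """Return the macro's meaningful lines: comment-only and blank lines are
    dropped and runs of whitespace are collapsed, so that inserted junk lines
    and re-indentation no longer affect the result."""
    kept = []
    for line in source.splitlines():
        if not line.strip() or COMMENT_LINE.match(line):
            continue
        kept.append(" ".join(line.split()))
    return kept


def raw_hash(source: str) -> str:
    """SHA-256 of the source exactly as extracted (changes with every infection)."""
    return hashlib.sha256(source.encode("utf-8")).hexdigest()


def macro_fingerprint(source: str) -> str:
    """SHA-256 of the normalised source (stable across the inserted junk lines)."""
    return hashlib.sha256("\n".join(normalize_vba(source)).encode("utf-8")).hexdigest()


# Constructed sample: a harmless macro as it might look before infection.
VARIANT_A = """\
Sub AutoOpen()
    Dim n As Integer
    n = Weekday(Date)
    If n = 3 Then MsgBox "Tuesday"
End Sub
"""

# Constructed sample: the same macro with a random comment line inserted
# after every other line, mimicking the polymorphic mechanism described.
VARIANT_B = """\
Sub AutoOpen()
    Dim n As Integer
'kQ7xZpL2mNv9
    n = Weekday(Date)
    If n = 3 Then MsgBox "Tuesday"
Rem a8HdR3wYq1ePzT
End Sub
"""


if __name__ == "__main__":
    print("raw hashes equal:   ", raw_hash(VARIANT_A) == raw_hash(VARIANT_B))
    print("fingerprints equal: ", macro_fingerprint(VARIANT_A) == macro_fingerprint(VARIANT_B))
```

The raw hashes of the two variants differ while the normalised fingerprints match, which is the property a detection rule for this family needs. Real macro source would first be extracted from the .doc file's VBA project stream; that extraction step is outside this example.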
Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.