Virus

W97M/Omni.A

Analysis


Specifics
Virus consists of a single macro module named "Ahlghee". This macro hooks Word system events in order to capture control. The virus has a date activated payload which could result in deletion of files from the "C:\Windows" folder. The virus may write a source code file into the Windows folder as "Ahlghee.vbs".


Word Action Hooks
The virus uses auto-run and menu-item named routines to gain run control when opening or closing infected Word documents -

Organizer
Tools|Options
Tools|Macro
Tools|Customize
Tools|Customize|Keyboard
VBEditor
Autoexec
Autoopen
Fileopen
Filesave
Filesaveas
Fileclose
Fileexit


File Deletion Payload
When working with infected documents on the 2nd, 11th or 27th of any month, the virus may carry out instructions to delete the following files -

C:\Windows\Ahlghee.vbs
C:\Windows\Drvspace.exe
C:\Windows\emm386.exe
C:\Windows\System.ini
C:\Windows\Explorer.exe
C:\Windows\Emm386.exe
C:\Windows\Loadqm.exe
C:\Windows\Msnmgsr1.exe
C:\Windows\Net.exe
C:\Windows\Netdde.exe
C:\Windows\NbtStat.exe
C:\Windows\NetStat.exe
C:\Windows\Progman.exe
C:\Windows\Setdebug.exe
C:\Windows\Taskman.exe
C:\Windows\Telnet.exe
C:\Windows\Tracert.exe

The instruction to delete the files is made via WScript, and requires Wscript.exe on the target system in order to function.


Word-proofing Payload
If spell-checking (Spelling and Grammar tool button) is performed in an infected Word environment, the virus may exchange the word "Sir" with the word "John". This is carried out with all open documents.


Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
  • Delete the file "Ahlghee.vbs" from the Windows folder