VirusW97M/Kolop
Analysis
- The virus is coded in VBA and is infectious to Word97
and above environments
- The virus code activates when closing an infected
document - the virus code hooks the Word event handler
of closing documents
- The virus checks the potential host file for the
presence of the string "'ORAGON" - failing
to locate the string, the virus will assume the host
file is not infected and will attempt to copy its
code to the host file into the class module macro
storage
- The virus will first remove any code from the host
file before infecting it - this in essence would remove
user macros which may exist
- When closing an infected document on the 1st of
any month, the Microsoft Assistant may activate
