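Virus name: w97m_class_d
Aliases: W97M/Class.D, Word97Macro.Class
Virus characteristics:
The virus replicates by infecting Word 6.x/7.x running on the Windows and Macintosh platforms. It is activated when an auto macro runs. Upon first infection, the virus exports its code to the ASCII file C:/CLASS.SYS. If an infected file is run on the 14th of any month from May through December, a message box is displayed with the following content: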
- Class.Poppy X
I Think " (word97 reg. User name) " is a big stupid jerk!
OK
At the same time, the virus modifies the registered user and registered organization information at the following location:
HKLM/Software/Microsoft/Windows/CurrentVersion
RegisteredOwner="VicodinES/VB/TNN"
RegisteredOrganization="-(Dr. Diet Mountain Dew)
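A triage check for the indicators listed above, as an added example that is not part of the original entry. It assumes the registry is supplied as a REGEDIT4 text export and the file system as a list of paths; the function names and the sample data are constructed for illustration, and the standard Windows value name RegisteredOwner is assumed.

```python
import re

# Indicators taken from the description above.
REG_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
OWNER_IOC = "VicodinES/VB/TNN"
ORG_IOC_PREFIX = "-(Dr. Diet Mountain Dew)"  # the entry shows this value cut short, so match as a prefix
DROPPED_FILE = r"c:\class.sys"

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"\s*$')

def parse_reg_export(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # string (REG_SZ) values only; dword/hex entries are skipped
                data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
                current[m.group("name").lower()] = data
    return keys

def find_indicators(reg_text, file_paths):
    """List which of the entry's indicators appear in a registry export and file listing."""
    hits = []
    values = parse_reg_export(reg_text).get(REG_KEY, {})
    if values.get("registeredowner") == OWNER_IOC:
        hits.append("RegisteredOwner")
    if values.get("registeredorganization", "").startswith(ORG_IOC_PREFIX):
        hits.append("RegisteredOrganization")
    if any(p.replace("/", "\\").lower() == DROPPED_FILE for p in file_paths):
        hits.append("CLASS.SYS")
    return hits

# Constructed sample input (not captured from a real host).
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProductName"="Microsoft Windows 98"
"RegisteredOwner"="VicodinES/VB/TNN"
"RegisteredOrganization"="-(Dr. Diet Mountain Dew)"
'''
SAMPLE_FILES = ["C:/CLASS.SYS", r"C:\AUTOEXEC.BAT"]

if __name__ == "__main__":
    print(find_indicators(SAMPLE_REG, SAMPLE_FILES))
```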
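This virus is very similar to the KRIZ.3836 virus. The differences are that some routines have been added and that the destructive routine is activated if the SoftICE debugger is installed on the system. The strings contained in the virus also differ; this virus carries the string: T-2000 / Immortal Riot.
When a program file infected with this virus is executed, the virus first infects KERNEL32.DLL. After that, each time Windows starts, the virus immediately becomes memory resident and infects every Win32 executable.
Before each infection the virus checks the file name; if it matches one of the following, the infection does not take place. (AVP32.EXE,avpm.exe,AlertSvc.exe,AMON.EXE,AVP32.EXE,AVPM.EXE,N32SCANW.EXE,NAVAPSVC.EXE,NAVAPW32.EXE,NAVLU32.EXE,NAVRUNR.EXE,NAVWNT.EXE,NOD32.EXE,npssvc.exe,NSCHEDNT.EXE,NSPLUGIN.EXE,SCAN.EXE,SMSS.EXE)
The virus has a highly destructive payload. When it triggers on December 25, it destroys the CMOS data, writes garbage data to all files on the infected machine, and corrupts the Flash BIOS. The virus uses a stealth technique to encrypt its code; after decryption, the following text can be found in the virus body: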
=( 【c】 1999 【t】 )=
YOU CALL IT RELIGION, YOU'RE FULL OF SHIT
YOU NEVER KNEW, YOU NEVER DID, YOU NEVER WILL
YOU'RE SO FULL OF SHIT, I DON'T WANT TO HEAR IT
ALL YOU DO IS TALK ABOUT YOURSELF
I DON'T WANNA HEAR IT, COZ I KNOW NONE OF IT'S TRUE
I'M SICK AND TIRED OF ALL YOUR GODDAMN LIES
LIES IN THE NAME OF GOD
WHEN ARE YOU GOING TO REALIZE THAT I DON'T
WANT TO HEAR IT?!
I KNOW YOU'RE SO FULL OF SHIT, SO SHUT YOUR FUCKING MOUTH
YOU KEEP ON TALKING, TALKING EVERYDAY FIRST YOU'RE TELLING STORIES, THEN YOU'RE TELLING LIES
WHEN THE FUCK ARE YOU GOING TO REALIZE THAT I DON'T WANT TO HEAR IT!!
AH, SHUT THE FUCK UP...