Welcome to the Virus Encyclopedia of Panda Security.
Clippo.A puts a password to all the Office documents it finds in the computer and even in the removable drives, so that users cannot open them.
This way users will have to enter a password when they want to open Word or Excel documents, PowerPoint presentations or Outlook emails.
Unlike other similar malware samples, the purpose of this worm is not to obtain financial gains but just to annoy users, as it does not request any rescue for providing the password.
Clippo.A puts the same password to all the Office files and in the code of the worm it can be easily found, as can be seen in the image below:
The password, in a red square, is 721709031350.
Clippo.A creates the file FILM.EXE, in the root directory of the C: drive. This file is a copy of the worm and has the icon of a Windows folder:
Additionally, it creates copies of itself with the names PICTURE.EXE and SOUND.EXEin the mapped and removable drives, and in the folders it finds.
On the other hand, it creates a script called 1.VBE in the root directory of the C: drive, which copies the Windows Registry entry it modifies to be run whenever the computer is started, as can be seen in the following image:
Clippo.A modifies the following entry from the Windows Registry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
It changes this entry to:
load = c:\film.exe
By modifying this entry, Clippo.A ensures that it is run whenever Windows is started.
Means of transmission
Clippo.A spreads making copies of itself in the system drives, both removable and mapped drives. The names it uses to copy are PICTURE.EXE and SOUND.EXE.
Clippo.A is 86,016 bytes in size.>