Welcome to the Virus Encyclopedia of Panda Security.
It carries out damaging actions on the affected computer.
It infects Word's global template and documents.
It does not spread automatically using its own means.
Detection updated on: May 2, 2001
W97M/Broken.A is a macro virus, belonging to the W97M group of viruses, that infects Microsoft Word 97 documents as well as the NORMAL.DOT global template that this application uses as a basis for all its documents. This virus uses polymorphic techniques to make it more difficult to detect.
The virus presents two payloads. The first of these payloads consists of a dialog box containing text, displayed when the user accesses the About option in the Help menu in Word. The second payload replaces the text in the current document and disables certain MS Word options.
Some of the polymorphic techniques can be detected, but the virus does not contain a polymorphic engine. This means that, fortunately, the propagation of the virus does not have any polymorphic characteristics.
The virus prevents users from editing macros through the Visual Basic Editor. When users attempt to access this option, the following dialog box is displayed.
This dialog box containing the "Word Basic Err = 7" message is displayed as a result of the execution of the following three macros: Sub ToolMacro(), Sub FileTemplate() and Sub ViewVBCode().
Similarly, W97M/Broken.A displays a dialog box with another error message when users attempt to access the About option in the Help menu in Word. This action will occur once infection has taken place or when the infected documents are in use.
This dialog box appears due to the action of another macro defined in the virus. This macro is called as follows: Sub HelpAbout().
The last of the ten macros that make up the virus is called: Sub FileSaveAs(). This macro displays the "wdDialogFileSaveAs" dialog box, which leads to the execution of the next macro, called CAPut(). This is the macro that actually contains the viral code.
Besides these on-screen messages, the virus also carries out the following actions:
It disables the macro virus protection in Word. This means that the dialog box that allows users to enable or disable the macros defined in Word documents will not be displayed.
The virus prevents users from saving the changes made to the NORMAL.DOT global template.
W97M/Broken.A attempts to convert the format of a file.
The virus also modifies the properties of the infected document. Specifically, the following text string will be inserted in the Comments field: "JU$t bEEn CAPuted!".
W97M/Broken.A also replaces text in the current document. Specifically, the virus replaces the "19" strings found in the current document with the following text string: "CAPut!".
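
A defensive triage check for the indicators listed above, added here as an example and not taken from Panda Security: it assumes the macro source and the Comments property have already been extracted to text (for instance with a tool such as olevba), and the function name, scoring weights and thresholds are illustrative assumptions. It matches macro declaration names rather than macro bodies, since the page notes that the virus uses polymorphic techniques.

```python
import re

# Indicators copied from this page: hooked command macros, the routine that
# holds the viral code, and the string written to the Comments property.
HOOKED = {"toolmacro", "filetemplate", "viewvbcode", "helpabout", "filesaveas"}
VIRAL_ROUTINE = "caput"
COMMENT_MARKER = "JU$t bEEn CAPuted!"

# Match Sub declarations only; macro bodies are ignored on purpose.
SUB_DECL = re.compile(r"^[ \t]*(?:(?:Public|Private)[ \t]+)?Sub[ \t]+(\w+)[ \t]*\(",
                      re.IGNORECASE | re.MULTILINE)

def triage(macro_source, doc_comments=""):
    """Score extracted VBA source and the Comments property against the indicators."""
    subs = {name.lower() for name in SUB_DECL.findall(macro_source)}
    hooked = sorted(subs & HOOKED)
    has_routine = VIRAL_ROUTINE in subs
    has_marker = COMMENT_MARKER in doc_comments
    # A single hooked command is common in legitimate templates, so the
    # routine name or the Comments marker must corroborate it (assumed weights).
    score = len(hooked) + 3 * has_routine + 3 * has_marker
    if score >= 6:
        verdict = "likely W97M/Broken.A"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"hooked": hooked, "viral_routine": has_routine,
            "comment_marker": has_marker, "verdict": verdict}

# Constructed samples: declarations only, with empty bodies.
SUSPECT = "\n".join(f"Sub {n}()\nEnd Sub" for n in
                    ("ToolMacro", "FileTemplate", "ViewVBCode",
                     "HelpAbout", "FileSaveAs", "CAPut"))
BENIGN = "Sub FileSaveAs()\nEnd Sub\nSub FormatReport()\nEnd Sub"

if __name__ == "__main__":
    print(triage(SUSPECT, "JU$t bEEn CAPuted!"))
    print(triage(BENIGN))
```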