W97M/ColdApe

• Destructivity:
• Detected by virus detection files published: 4/18/2000
• Virus characteristics first published: 4/18/2000
• Virus characteristics latest update: 12/17/2003
• Infection type: Microsoft Word 97/2000/XP/2003
• Type: Virus
• Spreading mechanism: File Infection
• Overall risk: Low
A good indication of this virus is the presence of the files C:\Happy.vbs and C:\A4.vbs. W97M/ColdApe is the first virus to combine VBS virus and Visual Basic for Applications (VBA) virus techniques, and also one of the first viruses to use the "AddFromString" method to infect documents. W97M/ColdApe starts by disabling Word's VirusProtection. It then checks for the presence of the comment "'AVM" in the NormalTemplate. If the comment does not exist, it infects the GlobalTemplate (usually Normal.dot) in the "ThisDocument" stream, so that all documents that are opened will be infected with this virus. The first time the viral code is interpreted under any Windows version running Windows Scripting Host (WSH), it drops the VBS/Happy virus to C:\Happy.vbs. VBS/Happy can infect all .vbs files in the directories C:\
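
A triage sketch built from the indicators described above, added here as an example and not taken from the vendor's detection logic: it scans VBA source that has already been extracted from a document or Normal.dot for the 'AVM marker, a VirusProtection assignment, an AddFromString call and the dropped-file paths, and checks a drive root for Happy.vbs and A4.vbs. The regexes, function names and sample strings are assumptions constructed for illustration.

```python
import re
from pathlib import Path
# Indicators named in the description; the regexes are assumptions about how
# each one appears in macro source already extracted from a document/template.
MARKER = re.compile(r"^\s*'AVM\b")
CODE_INDICATORS = {
    "virusprotection_disabled": re.compile(r"VirusProtection\s*=\s*(False|0)\b", re.I),
    "addfromstring": re.compile(r"\.AddFromString\b", re.I),
    "dropped_vbs_path": re.compile(r"C:\\(Happy|A4)\.vbs", re.I),
}
DROPPED_FILES = ("Happy.vbs", "A4.vbs")

def strip_vba_comment(line):
    """Return the line without its trailing ' comment, respecting "..." strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def scan_macro(source):
    """Return the set of indicator names found in VBA source text."""
    hits = set()
    for line in source.splitlines():
        if MARKER.match(line):
            hits.add("avm_marker")
        code = strip_vba_comment(line)  # ignore indicators that occur only in comments
        hits.update(n for n, rx in CODE_INDICATORS.items() if rx.search(code))
    return hits

def classify(hits):
    """Marker plus AddFromString call => likely match; any other hit => review."""
    if {"avm_marker", "addfromstring"} <= hits:
        return "likely W97M/ColdApe"
    return "review" if hits else "no indicators"

def dropped_files(root="C:\\"):
    """List the dropped-file names present under root (C:\\ on a checked host)."""
    return [n for n in DROPPED_FILES if (Path(root) / n).is_file()]

# Constructed, non-functional sample strings for demonstration only.
SAMPLE_SUSPECT = "'AVM\nOptions.VirusProtection = False\nm.AddFromString s\np = \"C:\\Happy.vbs\"\n"
SAMPLE_BENIGN = "' helper; AddFromString is mentioned only in this comment\nMsgBox \"it's fine\"\n"

if __name__ == "__main__":
    for name, src in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        print(name, classify(scan_macro(src)), sorted(scan_macro(src)))
```

A "review" or "likely" result is a prompt to inspect the template's ThisDocument module by hand, not a verdict; a current antivirus signature remains the authoritative check.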