
Virus:W97M/DocCopy.L


First posted on 09 August 2011.
Source: SecurityHome

Aliases :

There are no other names known for Virus:W97M/DocCopy.L.

Explanation :

Virus:W97M/DocCopy.L is a macro virus that infects the Microsoft Word global template and documents that are opened or closed in Word. The virus lowers Microsoft Word security by disabling the macro warning associated with opening files that contain macros and removes password protection of Word documents.



Spreads via...

File infection

When opening an infected document with macros enabled, the virus infects the global template file named "normal.dot" by copying its VB module named "Dark" to the template file. The macro module "Dark" contains the following macros, some of which execute during certain Word events:

  • FileOpen
  • Mac
  • Setup
  • AutoNew
  • AutoOpen
  • AutoClose


The virus creates an infected Word document as the following file:

<Microsoft Word path>\Dark.dll

where 'Microsoft Word path' is commonly %ProgramFiles%\Microsoft Office\Office11. When infecting documents, the virus creates a copy of the infected documents in the folder <Microsoft Word path>\Dark. The virus may also delete a recently accessed document.
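A host triage check for the on-disk artefacts described above, as an added example that is not part of the original write-up. It assumes the infected copy saved as Dark.dll is a Word 97-2003 binary document (OLE2 header) rather than a real PE file; the function names and status strings are hypothetical, and the sample layout is constructed.

```python
import os
import sys
import tempfile

# OLE2 compound-file signature used by Word 97-2003 .doc/.dot files
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

def is_ole_file(path):
    """True if the file starts with the OLE2 header (a genuine DLL starts with 'MZ')."""
    try:
        with open(path, "rb") as fh:
            return fh.read(8) == OLE_MAGIC
    except OSError:
        return False

def check_word_dir(word_dir):
    """Report the Dark.dll file and Dark folder named in the write-up, if present."""
    findings = {}
    for entry in os.scandir(word_dir):
        name = entry.name.lower()  # Windows file names are case-insensitive
        if name == "dark.dll" and entry.is_file():
            findings["dark_dll"] = "ole-document" if is_ole_file(entry.path) else "not-ole"
        elif name == "dark" and entry.is_dir():
            findings["dark_folder_docs"] = sorted(
                f.name for f in os.scandir(entry.path)
                if f.is_file() and is_ole_file(f.path))
    return findings

def build_constructed_sample(root):
    """Constructed test layout: header bytes only, no macro content."""
    os.mkdir(os.path.join(root, "Dark"))
    for rel in ("Dark.dll", os.path.join("Dark", "report.doc")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(OLE_MAGIC + b"\x00" * 504)
    with open(os.path.join(root, "WINWORD.EXE"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # constructed stand-in for a normal binary
    return root

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_word_dir(sys.argv[1]))  # path to the Word install directory
    else:
        with tempfile.TemporaryDirectory() as tmp:
            print(check_word_dir(build_constructed_sample(tmp)))
```

Run it with the Word install directory as the argument. A result of "ole-document" for Dark.dll means a file with a DLL extension carries a Word document header, which matches the behaviour described above.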



Payload

Lowers Microsoft Word security
The virus lowers Microsoft Word security by disabling the macro warning associated with opening files that contain macros. The virus also removes password protection of Word documents, allowing the macro virus to infect the unprotected document.



Analysis by Rodel Finones

Last update 09 August 2011

 
