SECURITY ALERT

Name:      W97M/Cobra.f
Aliases:   Cobra.f, Cobra Version 1.0E
Variants:  
Type:      Word Macro
Platforms: Microsoft Word
Status:    not known to be in the wild
Threat:    low

The following has been derived from information provided by Network Associates.

Virus Characteristics

This virus infects Word 97 (and above) documents and templates. Unlike many viruses, it is able to replicate under the SR-1 release of Word 97. It turns off the macro warning feature of Word 97. The virus consists of a single module called "BornCobra". It is a copy-cat of the W97M/Melissa.a virus in that it carries a payload to send the infected file via MS Outlook. This is the first variant of W97M/Cobra to use this payload mechanism.

This virus hooks the system event of opening documents with the subroutine "autoopen", so that its code runs when a document is opened. Other system events hooked are "autoclose", "fileopen", "fileclose" and "filenew". Attempts to use menu items of the same name within Word 97 will run the corresponding macro routine.

Comments within the autoexec routine are the following:

'Cobra Version 1.0E

When opening an infected document and allowing the macro virus to run, registry keys are created or modified:

"HKEY_CURRENT_USER\Software\Microsoft\Office\"
"Cobra" = "Cobra"

"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
"RegisteredOwner" = "Cobra"
"RegisteredOrganization" = "DHK/BD"
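
The registry values listed above can be checked for in a text export of the registry. The following Python is an added example, not part of the original alert or of Network Associates' information; it assumes the export has already been decoded to text in .reg string syntax, and its function names and sample export are constructed for illustration.

```python
import re

# Indicators taken from the alert text: (key path, value name, value data).
INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office", "Cobra", "Cobra"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOwner", "Cobra"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "RegisteredOrganization", "DHK/BD"),
]

_KEY = re.compile(r"^\[(.+)\]$")
_STR = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    # .reg string syntax escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {(key_lower, name_lower): data} for string values in .reg text."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY.match(line)
        if m:
            # Key paths and value names are case-insensitive in the registry
            key = m.group(1).rstrip("\\").lower()
            continue
        m = _STR.match(line)
        if m and key:
            values[(key, _unescape(m.group(1)).lower())] = _unescape(m.group(2))
    return values

def find_cobra_indicators(text):
    """List the alert's registry indicators that are present in the export."""
    values = parse_reg(text)
    return [(k, n, d) for k, n, d in INDICATORS
            if values.get((k.lower(), n.lower())) == d]

# Constructed sample export (not captured from a real system).
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office]
"Cobra"="Cobra"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"RegisteredOwner"="Cobra"
"RegisteredOrganization"="Example Corp"
"ProgramFilesDir"="C:\\Program Files"
'''

if __name__ == "__main__":
    for hit in find_cobra_indicators(SAMPLE):
        print("indicator present: %s\\%s = %s" % hit)
```

Because the virus overwrites RegisteredOwner and RegisteredOrganization, a match on those values also means the original registration details need to be restored after cleanup.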


Payload

The Outlook email routine is designed to create an email message addressed to the first 30 recipients selected from the Outlook address book. The subject of the message is "Important Message From Microsoft Via (Word registered username)" and the body of the message is "Important document;-". The message is then sent with the infected document attached.

Infected documents and the global template contain a damaging payload. A routine is created under the system event name "FileNew". This routine checks whether the current day of the month equals the month; if so, a hidden task is run with the instruction "deltree /y c:\". deltree is a Windows 95/98 file, and thus this instruction does not work on WinNT.

This file deletion payload triggers only when both of the following conditions are met:
* a new document is being created AND
* the day equals the month (ex: Jan 1, Feb 2, Mar 3 etc)
