The following has been derived from information provided by Sophos and Network Associates.

Virus Characteristics

W97M/Cybernet@MM is a Word/Excel 97/2000 macro virus which arrives via an e-mail sent by Outlook. NAI likens this virus to the Melissa virus in that when first activated, it sends itself to the first 50 entries in the available address book. Sophos reports that the virus is sent to all entries in the address book.

This virus will arrive in an e-mail similar to the following:

Subject: You've GOT Mail !!!
Body: Please, saved the document after you read and don't show to
anyone else. The document is also VIRUS FREE...so DISREGARD the
virus protection warning !!!
Attachment: infected .DOC file

If an infected file is opened and the macro is permitted to run, this virus will attempt to lower the existing macro warning settings using a registry import file. This file is first written to the root of c: as "CyberNET.reg" then it is imported using REGEDIT.EXE.

When an infected workbook or document are opened on the host system, an attempt is made to remove the global template NORMAL.DOT. A new template will be generated which contains the virus code.

A file will be created in the XLSTART folder named "CYBERNET.XLS" which will be used to infect workbooks used on the system. This virus will remove files residing in the XLSTART folder.

Email propagation will occur on systems using Outlook.

The author of this virus attempted to write this virus in an effort to avoid heuristic detection by either Symantec or NAI as evident by the following comment lines included in the virus code:

'anti-heuristic for stupid Norton antivirus scanner
'anti-heuristic for stupid McAfee antivirus scanner


Manual Detection

Discovery of the file CYBERNET.XLS in the XLSTART folder of Office indicates that your machine is infected.


Payload

If this virus is run on August 17 or December 25:

1. A number of random shapes are inserted into the currently open Word or Excel document in a similar way to WM97/Melissa-AG.

2. The AUTOEXEC.BAT file is overwritten with code to (re)format the C: drive of Windows 98 systems. The following comments are also inserted:

##########################################
# Vine...Vide...Vice...Moslem Power Never End... #
# I'm Really Sorry, This System Have Been Recycled By -=
CyberNET =- Virus!!! #
# Brought To You From INDONESIA... #
##########################################

3. The CONFIG.SYS file will also contain instructions which prevent the user from aborting or stopping the execution of the AUTOEXEC.BAT file.

4. The following message box is displayed:



after the user clicks on the OK button, this virus will attempt to exit Windows.


Additional Information

This virus contains a comment line in the code which is not displayed:

'W97M/CyberNET (C)2000 - Indonesia By AnomOke!
"I'm NOT Responsible For Any Damage That Posible Cause By My
Virus...!!!"