SECURITY ALERT

Name:      W97M/Opey.ae
Aliases:   Opey.ae
Variants:  
Type:      Macro
Platforms: Microsoft Word 97
Status:    not known to be in the wild in Canada
Threat:    low

The following has been derived from information provided by Network Associates.

Virus Characteristics

W97M/Opey.a is a macro virus for Word 97 documents and templates. The virus lowers macro warning options, modifies user settings, and has a date-activated payload that displays a message through AUTOEXEC.BAT.

This virus consists of a single macro module named "KRF". It contains code to remove any non-class modules that exist in the host file or in the global template NORMAL.DOT, so a user macro that existed before infection may be removed after infection.

This virus hooks the following Word event handlers in order to run its code:

Opening, closing, saving a document
Creating a new document
Printing a document
The menu option "File|Page Setup"

Once NORMAL.DOT is infected, any document used on the system will become infected.


Payload

When this virus infects a system, the Word environment settings are changed:

UserName = "Young Kim"
UserAddress = "PLM"
UserInitials = "KRF"

Menu options disallowed or deleted, settings modified, function keys disabled:

Prompt when saving NORMAL.DOT = no
"Tools|Macro"
"Tools|Customize"
"Tools|Options"
ALT-F11 Disabled
ALT-F8 Disabled

When this virus infects a document, some settings are changed:

Author = "Young Kim"
Title = "RIA"

This virus will modify the startup file AUTOEXEC.BAT to display this message:

"from: Young Kim (PLM) 1999-2000"
"Press any key when ready..."

This will only affect Win9x systems, as WinNT does not use AUTOEXEC.BAT. This virus contains a date-activated payload: if the year is 2001 or higher and the day of the month is 22, AUTOEXEC.BAT is modified to display this message:

"echo Happy KRF Day 12-22 !!!"
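
The indicators listed above can be checked with a short triage script. This is an added example, not part of the original alert or of Network Associates' material. The function names are hypothetical, and it assumes the Word user settings and document properties have already been extracted into a dictionary by other means.

```python
import datetime

# Indicator strings taken from the alert text above.
AUTOEXEC_MARKERS = (
    "from: Young Kim (PLM) 1999-2000",
    "Happy KRF Day 12-22",
)
# Word user settings and document properties the alert says are overwritten.
EXPECTED_SETTINGS = {
    "UserName": "Young Kim",
    "UserAddress": "PLM",
    "UserInitials": "KRF",
    "Author": "Young Kim",
    "Title": "RIA",
}


def scan_autoexec(text):
    """Return (line_number, line) pairs that contain a message from the alert."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        folded = line.casefold()
        if any(marker.casefold() in folded for marker in AUTOEXEC_MARKERS):
            hits.append((number, line.strip()))
    return hits


def match_settings(observed):
    """Return the names of observed settings equal to the values in the alert."""
    return sorted(
        name for name, value in EXPECTED_SETTINGS.items()
        if observed.get(name, "").strip() == value
    )


def date_trigger_met(day):
    """Trigger condition as stated in the alert: year 2001 or later, day 22."""
    return day.year >= 2001 and day.day == 22


# Constructed sample input (not captured from a real system).
SAMPLE_AUTOEXEC = """@ECHO OFF
PATH C:\\WINDOWS;C:\\WINDOWS\\COMMAND
echo from: Young Kim (PLM) 1999-2000
"""
SAMPLE_SETTINGS = {"UserName": "J. Smith", "UserInitials": "KRF", "Author": "Young Kim"}

if __name__ == "__main__":
    print(scan_autoexec(SAMPLE_AUTOEXEC))
    print(match_settings(SAMPLE_SETTINGS))
    print(date_trigger_met(datetime.date(2001, 12, 22)))
```

A single matching setting such as an author name is weak evidence on its own; a hit in AUTOEXEC.BAT together with several matching settings is a stronger reason to inspect NORMAL.DOT for the "KRF" module.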
