Class
Type: Macro virus
Creator: VicodinES
Date Discovered: 1998.07
Place of Origin: USA
Source Language: Visual Basic
Platform: MS Word
File Type(s): .doc
Infection Length
Reported Costs

Class, also known as Poppy, is a macro virus by VicodinES. It is one of the first macro viruses to work successfully under Word 97. This virus is also polymorphic.

Behavior

When a file infected with Class is opened, it creates the file class.sys in the root of the C: drive. This file contains the code it will insert into the Normal.dot template. Class does not add a new module, but instead adds code to the ThisDocument VBA5 module in Normal.dot, a module that is present in all Word documents by default. The macros in Normal.dot will be "AutoClose" and "ToolsMacro", while those in the infected files will be "AutoOpen" and "ViewVBCode".

Class changes its code by inserting comments that include the current user name, date and time and information about the active printer. It also has some stealth techniques, disabling the "Tools\Macro" and "Tools\Macro\VisualBasic Editor" menus by incorporating two empty macros.

On the 31st of every month, it displays a message:

   This Is Class
   o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
   o      VicodinES     /CB    /TNN      o
   o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
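
Because the polymorphism described above only inserts comments, stripping comments before hashing gives a fingerprint that stays the same across generations, and the macro names and class.sys reference listed above can be checked on the same normalized text. This is an added example, not code from the original page or from the virus; the function names are assumptions and the two sample modules are constructed, inert stand-ins.

```python
import hashlib
import re
# Indicators as stated on this page.
TEMPLATE_MACROS = {"autoclose", "toolsmacro"}   # macros in Normal.dot
DOCUMENT_MACROS = {"autoopen", "viewvbcode"}    # macros in infected documents
DROP_FILE = "class.sys"                         # dropped in the root of C:
SUB_RE = re.compile(r"^(?:public\s+|private\s+)?sub\s+(\w+)", re.M)

def strip_comments(vba_source):
    """Return lowercased code lines only: no comments, no blank lines."""
    kept = []
    for line in vba_source.splitlines():
        in_string, chars = False, []
        for ch in line:
            if ch == '"':
                in_string = not in_string
            elif ch == "'" and not in_string:
                break                            # rest of the line is a comment
            chars.append(ch)
        code = "".join(chars).strip().lower()
        if code and not code.startswith("rem "):
            kept.append(code)
    return "\n".join(kept)

def fingerprint(vba_source):
    """Hash that does not change when only the inserted comments change."""
    return hashlib.sha256(strip_comments(vba_source).encode()).hexdigest()

def triage(vba_source):
    """Check normalized module source for the indicators listed above."""
    code = strip_comments(vba_source)
    subs = set(SUB_RE.findall(code))
    return {"template_pair": TEMPLATE_MACROS <= subs,
            "document_pair": DOCUMENT_MACROS <= subs,
            "drop_file": DROP_FILE in code}

# Constructed, inert stand-ins for one ThisDocument module in two generations.
GEN_1 = r'''Sub AutoOpen()
' alice 31/07/1998 10:02:11 LPT1 printer
    Const DropPath = "C:\class.sys"
End Sub
Sub ViewVBCode()
End Sub
'''
GEN_2 = r'''Sub AutoOpen()
' bob 14/08/1998 16:45:03 network printer
    Const DropPath = "C:\class.sys"   ' carol 02/09/1998
End Sub
Sub ViewVBCode()
End Sub
'''
```

Here `fingerprint(GEN_1)` equals `fingerprint(GEN_2)` even though the raw text differs, and `triage` reports the document-side macro pair and the drop-file reference for both.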

Variants

There are numerous variants of Class, most of which simply vary the message.

Class.B and D

This variant displays a message on the 14th of any month between June and December:

   I Think (Name of the current user) is a big stupid jerk!

   VicodinES Loves You / Class.Poppy

Class.D is similar, but changes the registered company name to "Dr. Diet Mountain Dew".

Class.BV

This variant has no payload and does not create a temporary file to replicate.

Class.CN

This variant, also known as Mad Cow, is capable of sending itself in email. It arrives in an email with a subject of "Mad Cow Joke". The message body is "Beware of the spread of the Madcow Disease". It uses the file V.SYS. This variant was originally distributed in a file named MADCOW.DOC, but began spreading under other file names as it was executed from the many other files it had infected. Its code contains the comment "'WORD/VERONICA // thanks to WORD/MELLISA & WORD/CLASS".

Class.EB

Class.EB is non-polymorphic. It uses the file normal.do. Its payload activates on the 11th of any month. It displays a text box with the text "Internal Error! Restart Word."

Name and Origin

Class was coded by the American virus coder VicodinES. VicodinES is suspected of being or having some relation to David L. Smith AKA Kwyjibo, the creator of Melissa. He gave all his viruses a name with .Poppy (Class's full name would be Class.Poppy). VicodinES was a recreational user of prescription drugs and believed the best drugs originated in the poppy plant.
