When a Word document infected with Iron is executed, it creates a file called Iron.tmp at the root of the C: drive. It uses this file to infect the NORMAL.DOT template and any active documents. Any new documents using the Normal template, or documents created while an infected file is open, are also infected. The virus disables the following settings to help it spread:
- Macro virus protection (VirusProtection)
- The prompt to confirm conversion when opening a document (ConfirmConversion)
- The prompt to confirm saving of the global template, Normal.dot (SaveNormalPrompt)
Iron has two malicious payloads, and one or the other will activate on April 1. It will delete all text in an active document, unless it finds a registry key setting the local machine's registered organization to "IRON". In that case, it instead erases all files and folders on drive C:.
Iron variants range from Iron.A to at least Iron.G.
VS Antivirus, W97M/Nori.A
Atli Gudmundsson. Symantec.com, W97M.Nori.A. 2007.02.13