Iron
Type: Macro virus
Date Discovered: 2002.06.13
Platform: Microsoft Word

Iron, also known as Nori, is a Word macro virus. This virus contains a malicious payload that can either delete text from a Word document or erase the entire hard drive.

Behavior

When a Word document infected with Iron is executed, it creates a file called Iron.tmp at the root of the C: drive. It uses this file to infect the NORMAL.DOT template and any active documents, as well as any new documents using the Normal template or documents created while an infected file is open. The virus disables the following settings to help it spread:

  • Macro virus protection (VirusProtection)
  • The prompt to confirm conversion when opening a document (ConfirmConversion)
  • The prompt to confirm saving of the global template, Normal.dot (SaveNormalPrompt)
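A defender can look for this combination in macro source extracted from a document. The scanner below is an added example, not part of the original page or of any antivirus product. It assumes the macro text has already been extracted by some other tool, and that the settings appear as properties of Word's Options object (where the second one is spelled ConfirmConversions); both sample macros are constructed.

```python
import re

# Settings the page lists as disabled by Iron. Word VBA spells the second one
# "ConfirmConversions", so a trailing "s" is accepted.
NAMES = ("VirusProtection", "ConfirmConversion", "SaveNormalPrompt")
DISABLE = re.compile(r"\.(%s)s?\s*=\s*(?:False|0)\b" % "|".join(NAMES), re.I)
DROP_FILE = re.compile(r"\bIron\.tmp\b", re.I)   # temp file named on the page
CANON = {n.lower(): n for n in NAMES}


def strip_comment(line):
    """Cut a VBA ' comment, ignoring apostrophes inside string literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def scan_macro(source):
    """Report which protection settings the macro source switches off."""
    joined = re.sub(r"[ \t]_[ \t]*\r?\n", " ", source)   # VBA line continuation
    code = "\n".join(strip_comment(l) for l in joined.splitlines())
    disabled = {CANON[m.group(1).lower()] for m in DISABLE.finditer(code)}
    return {"disabled": sorted(disabled), "all_three": disabled == set(NAMES),
            "drop_file": bool(DROP_FILE.search(code))}


# Constructed sample: settings lines only, no replication or payload code.
SUSPECT = '''Sub AutoOpen()
    tmp = "C:\\Iron.tmp"
    With Options
        .VirusProtection = False
        .ConfirmConversions = _
            0
    End With
    Options.SaveNormalPrompt = False
End Sub
'''
# Constructed benign macro: enables protection and only mentions it in a comment.
BENIGN = '''Sub Harden()
    Options.VirusProtection = True  ' never set Options.VirusProtection = False
End Sub
'''

if __name__ == "__main__":
    print(scan_macro(SUSPECT), scan_macro(BENIGN))
```

A macro that switches off all three settings at once is a strong heuristic signal on its own; the Iron.tmp reference ties the match to this family specifically.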

It has two malicious payloads, and one or the other will activate on April 1. It will delete all text in an active document unless it finds a registry key setting the local machine's registered organization to "IRON". In that case, it erases all files and folders on drive C:.

Variants

Iron has variants ranging from Iron.A to at least Iron.G.
