Iron | |
---|---|
Type | Macro virus |
Creator | |
Date Discovered | 2002.06.13 |
Place of Origin | |
Source Language | |
Platform | Microsoft Word |
Infection Length | |
Reported Costs |
Iron, also known as Nori, is a Word macro virus. This virus contains a malicious payload that can either delete text from a Word document or erase the entire hard drive.
Behavor
When a Word document infected with Iron is executed, it creates a file called Iron.tmp at the root of the C: drive. It uses this file to infect the NORMAL.DOT template and any active documents. Any new documents using the Normal template or documents created while an infected file is open. The virus disables the following settings to help its spreading:
- Macro virus protection (VirusProtection)
- The prompt to confirm conversion when opening a document (ConfirmConversion)
- The prompt to confirm saving of the global template, Normal.dot (SaveNormalPrompt)
It has two malicious payloads and one or the other will activate on April 1. It will delete all text in an active document, unless it finds a registry key setting the local machine's registered organization to "IRON". In this case, it erases all files and folders on drive C:.
Variants
Iron has going from Iron.A to at least Iron.G.
Sources
VS Antivirus, W97M/Nori.A
Atli Gudmundsson. Symantec.com, W97M.Nori.A. 2007.02.13