Pri | |
---|---|
Type | Macro virus |
Creator | Alt-F11 |
Date Discovered | 1998 |
Place of Origin | Aberdeen, New Jersey USA |
Source Language | Visual Basic |
Platform | MS Word |
File Type(s) | .doc |
Infection Length | 1 Macro module |
Reported Costs | |
Pri is a polymorphic macro virus for Microsoft Word 97. It was apparently created by coder Alt-F11, who also went by the name VicodenES, and Kwyjibo, famous for the Melissa virus. It is sometimes considered the ancestor of Melissa, and some of its variants shared a significant amount of code with that virus. It has an interesting payload that produces colored shapes in a document.
Behavior
Pri activates when an infected document is opened and checks whether the global template is infected. To determine whether a host file is already infected, it searches the file's macro storage for the string "Pri", which is part of the syntax "Private Sub". If it finds a clean template, it will copy and modify itself. Once the global template is infected, documents are infected as they are opened or closed. Pri hooks the Tools > Macros > Visual Basic Editor menu, rendering it unusable.
When infecting a document, Pri checks if the time on the document is the same as the current time. If so, it will create ten random shapes on the document.
Pri contains algorithmic variable replacement within its code, making it polymorphic. The virus intercepts the ViewVBCode event so that when the user attempts to view the macros of an infected document, the Word application terminates. It also disables the Word Macro Virus Protection option.
[Image: Pri's payload]
The following comment can be found within its code:
'Psd.a / Pri.a
'W97M/PSD ...porn star dreams? [(c)1998 ALT-F11 code hack]
Variants
Pri.B adds code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes Word to quit without saving any changes. When activated, its payload creates a random number of shapes instead of ten. It contains the comments:
Psd.b / Pri.b
W97M/PSD.II ...logically delicious! [(c)1998 ALT-F11 code hack] VAMP v1.0 [thanks Vic!]
Pri.Q also sometimes goes by the names Prilissa, Melissa.W, Melissa.AG, and W97M.Antisocial.G. It contains code borrowed from the Melissa virus, particularly the mass-mailing code. On the 25th of December, it overwrites Autoexec.bat with code that formats drive C: when the computer is restarted. When it has finished overwriting Autoexec.bat, it displays the text:
Vine...Vide...Vice...Moslem Power Never End...
You Dare Rise Against Me...The Human Era is Over, The CyberNET
Era Has Come !!!
The Autoexec.bat payload will not work on Windows NT and later versions of Windows.
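A defender-side triage sketch for the indicators described under Behavior and Variants, as an added example that is not part of the original page or any vendor's signature. It scans macro source text that has already been extracted; the rule names, the verdict thresholds, the constructed sample macros and the use of Word's `Options.VirusProtection` property as the protection switch are assumptions.

```python
import re

# Indicators drawn from the behaviour described above. Word fixes the name of a
# hooked command, so variable-renaming polymorphism cannot alter it.
RULES = {
    "hooks_vb_editor": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+ViewVBCode\b", re.I | re.M),
    "author_marker": re.compile(r"ALT-F11 code hack|W97M/PSD", re.I),
    "touches_autoexec": re.compile(r"autoexec\.bat", re.I),
    # Assumption: protection is switched off through Options.VirusProtection.
    "disables_macro_protection": re.compile(
        r"\bVirusProtection\s*=\s*(?:False|0)\b", re.I),
}
STRONG = {"hooks_vb_editor", "author_marker"}  # hypothetical weighting

def scan_macro_source(source):
    """Return matched rule names and a verdict for extracted macro text."""
    hits = sorted(name for name, rx in RULES.items() if rx.search(source))
    if len(hits) >= 2 and STRONG.intersection(hits):
        verdict = "likely Pri family"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "no indicators"
    return {"hits": hits, "verdict": verdict}

# Constructed samples, not real virus code.
INFECTED_SAMPLE = """'W97M/PSD [(c)1998 ALT-F11 code hack]
Private Sub Document_Open()
    Options.VirusProtection = False
End Sub
Sub ViewVBCode()
End Sub
"""
BENIGN_SAMPLE = """Private Sub Document_Open()
    MsgBox "Welcome"
End Sub
"""

if __name__ == "__main__":
    for label, text in (("infected", INFECTED_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_macro_source(text))
    # The virus's own "Pri" self-check matches any "Private Sub", so it is
    # useless as a detection string: it is present in the benign sample too.
    print("'Pri' in benign sample:", "Pri" in BENIGN_SAMPLE)
```

Run it on macro source extracted from a document by a tool such as olevba; it does not parse .doc files itself.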