Pri
Type: Macro virus
Creator: Alt-F11
Date Discovered: 1998
Place of Origin: Aberdeen, New Jersey, USA
Source Language: Visual Basic
Platform: MS Word
File Type(s): .doc
Infection Length: 1 macro module
Reported Costs:

Pri is a polymorphic macro virus for Microsoft Word 97. It was apparently created by coder Alt-F11, who also went by the name VicodinES, and Kwyjibo, famous for the Melissa virus. It is sometimes considered the ancestor of Melissa, and some of its variants shared a significant amount of code with that virus. Its payload produces colored shapes in a document.

Behavior

Pri activates when an infected document is opened and checks whether the global template is infected. It searches the macro storage of host files for the string "Pri", which is part of the syntax "Private Sub", as a means to determine whether the host file is already infected. If it finds a clean template, it will copy and modify itself. Once the global template is infected, documents are infected as they are opened or closed. Pri hooks the Tools > Macros > Visual Basic Editor menu, rendering it unusable.

When infecting a document, Pri checks whether the time on the document is the same as the current time. If so, it will create ten random shapes on the document.

[Image: Pri's payload]

Pri contains algorithmic variable replacement within its code, making it polymorphic. The virus intercepts the ViewVBCode event so that when the infected user attempts to view the macros of an infected document, it terminates the Word application. It also disables the Word Macro Virus Protection option. The following comment can be found within the code:

'Psd.a / Pri.a
'W97M/PSD ...porn star dreams? [(c)1998 ALT-F11 code hack]
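
A defensive triage sketch for the behaviour described above, added here as an example and not taken from the virus or from any vendor's scanner: it checks extracted macro source for the comment, the ViewVBCode hook and the disabling of macro virus protection, and shows that the bare "Pri" marker also matches any benign module containing "Private Sub". The regex patterns (including the Options.VirusProtection statement) and the sample modules are assumptions constructed for illustration.

```python
import re

# Indicators drawn from the behaviour described above. The exact VBA statements
# are assumptions: the page names the behaviours, not the virus's source lines.
INDICATORS = {
    "signature_comment": re.compile(r"W97M/PSD|ALT-F11 code hack", re.I),
    "hooks_vb_editor": re.compile(
        r"^\s*(?:Private\s+|Public\s+)?Sub\s+ViewVBCode\b", re.I | re.M),
    "disables_macro_protection": re.compile(
        r"Options\s*\.\s*VirusProtection\s*=\s*(?:False|0)\b", re.I),
}

def naive_marker(source):
    """Pri's own 'already infected' test: does the text contain "Pri"?"""
    return "Pri" in source

def triage(source):
    """Return the sorted names of the indicators found in one module's source."""
    return sorted(n for n, rx in INDICATORS.items() if rx.search(source))

def verdict(source):
    """Grade one module: family comment, two or more behaviours, one, or none."""
    hits = triage(source)
    if "signature_comment" in hits:
        return "known-family"
    if len(hits) >= 2:
        return "suspicious"
    return "review" if hits else "clean"

# Constructed samples (not real virus code): a benign template macro, a module
# carrying the comment quoted above, and the same module with the comment stripped.
BENIGN = 'Private Sub Document_Open()\n    MsgBox "Quarterly report"\nEnd Sub\n'
MARKED = ("'Psd.a / Pri.a\n'W97M/PSD [(c)1998 ALT-F11 code hack]\n"
          "Private Sub Document_Open()\n    Options.VirusProtection = False\n"
          "End Sub\nSub ViewVBCode()\nEnd Sub\n")
STRIPPED = MARKED.split("\n", 2)[2]

if __name__ == "__main__":
    for name, src in [("benign", BENIGN), ("marked", MARKED), ("stripped", STRIPPED)]:
        print(name, naive_marker(src), verdict(src), triage(src))
```

The benign module passes the "Pri" marker test yet yields no indicators, which is why a scanner should key on the combined behaviours rather than on that string.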

Variants

Pri.B adds code to the hooked "Tools/Macros/Visual Basic Editor" menu that causes Word to quit without saving any changes. When activated, its payload creates a random number of shapes instead of ten. It contains the comments:

Psd.b / Pri.b
W97M/PSD.II ...logically delicious! [(c)1998 ALT-F11 code hack] VAMP v1.0 [thanks Vic!]

Pri.Q sometimes also goes by the names Prilissa, Melissa.W, Melissa.AG, and W97M.Antisocial.G. It contains code borrowed from the Melissa virus, particularly the mass-mailing code. On the 25th of December, it overwrites Autoexec.bat with code that formats drive C: when the computer is restarted. When it has finished overwriting Autoexec.bat, it displays the text:

Vine...Vide...Vice...Moslem Power Never End...
You Dare Rise Against Me...The Human Era is Over, The CyberNET
Era Has Come !!!

The Autoexec.bat payload will not work on Windows NT and later versions of Windows.
