|Type||Word macro virus|
|Place of Origin|
|File Type(s)||.doc, .sys|
|Infection Length||1,105 bytes|
When an infected document is opened, Rash intercepts the Document_Close macro and copies itself to the ThisDocument module. The virus disables the virus protection option and the prompt to save the document upon closing. Rash then infects the Normal template and all active documents.
The virus drops a file named AA*.SYS at the root of the C: drive. This contains code that changes the virus's attributes.
This variant is known to some antivirus products as Asder. It drops a copy of the Onehalf virus in a file named COMMàND.COM and modifies the AUTOEXEC.BAT file so this file is executed at next startup. It infects the global template when an infected document is closed.
Trend Micro, W97M_RASH.A. 2002.01.11
-, W97M_ASDER.A. 2000.10.26