W97M/Chameleon
Chameleon
Type: Macro virus
Creator: Total Konfuzion
Date Discovered: 2000.09.22
Place of Origin: United Kingdom
Source Language: VBA
Platform: MS Word
File Type(s): .doc
Infection Length: 1 Macro Module

Chameleon is a macro virus created by UK hacker Total Konfuzion. It is polymorphic, though unrelated to the polymorphic DOS Chameleon virus from 1990.

Behavior

When a file infected with Chameleon is opened with Word, it checks for the registry key "HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsCurrentVersion\MVP = Enabled by Total Konfuzion" and will either quit if it doesn't find it or continue if it does. It adds its module, ThisDocument, to the Normal.dot template. It then disables Microsoft's macro virus protection, the save prompt for the Normal.dot template and the older-version confirmation prompt.

It then creates a file in the Windows system folder named Chameleon.dll and inserts its code into it. This file is used as a reference to infect other files. It also drops the file Chameleon.vbs into the startup folder; this script contains messages that pop up in dialog boxes at certain times. On any startup, it displays the message:

"W97M/Chameleon":
"Greetz from Chameleon :)"

On the 18th of any month, it displays the message:

"Let me slip into something"
"a little more comfortable... :)"
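
For triage of a mounted disk image or a copy of a user profile, the dropped files and dialog strings described above can be turned into a simple sweep. The following is an added example, not code from the original page or from any antivirus vendor; the directory layout in build_sample_tree is constructed and hypothetical, and a name match alone is a lead to investigate, not a verdict.

```python
import os

# File names the page says the base variant drops (matched case-insensitively).
DROPPED_NAMES = {"chameleon.dll", "chameleon.vbs"}
# Dialog strings the page attributes to Chameleon.vbs.
MARKERS = ("Greetz from Chameleon", "Let me slip into something")


def marker_hits(path, limit=1 << 20):
    """Return the page's dialog strings found in the first `limit` bytes of a file."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(limit)
    except OSError:
        return []  # unreadable file: report nothing rather than abort the sweep
    # Script files may be stored as ANSI or UTF-16LE, so test both encodings.
    return [m for m in MARKERS
            if m.encode("ascii") in data or m.encode("utf-16-le") in data]


def triage(root):
    """Walk a mounted image or profile copy and return sorted (path, reason) leads."""
    leads = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name.lower() in DROPPED_NAMES:
                leads.append((rel, "name"))
            if name.lower().endswith(".vbs"):
                # A content match catches a renamed copy of the script.
                leads.extend((rel, "marker: " + m) for m in marker_hits(path))
    return sorted(leads)


def build_sample_tree(root):
    """Constructed sample layout (hypothetical paths, harmless text) for a dry run."""
    samples = {
        ("WINDOWS", "SYSTEM", "Chameleon.dll"): b"placeholder",
        ("StartUp", "CHAMELEON.VBS"): "Greetz from Chameleon :)".encode("utf-16-le"),
        ("StartUp", "update.vbs"): b"Let me slip into something",
        ("Scripts", "backup.vbs"): b"Backup finished",
    }
    for parts, body in samples.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
```
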

Variants

By Total Konfuzion

The variant Chameleon.B does not drop any .dll or .vbs files. It changes the title of the infected document to "Mum.. Dad.. Fuck U !!". If the day of the month is greater than 25, it replaces all instances of the word "the" with "Mum.. Dad.. Fuck U !!". Documents may also contain strings such as "Mum.. Dad.. all u given me in the few monthz iz shit !!.. this 1'z 4 u !!" and "Mum.. Dad.. all u given me in the few monthz iz shit !!.. so I dedic8 this 1 4 u !!.. Fuck U all !! Don't worry.. this WILL find its way to ur work systemz!!"

Chameleon.Quiet or Chameleon.C writes the files Quiet.dll and Quiet.vbs. Quiet.vbs is the file responsible for infecting Normal.dot. It will also display a dialog box entitled W97M/Quiet.

Chameleon.I checks the value "Level" in the registry key HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security to begin performing some of its actions. If it finds it non-empty, it will disable the menu items Tool > Macro, Tool > Templates and Add-ins… and Format > Style Gallery. It also disables user interrupts of Visual Basic for Applications procedures, which a user would otherwise trigger by pressing ESC or CTRL + BREAK.

Chameleon.Chrome contains the text "The day of the Chrome is comming…"

Chameleon.EasterBunny contains the text "Happy Easter from the Easter Bunny.. !!", "Your system is infected with the Easter Bunny virus.", and "Greetingz from the Easter Bunny".

Chameleon.Laura displays the text "Laura, I love you." on the 17th of the month.

Chameleon.Matrix contains the text "The Matrix has you." and "Are YOU looking for it !!".

By Others

Chameleon.LMA appears to be coded by Sir Dystyk. It contains the text "Todays the day !!" and displays a message box saying "Hello, London Virus Crew !!".

Origin

Chameleon was coded and discovered in late summer to early autumn of 2000. Its coder goes by the handle Total Konfuzion, some of whose other works indicate he lives in the UK. His other works mostly consist of macro and Visual Basic Script viruses, such as Small and Freenet.
