CLASS Virus Info

this page last updated 11-11-98

Virus Aliases: CLASS, W97M/CLASS
Area of Infection: Word97 macro virus
Characteristics: Increase in document size, CLASS.SYS in root directory
Payload Date: NOT APPLICABLE - (message box displays on different dates,
see variant info below)
Origin: USA, found in early September 1998
Variants: CLASS.A will message on 31st of any month
CLASS.B, CLASS.D will message on the 14th of any month

The CLASS virus originated in parts of the United States in early September 1998 and quickly spread. It went largely unnoticed except for the date-triggered message box display. This virus uses a new infection method within Word97 based on class modules. Because of this change of infection method, the location examined for detection had to be modified. VirusScan engine changes beginning with v3.2.0a allowed detection and cleaning of the first variants of the CLASS virus, and the v3.2.1 scan engine will detect and remove the CLASS virus and known variants.

In the known variants, the CLASS virus uses an anti-Service Release 1 (SR-1) Office 97 method of infection: it exports the Visual Basic virus code to an "export/import" file (in some variants, the file is C:\CLASS.SYS). The exported file is not a virus itself, only a temporary holding area containing the code of the virus.


CLASS.A virus
On the first infection it will drop an exported copy of the virus code in an ASCII file, c:\class.sys. When working with the infected files on the 31st of the month, a message box like

|- This Is Class -|
VicodinES /CB /TNN
| OK |

is displayed.


CLASS.B virus
On the first infection it will drop an exported copy of the virus code in an ASCII file, c:\class.sys. When working with the infected files on the 14th of the month, a message box like

|- VicodinES Loves You / Class.Poppy -|
I Think " (word97 reg. User name) " is a big stupid jerk!
| OK |

is displayed.


CLASS.D virus
On the first infection it will drop an exported copy of the virus code in an ASCII file, c:\class.sys. When working with the infected files on the 14th of the month, and the current month is not January through April, a message box like

|- Class.Poppy -|
I Think " (word97 reg. User name) " is a big stupid jerk!
| OK |

is displayed. This virus also modifies the RegisteredOwner and RegisteredOrganization values in the registry at the following location:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
RegisteredOwner="VicodinES/VB/TNN"
RegisteredOrganization="-(Dr. Diet Mountain Dew)-"
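
The indicators listed on this page (class.sys in the root directory, and the two registry values CLASS.D overwrites) can be checked together. The following is an added example, not McAfee code: the function names are hypothetical, and it assumes a listing of the root of C: and a text export (.reg) of the registry key as input. The sample input is constructed.

```python
import re

# Indicators as listed on this page.
DROPPED_FILE = "class.sys"  # exported macro code in the root of C: (all variants)
KEY = r"hkey_local_machine\software\microsoft\windows\currentversion"
CLASS_D_VALUES = {
    "registeredowner": "VicodinES/VB/TNN",
    "registeredorganization": "-(Dr. Diet Mountain Dew)-",
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg_strings(reg_text, key=KEY):
    """Return {lowercased name: value} for string values under `key` in a .reg export."""
    values, in_key = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == key  # key names are case-insensitive
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            # .reg exports escape backslashes and quotes with a backslash
            name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values[name.lower()] = value
    return values

def triage(root_listing, reg_text):
    """Return a list of findings; an empty list means no indicator matched."""
    findings = []
    if any(n.strip().lower() == DROPPED_FILE for n in root_listing):
        findings.append("class.sys in root directory")
    values = parse_reg_strings(reg_text)
    for name, marker in CLASS_D_VALUES.items():
        if values.get(name) == marker:
            findings.append(name + " set to CLASS.D marker")
    return findings

# Constructed sample input (not captured from a real machine).
SAMPLE_LISTING = ["AUTOEXEC.BAT", "CLASS.SYS", "CONFIG.SYS"]
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion]
"ProgramFilesDir"="C:\\Program Files"
"RegisteredOwner"="VicodinES/VB/TNN"
"RegisteredOrganization"="-(Dr. Diet Mountain Dew)-"
'''

if __name__ == "__main__":
    for finding in triage(SAMPLE_LISTING, SAMPLE_REG):
        print("FOUND:", finding)
```

A class.sys match on its own points to the exported holding file, which the page notes is not a virus itself; infected documents still need to be scanned and cleaned.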


McAfee Labs is continuing to analyze the virus and will update this document as necessary.
To date, the most common variant of the virus is the CLASS.D variant. To be protected, please be sure to download the latest DAT file (3110) for detection and cleaning, in conjunction with the v3.2.1 update.