Name
W97M/Class.B

Aliases
Class, Class.Poppy, Poppy, W97M/Class, WM97/Class.b

Variants
None

Date Added
11/24/98

Information

	Discovery Date:	10/15/98
	Type:	Virus
	SubType:	Macro
	Risk Assessment:	Medium
	Risk Justification:
	Minimum Engine:	4.0.25

Characteristics
This is a virus for Word 97 documents. It is able to replicate under the SR-1 and above release of Word 97. It will turn off the macro warning feature of Word 97. This virus uses the "ThisDocument" stream, or class module, of a document or template during infection routine. This family of viruses was the first to use the class module stream for infection, hence the name W97M/Class.

This virus hooks the system event of opening documents in Word97 by the subroutine "Autoopen" thereby running its code. The NORMAL.DOT global template contains the routine "Autoclose" which is a system event of closing documents.

This virus writes a temporary file to the local machine to contain the virus source code named "c:\class.sys". The virus uses VBA to copy the code from the temp file to the new document host. The SYS file is not an executable file, but is in ASCII format. This file will be detected as "W97M/Class.src.b" and is safe to delete.

This virus attempts to use polymorphism by inserting comment lines between every line of VBA code with system variables representing the Office97 registered user name and also the variable representing the name of the mapped printer.

The virus is otherwise unnoticeable until a message box pops up to insult the user - this will occur on infected systems on the 14th of months between May and December.

Symptoms
When working with the infected files on the 14TH of the month a message box like

Also existence of the file C:\CLASS.SYS in the root of the hard drive.

Method Of Infection/Installation
General Macro Virus Information

Removal Instructions
Use current engine and DAT files for detection and removal.