This page shows details and results of our analysis on the malware W97M/Nebo

Download Current DAT

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Macro
  • Protection Added: 2000-02-02

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum Engine


File Length


Description Added


Description Modified


Malware Proliferation

This threat is detected as W97M/Generic. The virus contains one module - Kefko. It will disable the macro warning protection for Word and exports its code to c:\Kefko.sys. This file is not infected.

The virus will change the Username to Dr.Virus. It will also add the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion RegisteredOwner = Dr.Virus
The following information will be added to File/Summary/Author = Dr.Virus, Comments = WM97.Kefko and Keywords = Vetko je OK.

The following AntiVirus files will be deleted:

  • C:\Programme\Dr Solomon's\Anti-Virus Toolkit\*.*
  • C:\Programme\Norton Antivirus\V32scan.dll
  • C:\Programme\Norton Antivirus\Virscan.dat

On the 19th of any month, the following message will be displayed:

Tools/Macro, Tools/Visual Basic Editor, Format/Style and File/Templates will display the following message:

The above messages displayed. The presence of c:\Kefko.sys.

Opening an infected document will directly infect the local Word environment and any document opened thereafter.

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)