The virus consists of a single macro module named "Ahlghee". This macro hooks Word system events in order to capture control. The virus has a date-activated payload which could result in deletion of files from the "C:\Windows" folder. The virus may write a source code file into the Windows folder as "Ahlghee.vbs".
Word Action Hooks
The virus uses routines named after Word auto-run events and menu items to gain control when infected Word documents are opened or closed -
File Deletion Payload
When working with infected documents on the 2nd, 11th or 27th of any month, the virus may carry out instructions to delete the following files -
The instruction to delete the files is issued via WScript and requires Wscript.exe on the target system in order to function.
If spell-checking (the Spelling and Grammar tool button) is performed in an infected Word environment, the virus may replace the word "Sir" with the word "John". The replacement is carried out in all open documents.
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push
- Delete the file "Ahlghee.vbs" from the Windows folder