X97M/Phone
Analysis
- Virus exists in the class code module named "ThisWorkbook"
and consists of one macro module with numerous sub
routines and functions
- Virus hooks several Excel event handlers in order
to run its code -
- opening, saving, printing or closing infected workbooks could alter the Excel environment and also the properties of the infected files and host environment
-
Opening infected workbooks could cause the code to infect the host Excel environment - the virus writes its code into a new workbook and saves this workbook as "Office.vir" into the XLSTART folder of Microsoft Office
-
When Excel is started, files in the XLSTART folder are automatically loaded into Excel - macros which may exist in any file in this folder are run
-
If opening infected workbooks on Wednesday, the Excel undefinedUsernameundefined variable may be modified from its present value to " "
-
If printing an infected workbook after 20:00:00, the Excel application may become hidden due to an instruction to hide the application
-
When saving an infected file, the host Workbook properties "Title", "Subject" and "Comments" values change to the following -
Title = " "
Subject = " "
Comments = "Tia Ivanka"
-
When closing infected workbooks on the 26th of any month, the host workbook properties "Title", "Subject" and "Comments" values change to the following -
Title = " "
Subject = " "
Comments = ". .TwentySiX ==> ."
-
Virus is polymorphic with code variable replacement instructions
-
Virus may become up-converted from Excel95 to Excel97 when opening infected Excel95 workbooks in Excel97 or higher