Threat Encyclopedia

X97M/Phone

Analysis

  • Virus exists in the class code module named "ThisWorkbook" and consists of one macro module with numerous sub routines and functions
  • Virus hooks several Excel event handlers in order to run its code -

    - opening, saving, printing or closing infected workbooks could alter the Excel environment and also the properties of the infected files and host environment

  • Opening infected workbooks could cause the code to infect the host Excel environment - the virus writes its code into a new workbook and saves this workbook as "Office.vir" into the XLSTART folder of Microsoft Office

  • When Excel is started, files in the XLSTART folder are automatically loaded into Excel - macros which may exist in any file in this folder are run

  • If opening infected workbooks on Wednesday, the Excel undefinedUsernameundefined variable may be modified from its present value to " "

  • If printing an infected workbook after 20:00:00, the Excel application may become hidden due to an instruction to hide the application

  • When saving an infected file, the host Workbook properties "Title", "Subject" and "Comments" values change to the following -

    Title = " "
    Subject = " "
    Comments = "Tia Ivanka"

  • When closing infected workbooks on the 26th of any month, the host workbook properties "Title", "Subject" and "Comments" values change to the following -

    Title = " "
    Subject = " "
    Comments = ". .TwentySiX ==> ."

  • Virus is polymorphic with code variable replacement instructions

  • Virus may become up-converted from Excel95 to Excel97 when opening infected Excel95 workbooks in Excel97 or higher