Class Virus
Platform MSExcel

Technical Details

This is an Excel macro virus. It contains one module DON that contains one
function AutoOpen. The infection routine present in the virus code consists of 49 encrypted text strings. In case of need (on infection) the virus decrypts
them, saves to the DON.TXT file, then copies this file to the macros area
with name “Replicate” and executes it. After executing (i.e. after
infecting a file or system) the virus deletes the “Replicate” module.

If an infected file is opened from Excel startup directory (i.e. the system
is already infected) it sets its AutoOpen function on sheets deactivating
(OnSheetDeactivate function) and infects the Workbooks on changing active
sheet. Otherwise the virus creates an infected
file with name .DON in Excel startup directory, i.e. infects the system.

The virus can be easily detected by the presence of a file in the
XLSTART directory. The virus also creates the DON2.TXT file and writes to
there the name of active Workbook.

Find out the statistics of the threats spreading in your region