Virus.MSExcel.Ninja

Class: Virus
Platform: MSExcel
Description

Technical Details


This virus infects Excel spreadsheets (XLS files). It contains one module, “Ninja,”
that has two functions: “auto_open” and “Infect_Ninja”.


The virus's “auto_open” macro contains just one command, which sets the
“Infect_Ninja” macro as the handler of the OnSheetActivate routine. As a result,
the virus hooks sheet activation, and when a sheet is opened, the virus (the
Infect_Ninja macro) takes control.


When the Infect_Ninja macro takes control, it searches for the NINJA.XLS file
in the Excel Startup directory and checks the count of modules in the
current Workbook.


If the active Workbook is the infected one and the NINJA.XLS file does not
exist in the Excel Startup directory, the virus decides that it is being executed
for the first time. The virus then creates the NINJA.XLS file in the Excel
Startup directory and saves its code to it by using the “Save As” command.


The next time Excel starts, it automatically loads all XLS files from the
Startup directory. The infected NINJA.XLS is loaded along with the other
files, and the virus takes control and hooks the sheet activation
routine.


If the NINJA.XLS file exists in the Excel directory, the virus copies its
code to the active Workbook. As a result, the active Workbook is infected.
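
A check for the startup-directory persistence described above, as an added example that is not part of the original description: it walks a directory tree, flags any NINJA.XLS found in an Excel startup folder, and lists the other workbooks there for review, since every one of them is loaded automatically. The folder name XLSTART, the extension list and all function names are assumptions of this example, and the directory tree in demo() is constructed sample data.

```python
import os
import tempfile

INDICATOR = "ninja.xls"                  # file name taken from the description above
STARTUP_DIR = "xlstart"                  # assumption: Excel's startup folder is named XLSTART
WORKBOOK_EXTS = (".xls", ".xlt", ".xla") # assumption: workbook types worth listing


def scan_startup_dirs(root):
    """Return (path, verdict) for each workbook in any startup folder under root.

    "match"  = file name equals the indicator (a name match, not proof of infection)
    "review" = some other workbook that Excel would auto-load from that folder
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Only startup folders matter: files elsewhere are not auto-loaded.
        if os.path.basename(os.path.normpath(dirpath)).lower() != STARTUP_DIR:
            continue
        for name in sorted(filenames):
            lower = name.lower()         # Windows file names are case-insensitive
            if lower == INDICATOR:
                verdict = "match"
            elif lower.endswith(WORKBOOK_EXTS):
                verdict = "review"
            else:
                continue
            findings.append((os.path.join(dirpath, name), verdict))
    return findings


def demo():
    """Scan a constructed directory tree (sample data, not real findings)."""
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "Office", "XLSTART")
        docs = os.path.join(root, "Docs")
        os.makedirs(startup)
        os.makedirs(docs)
        for path in (os.path.join(startup, "Ninja.XLS"),
                     os.path.join(startup, "BOOK.XLT"),
                     os.path.join(startup, "readme.txt"),
                     os.path.join(docs, "NINJA.XLS")):   # outside startup: ignored
            open(path, "wb").close()
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v)
                for p, v in scan_startup_dirs(root)]


if __name__ == "__main__":
    for rel_path, verdict in demo():
        print(f"{verdict:7} {rel_path}")
```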