Virus.MSExcel.Sofa

Class Virus
Platform MSExcel
Description

Technical Details


This virus infects Excel sheets. It contains only one module (macro). This
module has the name containing 11 spaces and is invisible in system – menu
Microsoft Excel Tools/Macros does not show any macros. The virus module has
four functions: Auto_Open, Auto_Range, Current_Open, Auto_Close.


While opening an infected file the virus function Auto_Open takes control.
This function “renames” Excel – the title “Microsoft Excel” is replaced
with “Microsofa Excel”. This function then infects the system. To do that
it looks for BOOK.XLT file in Startup Path. If there is no such file (the
system is not infected), the virus displays:


Microsoft Excel has detected a corrupted add-in file.
Click ‘OK’ to repair this file.

Not depending on user’s reply, the virus creates there the BOOK.XLT file
containing virus code. After infecting the virus displays:

File successfully repaired!

While loading into the system Excel loads all XLT files (including infected
BOOK.XLT) from Startup Path, and as a result the virus takes control as far
as Excel is loading. The virus then sets its function Auto_Range for system
function OnSheetActivate. On any sheet activation this function takes
control and infects the active file, if it is not infected yet.


The virus does not allow to unload itself from the system – while closing
any file the virus sets the system function OnWindow to its function
Auto_Range. As a result the virus re-installs itself while opening any
file.