Virus.MSOffice.Halfcros

Detect Date 01/11/2002
Class Virus
Platform MSOffice
Description

This is multi-platform macro-virus. It infects two MS Office97

applications: Word documents and Excel sheets. The main part of the virus code

is encrypted and placed in the virus body as a random-letters comments. In

case of need, the virus gets these comments, decrypts them, convert to the

macro instructions and executes them. As a result, the main replication

routines are invisible by viewing macro code in the Tools/Macro menu.

In non-encrypted form, there are just a few virus macros present: events

hookers and decryption routine. The virus hooks three events: Excel sheets

closing, and Word documents opening and closing (Workbook_Deactivate,

Document_Open, Document_Close). In all these cases, the virus decrypts and

calls the infection routine. The virus also creates the infected BOOK1

Excel sheet in the Excel auto-start directory.

The virus disables the MS Office virus protection by directly accessing the

system registry. Starting from 0:10pm till 0:25pm, the virus displays the

message box:

Wonder v2.0 by ThE wEiRd GeNiUs

Its time for lunch

where is the name of current user.