This is multi-platform macro-virus. It infects two MS Office97
applications: Word documents and Excel sheets. The main part of the virus code
is encrypted and placed in the virus body as a random-letters comments. In
case of need, the virus gets these comments, decrypts them, convert to the
macro instructions and executes them. As a result, the main replication
routines are invisible by viewing macro code in the Tools/Macro menu.
In non-encrypted form, there are just a few virus macros present: events
hookers and decryption routine. The virus hooks three events: Excel sheets
closing, and Word documents opening and closing (Workbook_Deactivate,
Document_Open, Document_Close). In all these cases, the virus decrypts and
calls the infection routine. The virus also creates the infected BOOK1
Excel sheet in the Excel auto-start directory.
The virus disables the MS Office virus protection by directly accessing the
system registry. Starting from 0:10pm till 0:25pm, the virus displays the