Virus.MSOffice.Shiver

Class Virus
Platform MSOffice
Description

Technical Details


This macro virus infects two Office97 applications: Word documents and
Excel sheets. To be compatible with different Office97 applications the
virus uses VisualBasic compatibility and uses the same code in both Word
and Excel.


The virus infects the system, documents and sheets when files are opened
(auto-macros AutoOpen in Word and Auto_Open in Excel). While infecting the
virus uses the export/import Office97 functions via the C:SHIVER.SYS file.
It writes (exports) its code to there and then reads (imports) into an
object that is being infected.


Under both Word and Excel the virus replicates itself by using standard
tricks. While infecting Word files the virus copies its code to document or
global macros area (NORMAL.DOT). Under Excel the virus hooks sheets
activation process and sets the infection macros ShiverTime as the handler.
The virus also saves the infected PERSONAL.XLS file in the Excel startup
directory and as a result infects the system Excel area.


One leaving Word (AutoExit) the virus attempts to spread its code from Word
to Excel. The virus uses the DDE functions: it runs Excel in minimized
windows and pass to there data and commands necessary to create the
infected PERSONAL.XLS file in the Excel startup directory. The virus
infects Word from Excel by using similar way: it runs minimized Word, opens
Visual Basic Editor and reads its code from the C:SHIVER.SYS file.


The virus does not delete its C:SHIVER.SYS file after infection and uses
it to re-infect Word if the main virus code was deleted (disinfected) in
documents and NORMAL.DOT. To do that the virus on each Word startup looks
for WORD8.DOT file in the Word startup directory. If there is no such file,
the virus creates it and writes a short FileSaveAs macro to there. This
macro contains just a few commands that import the virus code from the
C:SHIVER.SYS into documents that are saved with new name. As a result the
virus stays active ever if all documents and NORMAL.DOT are disinfected.
The virus uses the same export/import way to create the WORD8.DOT dropper,
as a source code buffer the C:SENTRY.SYS file is used.


To detect its presence in the system the virus uses the system Registry and
writes its ID-values into the key “HKEY_CURRENT_USERSoftwareVB and VBA
Program SettingsOffice8.0”. There are two values that mark virus
presence/absence in the system:


Shiver[DDE] = ALT-F11
Shiver[DDE] = NoNos(

Depending on the system random counter the virus resets this key to
“NoNos(” and forces its infection routines renew the infected WORD8.DOT and
PERSONAL.XLS in the Word and Excel startup directories.


The Virus Internals


The virus contains 18 macros in one “Module1”:

AutoExec – Word auto-function, contains Word re-infection routine
AutoOpen – Word auto-function, contains Word docs infection routine
WordStealth – adds the stealth macros ToolsMacro, FileTemplates, ViewVBCode
into the Word global macros (NORMAL.DOT)
AutoExit – Word auto-function, infects Excel
FindExcel – Excel searching routine
PersonalFun – used on Excel infection
CheckMarker – “Are you here?” function, checks the Registry
MakeMarker – writes virus ID into the Registry
PXL_Done – used on Excel infection
Auto_Open – Excel auto-function, hooks the sheets activation routine
ShiverTime – sheets activation hooker and infector
wdTrigger – Word trigger routine
xlTrigger – Excel trigger routine
Auto_Close – Excel auto-function, spreads the virus to Word
delay – used on Word infection
wdReEvalInfection – looks for infected PERSONAL.XLS in Excel startup-dir
xlReEvalInfection – looks for infected WORD8.DOT in Word startup-dir
DDE_Info – do-nothing macro, contains the “copyright”:
Shiver[DDE] by ALT-F11 with help from ALT-F4
This is the first virus produced by The Alternative Virus Mafia (AVM)
ALT-F4 – “I was born for dying”
ALT-F11 – “Actions without thoughts”


Trigger routines


The virus has stealth abilities. Under Excel it disables the menu items
Window/Unhide… and Tools/Macro. Under Word it also creates the stealth
macros in the NORMAL.DOT: ToolsMacro, FileTemplates, ViewVBCode in the
module “ThisDocument”. As a result the virus hides its code. The virus also
disables the Office97 virus protection.


Depending on the system random counter the virus runs following effects:


  • in Excel it inserts into random selected cell the comments:

    Shiver[DDE] by ALT-F11

  • in Word it creates the C:SISTER.DLL file, writes the text to there and
    runs WRITE to show it:

    Hey Man, I Kinda Like Your Sister
    Hey Man, I Hope That’s Cool
    Hey Man, I Kinda Lose My Mind
    Every Single Time I Find Your Sister
    Suntanned By The Pool
    Hey Man, I Wanna See Her Naked
    Hey Man, I’m Always In Her Room
    All Alone When No One’s There
    Going Through Her Underwear
    Hey Man, I Gotta See Her Soon
    Hey Man, I’ll Never Get Her Pregnant
    But Hey Man, How Can I Resist Her
    The Day I Give Her A Wedding Band
    Are You Going To Be My Best Man?
    Hey Man, I Kinda Like Your Sister
    I Kinda Like Your Sister
    I Kinda Like Your Sister
    I Kinda Like Her

  • in Word it renames the menu items:

    Tools/Macro = “Shiver[DDE] by ALT-F11”
    File/Versions… = “Cum Stained Sheets…”
    Edit/Paste Special… = “Hey Man I Did Your Mom…”
    Insert/Break… = “Wanna do some MDMA ?”
    Help/About Microsoft Word = “Peace, Love and Drugs”
    File/Properties = “I’ll die happy, you’ll just die”
    Edit/Go To… = “Heywood Jablowmi”
    Tools/Word Count… = “Body Count”
    Format/Font… = “Cunt”
    File/Close = “No Clothes”
    Window/Split = “Blow Me”
    Insert/Picture = “Crusty Porn GIF”
    File/Print… = “My Balls Itch”
    Format/Bullets and Numbering… = “Pills And Needles”
    Table/Insert Table… = “Insert and Probe”
    Tools/Customize… = “Sodomize…”
    Tools/Spelling and Grammar… = “Spelling and Your Grandma…”
    View/Toolbars = “Gaybars”
    View/Master Document = “Masturbation”