Class: Virus
Platform: MSOffice

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass.

The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources).

Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment


Platform: MSOffice

Microsoft Office is a multiplatform suite of productivity applications published by Microsoft. Office applications are compatible with many types of files and content.

Description

Technical Details

This macro virus infects two Office97 applications: Word documents and Excel sheets. To be compatible with both applications, the virus relies on Visual Basic compatibility and uses the same code in Word and Excel.

The virus infects the system, documents and sheets when files are opened (the auto-macros AutoOpen in Word and Auto_Open in Excel). While infecting, the virus uses the Office97 export/import functions via the C:\SHIVER.SYS file: it writes (exports) its code to that file and then reads (imports) it into the object that is being infected.

Under both Word and Excel the virus replicates itself by using standard tricks. When infecting Word files, the virus copies its code to the document or to the global macros area (NORMAL.DOT). Under Excel, the virus hooks the sheet activation process and sets the infection macro ShiverTime as the handler. The virus also saves the infected PERSONAL.XLS file in the Excel startup directory and as a result infects the system Excel area.

On leaving Word (AutoExit) the virus attempts to spread its code from Word to Excel. The virus uses the DDE functions: it runs Excel in a minimized window and passes to it the data and commands necessary to create the infected PERSONAL.XLS file in the Excel startup directory. The virus infects Word from Excel in a similar way: it runs Word minimized, opens the Visual Basic Editor and reads its code from the C:\SHIVER.SYS file.

The virus does not delete its C:\SHIVER.SYS file after infection and uses it to re-infect Word if the main virus code was deleted (disinfected) in documents and NORMAL.DOT. To do that, on each Word startup the virus looks for the WORD8.DOT file in the Word startup directory. If there is no such file, the virus creates it and writes a short FileSaveAs macro to it. This macro contains just a few commands that import the virus code from C:\SHIVER.SYS into documents that are saved with a new name. As a result the virus stays active even if all documents and NORMAL.DOT are disinfected. The virus uses the same export/import method to create the WORD8.DOT dropper; the C:\SENTRY.SYS file is used as the source code buffer.

To detect its presence in the system the virus uses the system Registry and writes its ID-values into the key "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0". There are two values that mark virus presence/absence in the system:

Shiver[DDE] = ALT-F11
Shiver[DDE] = NoNos(
Depending on the system random counter the virus resets this key to "NoNos(" and forces its infection routines to renew the infected WORD8.DOT and PERSONAL.XLS in the Word and Excel startup directories.
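
A cleanup check built from the artifacts named above, as an added example that is not part of the original description. The function name `triage`, the inventory format and the sample paths are constructed. The startup files are matched by file name only because the description gives no startup directory paths, so a hit on them is a lead for macro inspection (PERSONAL.XLS is also the normal name of Excel's personal macro workbook).

```python
import ntpath

# Artifacts taken from the description; everything else here is constructed.
DROP_FILES = {
    r"c:\shiver.sys": "exported virus source, re-imported on infection",
    r"c:\sentry.sys": "source buffer for the WORD8.DOT dropper",
}
STARTUP_FILES = {
    "word8.dot": "Word startup template with the FileSaveAs macro",
    "personal.xls": "Excel startup workbook, inspect its macros",
}
MARKER_KEY = r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0"
MARKER_NAME = "Shiver[DDE]"
MARKER_DATA = {"ALT-F11", "NoNos("}


def triage(paths, registry):
    """paths: absolute Windows paths; registry: {(key, value_name): data}.
    Returns (hits, reinfect); hits maps an artifact label to (where, why)."""
    hits = {}
    for path in paths:
        low = path.lower()
        base = ntpath.basename(low)
        if low in DROP_FILES:            # exact path in the root of C:
            hits[base] = (path, DROP_FILES[low])
        elif base in STARTUP_FILES:      # any directory, name match only
            hits[base] = (path, STARTUP_FILES[base])
    for (key, name), data in registry.items():
        if key.lower() == MARKER_KEY.lower() and name == MARKER_NAME:
            state = "known marker" if data in MARKER_DATA else "unlisted data"
            hits["registry"] = (f"{key}\\{name} = {data}", state)
    # Per the description, the FileSaveAs macro in WORD8.DOT imports the code
    # from C:\SHIVER.SYS, so the pair survives a cleanup of NORMAL.DOT.
    reinfect = "shiver.sys" in hits and "word8.dot" in hits
    return hits, reinfect


# Constructed inventory: documents and NORMAL.DOT were already disinfected.
SAMPLE_PATHS = [
    r"C:\SHIVER.SYS",
    r"C:\Program Files\Microsoft Office\Office\Startup\WORD8.DOT",
    r"C:\My Documents\report.doc",
]
SAMPLE_REGISTRY = {(MARKER_KEY, MARKER_NAME): "NoNos("}

if __name__ == "__main__":
    found, again = triage(SAMPLE_PATHS, SAMPLE_REGISTRY)
    for label, (where, why) in found.items():
        print(f"{label:12} {where}  ({why})")
    print("Word re-infection path present:", again)
```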

The Virus Internals

The virus contains 18 macros in one "Module1":
AutoExec          - Word auto-function, contains Word re-infection routine
AutoOpen          - Word auto-function, contains Word docs infection routine
WordStealth       - adds the stealth macros ToolsMacro, FileTemplates, ViewVBCode into the Word global macros (NORMAL.DOT)
AutoExit          - Word auto-function, infects Excel
FindExcel         - Excel searching routine
PersonalFun       - used on Excel infection
CheckMarker       - "Are you here?" function, checks the Registry
MakeMarker        - writes virus ID into the Registry
PXL_Done          - used on Excel infection
Auto_Open         - Excel auto-function, hooks the sheets activation routine
ShiverTime        - sheets activation hooker and infector
wdTrigger         - Word trigger routine
xlTrigger         - Excel trigger routine
Auto_Close        - Excel auto-function, spreads the virus to Word
delay             - used on Word infection
wdReEvalInfection - looks for infected PERSONAL.XLS in Excel startup-dir
xlReEvalInfection - looks for infected WORD8.DOT in Word startup-dir
DDE_Info          - do-nothing macro, contains the "copyright":
    Shiver[DDE] by ALT-F11 with help from ALT-F4
    This is the first virus produced by The Alternative Virus Mafia (AVM)
    ALT-F4 - "I was born for dying"
    ALT-F11 - "Actions without thoughts"

Trigger routines

The virus has stealth abilities. Under Excel it disables the menu items Window/Unhide... and Tools/Macro. Under Word it also creates the stealth macros in the NORMAL.DOT: ToolsMacro, FileTemplates, ViewVBCode in the module "ThisDocument". As a result the virus hides its code. The virus also disables the Office97 virus protection.

Depending on the system random counter the virus runs the following effects:

  • in Excel it inserts the following comment into a randomly selected cell:
    Shiver[DDE] by ALT-F11
    
  • in Word it creates the C:\SISTER.DLL file, writes the following text to it and runs WRITE to show it:
    Hey Man, I Kinda Like Your Sister
    Hey Man, I Hope That's Cool
    Hey Man, I Kinda Lose My Mind
    Every Single Time I Find Your Sister
    Suntanned By The Pool
    Hey Man, I Wanna See Her Naked
    Hey Man, I'm Always In Her Room
    All Alone When No One's There
    Going Through Her Underwear
    Hey Man, I Gotta See Her Soon
    Hey Man, I'll Never Get Her Pregnant
    But Hey Man, How Can I Resist Her
    The Day I Give Her A Wedding Band
    Are You Going To Be My Best Man?
    Hey Man, I Kinda Like Your Sister
    I Kinda Like Your Sister
    I Kinda Like Your Sister
    I Kinda Like Her
    
  • in Word it renames the menu items:
    Tools/Macro = "Shiver[DDE] by ALT-F11"
    File/Versions... = "Cum Stained Sheets..."
    Edit/Paste Special... = "Hey Man I Did Your Mom..."
    Insert/Break... = "Wanna do some MDMA ?"
    Help/About Microsoft Word = "Peace, Love and Drugs"
    File/Properties = "I'll die happy, you'll just die"
    Edit/Go To... = "Heywood Jablowmi"
    Tools/Word Count... = "Body Count"
    Format/Font... = "Cunt"
    File/Close = "No Clothes"
    Window/Split = "Blow Me"
    Insert/Picture = "Crusty Porn GIF"
    File/Print... = "My Balls Itch"
    Format/Bullets and Numbering... = "Pills And Needles"
    Table/Insert Table... = "Insert and Probe"
    Tools/Customize... = "Sodomize..."
    Tools/Spelling and Grammar... = "Spelling and Your Grandma..."
    View/Toolbars = "Gaybars"
    View/Master Document = "Masturbation"
    
