..
Click anywhere to stop
Click anywhere to stop
Class | Virus |
Platform | MSOffice |
Description |
Technical DetailsThis macro-virus infects Office97 Word documents and Excel sheets. It was named after its internal location: “teonanacatl”. It is the second known macro-virus (after “Access/Word97.Cross”) that is able to infect several MS Office applications. The code of the virus is placed in one module named StrangeDays and contains eight functions:
The virus spreads its code under the “native” application (Word->Word, Excel->Excel), as well as drops infected files to another application (Word->Excel and Excel->Word). In both infected Word documents and Excel sheets, the virus has the same Basic code. It is written in such an accurate way that is able to be executed with no errors under both Word and Excel from Office97. To infect “native” objects (documents or sheets), the virus uses Import/Export VisualBasic functions: the virus exports its Basic code to the C:LO.SYS file, and then imports it into non-infected documents (under Word) and sheets (Excel). In the case of Word, to infect other documents, the virus intercepts the auto-functions AutoClose and AutoExit and infects documents that are closed or upon exiting Word. In the case of Excel, the virus hooks the sheet-activation routine, the auto-function Auto_Open does that when an infected sheet is opened. To infect another application, the virus uses a trick with the auto-loading ability of Word and Excel to load templates (Word) and sheets (Excel) from the start-up directory. To infect Word from Excel, the virus creates new NORMAL.DOT (Word) and PERSONAL.XLS (Excel) files in the start-up directory. Both of these NORMAL.DOT and PERSONAL.XLS contain just a small 17-line routine that is not the virus itself, but the virus loader. This loader has an auto-name (Auto_Close in Excel and AutoExec in Word), and is executed by the system, when Word starts, with an infected NORMAL.DOT, or Excel closes, with an infected PERSONAL.XLS. In both cases, the loader reads (imports) the complete virus code from the C:LO.SYS file to the current object (NORMAL template or PERSONAL.XLS) and as a result, infects it. The loader then saves the infected result to the original file (NORMAL.DOT or PERSONAL.XLS) and exits. On next loading, both Word and Excel will load their NORMAL.DOT and PERSONAL.XLS with the complete virus code inside, and as a result, the virus will continue its propagation. The virus has stealth and anti-warning abilities: it disables the Tools/Macro, Tools/Options, File/Templates and View/VBCode menu items as well as turns off VisualBasicEditor and VirusProtection. It also changes VirusProtection instructions in the system registry. On the 26th of any month, it displays a MessageBox and deletes all files in the current directory, and the text in the MessageBox is as follows:
|
Find out the statistics of the threats spreading in your region |