Virus.MSOffice.Teocatl

Class Virus
Platform MSOffice
Description

Technical Details

This macro-virus infects Office97 Word documents and Excel sheets. It was

named after its internal location: “teonanacatl”. It is the second

known macro-virus (after “Access/Word97.Cross”) that is able to

infect several MS Office applications.

The code of the virus is placed in one module named StrangeDays and contains

eight functions:

AutoClose – Word auto-function, contains infection routine

AutoOpen – Word auto-function, disables VisualBasic code editor (stealth)

AutoExit – Word auto-function, calls AutoClose to infect document

ToolsMacro – disables macros viewing (stealth)

ToolsOptions – disables macros viewing (stealth)

FileTemplates – disables macros viewing (stealth)

ViewVBCode – disables macros viewing (stealth)

Auto_Open – Excel auto-function, hooks sheet activating routine

The virus spreads its code under the “native” application (Word->Word,

Excel->Excel), as well as drops infected files to another application

(Word->Excel and Excel->Word). In both infected Word documents and Excel

sheets, the virus has the same Basic code. It is written in such an accurate

way that is able to be executed with no errors under both Word and Excel

from Office97.

To infect “native” objects (documents or sheets), the virus uses

Import/Export VisualBasic functions: the virus exports its Basic code to

the C:LO.SYS file, and then imports it into non-infected documents (under

Word) and sheets (Excel). In the case of Word, to infect other documents, the

virus intercepts the auto-functions AutoClose and AutoExit and infects

documents that are closed or upon exiting Word. In the case of Excel, the virus

hooks the sheet-activation routine, the auto-function Auto_Open does that when

an infected sheet is opened.

To infect another application, the virus uses a trick with the auto-loading

ability of Word and Excel to load templates (Word) and sheets (Excel) from

the start-up directory. To infect Word from Excel, the virus creates new

NORMAL.DOT (Word) and PERSONAL.XLS (Excel) files in the start-up directory.

Both of these NORMAL.DOT and PERSONAL.XLS contain just a small 17-line

routine that is not the virus itself, but the virus loader. This loader has

an auto-name (Auto_Close in Excel and AutoExec in Word), and is executed by

the system, when Word starts, with an infected NORMAL.DOT, or Excel closes, with an infected

PERSONAL.XLS. In both cases, the loader reads (imports) the complete virus code

from the C:LO.SYS file to the current object (NORMAL template or

PERSONAL.XLS) and as a result, infects it. The loader then saves the

infected result to the original file (NORMAL.DOT or PERSONAL.XLS) and exits. On

next loading, both Word and Excel will load their NORMAL.DOT and

PERSONAL.XLS with the complete virus code inside, and as a result, the virus

will continue its propagation.

The virus has stealth and anti-warning abilities: it disables the

Tools/Macro, Tools/Options, File/Templates and View/VBCode menu items as

well as turns off VisualBasicEditor and VirusProtection. It also changes

VirusProtection instructions in the system registry.

On the 26th of any month, it displays a MessageBox and deletes all files in

the current directory, and the text in the MessageBox is as follows:

Strange Days by Reptile/29A

Strange days have found us

Strange days have tracked us down

They’re going to destroy…