This macro-virus infects Office97 Word documents and Excel sheets. It was
named after its internal location: “teonanacatl”. It is the second
known macro-virus (after “Access/Word97.Cross”) that is able to
infect several MS Office applications.
The code of the virus is placed in one module named StrangeDays and contains
The virus spreads its code under the “native” application (Word->Word,
Excel->Excel), as well as drops infected files to another application
(Word->Excel and Excel->Word). In both infected Word documents and Excel
sheets, the virus has the same Basic code. It is written in such an accurate
way that is able to be executed with no errors under both Word and Excel
To infect “native” objects (documents or sheets), the virus uses
Import/Export VisualBasic functions: the virus exports its Basic code to
the C:LO.SYS file, and then imports it into non-infected documents (under
Word) and sheets (Excel). In the case of Word, to infect other documents, the
virus intercepts the auto-functions AutoClose and AutoExit and infects
documents that are closed or upon exiting Word. In the case of Excel, the virus
hooks the sheet-activation routine, the auto-function Auto_Open does that when
an infected sheet is opened.
To infect another application, the virus uses a trick with the auto-loading
ability of Word and Excel to load templates (Word) and sheets (Excel) from
the start-up directory. To infect Word from Excel, the virus creates new
NORMAL.DOT (Word) and PERSONAL.XLS (Excel) files in the start-up directory.
Both of these NORMAL.DOT and PERSONAL.XLS contain just a small 17-line
routine that is not the virus itself, but the virus loader. This loader has
an auto-name (Auto_Close in Excel and AutoExec in Word), and is executed by
the system, when Word starts, with an infected NORMAL.DOT, or Excel closes, with an infected
PERSONAL.XLS. In both cases, the loader reads (imports) the complete virus code
from the C:LO.SYS file to the current object (NORMAL template or
PERSONAL.XLS) and as a result, infects it. The loader then saves the
infected result to the original file (NORMAL.DOT or PERSONAL.XLS) and exits. On
next loading, both Word and Excel will load their NORMAL.DOT and
PERSONAL.XLS with the complete virus code inside, and as a result, the virus
will continue its propagation.
The virus has stealth and anti-warning abilities: it disables the
Tools/Macro, Tools/Options, File/Templates and View/VBCode menu items as
well as turns off VisualBasicEditor and VirusProtection. It also changes
VirusProtection instructions in the system registry.
On the 26th of any month, it displays a MessageBox and deletes all files in
the current directory, and the text in the MessageBox is as follows: