Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass.

The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources).

Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated.

Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.

Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
  • when infecting accessible disks, a virus penetrates a file located on a network resource
  • a virus copies itself to a removable storage device or infects a file on a removable device
  • a user sends an email with an infected attachment

Platform: MSOffice

Microsoft Office is a multiplatform suite of productivity applications published by Microsoft. Office applications are compatible with many types of files and content.


Technical Details

When the virus is activated from an infected Word document, it first of all disables Word anti-virus protection, checks for the NORMAL.DOT template, and then looks for virus presence in it. If this file is not infected yet, the virus considers the system uninfected, and starts entering other Office components. This operation consists of three steps: Word infection, Excel infection and PowerPoint infection.

1. Word infection is the simplest operation in this virus. It just copies its code from the current document to the normal template (NORMAL.DOT).

2. Excel infection is more complex. First of all, the virus starts a new Excel instance by using the CreateObject("Excel.Application") function. The virus then checks for the BOOK1 file in the Excel startup folder. If this file is not present, the virus infects Excel. During this, the virus disables the Excel antiviral protection in the system registry, creates a new WorkBook, copies its own code to it and saves this file with the BOOK1 name in the Excel startup folder. Every spreadsheet from this folder is automatically loaded when Excel starts, and Excel, as a result, is infected upon the next restart.

3. PowerPoint infection is quite the same as in Excel: the virus creates a new instance of PowerPoint, checks for a presentation called 'Blank Presentation.pot' in the PowerPoint template folder, and tries to locate a module called 'Triplicate' in it. If this module is not present, the virus infects PowerPoint: it disables the antiviral protection in the system registry, creates a new module 'Triplicate' in the 'Blank Presentation.pot', and copies its virus code to it. After this, the virus adds a new 'shape' into the presentation with the width and height being the same as the slide's width and height, and sets the activate procedure for this shape to "actionhook()" (This procedure will activate when a user clicks on this shape).

Finally, the virus checks for current Word document infection, and infects it if it has not been infected yet. This branch of the virus routine is executed only in the case that the virus is loaded from an infected template and a new uninfected document is closed.

Infection via Spreadsheets and Presentations

Excel and PowerPoint procedures are quite the same except for some minor details.

The BOOK1 file in the Excel startup folder is used by the virus as a marker of an infected Office installation. So, the virus first of all looks for this file, and infects Office applications if this file does not exist. After this, the virus tries to infect the Word application.

1. The virus obtains the 'Word.Application' object. Here, the virus uses a different function to obtain the object: instead of CreateObject(), it uses the GetObject() function, which obtains the object from the currently active instance of the application. The virus needs this to infect NORMAL.DOT, which cannot be opened for writing if it is already open in another instance of Word. If Word is not active at the moment, the virus just creates a new Word instance.

When the Word application is accessed, the virus starts its spreading routine. It deletes all code in the normal template, creates the 'DisableAV()' procedure, and copies a block of the virus' code there, executes and deletes it. This short (just eight lines) procedure disables Excel and PowerPoint antiviral protection. Then the virus copies its code from an infected file to the normal template. The Word infection is complete.

2. At this stage, Excel and PowerPoint applications are infected. The virus infects the Excel startup folder from the PowerPoint presentation, or inserts its code to the PowerPoint template exactly as described above when the virus spreads from an infected Word document.

The PowerPoint activation procedure has a small additional detail: the virus activates its infection code on a one-in-seven basis depending on the system's random counter.
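
The on-disk artifacts described above (a BOOK1 workbook in the Excel startup folder, and the 'Blank Presentation.pot' template that receives the 'Triplicate' module) can be looked for during triage. The following Python script is an added example, not part of the original description; it assumes the Excel startup folder is named XLSTART, and the files it scans in demo() are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # OLE2 compound-file signature
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")   # directory-entry name of a VBA project

def inspect(path):
    """Describe one candidate file: hash, OLE container?, VBA project entry seen?"""
    data = path.read_bytes()
    is_ole = data.startswith(OLE_MAGIC)
    return {
        "path": str(path),
        "sha256": hashlib.sha256(data).hexdigest(),
        "ole": is_ole,
        # OLE directory names are stored as UTF-16LE, so a raw search finds them.
        "vba_entry": is_ole and VBA_MARK in data,
    }

def triage(root):
    """Walk root and return findings for the two on-disk artifacts the write-up names."""
    findings = []
    for p in sorted(Path(root).rglob("*")):
        if not p.is_file():
            continue
        # Marker 1: a workbook named BOOK1 inside the Excel startup folder.
        if p.parent.name.lower() == "xlstart" and p.stem.lower() == "book1":
            findings.append({"artifact": "excel-startup-book1", **inspect(p)})
        # Marker 2: the blank-presentation template that receives 'Triplicate'.
        elif p.name.lower() == "blank presentation.pot":
            findings.append({"artifact": "ppt-blank-template", **inspect(p)})
    return findings

def demo():
    """Run the triage over a constructed tree (stand-ins, not real Office files)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        xlstart = root / "Office" / "XLSTART"
        xlstart.mkdir(parents=True)
        (root / "Templates").mkdir()
        # Constructed sample: OLE signature plus a VBA directory-entry name.
        (xlstart / "BOOK1.xls").write_bytes(OLE_MAGIC + b"\0" * 64 + VBA_MARK)
        (xlstart / "budget.xls").write_bytes(OLE_MAGIC + b"\0" * 64)
        (root / "Templates" / "Blank Presentation.pot").write_bytes(OLE_MAGIC + b"\0" * 64)
        return [(f["artifact"], f["ole"], f["vba_entry"]) for f in triage(root)]

if __name__ == "__main__":
    for row in demo():
        print(row)
```

A hit on the blank template only means the file exists and should have its modules inspected for 'Triplicate'; this example does not parse PowerPoint's container, so the vba_entry field is meaningful for the workbook check only.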

