When the virus is activated from an infected Word document, it first of all disables Word anti-virus protection, and checks for the NORMAL.DOT template, then it
and looks for virus presence in it. If this file is not infected yet, the
virus considers the system uninfected, and starts entering other
Office components. These operations contain three steps: Word Infection,
Excel Infection and PowerPoint infection.
1. Word infection is the simplest operation in this virus. It just copies
its code from the current document to normal template (NORMAL.DOT).
2. Excel infection is more complex. First of all, the virus starts a new
Excel instance by using the CreateObject(“Excel.Application”) function. The
virus then checks for the BOOK1 file in the Excel startup folder. In case
this file is not present, the virus infects the Excel. During this,
the virus disables the Excel antiviral protection in the system registry,
creates a new WorkBook, copies its own code to it and saves this file with the
BOOK1 name in the Excel startup folder. Every spreadsheet from this folder
is automatically loaded when Excel starts, and Excel, as a result, is infected upon the next restart.
3. PowerPoint infection is quite the same as in Excel: the virus creates
a new instance of PowerPoint, checks for a presentation called ‘Blank
Presentation.pot’ in the PowerPoint template folder, and tries to locate
a module called ‘Triplicate’ in it. If this module is not present, the
virus infects PowerPoint: it disables the antiviral protection in the
system registry, creates a new module ‘Triplicate’ in the ‘Blank
Presentation.pot’, and copies its virus code to it. After this, the virus adds
a new ‘shape’ into the presentation with the width and height being the same as the slide’s
width and height, and sets the activate procedure for this shape to
“actionhook()” (This procedure will activate when a user clicks on this
Finally, the virus checks for current Word document infection, and infects
it if it has not been infected yet. This branch of the virus routine is executed
only in the case that the virus is loaded from an infected template and a new uninfected document is closed.
Infection via Spreadsheets and Presentations
Excel and PowerPoint procedures are quite the same except for some minor details.
The BOOK1 file in the Excel startup folder is used by the virus as an
identificator of the infected Office. So, the virus first of all looks for this file, and infects Office applications if this file does not
exist. After this, the virus tries to infect the Word application.
1. The virus obtains ‘Word.Application’ objects. Here, the virus uses
another function to obtain an object. Instead of CreateObjects(), the virus
uses the GetObject() function. This function obtains objects from the currently
active instance of application. The virus needs that to infect NORMAL.DOT,
which cannot be accessed for writing if it is already opened by another
instance of Word. If Word is not active at the moment, the virus just
created new Word sample.
When the Word application is accessed, the virus starts its spreading
routine. It deletes all code in the normal template, creates the
‘DisableAV()’ procedure, and copies a block of the virus’ code there,
executes and deletes it. This short (just eight lines) procedure disables
Excel and PowerPoint antiviral protection. Then the virus copies its code
from an infected file to the normal template. The Word infection is complete.
2. At this stage, Excel and PowerPoint applications are infected. The virus
infects the Excel startup folder from the PowerPoint presentation, or inserts
its code to the PowerPoint template exactly as described above when the
virus spreads from an infected Word document.
PowerPoint activation procedure has a small additional detail: the virus
activates its infection code on on one-in-seven basis depending on the system’s