Class Virus
Platform MSOffice

Technical Details

When the virus is activated from an infected Word document, it first of all disables Word anti-virus protection, and checks for the NORMAL.DOT template, then it

and looks for virus presence in it. If this file is not infected yet, the

virus considers the system uninfected, and starts entering other

Office components. These operations contain three steps: Word Infection,

Excel Infection and PowerPoint infection.

1. Word infection is the simplest operation in this virus. It just copies

its code from the current document to normal template (NORMAL.DOT).

2. Excel infection is more complex. First of all, the virus starts a new

Excel instance by using the CreateObject(“Excel.Application”) function. The

virus then checks for the BOOK1 file in the Excel startup folder. In case

this file is not present, the virus infects the Excel. During this,

the virus disables the Excel antiviral protection in the system registry,

creates a new WorkBook, copies its own code to it and saves this file with the

BOOK1 name in the Excel startup folder. Every spreadsheet from this folder

is automatically loaded when Excel starts, and Excel, as a result, is infected upon the next restart.

3. PowerPoint infection is quite the same as in Excel: the virus creates

a new instance of PowerPoint, checks for a presentation called ‘Blank

Presentation.pot’ in the PowerPoint template folder, and tries to locate

a module called ‘Triplicate’ in it. If this module is not present, the

virus infects PowerPoint: it disables the antiviral protection in the

system registry, creates a new module ‘Triplicate’ in the ‘Blank

Presentation.pot’, and copies its virus code to it. After this, the virus adds

a new ‘shape’ into the presentation with the width and height being the same as the slide’s

width and height, and sets the activate procedure for this shape to

“actionhook()” (This procedure will activate when a user clicks on this


Finally, the virus checks for current Word document infection, and infects

it if it has not been infected yet. This branch of the virus routine is executed

only in the case that the virus is loaded from an infected template and a new uninfected document is closed.

Infection via Spreadsheets and Presentations

Excel and PowerPoint procedures are quite the same except for some minor details.

The BOOK1 file in the Excel startup folder is used by the virus as an

identificator of the infected Office. So, the virus first of all looks for this file, and infects Office applications if this file does not

exist. After this, the virus tries to infect the Word application.

1. The virus obtains ‘Word.Application’ objects. Here, the virus uses

another function to obtain an object. Instead of CreateObjects(), the virus

uses the GetObject() function. This function obtains objects from the currently

active instance of application. The virus needs that to infect NORMAL.DOT,

which cannot be accessed for writing if it is already opened by another

instance of Word. If Word is not active at the moment, the virus just

created new Word sample.

When the Word application is accessed, the virus starts its spreading

routine. It deletes all code in the normal template, creates the

‘DisableAV()’ procedure, and copies a block of the virus’ code there,

executes and deletes it. This short (just eight lines) procedure disables

Excel and PowerPoint antiviral protection. Then the virus copies its code

from an infected file to the normal template. The Word infection is complete.

2. At this stage, Excel and PowerPoint applications are infected. The virus

infects the Excel startup folder from the PowerPoint presentation, or inserts

its code to the PowerPoint template exactly as described above when the

virus spreads from an infected Word document.

PowerPoint activation procedure has a small additional detail: the virus

activates its infection code on on one-in-seven basis depending on the system’s

random counter.

Find out the statistics of the threats spreading in your region