Class Virus
Platform MSVisio

Technical Details

This is the first known macro-virus infecting Visio documents, stencils and
templates (Visio is the system to create, edit and store business drawing
and diagrams – see To automate data processing, Visio
uses macro-programs written in VBA language (Visual Basic for Applications)
– the same that is used in MS Office applications. As a result, the viruses
in Visio are very similar to MS Office viruses, and they are able to infect
Visio files in a very similar ways.

The virus itself is rather simple. It contains one procedure that is
assigned with the “BeforeDocumentClose” event (it is activated upon document
closing). When the virus procedure gains control, it enumerates and infects
all opened documents. Because of the internal structure of Visio, the virus,
while searching for documents, enumerates not only document files, but also
stencils and templates as well.

The Visio stencils are similar to, for example, Word templates. These files
contain library data for common use while creating and editing Visio
documents. These stencils are automatically opened and processed by Visio
in case of need (if a document uses them). In case these stencils are
infected, the virus is loaded when a document accesses an infected
stencil, and is activated upon this stencil’s closing. At this moment, the virus
infects all Visio files that are opened. As a result, if Visio stencils are
infected, every document that is created or edited will be infect upon

Because of this Visio feature, the virus can spread very quickly through
Visio files.

The virus has a payload procedure: upon every launch, it creates the INDEX.HTML
file in the root directory of the C: drive. This file contains following

       A Multitude of Suns
      Orbit in Empty Space
   They Speak with their light
       to all that is dark.
    To me they remain silent.

  Greets to all the VX Community
        And Radiant Angels



At the very end of the virus macro-code there is a short line of symbols (a
comment). It seems this line is encrypted information about the virus author,
but the type of cipher and the key used for encryption of the text string
are unknown.