Kaspersky Threats

Class

Platform

Description

Technical Details

This is the second macro-virus that also has pretensions to be The Number
One in the “Macro.Visio” family. This virus is more complex than
Macro.Visio.Radiant – it uses encryption and special
tricks to hide its body in infected files.

The virus infects Visio documents, and stencils and templates upon opening an
infected document. It enumerates all opened documents, stencils and
templates and infects them by coping the virus body into them. To mark already
infected documents, the virus writes “Visio2k.Unstable” into their
description and does not infect documents with such a mark.

To hide itself, the virus closes all opened widows in the VBA editor, disables
Visual Basic Editor’s menus and “Standard” toolbar. In case a user tries to
edit the macros inside infected documents, he/she will see just the empty editor’s
main window without any menus, toolbars and child windows.

The virus has a payload that triggers on the 31st, and it displays the message:

  Visio2000.Unstable
   Unstable, it's hard to be the one who's strong
   Who's always got a shoulder to cry on
   Who's got a shoulder for me?

The virus contains three procedures in module “ThisDocument” –
“Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected
documents second procedure is unreadable because of encryption. The virus
decrypts this procedure only just before its call.

Find out the statistics of the threats spreading in your region

Class	Virus
Platform	MSVisio
Description	Technical Details This is the second macro-virus that also has pretensions to be The Number One in the “Macro.Visio” family. This virus is more complex than Macro.Visio.Radiant – it uses encryption and special tricks to hide its body in infected files. The virus infects Visio documents, and stencils and templates upon opening an infected document. It enumerates all opened documents, stencils and templates and infects them by coping the virus body into them. To mark already infected documents, the virus writes “Visio2k.Unstable” into their description and does not infect documents with such a mark. To hide itself, the virus closes all opened widows in the VBA editor, disables Visual Basic Editor’s menus and “Standard” toolbar. In case a user tries to edit the macros inside infected documents, he/she will see just the empty editor’s main window without any menus, toolbars and child windows. The virus has a payload that triggers on the 31st, and it displays the message: Visio2000.Unstable Unstable, it's hard to be the one who's strong Who's always got a shoulder to cry on Who's got a shoulder for me? The virus contains three procedures in module “ThisDocument” – “Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected documents second procedure is unreadable because of encryption. The virus decrypts this procedure only just before its call.
	Find out the statistics of the threats spreading in your region

Virus.MSVisio.Unstable

Technical Details