Virus.MSVisio.Unstable

Class Virus
Platform MSVisio
Description

Technical Details

This is the second macro-virus that also has pretensions to be The Number
One in the “Macro.Visio” family. This virus is more complex than
Macro.Visio.Radiant – it uses encryption and special
tricks to hide its body in infected files.

The virus infects Visio documents, and stencils and templates upon opening an
infected document. It enumerates all opened documents, stencils and
templates and infects them by coping the virus body into them. To mark already
infected documents, the virus writes “Visio2k.Unstable” into their
description and does not infect documents with such a mark.

To hide itself, the virus closes all opened widows in the VBA editor, disables
Visual Basic Editor’s menus and “Standard” toolbar. In case a user tries to
edit the macros inside infected documents, he/she will see just the empty editor’s
main window without any menus, toolbars and child windows.

The virus has a payload that triggers on the 31st, and it displays the message:

  Visio2000.Unstable
   Unstable, it's hard to be the one who's strong
   Who's always got a shoulder to cry on
   Who's got a shoulder for me?

The virus contains three procedures in module “ThisDocument” –
“Document_DocumentOpened()”, “Unstable()” and “ci()”. Inside infected
documents second procedure is unreadable because of encryption. The virus
decrypts this procedure only just before its call.