X97M/Anis is a simple Excel macro virus.
When an infected workbook is opened, X97M/Anis.A creates "AutoRun.xla"
into Excel's startup directory and infects it.
The virus infects all workbooks that are opened, closed or saved.
It attempts to disable items from the "Tools" menu and attempts to
hook items in the "File" menu.
Anis has two different payloads. When saving a workbook or exiting the
program it checks if the current day is 5th, 10th, 15th, 20th, 25th or
30th, and if so, it shuts down Windows. The virus also displays a
message on 26th of every month, written in Japanese. Therefore message
is not readable on versions of Excel that do not support doublebyte
characters, such as the the English version.
This variant does not infect workbooks when an infected workbook is
opened. Otherwise it is identical to X97M/Anis.A.
Anis.D variant is slightly modified Anis.C. Functionally it is
similar to Anis.C
F-Secure Anti-Virus detects Anis.C since June 14th, 2002 and
Anis.D since August 5th, 2002.
[Analysis: Katrin Tocheva and Veli-Jussi Kesti; F-Secure Corp.; June 14th, 2002]