Summary

X97M/Anis is a simple Excel macro virus.

When an infected workbook is opened, X97M/Anis.A creates "AutoRun.xla" into Excel's startup directory and infects it.

The virus infects all workbooks that are opened, closed or saved.

It attempts to disable items from the "Tools" menu and attempts to hook items in the "File" menu.

Anis has two different payloads. When saving a workbook or exiting the program it checks if the current day is 5th, 10th, 15th, 20th, 25th or 30th, and if so, it shuts down Windows. The virus also displays a message on 26th of every month, written in Japanese. Therefore message is not readable on versions of Excel that do not support doublebyte characters, such as the the English version.



VARIANT:Anis.C

This variant does not infect workbooks when an infected workbook is opened. Otherwise it is identical to X97M/Anis.A.



VARIANT:Anis.D Anis.D variant is slightly modified Anis.C. Functionally it is similar to Anis.C



F-Secure Anti-Virus detects Anis.C since June 14th, 2002 and Anis.D since August 5th, 2002.

[Analysis: Katrin Tocheva and Veli-Jussi Kesti; F-Secure Corp.; June 14th, 2002]