Threat Description



Aliases:Anis, Bdoc2


X97M/Anis is a simple Excel macro virus.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details


When an infected workbook is opened, X97M/Anis.A creates "AutoRun.xla" into Excel's startup directory and infects it.

The virus infects all workbooks that are opened, closed or saved.

It attempts to disable items from the "Tools" menu and attempts to hook items in the "File" menu.

Anis has two different payloads. When saving a workbook or exiting the program it checks if the current day is 5th, 10th, 15th, 20th, 25th or 30th, and if so, it shuts down Windows. The virus also displays a message on 26th of every month, written in Japanese. Therefore message is not readable on versions of Excel that do not support doublebyte characters, such as the the English version.


This variant does not infect workbooks when an infected workbook is opened. Otherwise it is identical to X97M/Anis.A.


Anis.D variant is slightly modified Anis.C. Functionally it is similar to Anis.C

F-Secure Anti-Virus detects Anis.C since June 14th, 2002 and Anis.D since August 5th, 2002.

Description Created: Analysis: Katrin Tocheva and Veli-Jussi Kesti; F-Secure Corp.; June 14th, 2002


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More