Summary

X97M/Barisada is an Excel macro virus.

When an infected workbook is deactivated, the virus drops its code to the "hjb.xls" file in the Excel startup directory. After Excel has been restarted, every workbook be will infected.

The virus activates its payload at 2 pm on April, 24th. At this time, the virus shows a series of dialogs. The first dialog asks the following question:

 
    Question : What is the Sword Which Karl Styner(=Gray Scavenger) used?
    Answer : Barisada

If the user selects the "No" button, the following message box is shown:

 
    Good! You're Authorized now!!

If the user selects the "Yes" button, the following message box is shown:

 
    I wil give you one more Chance. Be careful!!

Next the following dialog is shown:

 
    Summoning Xavier is the Ultimate Magic. Right?

Again, selecting "Yes" will only show a message box:

 
    ok , i will forgive you

However, selecting "No" will show a message box:

 
    Wrong Answer, Your file will be deleted!

and the virus will clear all cells from every open workbook.

X97M/Barisada.B is a slightly modified variant of X97M/Barisada.A. The name of the file that it drops is different - "rmc.xls".

This variant is modified from X97M/Barisada.A - the name of the file created to Excel startup directory is different: "khm.xls".

This variant is functionally identical with X97M/Barisada.A.

This variant is a slightly modified variant of X97M/Barisada.A. The name of the dropped file is changed to "Book1".

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; August 2000-April 2003]