F-Secure Virus Descriptions : Barisada
X97M/Barisada is an Excel macro virus.
When an infected workbook is deactivated, the virus drops its code to
the "hjb.xls" file in the Excel startup directory. After Excel has been
restarted, every workbook be will infected.
The virus activates its payload at 2 pm on April, 24th. At this time,
the virus shows a series of dialogs. The first dialog asks the following
question:
Question : What is the Sword Which Karl Styner(=Gray Scavenger) used?
Answer : Barisada
If the user selects the "No" button, the following message box is shown:
Good! You're Authorized now!!
If the user selects the "Yes" button, the following message box is shown:
I wil give you one more Chance. Be careful!!
Next the following dialog is shown:
Summoning Xavier is the Ultimate Magic. Right?
Again, selecting "Yes" will only show a message box:
ok , i will forgive you
However, selecting "No" will show a message box:
Wrong Answer, Your file will be deleted!
and the virus will clear all cells from every open workbook.
X97M/Barisada.B is a slightly modified variant of X97M/Barisada.A. The
name of the file that it drops is different - "rmc.xls".
This variant is modified from X97M/Barisada.A - the name of the file
created to Excel startup directory is different: "khm.xls".
This variant is functionally identical with X97M/Barisada.A.
This variant is a slightly modified variant of X97M/Barisada.A. The name of
the dropped file is changed to "Book1".
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure; August 2000-April 2003]
|
