Threat Description

CSV

Details

Aliases: CSV, Galadriel, Gala
Category: Malware
Type:
Platform: W32

Summary



CSC/CSV is the first Corel Script virus.

Corel Script is the built-in script language of several Corel applications, including Corel Draw. These scripts are stored in plain text files with the extension "*.csc".



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details




Variant: CSV.A

CSC/CSV.A is a quite simple prepending virus. When an infected script is executed, it attempts to infect all files with the extension "*.csc" in the current directory.

Before the virus attempts to infect the file, it checks if the file is already infected. It tests if the first line of the file starts with the following text:

 REM ViRUS

If this text does not exist, the virus first renames the target file to "mallorn.tmp". Then it creates a new file using the name of the target file. Next it copies itself to this new file and finally appends the contents of "mallorn.tmp" to the end of the file.

After this has been done, the virus will delete the "mallorn.tmp" file, and proceed to the next file.
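The self-check described above also works as a simple triage test for defenders. The following added example (not F-Secure's code or part of the original description) scans one directory for "*.csc" files whose first line starts with the marker and notes a leftover "mallorn.tmp". Assumptions: the marker is matched byte-for-byte as quoted, a leftover temporary file is treated as a hint of an interrupted infection, and the sample files are constructed placeholders.

```python
import tempfile
from pathlib import Path

MARKER = b"REM ViRUS"      # first-line infection marker quoted in the description
TEMP_NAME = "mallorn.tmp"  # temporary file name the virus uses while infecting

def first_line(path, limit=256):
    """Return the first line of a file as bytes, without the line ending."""
    with open(path, "rb") as fh:
        return fh.readline(limit).rstrip(b"\r\n")

def scan_directory(directory):
    """Classify every *.csc file in one directory (the virus works per directory)."""
    report = {"marked": [], "clean": [], "unreadable": [], "leftover_temp": False}
    for entry in sorted(Path(directory).iterdir()):
        if not entry.is_file():
            continue
        name = entry.name.lower()
        if name == TEMP_NAME:
            # Assumption: normally deleted by the virus, so a leftover is suspicious.
            report["leftover_temp"] = True
        elif name.endswith(".csc"):
            try:
                line = first_line(entry)
            except OSError:
                report["unreadable"].append(entry.name)
                continue
            key = "marked" if line.startswith(MARKER) else "clean"
            report[key].append(entry.name)
    return report

def demo():
    """Run the scan over constructed sample files (not real samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "infected.csc": b"REM ViRUS\r\nREM constructed placeholder body\r\n",
            "normal.csc": b"REM ordinary script\r\nREM constructed body\r\n",
            "marker_later.csc": b"REM header\r\nREM ViRUS\r\n",  # marker not on line 1
            "empty.CSC": b"",                                    # upper-case extension
            "notes.txt": b"REM ViRUS\r\n",                       # not a .csc file
            "mallorn.tmp": b"REM interrupted copy\r\n",
        }
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return scan_directory(tmp)

if __name__ == "__main__":
    print(demo())
```

A file listed under "marked" only carries the marker text on its first line; confirm with an anti-virus scan before treating it as infected.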

The payload is supposed to activate on June 6th. However, the activation depends on the current date format settings in the Control Panel and it fails with certain settings. If the payload activates, it shows the following message box:

The message is taken from the book "Lord of the Rings" written by J.R.R. Tolkien. It is a part of "Galadriel's Song of Eldamar" and it is written in the language of High Elves.

English translation of the text above is as follows:

 Ah! like gold fall the leaves in the wind, long years numberless
    as the wings of trees! The long years have passed like swift
    draughts of the sweet mead in lofty halls beyond the West, beneath
    the blue vaults of Varda wherein the stars tremble in the song of
    her voice, holy and queenly.

If the virus infects the built-in scripts of Corel Draw, some of these scripts will no longer work. Instead, they give the following Corel Script error message:

 Script <script name> contains an error and could not be run.





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure

