When an infected workbook is opened, the virus first creates an
executable file "c:\demiurg.exe" and executes it.
Then the virus infects the KERNEL32.DLL file (one of the main
Windows components). As this file is always locked by Windows, the
virus copies it from the \System\ directory to the root \Windows\
directory and infects it there (on NT and Win2k systems
KERNEL32.DLL is copied from the \System32\ folder). The virus does not
attempt to copy the infected KERNEL32.DLL file back to the \System\
folder, but the system gets infected on the next startup anyway, as Windows
first checks for this DLL in the root folder and runs the infected
copy if it is found there.
Then, if Excel is installed in the system, the virus creates the
DEMIURG.SYS file in the root C:\ folder and also the DEMIURG.XLS file in
the Microsoft Excel startup folder.
After that, the virus imports the previously dropped "c:\demiurg.sys"
whenever a workbook is opened in Excel. This file contains the macro virus
code.
Also, just after startup the virus accesses the Windows Registry and sets the
value of the 'Options6' subkey in the
'HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel' key to
zero. If Excel is not installed, the SYS and XLS files are not created
and the virus acts as a normal Win32 resident appending virus.
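The two passages above describe a set of on-disk indicators: a second KERNEL32.DLL placed in the Windows root folder that shadows the system copy, the DEMIURG.SYS and DEMIURG.EXE droppers in the root of C:\, and DEMIURG.XLS in the Excel startup folder. The following script is an added example (not part of the F-Secure analysis) that checks a drive layout for exactly these indicators and compares the shadow DLL's hash against the copy in the System folder. The directory arguments are assumptions so that it can be run against a mounted image; the `demo()` function builds a constructed tree with placeholder file contents rather than real binaries.

```python
"""Added example: offline check for the dropped files and the KERNEL32.DLL
shadow copy described in the analysis. Not F-Secure's code.

Directory locations are passed in (assumption: the caller knows the layout
of the image being scanned). demo() constructs a throwaway tree for testing.
"""
import hashlib
import os
import tempfile

DROPPED_NAMES = ("DEMIURG.EXE", "DEMIURG.SYS")  # dropped in the root folder per the analysis
EXCEL_STARTUP_NAME = "DEMIURG.XLS"              # dropped in the Excel startup folder


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_case_insensitive(directory, name):
    """Return the path of `name` in `directory`, matched case-insensitively
    (the FAT/NTFS volume was case-insensitive; the image we scan may not be)."""
    if not os.path.isdir(directory):
        return None
    for entry in os.listdir(directory):
        if entry.lower() == name.lower():
            return os.path.join(directory, entry)
    return None


def check_host(drive_root, windows_dir, system_dir, excel_startup_dir=None):
    """Return a list of finding strings for the indicators the analysis lists."""
    findings = []
    # 1. A KERNEL32.DLL in the Windows root folder shadows the System copy.
    shadow = find_case_insensitive(windows_dir, "KERNEL32.DLL")
    canonical = find_case_insensitive(system_dir, "KERNEL32.DLL")
    if shadow:
        if canonical and sha256_of(shadow) == sha256_of(canonical):
            findings.append(f"KERNEL32.DLL copy in {windows_dir} (identical to system copy)")
        else:
            findings.append(f"KERNEL32.DLL in {windows_dir} differs from system copy: suspect")
    # 2. Dropper files in the root of the drive.
    for name in DROPPED_NAMES:
        p = find_case_insensitive(drive_root, name)
        if p:
            findings.append(f"dropped file present: {p}")
    # 3. Workbook in the Excel startup folder.
    if excel_startup_dir:
        p = find_case_insensitive(excel_startup_dir, EXCEL_STARTUP_NAME)
        if p:
            findings.append(f"Excel startup dropper present: {p}")
    return findings


def demo():
    """Build a constructed directory tree mimicking an infected host and scan it."""
    root = tempfile.mkdtemp()
    win = os.path.join(root, "WINDOWS")
    sys_ = os.path.join(win, "SYSTEM")
    xlstart = os.path.join(root, "XLSTART")  # assumed startup folder location, constructed
    for d in (win, sys_, xlstart):
        os.makedirs(d)
    with open(os.path.join(sys_, "KERNEL32.DLL"), "wb") as f:
        f.write(b"MZ clean kernel32 (constructed placeholder)")
    with open(os.path.join(win, "KERNEL32.DLL"), "wb") as f:
        f.write(b"MZ clean kernel32 (constructed placeholder) + appended body")
    with open(os.path.join(root, "DEMIURG.SYS"), "wb") as f:
        f.write(b"constructed macro payload placeholder")
    with open(os.path.join(xlstart, "demiurg.xls"), "wb") as f:
        f.write(b"constructed placeholder")
    return check_host(root, win, sys_, xlstart)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hash comparison matters because a KERNEL32.DLL in the root folder is only an anomaly until it is shown to differ from the System copy; an identical file would be a stray copy, not the infected one the analysis describes.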
After a system restart the infected KERNEL32.DLL is loaded into memory,
the virus traps several file access functions (run, copy, create,
rename) and infects BAT (batch), DOS COM, DOS EXE, Windows NE EXE and
Windows PE EXE files. The BAT files are infected the following way -
the virus writes several batch commands and its body in binary form
to the end of the file. When the infected batch file is executed, the
virus creates a file called DEMIURG.EXE in the root C:\ folder and runs
it. The DOS COM files are converted by the virus to EXE format and
then infected. When an infected file is run it creates the DEMIURG.EXE
file in the root C:\ folder and runs it. Then control is passed to the
original file code.
The DOS EXE and Windows NE EXE files are infected in a slightly different
way. The virus writes a piece of code and its body to the end of these
files and redirects the entry point to that code. When an infected file is
run the code creates the DEMIURG.EXE file in the root C:\ folder and runs
it. Then control is passed to the original file code. The Windows
PE EXE files are infected the standard way - the virus writes its body
to the end of the file (into the file's last section) and redirects the
entry point to its startup code. The virus is not encrypted or
polymorphic, though it can change the API address call table and some
ASCII data (location of the XLS startup directory) inside its body during
infection.
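The PE infection method just described (body appended to the last section, entry point redirected into it) leaves a structural trace that does not depend on any byte signature: the entry point of a normally linked executable sits in a code section near the start of the image, not in the last section, and certainly not in a section marked as data. The following is an added example (not F-Secure's code) of a minimal PE header parser with that heuristic, applicable to appending infectors in general rather than only to this one. The sample images are constructed in-line with `build_pe()` and are headers only; they are not real programs, and the section layout and flag values used in them are my assumptions.

```python
"""Added example: heuristic for the appending-infector pattern (entry point
redirected into the last section of a PE file). Not F-Secure's code.

Parses only the header fields it needs. Sample images are constructed.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data):
    """Return (entry_point_rva, [(name, va, vsize, raw_ptr, raw_size, chars), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4                                  # COFF file header (20 bytes)
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                                      # optional header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    sections = []
    off = opt + opt_size                                 # section table follows
    for _ in range(num_sections):
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append((name, va, vsize, raw_ptr, raw_size, chars))
        off += 40
    return entry_rva, sections


def entry_point_findings(data):
    """Flags raised when the entry point looks like it was redirected by an appender."""
    entry_rva, sections = parse_pe(data)
    if not sections:
        return ["no sections"]
    ep_section = None
    for idx, (name, va, vsize, raw_ptr, raw_size, chars) in enumerate(sections):
        if va <= entry_rva < va + max(vsize, raw_size):
            ep_section = idx
            break
    if ep_section is None:
        return ["entry point outside every section"]
    name, va, vsize, raw_ptr, raw_size, chars = sections[ep_section]
    flags = []
    if len(sections) > 1 and ep_section == len(sections) - 1:
        flags.append(f"entry point in last section '{name}'")
    if not chars & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
        flags.append(f"entry section '{name}' not marked code/executable")
    return flags


def classify(data):
    flags = entry_point_findings(data)
    return ("suspect" if flags else "clean", flags)


def build_pe(sections, entry_rva):
    """Construct a minimal PE32 image (headers plus zeroed section bodies) for
    testing; `sections` is a list of (name, va, vsize, characteristics)."""
    num, opt_size, file_align = len(sections), 224, 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * num
    headers_len = (headers_len + file_align - 1) // file_align * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    sec_hdrs, raw_ptr = bytearray(), headers_len
    for name, va, vsize, chars in sections:
        raw_size = (vsize + file_align - 1) // file_align * file_align
        hdr = bytearray(40)
        hdr[:8] = name.encode("ascii").ljust(8, b"\0")
        struct.pack_into("<IIII", hdr, 8, vsize, va, raw_size, raw_ptr)
        struct.pack_into("<I", hdr, 36, chars)
        sec_hdrs += hdr
        raw_ptr += raw_size
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(sec_hdrs)
    return image.ljust(raw_ptr, b"\0")


CODE = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | 0x40000000   # + MEM_READ
DATA = 0x00000040 | 0x40000000 | 0x80000000                     # INITIALIZED_DATA, R/W
# Constructed clean layout: entry point at the start of .text.
CLEAN = build_pe([(".text", 0x1000, 0x400, CODE), (".data", 0x2000, 0x200, DATA)], 0x1000)
# Constructed appended layout: last section grown and entry point moved into it.
APPENDED = build_pe([(".text", 0x1000, 0x400, CODE), (".data", 0x2000, 0x1200, DATA)], 0x2200)

if __name__ == "__main__":
    print("clean sample:", classify(CLEAN))
    print("appended sample:", classify(APPENDED))
```

The heuristic is deliberately narrow: packed or self-extracting executables also place their entry point in an unusual section, so a hit is a reason to look closer, not a verdict. It does, however, catch the infected-file shape independently of the API table and ASCII data the virus may change between infections.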
It is advised to disinfect the virus from DOS using a DOS-based
scanner, as KERNEL32.DLL and some infected files might be locked while
Windows is active.
[Analysis: Katrin Tocheva, Alexey Podrezov and Sami Rautiainen; F-Secure Corp., January 2001]