To run, the virus first lowers the security settings. Then it
saves its code in a file, Maike.sys, which it places in the Windows
System folder. Ekiam.A then uses this file to import the virus
code during infection.
The payload of the virus activates when the system date is the 1st,
14th or 28th of any month. In that case Ekiam.A changes the Windows
registry so that the registered owner, the registered organization
and the Product Id are changed respectively to "Maike you are", "the
most beautiful", "girl in the world".
The changed registry values are as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOwner = "Maike you are"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RegisteredOrganization = "the most beautiful"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ProductId = "girl in the world"
To hide the virus code from the user, Ekiam intercepts the Tools
Macro, File Templates and View VBCode menus.
Ekiam also contains commented text that it never shows.
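A triage check built from the traces described above (the Maike.sys file and the three registry values), added here as an example and not part of the original description. It assumes the registry key was dumped as text with `reg query` and that the System folder listing is supplied as a list of file names; the function names and the sample input are constructed for illustration.

```python
import re

# Indicators taken from the description above.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
PAYLOAD_VALUES = {
    "RegisteredOwner": "Maike you are",
    "RegisteredOrganization": "the most beautiful",
    "ProductId": "girl in the world",
}
DROPPED_FILE = "maike.sys"

# `reg query` prints each value as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
_VALUE_LINE = re.compile(r"^\s+(\S.*?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Parse `reg query` text output into {key: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(3).strip()
        elif line.strip().upper().startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
    return keys

def check_ekiam(reg_text, system_folder_files):
    """Return the Ekiam.A traces found in a registry dump and a file listing."""
    values = {}
    for key, vals in parse_reg_query(reg_text).items():
        if key.lower() == KEY.lower():
            values = vals
    hits = [n for n, d in PAYLOAD_VALUES.items()
            if values.get(n, "").lower() == d.lower()]
    dropped = any(f.lower() == DROPPED_FILE for f in system_folder_files)
    # The registry payload only fires on the 1st, 14th or 28th, so a clean
    # registry with Maike.sys present still points to an infection.
    return {"payload_values": hits, "dropped_file": dropped,
            "suspicious": bool(hits) or dropped}

# Constructed sample input (not captured from a real host).
SAMPLE_REG = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion
    ProgramFilesDir    REG_SZ    C:\\Program Files
    RegisteredOwner    REG_SZ    Maike you are
    RegisteredOrganization    REG_SZ    Example Corp
    ProductId    REG_SZ    girl in the world
"""

if __name__ == "__main__":
    print(check_ekiam(SAMPLE_REG, ["Maike.sys", "user.exe"]))
```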
F-Secure Anti-Virus detects Ekiam.A heuristically. Exact
detection was published in update:
[Analysis: Katrin Tocheva; F-Secure Corp.; February 25th, 2003]