It consist of two parts, a clear text part and an encoded part. The
clear text part will take care of decoding the virus code as needed.
The virus activates when an infected document is opened in Word. It
disables the built-in macro virus protection and infects the global
template. When the global tempate is infected, the virus will infect
all opened Word documents.
When the infected document is closed the virus launches Excel. It
checks if there is a file called "Book1." in the Excel's startup
directory, and if the file does not exist it disables the Excel's
macro virus protection via registry. It then creates and infects the
Within Excel the virus activates when an infected sheet is
deactivated. It uses Word to disable Excel's built-in macro virus
protection via registry, and it attempts to infects Word's global
template. Then the "Book1." file will be created to the Excel's startup
directory if it does not exist.
This virus has a non-destructive payload that activates if user opens
an infected document in Word between 12:10 and 12:25 on any day when
it displays a message box with a title:
Wonder v2.0 by ThE wEiRd GeNiUs
and with a text:
It's time for lunch (UserName)
where (UserName) contains current user name.
This is a corrupted variant that can't infect Excel workbooks.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]