When an infected workbook is opened, the virus first removes several
menus from the Excel.
Then it creates an infected workbook, "DOLLAR.XLM", to the Excel
startup directory. After that every workbook that is opened with
Excel will be infected.
The virus activates its payload if the infected workbook is closed on
the 13th day of any month. On this date it appends a small code to
the "C:\AUTOEXEC.BAT" file. On the next restart, this code will delete
all "*.com", "*.vxd", "*.drv" and "*.dll" files from the Windows
directory "C:\WINDOWS". The payload does not work in Windows NT. Then
the virus shows a message box with the following text:
Excellent!!! now 1 dollar = 10000 rupiah
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
![](/images/pixel.gif"){kind=tracking}
