Summary

XM/Neg is an Excel macro virus. When an infected workbook is opened, the virus first removes several menus from the Excel.

Additional Details

Then it creates an infected workbook, "DOLLAR.XLM", to the Excel startup directory. After that every workbook that is opened with Excel will be infected.

The virus activates its payload if the infected workbook is closed on the 13th day of any month. On this date it appends a small code to the "C:\AUTOEXEC.BAT" file. On the next restart, this code will delete all "*.com", "*.vxd", "*.drv" and "*.dll" files from the Windows directory "C:\WINDOWS". The payload does not work in Windows NT. Then the virus shows a message box with the following text:

    Excellent!!! now 1 dollar = 10000 rupiah

[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]