Threat Description



Aliases:Pinkpick, X97M/Pinkpick, X97M.Pink.A.Gen


Pinkpick is an Excel macro virus.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.


You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.

Technical Details


X97M/Pinkpick.A is an Excel macro virus that activates on opening. During that time it executes a subroutine "pink" that is the main part of the virus.

Pinkpick.A drops its code in Excel's startup directory in a file B00k1.xls. If a workbook contains one sheet only, the virus does not infect it.

While infecting different workbooks, Pinkpick uses different module names. The first letter of the module name it takes from the first letter of the workbook that it infected. If the first character is not a letter then it uses 'N'. The second letter in the module's name is always 'V'. The virus uses this to recognize itself. If the name of the workbook starts with "Book", then the virus saves it.

The payload is to set a random password when the sum of the day and the month is 13 or 22, also if the month is June and the day is 15. At that time is also changes the cell format, column with, row height and zoom to 25.

Technical Details: Katrin Tocheva, F-Secure Corporation; May, 2001


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More