X97M/Pinkpick.A is an Excel macro virus that activates on
opening. During that time it executes a subroutine "pink" that is
the main part of the virus.
Pinkpick.A drops its code in Excel's startup directory in a file
B00k1.xls. If a workbook contains one sheet only, the virus does
not infect it.
While infecting different workbooks, Pinkpick uses different
module names. The first letter of the module name it takes from
the first letter of the workbook that it infected. If the first
character is not a letter then it uses 'N'. The second letter in
the module's name is always 'V'. The virus uses this to recognize
itself. If the name of the workbook starts with "Book", then the
virus saves it.
The payload is to set a random password when the sum of the day
and the month is 13 or 22, also if the month is June and the day
is 15. At that time is also changes the cell format, column with,
row height and zoom to 25.
[Analysis: Katrin Tocheva, F-Secure Corporation; May, 2001]
![](/images/pixel.gif"){kind=tracking}
