Additional Details
The virus infects the system, documents and sheets when files are
opened (auto-macros AutoOpen in Word and Auto_Open in Excel). While
infecting, the virus uses the Office97 export/import functions via a
temporary C:\SHIVER.SYS file. It writes (exports) its code to this
file and then reads (imports) it into the object that is being infected.
Under both Word and Excel the virus replicates itself by using
standard tricks. While infecting Word files the virus copies its code
to the document or to the global macro area (NORMAL.DOT). Under Excel
the virus hooks the sheet activation process and sets its infection
macro ShiverTime as the handler. The virus also saves the infected
PERSONAL.XLS file in the Excel startup directory and as a result
infects the system Excel area.
When leaving Word (AutoExit) the virus attempts to spread its code
from Word to Excel. The virus uses the DDE functions: it runs Excel in
a minimized window and passes to it the data and commands necessary to
create the infected PERSONAL.XLS file in the Excel startup directory.
The virus infects Word from Excel in a similar way: it runs Word
minimized, opens the Visual Basic Editor and reads its code from the
C:\SHIVER.SYS file.
The virus does not delete its C:\SHIVER.SYS file after infection and
uses it to re-infect Word if the main virus code was deleted
(disinfected) in documents and NORMAL.DOT. To do that, on each Word
startup the virus looks for the WORD8.DOT file in the Word startup
directory. If there is no such file, the virus creates it and writes a
short FileSaveAs macro to it. This macro contains just a few
commands that import the virus code from C:\SHIVER.SYS into
documents that are saved with a new name. As a result the virus stays
active even if all documents and NORMAL.DOT are disinfected. The virus
uses the same export/import method to create the WORD8.DOT dropper,
with the C:\SENTRY.SYS file used as the source code buffer.
To detect its presence in the system the virus uses the system
Registry and writes its ID values into the key
"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0".
There are two values that mark the virus presence/absence in the system:
Shiver[DDE] = ALT-F11
Shiver[DDE] = NoNos(
Depending on the system random counter the virus resets this key to
"NoNos(" and forces its infection routines to renew the infected
WORD8.DOT and PERSONAL.XLS in the Word and Excel startup directories.
The virus contains these texts:
Shiver[DDE] by ALT-F11 with help from ALT-F4
This is the first virus produced by The Alternative Virus Mafia (AVM)
ALT-F4 - "I was born for dying"
ALT-F11 - "Actions without thoughts"
The virus has stealth abilities. Under Excel it disables the menu
items Window/Unhide... and Tools/Macro. Under Word it also creates
the stealth macros ToolsMacro, FileTemplates and ViewVBCode in the
module "ThisDocument" of NORMAL.DOT. As a result the virus hides
its code. The virus also disables the Office97 virus protection.
Depending on the system random counter the virus runs the following
effects:
- in Excel it inserts this comment into a randomly selected cell:
Shiver[DDE] by ALT-F11
- in Word it creates the C:\SISTER.DLL file, writes the following text
to it and runs WRITE to show it:
Hey Man, I Kinda Like Your Sister
Hey Man, I Hope That's Cool
Hey Man, I Kinda Lose My Mind
Every Single Time I Find Your Sister
Suntanned By The Pool
Hey Man, I Wanna See Her Naked
Hey Man, I'm Always In Her Room
All Alone When No One's There
Going Through Her Underwear
Hey Man, I Gotta See Her Soon
Hey Man, I'll Never Get Her Pregnant
But Hey Man, How Can I Resist Her
The Day I Give Her A Wedding Band
Are You Going To Be My Best Man?
Hey Man, I Kinda Like Your Sister
I Kinda Like Your Sister
I Kinda Like Your Sister
I Kinda Like Her
- in Word it renames the menu items:
Tools/Macro = "Shiver[DDE] by ALT-F11"
File/Versions... = "Cum Stained Sheets..."
Edit/Paste Special... = "Hey Man I Did Your Mom..."
Insert/Break... = "Wanna do some MDMA ?"
Help/About Microsoft Word = "Peace, Love and Drugs"
File/Properties = "I'll die happy, you'll just die"
Edit/Go To... = "Heywood Jablowmi"
Tools/Word Count... = "Body Count"
Format/Font... = "Cunt"
File/Close = "No Clothes"
Window/Split = "Blow Me"
Insert/Picture = "Crusty Porn GIF"
File/Print... = "My Balls Itch"
Format/Bullets and Numbering... = "Pills And Needles"
Table/Insert Table... = "Insert and Probe"
Tools/Customize... = "Sodomize..."
Tools/Spelling and Grammar... = "Spelling and Your Grandma..."
View/Toolbars = "Gaybars"
View/Master Document = "Masturbation"
[Analysis by Kaspersky Labs]
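A triage check for the artifacts named in this description, added here as an example (it is not code from the original analysis): it looks for the buffer, dropper and payload files on a mounted volume and for the marker value in an exported registry file. The function names, the .reg export as input and the reading of Shiver[DDE] as the value name are assumptions.

```python
import os
import re

# Artifact names come from the description above; matching is case-insensitive.
ROOT_FILES = {"shiver.sys": "export/import code buffer",
              "sentry.sys": "source buffer for the WORD8.DOT dropper",
              "sister.dll": "payload text file shown with WRITE"}
STARTUP_FILES = {"word8.dot": "FileSaveAs re-infection dropper",
                 "personal.xls": "legitimate name too: inspect its macros"}
REG_KEY = r"HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0"
REG_VALUE = "Shiver[DDE]"  # assumption: value name; data is ALT-F11 or NoNos(
# Constructed sample of a regedit export, for illustration only.
SAMPLE_REG = ('Windows Registry Editor Version 5.00\n\n'
              '[' + REG_KEY + ']\n"Shiver[DDE]"="NoNos("\n')

def _names(directory):
    """Map lower-cased file names in a directory to their real paths."""
    try:
        return {n.lower(): os.path.join(directory, n) for n in os.listdir(directory)}
    except OSError:
        return {}  # missing or unreadable directory: nothing to report

def scan_files(drive_root, startup_dirs):
    """Return (path, reason) for each artifact found on a mounted volume."""
    present = _names(drive_root)
    hits = [(present[n], why) for n, why in ROOT_FILES.items() if n in present]
    for directory in startup_dirs:  # Word and Excel startup directories
        present = _names(directory)
        hits += [(present[n], why) for n, why in STARTUP_FILES.items() if n in present]
    return hits

def scan_reg_export(text):
    """Return the marker data if the export holds REG_VALUE under REG_KEY."""
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section and section.lower() == REG_KEY.lower():
            m = re.match(r'"(.*?)"="(.*)"$', line)
            if m and m.group(1) == REG_VALUE:
                return m.group(2)
    return None

if __name__ == "__main__":
    print("registry marker:", scan_reg_export(SAMPLE_REG))
```

Because the description says WORD8.DOT and C:\SHIVER.SYS re-infect Word after documents and NORMAL.DOT are cleaned, any hit from scan_files means those files must be removed as part of disinfection, not only the macros.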