X97M/Sugar is an Excel macro virus. It gets control when an infected sheet is activated or if an infected workbook window is deactivated.
Disinfection & Removal
Upon activation it will create two files, "o6.reg" and "o6.bat", to the root directory of the C: drive. It will use these files to disable Excel's built-in macro virus protection by modifying the registry. Then it will check if there is a file named "Book1." in the Excel's startup directory. If the file does not exist, it will be created and infected. On that way the virus will be active every time when Excel is opened.To spread, the virus first copies itself to every workbook. It takes control when an infected workbook is deactivated. Next, it will go though all sheets within the workbook and will get control when an infected sheet is activated.The payload will be triggered in every month from September to December if the day equals the minute of the current system time. In this case it will replace the contents of upto 200 random cells with a text:
-(Dr. Diet Mountain Dew)-
This text is written with random colors. It will also change contents of the top left ("A1") cell to
The -[Sugar.Poppy]- by VicodinES
The virus code contains the following text:
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-' 'The Sugar.Poppy Excel Class Object Virus' ' written by VicodinES' '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-' ' Can I have a bottle of ' ' WARM DIET MOUNTAIN DEW ' '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
This variant uses Microsoft Word to disable the built-in macro virus protection by modifying the registry. It will add a macro (AutoExec) to the normal template that will be executed when Word is started. Anyway, it will not infect any Word documents.While the infection method is the same as X97M/Sugar.A variant, there is additional functionality present. The virus will create a temporary file to the root directory of "C:" drive. The file will have the same name as the current user has in the "Tools/Options/General".If the virus founds user defined modules during infection, it will create a macro that will be executed when the workbook is closed. The macro will attempt to restore the virus from the temporary file mentioned above to each workbook. However, if the temporary file is removed the virus will show a message box with a title
and the following text:
Why did you remove Sugar.Poppy?
This variant has no payload, but it will intentionally remove all macros from the Word's global template.
Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure