Threat Description

Sugar

Details

Aliases:Sugar
Category:Malware
Type:Virus
Platform:X97M

Summary



X97M/Sugar is an Excel macro virus. It gets control when an infected sheet is activated or if an infected workbook window is deactivated.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Upon activation it will create two files, "o6.reg" and "o6.bat", to the root directory of the C: drive. It will use these files to disable Excel's built-in macro virus protection by modifying the registry. Then it will check if there is a file named "Book1." in the Excel's startup directory. If the file does not exist, it will be created and infected. On that way the virus will be active every time when Excel is opened.To spread, the virus first copies itself to every workbook. It takes control when an infected workbook is deactivated. Next, it will go though all sheets within the workbook and will get control when an infected sheet is activated.The payload will be triggered in every month from September to December if the day equals the minute of the current system time. In this case it will replace the contents of upto 200 random cells with a text:

-(Dr. Diet Mountain Dew)-

This text is written with random colors. It will also change contents of the top left ("A1") cell to

The -[Sugar.Poppy]- by VicodinES

The virus code contains the following text:

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
  'The Sugar.Poppy Excel Class Object Virus'
  '  written by VicodinES'
  '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
  ' Can I have a bottle of  '
  ' WARM DIET MOUNTAIN DEW  '
  '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

Variant:Sugar.B

This variant uses Microsoft Word to disable the built-in macro virus protection by modifying the registry. It will add a macro (AutoExec) to the normal template that will be executed when Word is started. Anyway, it will not infect any Word documents.While the infection method is the same as X97M/Sugar.A variant, there is additional functionality present. The virus will create a temporary file to the root directory of "C:" drive. The file will have the same name as the current user has in the "Tools/Options/General".If the virus founds user defined modules during infection, it will create a macro that will be executed when the workbook is closed. The macro will attempt to restore the virus from the temporary file mentioned above to each workbook. However, if the temporary file is removed the virus will show a message box with a title

VicodinES wonders...

and the following text:

Why did you remove Sugar.Poppy?

This variant has no payload, but it will intentionally remove all macros from the Word's global template.





Technical Details: Katrin Tocheva and Sami Rautiainen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Scan & clean your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

Learn More