F-Secure Virus Descriptions : Sugar
|
|
|
X97M/Sugar is an Excel macro virus. It gets control when an infected
sheet is activated or if an infected workbook window is deactivated.
Upon activation it will create two files, "o6.reg" and "o6.bat", to
the root directory of the C: drive. It will use these files to disable
Excel's built-in macro virus protection by modifying the registry.
Then it will check if there is a file named "Book1." in the Excel's
startup directory. If the file does not exist, it will be created and
infected. On that way the virus will be active every time when Excel
is opened.
To spread, the virus first copies itself to every workbook. It takes
control when an infected workbook is deactivated. Next, it will go
though all sheets within the workbook and will get control when an
infected sheet is activated.
The payload will be triggered in every month from September to
December if the day equals the minute of the current system time. In
this case it will replace the contents of upto 200 random cells with a
text:
-(Dr. Diet Mountain Dew)-
This text is written with random colors. It will also change contents
of the top left ("A1") cell to
The -[Sugar.Poppy]- by VicodinES
The virus code contains the following text:
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
'The Sugar.Poppy Excel Class Object Virus'
' written by VicodinES '
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
' Can I have a bottle of '
' WARM DIET MOUNTAIN DEW '
'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
This variant uses Microsoft Word to disable the built-in macro virus
protection by modifying the registry. It will add a macro (AutoExec)
to the normal template that will be executed when Word is started.
Anyway, it will not infect any Word documents.
While the infection method is the same as X97M/Sugar.A variant, there
is additional functionality present. The virus will create a temporary
file to the root directory of "C:" drive. The file will have the same
name as the current user has in the "Tools/Options/General".
If the virus founds user defined modules during infection, it will
create a macro that will be executed when the workbook is closed. The
macro will attempt to restore the virus from the temporary file
mentioned above to each workbook. However, if the temporary file is
removed the virus will show a message box with a title
VicodinES wonders...
and the following text:
Why did you remove Sugar.Poppy?
This variant has no payload, but it will intentionally remove all
macros from the Word's global template.
[Analysis: Katrin Tocheva and Sami Rautiainen, F-Secure]
|
