XM/Uedasan is a macro virus that infects Microsoft Excel 95 workbooks. It contains a destructive payload.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
XM/Uedasan.A activates when a sheet is deactivated in an infected document. At this point it creates a new workbook, infects it and saves it to Excel's startup directory with a name "TDK-MAC.XLS". Then it removes the following menu items: "View/Toolbars...", "Tools/Macro...", "Window/Unhide", "Tools/Protection" and "Format/Sheet/Unhide".
When this is done, the virus infects every workbook when a sheet is activated. It adds a hidden sheet to a workbook which will contain the virus code module. This sheet is protected with a password "uedasan". It also removes the title, subject, author, keywords and comments from the summary information of the active workbook.
After the active workbook has been infected, the virus will activate its payload from August to the end of year.
In August, it attempts to delete everything from the root of "C:" directory; and from September to December if the time is less than 6:00am, it attempts to delete everything from the current directory.
This variant works in a similar fashion like the XM/Uedasan.A.
When it infects Excel, the file created to the startup directory is named "#1SLIDER.XLA" and during infection this virus will check for several specially named modules as well. For example, if it founds a sheet named "pldt" it shows a message box with the following text:
WARNING : VIRUS DETECTED! NAME : 'MERALCO'
The payload is the same as the XM/Uedasan.A.
XM/Uedasan.D is functionally identical with XM/Uedasan.B.
Description Created: Analysis: Sami Rautiainen, F-Secure