XM/Uedasan.A activates when a sheet is deactivated in an infected
document. At this point it creates a new workbook, infects it and
saves it to Excel's startup directory with a name "TDK-MAC.XLS". Then
it removes the following menu items: "View/Toolbars...",
"Tools/Macro...", "Window/Unhide", "Tools/Protection" and
When this is done, the virus infects every workbook when a sheet is
activated. It adds a hidden sheet to a workbook which will contain the
virus code module. This sheet is protected with a password "uedasan".
It also removes the title, subject, author, keywords and comments from
the summary information of the active workbook.
After the active workbook has been infected, the virus will activate
its payload from August to the end of year.
In August, it attempts to delete everything from the root of "C:"
directory; and from September to December if the time is less than
6:00am, it attempts to delete everything from the current directory.
This variant works in a similar fashion like the XM/Uedasan.A.
When it infects Excel, the file created to the startup directory is
named "#1SLIDER.XLA" and during infection this virus will check for
several specially named modules as well. For example, if it founds a
sheet named "pldt" it shows a message box with the following text:
WARNING : VIRUS DETECTED! NAME : 'MERALCO'
The payload is the same as the XM/Uedasan.A.
XM/Uedasan.D is functionally identical with XM/Uedasan.B.
[Analysis: Sami Rautiainen, F-Secure]