X97M/VCX.A activates when an infected workbook is closed or a
worksheet is deactivated.
It creates a temporary file, "C:\Windows\System\Xlscan.386", and
disables the macro virus protection via registry. Then the virus
creates a new workbook, infects it and saves it to the Excel's startup
directory with a name "Xlscan.xls". After that it infects every
workbook using the temporary file.
It also creates eleven additional files to "C:\Windows\System"
directory every time it gets control. Ten of these files will named
after the current date and time, a number from 1 to 10 and the
extension ".VCX"; while the last file will have a constant name
"Xlscan.idx".
X97M/VCX.C is a modified variant of X97M/VCX.A. The file names are
changed: Temporary file is "C:\Windows\System\MsOffice.386" and the
file created to Excel's starup directory is "MsOffice.xls". Also the
last file created to the Windows' System directory has a different
name, "MsOffice.idx".
![](/images/pixel.gif"){kind=tracking}
