Threat Description

Barisada

Details

Aliases: Barisada
Category: Malware
Type:
Platform: W32

Summary


X97M/Barisada is an Excel macro virus.


Variant:Barisada.A

When an infected workbook is deactivated, the virus drops its code to the "hjb.xls" file in the Excel startup directory. After Excel has been restarted, every workbook be will infected.

The virus activates its payload at 2 pm on April, 24th. At this time, the virus shows a series of dialogs. The first dialog asks the following question:

     Question : What is the Sword Which Karl Styner(=Gray Scavenger) used?     Answer : Barisada  

If the user selects the "No" button, the following message box is shown:

     Good! You're Authorized now!!  

If the user selects the "Yes" button, the following message box is shown:

     I wil give you one more Chance. Be careful!!  

Next the following dialog is shown:

     Summoning Xavier is the Ultimate Magic. Right?  

Again, selecting "Yes" will only show a message box:

     ok , i will forgive you  

However, selecting "No" will show a message box:

     Wrong Answer, Your file will be deleted!  

and the virus will clear all cells from every open workbook.


Variant:Barisada.B

X97M/Barisada.B is a slightly modified variant of X97M/Barisada.A. The name of the file that it drops is different - "rmc.xls".


Variant:Barisada.C

This variant is modified from X97M/Barisada.A - the name of the file created to Excel startup directory is different: "khm.xls".


Variant:Barisada.J

This variant is functionally identical with X97M/Barisada.A.


Variant:Barisada.AG

This variant is a slightly modified variant of X97M/Barisada.A. The name of the dropped file is changed to "Book1".



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

Detailed instructions for F-Secure security products are available in the documentation found in the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for further assistance.







Technical Details:Katrin Tocheva and Sami Rautiainen, F-Secure; August 2000-April 2003


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More