X97M/Barisada is an Excel macro virus.
When an infected workbook is deactivated, the virus drops its code to the "hjb.xls" file in the Excel startup directory. After Excel has been restarted, every workbook be will infected.
The virus activates its payload at 2 pm on April, 24th. At this time, the virus shows a series of dialogs. The first dialog asks the following question:
Question : What is the Sword Which Karl Styner(=Gray Scavenger) used? Answer : Barisada
If the user selects the "No" button, the following message box is shown:
Good! You're Authorized now!!
If the user selects the "Yes" button, the following message box is shown:
I wil give you one more Chance. Be careful!!
Next the following dialog is shown:
Summoning Xavier is the Ultimate Magic. Right?
Again, selecting "Yes" will only show a message box:
ok , i will forgive you
However, selecting "No" will show a message box:
Wrong Answer, Your file will be deleted!
and the virus will clear all cells from every open workbook.
X97M/Barisada.B is a slightly modified variant of X97M/Barisada.A. The name of the file that it drops is different - "rmc.xls".
This variant is modified from X97M/Barisada.A - the name of the file created to Excel startup directory is different: "khm.xls".
This variant is functionally identical with X97M/Barisada.A.
This variant is a slightly modified variant of X97M/Barisada.A. The name of the dropped file is changed to "Book1".
Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.
More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.