X97M/Barisada is an Excel macro virus.
When an infected workbook is deactivated, the virus drops its code to the "hjb.xls" file in the Excel startup directory. After Excel has been restarted, every workbook be will infected.
The virus activates its payload at 2 pm on April, 24th. At this time, the virus shows a series of dialogs. The first dialog asks the following question:
Question : What is the Sword Which Karl Styner(=Gray Scavenger) used? Answer : Barisada
If the user selects the "No" button, the following message box is shown:
Good! You're Authorized now!!
If the user selects the "Yes" button, the following message box is shown:
I wil give you one more Chance. Be careful!!
Next the following dialog is shown:
Summoning Xavier is the Ultimate Magic. Right?
Again, selecting "Yes" will only show a message box:
ok , i will forgive you
However, selecting "No" will show a message box:
Wrong Answer, Your file will be deleted!
and the virus will clear all cells from every open workbook.
X97M/Barisada.B is a slightly modified variant of X97M/Barisada.A. The name of the file that it drops is different - "rmc.xls".
This variant is modified from X97M/Barisada.A - the name of the file created to Excel startup directory is different: "khm.xls".
This variant is functionally identical with X97M/Barisada.A.
This variant is a slightly modified variant of X97M/Barisada.A. The name of the dropped file is changed to "Book1".
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
More information on scanning and removal options available in your F-Secure product can be found in the Help Center.
You may also refer to the Knowledge Base on the F-Secure Community site for more information.
Technical Details:Katrin Tocheva and Sami Rautiainen, F-Secure; August 2000-April 2003