An opening of an infected workbook, the virus first creates an executable file "c:\demiurg.exe" and executes it.
It is advised to disinfect the virus from DOS using a DOS-based scanner as KERNEL32.DLL and some infected files might be locked while Windows is active.
Then the virus first infects KERNEL32.DLL file (one of the main Windows components). As this file is always locked by Windows, the virus copies it from \System\ directory to the root \Windows\ directory and infects it there (on NT and Win2k systems the KERNEL32.DLL is copied from \System32\ folder). The virus does not attempt to copy the infected KERNEL32.DLL file back to \System\ folder, but the system gets infected on next startup anyway as Windows first checks for this DLL in the root folder an d runs the infected copy if it was found there.
Then, if Excel is installed in a system, the virus creates the DEMIURG.SYS file in root C:\ folder and also the DEMIURG.XLS file in Microsoft Excel startup folder.
After that, the virus imports the previosly dropped "c:\demiurg.sys" when a workbook is opened in Excel. This file contain the macro virus code.
Also just after startup the virus accesses Windows Registry and sets a value of 'Options6' subkey in 'HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel' key to zero. If Excel is not installed, the SYS and XLS files are not created and the virus acts as a normal Win32 resident appending virus.
After system restart the infected KERNEL32.DLL is loaded into memory, the virus traps several file access functions (run, copy, create, rename) and infects BAT (batch), DOS COM, DOS EXE, Windows NE EXE and Windows PE EXE files. The BAT files are infected the following way - the virus writes several batch commands and its body in a binary form to the end of the file. When the infected batch file is executed, the virus creates a file called DEMIURG.EXE in root C:\ folder and runs it. The DOS COM files are con verted by the virus to EXE format and then infected. When an infected file is run it creates the DEMIURG.EXE file in root C:\ folder and runs it. Then the control is passed to the original file code.
The DOS EXE and Windows NE EXE files are infected in a bit different way. The virus writes a piece of code and its body to the end of these files and redirects entry point to that code. When an infected file is run the code creates the DEMIURG.EXE file in root C:\ folder and runs it. Then the control is passed to the original file code. The Windows PE EXE files are infected the standard way - the virus writes its body to the end of the file (to the last file's section) and redirects entry point to its start up code. The virus is not encrypted or polymorphic though it can change the API addresses call table and some ASCII data (location of XLS startup directory) inside its body during infection.
Technical Details:Katrin Tocheva, Alexey Podrezov and Sami Rautiainen; F-Secure Corp., January 2001