Demiurg

Classification

Malware

Virus

X97M

Demiurg, W32/Demiurg, Demig.16354, X97M/Demiurg

Summary

On opening an infected workbook, the virus first creates an executable file "c:\demiurg.exe" and executes it.

Removal

It is advised to disinfect the virus from DOS using a DOS-based scanner, as KERNEL32.DLL and some infected files might be locked while Windows is active.


Technical Details

The dropped executable then infects the KERNEL32.DLL file (one of the main Windows components). As this file is always locked by Windows, the virus copies it from the \System\ directory to the root \Windows\ directory and infects it there (on NT and Win2k systems KERNEL32.DLL is copied from the \System32\ folder). The virus does not attempt to copy the infected KERNEL32.DLL file back to the \System\ folder, but the system gets infected on the next startup anyway, as Windows first checks for this DLL in the root folder and runs the infected copy if it is found there.

Then, if Excel is installed on the system, the virus creates the DEMIURG.SYS file in the root C:\ folder and also the DEMIURG.XLS file in the Microsoft Excel startup folder.

After that, the virus imports the previously dropped "c:\demiurg.sys" whenever a workbook is opened in Excel. This file contains the macro virus code.

Also, just after startup the virus accesses the Windows Registry and sets the value 'Options6' in the 'HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel' key to zero. If Excel is not installed, the SYS and XLS files are not created and the virus acts as a normal Win32 resident appending virus.

After a system restart the infected KERNEL32.DLL is loaded into memory; the virus traps several file access functions (run, copy, create, rename) and infects BAT (batch), DOS COM, DOS EXE, Windows NE EXE and Windows PE EXE files. BAT files are infected in the following way: the virus writes several batch commands and its body in binary form to the end of the file. When the infected batch file is executed, the virus creates a file called DEMIURG.EXE in the root C:\ folder and runs it. DOS COM files are converted by the virus to EXE format and then infected. When an infected file is run it creates the DEMIURG.EXE file in the root C:\ folder and runs it. Then control is passed to the original file code.

DOS EXE and Windows NE EXE files are infected in a slightly different way. The virus writes a piece of code and its body to the end of these files and redirects the entry point to that code. When an infected file is run, the code creates the DEMIURG.EXE file in the root C:\ folder and runs it. Then control is passed to the original file code. Windows PE EXE files are infected in the standard way: the virus writes its body to the end of the file (into the file's last section) and redirects the entry point to its startup code. The virus is not encrypted or polymorphic, though it can change the API address call table and some ASCII data (the location of the XLS startup directory) inside its body during infection.
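The artifacts listed above (the dropped C:\ files, the XLS in the Excel startup folder, the stray KERNEL32.DLL copy in the Windows root, and the zeroed Options6 value) can be checked for offline. The following is an added example, not F-Secure's tooling; the helper names, the dict standing in for the HKCU hive and the constructed sample tree are assumptions made for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicators are the ones named in the description above; the helper names
# and the dict standing in for the HKCU hive are assumptions for this example.
EXCEL_KEY = r"HKCU\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"

def _find(folder, name):
    """Case-insensitive lookup so the check behaves the same off Windows."""
    folder = Path(folder)
    if not folder.is_dir():
        return None
    return next((p for p in folder.iterdir() if p.name.lower() == name), None)

def check_demiurg(root, excel_startup, registry):
    """Return one finding per Demiurg artifact present under drive root `root`.
    `excel_startup` is the Excel startup folder (None if Excel is absent) and
    `registry` is {key: {value_name: data}}, standing in for the HKCU hive."""
    findings = []
    for name in ("demiurg.exe", "demiurg.sys"):
        if _find(root, name):
            findings.append(f"dropped file {name} in drive root")
    if excel_startup and _find(excel_startup, "demiurg.xls"):
        findings.append("DEMIURG.XLS in Excel startup folder")
    # A clean install keeps KERNEL32.DLL only under System\ or System32\; the
    # virus plants an infected copy in \Windows\ itself, which wins at next boot.
    windir = Path(root) / "Windows"
    stray = _find(windir, "kernel32.dll")
    if stray:
        good = [p for p in (_find(windir / "System", "kernel32.dll"),
                            _find(windir / "System32", "kernel32.dll")) if p]
        if not good or any(stray.read_bytes() != p.read_bytes() for p in good):
            findings.append("KERNEL32.DLL in Windows root differs from System copy")
    if registry.get(EXCEL_KEY, {}).get("Options6") == 0:
        findings.append("Excel Options6 value forced to 0")
    return findings

def build_sample_tree():
    """Constructed sample drive root showing every indicator at once."""
    root = Path(tempfile.mkdtemp())
    (root / "Windows" / "System").mkdir(parents=True)
    (root / "Windows" / "System" / "KERNEL32.DLL").write_bytes(b"clean kernel32")
    (root / "Windows" / "KERNEL32.DLL").write_bytes(b"clean kernel32<appended body>")
    for name in ("demiurg.exe", "demiurg.sys"):
        (root / name).write_bytes(b"constructed sample, not malware")
    (root / "XLSTART").mkdir()
    (root / "XLSTART" / "DEMIURG.XLS").write_bytes(b"xls")
    return root, root / "XLSTART", {EXCEL_KEY: {"Options6": 0}}
```

Calling `check_demiurg(*build_sample_tree())` reports all five indicators; on a live system pass the drive root, the real Excel startup folder and values read from HKCU instead.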