O97M/Tristate is a VBA macro virus that is able to infect three Office 97 applications: Word documents, Excel spreadsheets and PowerPoint presentations.
Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:
Check for the latest database updates
First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.
Submit a sample
After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.
NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.
Exclude a file from further scanning
If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.
Note You need administrative rights to change the settings.
When the virus activates in Word, it will first check if the global template is already infected. If this is not the case, it will disable the built-in macro virus protection for both Excel and Word. It does not, however, disable macro virus protection for PowerPoint. The virus also removes all the existing macros from the Word's global template.
Then it performs a check if there is a file named "Book1." at the Excel's startup directory. If the file is present, it assumes that Excel is already infected, but if the file is not present it launches Excel and saves an infected worksheet to the startup directory.
Finally it attempts to infect the "Blank Presentation" template in PowerPoint. The virus will launch PowerPoint and check if it is already infected by checking the existence of the module named "Triplicate". If the module is not found it will add an invisible shape to the first slide and copies itself to the template.
The infection process is similar in all three applications while the activation differs in every application. In Word it will activate when a document is closed as mentioned above. In Excel it activates when the infected workbook is deactivated and in PowerPoint there is a 1/7 chance that it will activate when the invisible shape is clicked with a mouse.
This virus does not have a payload but it will intentionally remove all macros from Word's global template.
The following text is visible in all infected documents:
Triplicate v0.1 /1nternal
This variant almost indentical with O97M/Tristate.A. There is some minor modifications in the virus code and the visible text has been changed to:
Triplicate v0.21 /1nternal
This variant slightly modified from O97M/Tristate.A, and the text in the virus code has been changed to:
Triplicate v0.2 /1nternal
O97M/Tristate.F is partially modified variant of O97M/Tristate.C. The modification causes that this variant is unable to infect PowerPoint from Excel. However, the infection of Excel is functional from Word.
O97M/Tristate.H is a slightly modified variant from O97M/Tristate.C. This variant infects the global template every time when an infected document is closed, regardless of its contents.
O97M/Tristate.I is functionally identical with O97M/Tristate.C.
O97M/Tristate.L is functionally identical with O97M/Tristate.C.
O97M/Tristate.W is functionally identical with O97M/Tristate.C.
O97M/Tristate.X is almost identical with O97M/Tristate.C, except instead of disabling the built-in macro virus protection it enables it.
This variant is functionally identical with O97M/Tristate.C.
This is a slightly modified variant of O97M/Tristate.F.
This is a corrupted variant of O97M/Tristate. Due the corruption, this variant is able to replicate only within PowerPoint.