Details
Macro.Office.Triplicate
When the virus is activated from an infected Word document, it first disables Word's anti-virus protection, then checks for the NORMAL.DOT template and looks for the virus in it. If this file is not yet infected, the virus treats the system as uninfected and starts infecting the other Office components. This consists of three steps: Word infection, Excel infection and PowerPoint infection.
1. Word infection is the simplest operation in this virus. It just copies its code from the current document to the normal template (NORMAL.DOT).
2. Excel infection is more complex. First, the virus starts a new Excel instance with the CreateObject("Excel.Application") function. It then checks for the BOOK1 file in the Excel startup folder. If this file is not present, the virus infects Excel: it disables the Excel anti-virus protection in the system registry, creates a new workbook, copies its own code into it and saves the file under the name BOOK1 in the Excel startup folder. Every spreadsheet in this folder is loaded automatically when Excel starts, so Excel is infected on its next start.
3. PowerPoint infection is much the same as for Excel: the virus creates a new PowerPoint instance, checks for a presentation called 'Blank Presentation.pot' in the PowerPoint template folder, and tries to locate a module called 'Triplicate' in it. If this module is not present, the virus infects PowerPoint: it disables the anti-virus protection in the system registry, creates a new module 'Triplicate' in 'Blank Presentation.pot', and copies its code into it. After this, the virus adds a new 'shape' to the presentation with the same width and height as the slide, and sets the activate procedure of this shape to "actionhook()" (this procedure runs when a user clicks on the shape).
Finally, the virus checks whether the current Word document is infected, and infects it if it is not. This branch of the virus routine is executed only when the virus is loaded from an infected template and a new, uninfected document is closed.
Infection via Spreadsheets and Presentations
The Excel and PowerPoint procedures are much the same, apart from some minor details.
The virus uses the BOOK1 file in the Excel startup folder as its identifier of an infected Office installation. So the virus first looks for this file, and infects the Office applications if it does not exist. After this, the virus tries to infect the Word application.
1. The virus obtains a 'Word.Application' object. Here the virus uses a different function to obtain the object: instead of CreateObject(), it uses GetObject(). This function returns an object from the currently active instance of the application. The virus needs this to infect NORMAL.DOT, which cannot be opened for writing if it is already open in another instance of Word. If Word is not active at that moment, the virus simply creates a new Word instance.
Once the Word application is accessible, the virus starts its spreading routine. It deletes all code in the normal template, creates the 'DisableAV()' procedure, copies a block of the virus's code into it, executes it and then deletes it. This short procedure (just eight lines) disables the Excel and PowerPoint anti-virus protection. The virus then copies its code from the infected file to the normal template. The Word infection is complete.
2. At this stage the Excel and PowerPoint applications are infected. The virus infects the Excel startup folder from the PowerPoint presentation, or inserts its code into the PowerPoint template exactly as described above for spreading from an infected Word document.
The PowerPoint activation procedure has one small additional detail: the virus activates its infection code on a one-in-seven basis, depending on the system's random counter.
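As an added example (not part of the original description), the following triage script checks a host for the artifacts named above: a BOOK1 file in the Excel startup folder, the 'Triplicate' module name in 'Blank Presentation.pot', and the DisableAV helper in NORMAL.DOT. The folder paths, the .XLS extension and the sample files it builds are assumptions; the real folder locations must be supplied by the caller.

```python
import shutil
import tempfile
from pathlib import Path

# Strings the description ties to the infection. A raw byte search sees a module
# name in an OLE file's plaintext PROJECT stream, but compressed VBA source can
# hide procedure names, so treat a clean result as triage, not proof of absence.
MARKERS = (b"Triplicate", b"DisableAV", b"actionhook")

def first_marker(path):
    """Return the first marker present in the file at path, or None."""
    path = Path(path)
    if not path.is_file():
        return None
    data = path.read_bytes()
    return next((m.decode() for m in MARKERS if m in data), None)

def find_triplicate_artifacts(excel_startup, ppt_template_dir, normal_dot):
    """Apply the three indicators from the description; the caller supplies the
    folder paths, which differ between Office installations (assumption)."""
    findings = []
    # 1. BOOK1 in the Excel startup folder is the virus's own 'already infected' mark.
    startup = Path(excel_startup)
    for entry in (startup.iterdir() if startup.is_dir() else []):
        if entry.stem.upper() == "BOOK1":
            findings.append(f"Excel: startup file {entry.name} present (infection marker)")
    # 2. The PowerPoint template receives a module named 'Triplicate'.
    hit = first_marker(Path(ppt_template_dir) / "Blank Presentation.pot")
    if hit:
        findings.append(f"PowerPoint: '{hit}' found in Blank Presentation.pot")
    # 3. NORMAL.DOT receives the virus body and the DisableAV helper.
    hit = first_marker(normal_dot)
    if hit:
        findings.append(f"Word: '{hit}' found in {Path(normal_dot).name}")
    return findings

def demo():
    """Constructed sample tree (not real Office files; .XLS extension assumed):
    Excel marker present, template carrying the module name, clean NORMAL.DOT."""
    root = Path(tempfile.mkdtemp())
    try:
        (root / "XLSTART").mkdir()
        (root / "Templates").mkdir()
        (root / "XLSTART" / "BOOK1.XLS").write_bytes(b"")
        (root / "Templates" / "Blank Presentation.pot").write_bytes(b"PROJECT\x00Module=Triplicate\r\n")
        (root / "Templates" / "NORMAL.DOT").write_bytes(b"clean template, no macro project")
        return find_triplicate_artifacts(root / "XLSTART", root / "Templates", root / "Templates" / "NORMAL.DOT")
    finally:
        shutil.rmtree(root)
```

Calling demo() builds the constructed tree, runs the checks and returns the two findings for it; on a real host call find_triplicate_artifacts() with that installation's Excel startup folder, PowerPoint template folder and NORMAL.DOT path.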