|
|
Formula.Excel.Pai Viruses Information
| Name: |
Formula.Excel.Pai |
| Category: |
Viruses |
| Description:
|
Details
Formula.Excel.Paix
This virus replicates itself by the same manner as other Excel viruses do. It hooks system events (window activating - OnWindows) and copies its code to each sheet that is activated. On first start (on first opening an infected sheet) the virus installs itself into the system: it registers its host file as Add-In with the XLSHEET.XLA name in the current or in the C:WINDOWS directory. On such request Excel automatically creates new copy of infected document (with XLSHEET.XLA name) and on each next Excel start it will load and activate this Add-In, i.e. virus code. As a result after creating infected Add-In the virus is active all the time Excel is run and infects all files that are opened or created.
The virus is of French origin (see routines names below) but is able to infect and replicate under any local Excel version starting from 4.
The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call infection routine. Depending on the system random counter (with probability 2%) the virus activate the trigger subroutine (that is places in !!!GO routine). The trigger routine hides all opened tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix all"
It is not possible to detect and disinfect the virus by using standard methods (entering Tools/Macro and looking for macros) because the virus sets VeryHidden attribute for its macros. Such attribute cannot be disabled by using Excel menus. To find and look at virus code that's necessary to write special routine on Excel Basic (macro routine).
As a result a user has no tools to detect this virus on its computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
- in Tools/Add-Ins menu there is reference for the XLSHEET file
- infected files contain the text strings:
Enfin la paix ...
!!!GO
Partial protection can be achieved by creating in the C:WINDOWS directory the Read-Only dummy file with the XLSHEET.XLA name. After that the virus will be not able to install its Add-In in the C:WINDOWS directory. If it creates this Add-In in other directories, you should also create the same dummy XLSHEET.XLA file in these directories. |
Top Viruses Visited Pages:
Invader. - 239 visits
not-a-virus:RiskWare.Tool.RegPatch. - 72 visits
Worm.P2P.Harex. - 66 visits
not-a-virus:RemoteAdmin.Win32.RAdmin.2 - 60 visits
Small.58. - 56 visits
Coito.64 - 54 visits
I-Worm.Mapson. - 48 visits
Win16.Klon.1177 - 42 visits
Win32.Hidra - 42 visits
Marine.500 - 35 visits
Random Viruses Pages:
Win32.Idele.210
BAT.PG9
Demonhyak Famil
Macro.AmiPro.Gree
Murcia.465
AMD.394
Tip.55
VBS.FreeLin
Backdoor.win32.Small.c
Bad.38
|
|
