This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Indication of Infection
Existence of the file CYBERNET.XLS in the XLSTART folder of Office.
This virus contains the following date activated damaging payloads.
If this virus is run on August 17 (also known as Indonesia Independence Day) or December 25:
* the active document will be overlaid with randomly generated, random size and colored shapes
* the AUTOEXEC.BAT file is overwritten with code to (re)format the hard drive
* that the CONFIG.SYS file will also contain instructions which prevent the user from aborting or stopping the execution of the AUTOEXEC.BAT file
* NOTE: the modification of AUTOEXEC.BAT and CONFIG.SYS will only affect Windows 9x clients due to Windows NT not using either of these startup configuration files.
* a message box is displayed with this detail:
"(C)2000 - CyberNET"
"Assalamualaikum Li Kulli Muslim...Moslem Power Never End..."
"Nothing Can Stop « CyberNET » Virus. Your System Has Already Infected !!!"
"Now...I Am Outta Here..."
* after the user clicks on the OK button, this virus will attempt to exit Windows.
Methods of Infection
If an infected file is opened and the macro is allowed to run, this virus attempts to lower the existing macro warning settings using a registry import file. This file is first written to the root of c: as "CyberNET.reg" then it is imported using REGEDIT.EXE.
Once an infected workbook or document are opened on the host system, the global template NORMAL.DOT is first attempted to be removed, then a new template is generated which contains an the infectious code.
Additionally, a file is created in the XLSTART folder named "CYBERNET.XLS" which will infect workbooks used on the system. This virus will remove files which may exist in the XLSTART folder.
Email propagation will occur also on applicable systems. This virus will check for the registry modification:
"CyberNET"="(C)2000 - Indonesia By AnomOke!"
If the key does not exist, or the value does not match, the email routine is executed. After sending copies of itself via email, it then sets the registry with the setting above.
Cybernet, OF97/Cybernet-A, X97M/Cybernet@mm