For Home

Virus Profile: X97M/Jal.a

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 8/9/2000
Date Added: 8/11/2000
Origin: Indonesia
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4091
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

If the key sequence CTRL-ALT-D is pressed, the following message is displayed:

About Dajjal virus
Diprogram oleh: ~Akut Wajuxacqupi~
Programed by: ~Akut Wajuxacqupi~
Nama proyek: Program eksperimental virus komputer
Project name: Computer virus experimental program
Nama virus: Dajjal
Virus name: Dajjal
Tempat pembuatan: Jakarta, Indonesia
Made in: Jakarta, Indonesia"
Saat pembuatan: Mei 1998"
Created in: May 1998
Dipersembahkan untuk: Umat manusia"
Dedicated for: All human being
Waktu tampil: Mulai Bulan Nopember 1998;
Tiap hari Senin sebelum pukul 12; dan
Pada hari istimewa
Show messages: Start in November 1998;"
Every Monday before 12 am; and
At special date
[OK]

Infected workbooks will have these properties:

Title = "Tokoh pengendali dunia yang tersembunyi"
Subject = "Yahudi"
Author = "Dajjal"
Keywords = "Malapetaka Fitnah; Akhir zaman"
Comments = "Dia bukan tuhan! Dia akan terbunuh oleh Isa Al Masih"

This virus contains date activated messages.

May 14

"REFORMASI"
[Year - 1998]" tahun yang lalu terjadi penjarahan, perampokan, perusakan, dan pembakaran atas nama reformasi di Jakarta."
"Reformasi itu harus dilakukan di setiap saat demi kesempurnaan suatu sistem."
"Kesemuanya itu akan berpulang pada kepentingan rakyat banyak."
"Tapi janganlah reformasi yang mulia itu ternodai oleh anarkisme yang biadab!"
[OK]

August 17

"HUT RI"
"Negeri kita tercinta sedang berulang tahun hari ini."
"Mari kita rayakan!"
[OK]

December 10

"Ulang tahun 51268"
"Saya berulang tahun hari ini."
"Tolong doakan agar saya menjadi manusia yang berguna."
"Terima kasih."
[OK]

This virus contains one other possible message display mechanism. If the day is Monday and the hour is before 12pm, one of 17 randomly chosen messages will display.

Methods of Infection

This virus creates an infectious workbook in the XLSTART folder named "PJDAPKIR.XLS". Any workbook opened on the system will become infected. This virus hooks the Excel event handler of opening workbooks in order to run its code.

Aliases

X97M/Jal
   

Virus Characteristics

This is a macro virus for Excel workbooks. This virus does not have a destructive payload however does contain several date activated messages.

If the macro code of this virus executes, it will create an infectious workbook in the XLSTART folder named "PJDAPKIR.XLS". This virus exists within a macro module named "SURIV_PJD_APKIR" - presumably this is some reference when spelled backwards as in "RIKPA_DJP_VIRUS".

On an infected system and while Excel is running, these key sequences are hooked and remapped:

ALT-F8, ALT-F11 - no action
CTRL-ALT-D - display message
CTRL-ALT-Z - Enable toolbar "Tools|Customize"

   
All Users :
Script,Batch,Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE,Trojan,Internet Worm and memory resident :
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Additional Windows ME/XP removal considerations


Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates :

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch )

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link .
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information .

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.