For Consumer

Virus Profile: X97M/Reten.d

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/11/2002
Date Added: 4/11/2002
Origin: Indonesia
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4197
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Above message is displayed on 26th day of every month if time is after 10:26 am.
The presence of ValeriaNET.XLM in XLSTART folder. Also the following files in C:\

  • AsiaGirls.html
  • Palestina.html
  • AlQuran.txt

    Methods of Infection

    This virus hooks the Excel handler of opening or closing workbooks in order to run its code. Once the file ValeriaNET.XLM has been written to the XLSTART folder, any workbook used on that system may become infected.

       

    Virus Characteristics

    This threat is detected as X97M/Reten.gen. Both Excel97 and Excel2000 workbooks can be infected with this virus. The virus exists in a macro module named Project_P and uses a dropper file in the XLSTART folder named ValeriaNET.XLM.

    On opening the infected workbook Tools/Macro, Tools/Add-Ins and Tools/Customize command bars are disabled. The following message in Indonesian is displayed on the Excel Application status bar :

    Assalammu'alaikum Warrohmatullah..

    On closing the workbook the virus creates the text file C:\AlQuran.txt that contains indonesian messages. The caption for the Excel Application is changed to:

    TELKOMSEL,Begitu Dekat Begitu Nyata....

    The virus also creates Palestina.html and AsiaGirls.html that also contain Indonesian text. These files are not viral.

    On the 26th day of every month if time is after 10:26 am the following message will be displayed:

    If the day is equal to the minute Example: date 20/04/02 and time 13:20, the following message will be displayed:

       
    Use current engine and DAT files for detection and removal.

    It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

    AVERT Recommended Updates:

    * Office 2000 updates

    * Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

       

    PC Infected? Get Expert Help

    McAfee
    Virus Removal Service

    Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

    $89.95