This threat is detected as X97M/Reten.gen. Both Excel97 and Excel2000 workbooks can be infected with this virus. The virus exists in a macro module named Project_P and uses a dropper file in the XLSTART folder named ValeriaNET.XLM.
On opening the infected workbook Tools/Macro, Tools/Add-Ins and Tools/Customize command bars are disabled. The following message in Indonesian is displayed on the Excel Application status bar :
On closing the workbook the virus creates the text file C:\AlQuran.txt that contains indonesian messages. The caption for the Excel Application is changed to:
TELKOMSEL,Begitu Dekat Begitu Nyata....
The virus also creates Palestina.html and AsiaGirls.html that also contain Indonesian text. These files are not viral.
On the 26th day of every month if time is after 10:26 am the following message will be displayed:
If the day is equal to the minute Example: date 20/04/02 and time 13:20, the following message will be displayed: