For Consumer

Virus Profile: X97M/Fixen.a

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 4/25/2002
Date Added: 4/25/2002
Origin: Japan
Length: N/A
Type: Virus
Subtype: Macro
DAT Required: 4200
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

The presence of the following files in the Excel Application Path:

  • v123.xls
  • v123.vbs
  • v123.bas
The above message displayed after the date and the registry changes.

Methods of Infection

Opening an infected workbook will directly infect the local Excel environment and any workbook opened thereafter.

   

Virus Characteristics

This threat is detected as X97M/Fixen. The virus contains one module v123 which infects Excel97/2000 workbooks. It saves a copy of itself as v123.xls into the Excel Application path. The virus also creates the file v123.vbs which is also found in the Excel Application path. The script file will export the viral code of v123.xls to v123.bas file. This .bas file is not viral. It then finds all .xls files found in the Windows Recent folder and imports the viral code to these files. The virus will then delete all .xls.lnk from the Recent folder.

If the day is greater than the 30th of May 2002 the following message will be displayed:

.


If the user chooses OK, the following registry keys will be changed:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName, "Microsoft Windows 0.1"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization", "Completely no good system company"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Version", "Windows 0.1"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber", "0.00.0001"
  • HKLM\Software\Microsoft\Windows\CurrentVersion\SystemRoot", "C:\"
User should correct these changes manually. The following registry key is also changed: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\v123, EXCEL Path Application\v123.vbs" which will enable the virus to execute on the next reboot of the system.

   
Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)