This threat is detected as X97M/Fixen. The virus contains one module v123 which infects Excel97/2000 workbooks. It saves a copy of itself as v123.xls into the Excel Application path. The virus also creates the file v123.vbs which is also found in the Excel Application path. The script file will export the viral code of v123.xls to v123.bas file. This .bas file is not viral. It then finds all .xls files found in the Windows Recent folder and imports the viral code to these files. The virus will then delete all .xls.lnk from the Recent folder.
If the day is greater than the 30th of May 2002 the following message will be displayed: .
If the user chooses OK, the following registry keys will be changed:
- HKLM\Software\Microsoft\Windows\CurrentVersion\ProductName, "Microsoft Windows 0.1"
- HKLM\Software\Microsoft\Windows\CurrentVersion\RegisteredOrganization", "Completely no good system company"
- HKLM\Software\Microsoft\Windows\CurrentVersion\Version", "Windows 0.1"
- HKLM\Software\Microsoft\Windows\CurrentVersion\VersionNumber", "0.00.0001"
- HKLM\Software\Microsoft\Windows\CurrentVersion\SystemRoot", "C:\"
User should correct these changes manually. The following registry key is also changed: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\v123, EXCEL Path Application\v123.vbs"
which will enable the virus to execute on the next reboot of the system.