Prevent Online Threats

Archive for the 'Virus Threats' Category

Macro.PPoint.ShapeMaster

Friday, January 16th, 2009

Details
Macro.PPoint.ShapeMaster

This macro virus infects MS PowerPoint presentations. The virus contains one macro, “actionhook”, in the “ShapeMaster” module. The virus is activated by a mouse click on the infected form; it then runs its installation routine and infects the PowerPoint installation on the computer. After that, the virus infects other presentations only when they are created.
While infecting the system, the virus copies its code to the “Blank Presentation.pot” file in the Templates directory. This file is used as the base when a new presentation is created, so the virus code is automatically copied to newly created presentations.
Depending on the system random counter, the virus shows the previous slide of the infected presentation. Also depending on the random counter, the virus displays a MessageBox:
PPT.ShapeMaster v0.1 /1nternal

Macro.PPoint.Kelly

Friday, January 16th, 2009

Details
Macro.PPoint.Kelly

This macro virus infects MS PowerPoint presentations. The virus contains one macro, “Jd”, in the “Kelly” module. The virus code is activated by MouseOver events on the infected form; it then runs its main routine and infects all forms in open presentations. While infecting, the virus copies its code to the victim form and sets the handler for the MouseOver event to its own procedure. As a result, the virus code runs automatically when the mouse moves over an infected form.
This virus does not have a payload procedure. The virus code contains the comment:
Copyright (C) 1998 by FlyShadow ~^^~ – Kelly

Macro.PPoint.Attach

Friday, January 16th, 2009

Details
Macro.PPoint.Attach

This is the first known macro virus infecting MS PowerPoint presentation files. Like other viruses infecting MS Office applications, it is written in the Visual Basic for Applications (VBA) language, and it spreads using Basic instructions and MS PowerPoint features.
The virus contains one macro with the event function “UserForm_Terminate”, which is activated each time a UserForm is closed. This is the main virus function, and it contains the virus infection routine.
When activated, the virus infection routine searches for *.PPT files in the “C:\My Documents” directory and its subdirectory tree, opens the files and copies its macro code into them.
Because of PowerPoint’s internal structure, the virus is able to get control only if a UserForm exists in the target file. The virus checks files for the presence of a UserForm and infects only such presentations; it skips other files and leaves them uninfected.
The virus does not manifest itself in any way. It contains comments, the first line of which is also used by the virus as identification text to prevent duplicate infection:

PPT.Attach v0.1 /1nternal

Macro.Office97.Toraja

Friday, January 16th, 2009

Details
Macro.Office97.Toraja

This macro-virus infects two MS Office applications: Word documents and Excel Office 97 datasheets. For document compatibility, Office 97 uses Visual Basic Script, which is contained in both Word and Excel files.
Upon opening, the virus infects the system, documents and sheets (AutoOpen macros in Word and Auto_Open in Excel). Upon infection, the virus utilizes the Office 97 functions for importing/exporting (reading/writing) the virus code via the text file, copies its exit code to the text, and then imports it to the infected object.
Upon exiting Word (Auto Exit), the virus attempts to infect Excel. It performs a DDE exchange: it starts Excel with a minimized window and transfers all the information and commands necessary for creating the infected AutoRecover17.XLS file in the Excel start-up directory. Word infection from Excel occurs in a similar way upon opening a datasheet (Auto_Open): the virus starts Word with a minimized window, opens the Visual Basic Editor, and obtains the virus code from the AutoRevolver17.dat file.
The virus contains the following copyright string:
Created : Toraja High Land 1998 by Marsel – Lina
Modified : July 1999

Macro.Office97.Jerk family

Thursday, January 15th, 2009

Details
Macro.Office97.Jerk family

These are multi-platform macro-viruses infecting Office97 components: Word documents and Excel workbooks and sheets. The viruses contain two auto-macros in Excel sheets and Word documents: Document_Close in Word documents, and Workbook_Deactivate in case of Excel workbook or Worksheet_Deactivate in case of Excel sheet.
The viruses replicate themselves in Excel upon deactivating workbooks. In Word, the viruses replicate upon document closing. Upon spreading, the viruses infect not only “native” objects, but also export their code to another Office component if it is installed in the system.
The viruses turn off the VirusProtection MS Office option.
Each month from June to December, on the 14th, the “Jerk.a” virus displays the message:
Class.Poppy
I think is a big stupid jerk!

On the same date “Jerk.b” and “Jerk.d” display an encrypted variant of the same message:
www.all.net
V guvax vf n ovt fghcvq wrex!

Macro.Office.Triplicate

Thursday, January 15th, 2009

Details
Macro.Office.Triplicate

When the virus is activated from an infected Word document, it first disables Word anti-virus protection, checks for the NORMAL.DOT template, and then looks for the presence of the virus in it. If this file is not yet infected, the virus considers the system uninfected and starts entering other Office components. This operation consists of three steps: Word infection, Excel infection and PowerPoint infection.
1. Word infection is the simplest operation in this virus. It just copies its code from the current document to the normal template (NORMAL.DOT).
2. Excel infection is more complex. First of all, the virus starts a new Excel instance by using the CreateObject(“Excel.Application”) function. The virus then checks for the BOOK1 file in the Excel startup folder. If this file is not present, the virus infects Excel: it disables the Excel antiviral protection in the system registry, creates a new WorkBook, copies its own code to it and saves this file under the BOOK1 name in the Excel startup folder. Every spreadsheet in this folder is automatically loaded when Excel starts, so Excel is infected upon the next restart.
3. PowerPoint infection is quite the same as in Excel: the virus creates a new instance of PowerPoint, checks for a presentation called ‘Blank Presentation.pot’ in the PowerPoint template folder, and tries to locate a module called ‘Triplicate’ in it. If this module is not present, the virus infects PowerPoint: it disables the antiviral protection in the system registry, creates a new module ‘Triplicate’ in the ‘Blank Presentation.pot’, and copies its virus code to it. After this, the virus adds a new ‘shape’ into the presentation with the width and height being the same as the slide’s width and height, and sets the activate procedure for this shape to “actionhook()” (This procedure will activate when a user clicks on this shape).
Finally, the virus checks for current Word document infection, and infects it if it has not been infected yet. This branch of the virus routine is executed only in the case that the virus is loaded from an infected template and a new uninfected document is closed.
Infection via Spreadsheets and Presentations
Excel and PowerPoint procedures are quite the same except for some minor details.
The BOOK1 file in the Excel startup folder is used by the virus as an identifier of an infected Office. So the virus first looks for this file, and infects Office applications if this file does not exist. After this, the virus tries to infect the Word application.
1. The virus obtains the ‘Word.Application’ object. Here the virus uses another function to obtain the object: instead of CreateObject(), it uses the GetObject() function, which obtains objects from the currently active instance of an application. The virus needs this to infect NORMAL.DOT, which cannot be accessed for writing if it is already opened by another instance of Word. If Word is not active at the moment, the virus just creates a new Word instance.
Once the Word application is accessed, the virus starts its spreading routine. It deletes all code in the normal template, creates the ‘DisableAV()’ procedure, copies a block of the virus code into it, executes it and deletes it. This short (just eight lines) procedure disables Excel and PowerPoint antiviral protection. Then the virus copies its code from the infected file to the normal template. The Word infection is complete.
2. At this stage, the Excel and PowerPoint applications are infected. The virus infects the Excel startup folder from the PowerPoint presentation, or inserts its code into the PowerPoint template, exactly as described above for the case when the virus spreads from an infected Word document.
The PowerPoint activation procedure has a small additional detail: the virus activates its infection code on a one-in-seven basis, depending on the system’s random counter.

Macro.Office.Teocatl

Thursday, January 15th, 2009

Details
Macro.Office.Teocatl

This macro-virus infects Office97 Word documents and Excel sheets. It was named after its internal location: “teonanacatl”. It is the second known macro-virus (after “Access/Word97.Cross”) that is able to infect several MS Office applications.
The code of the virus is placed in one module named StrangeDays and contains eight functions:
AutoClose – Word auto-function, contains infection routine
AutoOpen – Word auto-function, disables VisualBasic code editor (stealth)
AutoExit – Word auto-function, calls AutoClose to infect document
ToolsMacro – disables macros viewing (stealth)
ToolsOptions – disables macros viewing (stealth)
FileTemplates – disables macros viewing (stealth)
ViewVBCode – disables macros viewing (stealth)
Auto_Open – Excel auto-function, hooks sheet activating routine

The virus spreads its code under the “native” application (Word->Word, Excel->Excel), and also drops infected files for the other application (Word->Excel and Excel->Word). In both infected Word documents and Excel sheets, the virus has the same Basic code. It is written carefully enough that it executes with no errors under both Word and Excel from Office97.
To infect “native” objects (documents or sheets), the virus uses Import/Export VisualBasic functions: the virus exports its Basic code to the C:\LO.SYS file, and then imports it into non-infected documents (under Word) and sheets (Excel). In the case of Word, to infect other documents, the virus intercepts the auto-functions AutoClose and AutoExit and infects documents that are closed or upon exiting Word. In the case of Excel, the virus hooks the sheet-activation routine, the auto-function Auto_Open does that when an infected sheet is opened.
To infect another application, the virus uses a trick with the auto-loading ability of Word and Excel to load templates (Word) and sheets (Excel) from the start-up directory. To infect Word from Excel, the virus creates new NORMAL.DOT (Word) and PERSONAL.XLS (Excel) files in the start-up directory.
Both of these NORMAL.DOT and PERSONAL.XLS contain just a small 17-line routine that is not the virus itself, but the virus loader. This loader has an auto-name (Auto_Close in Excel and AutoExec in Word), and is executed by the system, when Word starts, with an infected NORMAL.DOT, or Excel closes, with an infected PERSONAL.XLS. In both cases, the loader reads (imports) the complete virus code from the C:\LO.SYS file to the current object (NORMAL template or PERSONAL.XLS) and as a result, infects it. The loader then saves the infected result to the original file (NORMAL.DOT or PERSONAL.XLS) and exits. On next loading, both Word and Excel will load their NORMAL.DOT and PERSONAL.XLS with the complete virus code inside, and as a result, the virus will continue its propagation.
The virus has stealth and anti-warning abilities: it disables the Tools/Macro, Tools/Options, File/Templates and View/VBCode menu items as well as turns off VisualBasicEditor and VirusProtection. It also changes VirusProtection instructions in the system registry.
On the 26th of any month, it displays a MessageBox and deletes all files in the current directory, and the text in the MessageBox is as follows:
Strange Days by Reptile/29A
Strange days have found us
Strange days have tracked us down
They’re going to destroyall

Macro.Office.Jerk.d

Thursday, January 15th, 2009

Details
Macro.Office.Jerk.d

This is a multi-platform macro-virus infecting Office97 components: Word documents and Excel workbooks and sheets. The virus contains two auto-macros in Excel sheets and Word documents: Document_Close in Word documents, and Workbook_Deactivate in case of Excel workbook or Worksheet_Deactivate in case of Excel sheet.
The virus replicates itself in Excel upon deactivating workbooks. In Word, the virus replicates upon document closing. Upon spreading, the virus infects not only “native” objects, but also exports its code to another Office component if it is installed in the system.
The virus turns off the VirusProtection MS Office option.
Each month from June to December, on the 14th, the virus displays the message:
www.all.net
V guvax vf n ovt fghcvq wrex!

Macro.Office.Jerk.b

Thursday, January 15th, 2009

Details
Macro.Office.Jerk.b

This is a multi-platform macro-virus infecting Office97 components: Word documents and Excel workbooks and sheets. The virus contains two auto-macros in Excel sheets and Word documents: Document_Close in Word documents, and Workbook_Deactivate in case of Excel workbook or Worksheet_Deactivate in case of Excel sheet.
The virus replicates itself in Excel upon deactivating workbooks. In Word, the virus replicates upon document closing. Upon spreading, the virus infects not only “native” objects, but also exports its code to another Office component if it is installed in the system.
The virus turns off the VirusProtection MS Office option.
Each month from June to December, on the 14th, the virus displays the message:
www.all.net
V guvax vf n ovt fghcvq wrex!

Macro.Office.Hopper

Thursday, January 15th, 2009

Details
Macro.Office.Hopper

These are multi-platform macro-viruses infecting Office97 components: Word documents and Excel sheets. The viruses contain two auto-macros in Excel sheets and Word documents: Document_Close and Workbook_Deactivate.
The viruses replicate themselves in Excel upon deactivating workbooks. In Word, the viruses replicate upon document closing. The minor virus version spreads only from Excel to Word and not back, and the major virus version migrates from Word to Excel and back with no problems.
The viruses turn off the VirusProtection MS Office option. Depending on the version, the viruses contain the following text comments or display them in a MessageBox:
Ex-cell v0.1 /1nternal
Cross.BadSeed v0.1 /1nternal
Cross.BadSeed v0.2 /1nternal
Cross.BadSeed v0.3 /1nternal
Cross.BadSeed v0.4 /1nternal

Macro.Office.Halfcros.a

Wednesday, January 14th, 2009

Details
Macro.Office.Halfcros.a

This is a multi-platform macro-virus. It infects two MS Office97 applications: Word documents and Excel sheets. The main part of the virus code is encrypted and placed in the virus body as comments made of random letters. When needed, the virus reads these comments, decrypts them, converts them to macro instructions and executes them. As a result, the main replication routines are not visible when viewing macro code in the Tools/Macro menu.
In non-encrypted form, only a few virus macros are present: the event hooks and the decryption routine. The virus hooks three events: Excel sheet closing, and Word document opening and closing (Workbook_Deactivate, Document_Open, Document_Close). In all these cases, the virus decrypts and calls the infection routine. The virus also creates the infected BOOK1 Excel sheet in the Excel auto-start directory.
The virus disables the MS Office virus protection by directly accessing the system registry. Starting from 0:10pm till 0:25pm, the virus displays the message box:
Wonder v2.0 by ThE wEiRd GeNiUs
Its time for lunch

where is the name of current user.

Macro.Office.Cybernet

Wednesday, January 14th, 2009

Details
Macro.Office.Cybernet

This is an MS Office97/2000 macro-virus. It targets two Office applications: Word and Excel, and infects Word documents and Excel sheets. The virus also spreads by e-mail messages via the Internet using MS Outlook 98/2000.
So, the virus spreads in infected Word documents, Excel sheets, as well as mails itself by creating infected e-mail messages.
The virus has a dangerous payload routine that triggers on August 17 and on December 25 (see below).
The virus contains the “copyright” text:
W97M/CyberNET (C)2000 – Indonesia By AnomOke!
I’m NOT Responsible For Any Damage That Posible Cause By My Virusall!!!
Spreading in Word and Excel
The virus code in Word documents and Excel sheets is the same set of macros: one of them is an auto-macro in Word (Document_Open), two others are auto-macros in Excel (Workbook_Open, Workbook_Deactivate), and the remaining macros contain common virus code.
The virus auto-macros are automatically activated either upon document opening (Document_Open) or on selecting another Excel book (Workbook_Deactivate).
Upon being activated, the virus disables macro-virus protection in Word and Excel. The virus then calls an e-mail spreading routine, MS Office files infection and payload routines.
To infect Word documents, the virus copies itself to a NORMAL template (NORMAL.DOT), and then infects documents that are opened and closed. To infect Excel files, the virus copies its code to opened workbooks.
To infect Excel from a Word document, the virus creates an infected workbook with the CYBERNET.XLS name in the Excel start-up directory. To migrate from Excel to Word, the virus infects the NORMAL.DOT template.
The virus then deletes all “.XL?” files in the Excel start-up directory, as well as .DO? files in the Word startup directory.
E-mail spreading routine
To spread its copies over the Internet, the virus opens MS Outlook, gets access to the Address Book, gets all addresses from there and sends messages with its attached copy to the first 50 recipients from each address list (the same as the “Melissa” virus does).
The virus sends infected e-mails with an infected MS Word document or MS Excel workbook in an attachment. The message has:
Subject: You’ve GOT Mail !!!
Body: Please, saved the document after you read and don’t show to anyone
else. The document is also VIRUS FREE…so DISREGARD the virus
protection warning !!!
The attached file name may be different, because the virus attaches an active document regardless of its name. Then the virus creates a mark in the system registry to prevent duplicate messages being sent from the same computer.
Payload
Depending on the infected application, the routine produces different visual effects:
In MS Word: it creates up to 70 different shapes in the active document, with random colors, sizes and positions.
In MS Excel: it creates 30 comments in the active workbook (they look like tooltips attached to cells), of different sizes and with the text “(C)2000 – CyberNET From Indonesia” in each of them.
After this, the payload routine overwrites “AUTOEXEC.BAT” and “CONFIG.SYS” files. In the “AUTOEXEC.BAT” file, it writes a command that displays a message on the screen during computer boot-up and deletes all data on disk “C:”. In the “CONFIG.SYS” file, it writes commands that disable “Ctrl-C” keystroke.
The virus then reboots the computer.
The message displayed by the virus during bootup is:
###############################################################################
# #
# Vine…Vide…Vice…Moslem Power Never End… #
# I’m Really Sorry, This System Have Been Recycled By -= CyberNET =- Virus!!! #
# Brought To You From INDONESIA… #
# #
###############################################################################

Macro.Office.Cross.A1

Wednesday, January 14th, 2009

Details
Macro.Office.Cross.A1

This virus infects MS Access databases and MS Word documents (Office97), and also transfers infected files from Word to Access and back. This is the first known “multi-macro-partite” virus.
The original package that we got contained two infected files: an Access database and a Word document. The virus code in each file is able to replicate under its native application (Word or Access), so in reality we have two different viruses in the same package, each of which infects its native objects (documents or databases) without any problems. The common feature of both viruses is the ability to infect another Office application: the Access virus drops the Word macro virus, and the Word virus drops the infected Access database.
There is another common feature in both viruses: they have a similar structure, each consisting of three parts. The first part is a native infection routine, the second is a routine that transfers the virus to another Office application, and the third is hexadecimal data that is converted to an infected file when the second part infects another Office application:
+--------------------+
|Native infection    |
|routine             |
|                    |
+--------------------+
|Transfer to another |
|Office application  |
|routine             |
+--------------------+
|Hexadecimal data    |
|                    |
|                    |
+--------------------+

The hexadecimal data is present in the virus code in the “standard” form for macro viruses: it is prepared to be converted by DOS DEBUG into a binary data file. Following this standard approach, the virus writes the data to a temporary file, creates a DOS batch file that runs DEBUG to convert the data to a binary disk file, and then deletes all temporary files (see “WM.Nuclear”).
Note that the binary data dropped by the virus is in CAB (MS Cabinet) format: it is a compressed file that can be unpacked by the MS Extract utility that comes with MS Windows.
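The static decoding an analyst can apply to such a dropper, as an added example (not code from the virus or from the original description): it rebuilds the file a DEBUG script would write without running DEBUG, checks for the CAB signature, and flags data that runs past the 64K segment, the defect this description later reports for the root virus. The script layout (N, E, RCX, W, Q lines) and both samples are constructed assumptions; the page does not show the virus's actual script.

```python
from typing import NamedTuple

SEGMENT_LIMIT = 0x10000  # DEBUG offsets are 16-bit: one 64K segment
LOAD_OFFSET = 0x100      # file contents start at offset 0100
CAB_MAGIC = b"MSCF"      # first four bytes of an MS Cabinet file


class Decoded(NamedTuple):
    name: str        # output name given by the N command ('' if none)
    data: bytes      # bytes the W command would write
    is_cab: bool     # True when data starts with the CAB signature
    problems: list   # reasons DEBUG could not produce this file correctly


def decode_debug_script(text: str) -> Decoded:
    """Rebuild the dropped file from a DEBUG script without running it."""
    memory = {}      # offset -> byte, filled by E (enter) commands
    name, declared, problems = "", None, []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        cmd, rest = lines[i][0].upper(), lines[i][1:].strip()
        try:
            if cmd == "N":
                name = rest
            elif cmd == "E":
                fields = rest.split()
                start = int(fields[0], 16)
                for n, field in enumerate(fields[1:]):
                    if start + n >= SEGMENT_LIMIT:
                        problems.append(
                            f"E {fields[0]}: data runs past offset FFFF (64K limit)")
                        break
                    memory[start + n] = int(field, 16)
            elif cmd == "R" and rest.upper() == "CX" and i + 1 < len(lines):
                declared = int(lines[i + 1], 16)  # next line is the new CX value
                i += 1
            elif cmd not in ("W", "Q"):
                problems.append(f"unhandled command: {lines[i]}")
        except (ValueError, IndexError):
            problems.append(f"malformed line: {lines[i]}")
        i += 1

    # Only the CX length is modelled (assumption: the script leaves BX at 0).
    entered = max(0, max(memory) + 1 - LOAD_OFFSET) if memory else 0
    length = declared if declared is not None else entered
    if LOAD_OFFSET + length > SEGMENT_LIMIT:
        problems.append("declared length does not fit in the segment")
        length = SEGMENT_LIMIT - LOAD_OFFSET
    if length > entered:
        problems.append("declared length is longer than the data entered")
    data = bytes(memory.get(LOAD_OFFSET + k, 0) for k in range(length))
    return Decoded(name, data, data.startswith(CAB_MAGIC), problems)


# Constructed sample: the first 12 bytes of a CAB header written as DATA.COM.
SAMPLE_OK = """\
N DATA.COM
E 0100 4D 53 43 46 00 00 00 00
E 0108 2C 00 00 00
RCX
000C
W
Q
"""

# Constructed sample: the last E line crosses offset FFFF.
SAMPLE_OVERRUN = """\
N DATA.COM
E 0100 4D 53 43 46
E FFFE 01 02 03 04
RCX
FF02
W
Q
"""

if __name__ == "__main__":
    for label, script in (("ok", SAMPLE_OK), ("overrun", SAMPLE_OVERRUN)):
        result = decode_debug_script(script)
        print(label, result.name, len(result.data), result.is_cab, result.problems)
```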
When we analyzed the hexadecimal data in both infected files, we found that the data contains two other viruses, one for Word and one for Access, that are also able to spread under their native application and drop infected objects into the other application. The replication and transfer routines are identical, but the hexadecimal data is not the same as in the parent virus!
Going through the next layer of hexadecimal data, we found another pair of Word and Access viruses that have no transfer routines and no hexadecimal data; these viruses are able to spread under their native application only.
As a result we have a “matreshka” of viruses, each with another one inside. Opening this package matreshka-by-matreshka, we found that there are three layers of viruses. The first (root) virus contains a dropper of the second-level (child) virus, and the second level contains the third one: a pure Access or Word virus that is not able to spread across applications.
The Access root virus differs from the Access child virus only in the hexadecimal data part (just as the Word root virus differs from the Word child virus only in hex data); both the Infection and Transfer routines are the same, command by command, in both the Access and Word root/child pairs.
So the original “matreshka”s have three levels of cross-encapsulation with the same routines:
 Access root virus                           Word root virus
+----------------+                          +----------------+
|Access Infection| <--\                /--> |Word Infection  |
+----------------+     \              /     +----------------+
|Transfer        | <----\            /----> |Transfer        |
+----------------+       \          /       +----------------+
|Hexadecimal data|        \        /        |Hexadecimal data|
+------+---------+         \      /         +-------+--------+
       |                    \    /                  |
       |                     \  /                   |
       |                      \/                    |
       |                      /\                    |
       V                     /  \                   V
 Word child virus           /    \           Access child virus
+----------------+         /      \         +----------------+
|Word Infection  |   <----/        \---->   |Access Infection|
+----------------+       /          \       +----------------+
|Transfer        |   <--/            \-->   |Transfer        |
+----------------+                          +----------------+
|Hexadecimal data|                          |Hexadecimal data|
+------+---------+                          +-------+--------+
       |                                            |
       |                                            |
       |                                            |
       V                                            V
 Access pure virus                           Word pure virus
+----------------+                          +----------------+
|Access Infection|                          |Word Infection  |
+----------------+                          +----------------+

Looking back from the pure Word and Access viruses up to the root (resulting) ones, we found that both pairs of Access/Word infection routines are very similar. The only difference found is that the pure viruses do not have the code of, or calls to, the Transfer routine, while both root and child viruses do. So the root viruses appear to be the result of a two-step extension of the pure ones: first to handle another application, and then back to handling the original one.
The side effect of such extension is the virus size: the source code of the Access strain of the virus is a 370K file, and the source of the Word virus is close to 160K. So we have the largest macro virus that we have ever seen.
Spreading the Word
The infection routines in both the Access and Word samples are the same as those found in already known viruses. The Word virus replicates itself by using the Import/Export ability of Office97 VBA: it saves its source code to a temporary file on disk and then imports it into all opened documents. This is quite an unusual method that has been found in very few viruses. Nevertheless, the method exists, and these viruses use it.
To complete this part of the analysis, it should be noted that the virus has one module named “X” with several subroutines inside: “AutoOpen”, “AutoClose”, “AutoExit”, “AutoExec”, “FindAx”, “MakeBat”, “DropKey”, “DropDetox”, “CheckKey”, “Info”.
The AutoOpen macro contains the infection routine. The routine first removes the “Tools/Macro” and “Tools/Templates and add-ins” items from the Word menus (a stealth ability). It then exports its source code to the C:\X.VIC file. After that, the virus checks its execution environment (document or normal template) and infects the appropriate object by importing the exported source code into it.
The AutoOpen routine in the root/child and pure viruses has only one difference: in the root and child versions this routine also calls the CheckKey subroutine, which infects MS Access if it is installed. The CheckKey routine tries to find files matching the C:\*.YZV mask. If no such files are found, the routine calls the FindAx routine (so the presence of a *.YZV file means the system is already infected).
The FindAx routine tries to find the MS Access application in the C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\ path. If MS Access is found, the routine calls DropKey to create the C:\AX.YZV file, then calls DropDetox (which creates the script for DOS DEBUG) and MakeBat (which creates a DOS batch file that creates and unpacks the DATA.MDB file and executes MS Access with DATA.MDB as a parameter); FindAx then executes the created batch file in a hidden window.
The rest of the auto macros just call AutoOpen.
The Info routine just contains the following text:
Cross.Poppy Word Component
–[Cross is a blend of SexR-1 and Detox]–
by VicodinES / Sin Code IV (same person – mixed up letters)

Infected Access
To infect Access databases, the virus uses the same method as was found in known Access macro viruses (AccessiV, Detox). The DetoxUnit function searches for *.MDB files in the current directory and infects them with the virus code using the TransferDatabase command. What is unusual is that the virus disables the Tools\Optionsall menu items and sets several properties for the infected database by calling the SetStartupProperties routine. The only difference between the pure and root/child viruses is the CheckKey routine call.
The CheckKey routine checks for C:\*.YZV files. If no such files are found, CheckKey calls the FindWd routine, which tries to find the MS Word application in the C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\ path. If the application is found, FindWd calls the DropKey routine to create the flag file (C:\AX.YZV), then calls DropSexr1 to create the script file for DOS DEBUG, and then calls MakeBat to create a DOS batch file and execute it.
Accessing Word
To spread into MS Word from MS Access, the virus creates the infected DATA.DOT file in the MS Word startup directory. To do that, the virus creates the temporary DATA.COM file, converts its hexadecimal data into it with the help of the DOS DEBUG utility, unpacks it with the standard Windows EXTRACT utility and copies the resulting DATA.DOT file into the C:\PROGRA~1\MICROS~1\OFFICE\STARTUP and C:\PROGRA~1\MICROS~2\OFFICE\STARTUP paths, if they exist. If there are no such directories, the virus fails to spread to Word.
When MS Word starts, it loads the templates from its startup directory, including the infected DATA.DOT, and the virus takes control.
Fortunately, the root virus has a bug in its hexadecimal data (the script data overlaps the 64K limit and cannot be converted by DEBUG correctly) and cannot infect MS Word. The child Access virus has correct hexadecimal data and is able to spread from Access to Word.
The root virus is also unable to replicate under some system conditions: when MS Access executes the virus macros, in some cases it displays an error message about insufficient memory to execute the macro. This error appeared on a PC with 24 megabytes of system memory installed, but the virus replicated without error on a PC with 64 megabytes of memory.
A Word for Access
To infect MS Access from MS Word, the virus uses a similar method: using DOS DEBUG it creates the temporary DATA.COM file, writes its hexadecimal data into it, and unpacks it with the EXTRACT utility into the infected DATA.MDB MS Access database. The virus then executes MS Access with the START command, passing the infected DATA.MDB file as a parameter. As a result, the virus takes control and infects other MS Access databases.
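The marker and dropper files named in the entries on this page (C:\LO.SYS, C:\X.VIC, C:\*.YZV, BOOK1, CYBERNET.XLS, AutoRecover17.XLS, DATA.DOT) can be checked for on a mounted disk image; the following added example, which is not part of the original descriptions, does that. The Excel start-up folder name XLSTART, the confidence labels and the sample tree are assumptions made for the illustration.

```python
import fnmatch
import os
import tempfile
from pathlib import Path
from typing import NamedTuple

# (family, scope, lower-case file name pattern, confidence)
# File names come from the descriptions on this page. Scopes:
#   "root"    = directly in the drive root (C:\ in the descriptions)
#   "xlstart" = Excel start-up folder (assumed to be named XLSTART)
#   "startup" = Word start-up folder (...\OFFICE\STARTUP in the descriptions)
RULES = [
    ("Macro.Office.Teocatl", "root", "lo.sys", "high"),
    ("Macro.Office.Teocatl", "xlstart", "personal.xls", "low"),  # also a legitimate Excel file
    ("Macro.Office.Cross.A1", "root", "x.vic", "high"),
    ("Macro.Office.Cross.A1", "root", "*.yzv", "high"),
    ("Macro.Office.Cross.A1", "startup", "data.dot", "medium"),
    ("Macro.Office.Triplicate / Halfcros.a", "xlstart", "book1", "medium"),
    ("Macro.Office.Triplicate / Halfcros.a", "xlstart", "book1.*", "medium"),
    ("Macro.Office.Cybernet", "xlstart", "cybernet.xls", "high"),
    ("Macro.Office97.Toraja", "xlstart", "autorecover17.xls", "high"),
]


class Finding(NamedTuple):
    path: str         # path relative to the scanned root, '/' separated
    family: str
    confidence: str


def scopes_of(root: Path, directory: Path) -> set:
    """Return the rule scopes that apply to files directly inside `directory`."""
    scopes = set()
    if directory == root:
        scopes.add("root")
    name = directory.name.lower()  # compare case-insensitively, as Windows would
    if name in ("xlstart", "startup"):
        scopes.add(name)
    return scopes


def scan(root) -> list:
    """Walk a drive root or mounted image and report files matching RULES."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        scopes = scopes_of(root, directory)
        if not scopes:
            continue
        for fname in files:
            for family, scope, pattern, confidence in RULES:
                if scope in scopes and fnmatch.fnmatchcase(fname.lower(), pattern):
                    rel = (directory / fname).relative_to(root).as_posix()
                    findings.append(Finding(rel, family, confidence))
    return sorted(findings)


def build_sample_tree(root) -> None:
    """Constructed test data: empty files laid out like a small C: drive."""
    office = "Program Files/Microsoft Office/Office"
    for rel in (
        "LO.SYS",                       # Teocatl export file
        "AX.YZV",                       # Cross flag file
        "AUTOEXEC.BAT",                 # benign
        f"{office}/XLStart/Book1.xls",  # start-up workbook marker
        f"{office}/XLStart/Budget.xls", # benign
        f"{office}/Startup/DATA.DOT",   # Cross Word dropper
        "My Documents/lo.sys",          # same name, wrong place: not reported
    ):
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.touch()


def demo() -> list:
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.confidence:6} {finding.family:38} {finding.path}")
```

A hit only says that a file with a documented name exists in a documented place; PERSONAL.XLS and BOOK1 in particular need a look at the macros they contain.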

Macro.Office.Corner

Wednesday, January 14th, 2009

Details
Macro.Office.Corner

Corner is a multi-platform macro-virus, which infects both MS Word (DOC) and MS Project (MPP) files. The ability to infect these two office applications is based on two functions inside of the virus’ program code. One of them is automatically launched by MS Word and another by MS Project. These functions have different names in a NORMAL.DOT template, and infected Word documents and Project files.
The method of virus replicating and spreading is common to all macro-viruses created for MS Office applications: the virus takes control over the active document (or project) and adds to it the virus code by using standard features of the programming language VBA (Visual Basic for Applications).
The virus carries no destructive payload, and does not manifest itself in any other way.
The presence of the virus can be easily detected by the following comment string that the virus inserts into infected documents:
I never realized the lengths I’d have to go
All the darkest corners of a sense
I didn’t know
Just for one moment
hearing someone call
Looked beyond the day in hand
There’s nothing there at all
Project98/Word97-2k Closer

Macro.Office.Confused

Wednesday, January 14th, 2009

Details
Macro.Office.Confused

This multi-platform macro-virus infects Office97 components: Word documents and Excel workbooks and sheets. The virus contains two auto-macros in Excel sheets and Word documents: Document_Close and Workbook_Deactivate. The virus is Chinese (Taiwan) specific and cannot replicate under other MS Office releases.
The virus replicates itself in Excel on de-activating workbooks, and in Word, the virus infects documents that are being closed. The virus also replicates from Excel workbooks to Word documents (if a Word application is active), as well as from Word documents to Excel workbooks (if Excel is active).
The virus contains the “copyright” text:
Copyright (C) 1998 by FlyShadow ~^^~ – Confused Memories

