X97M/Barisada.B

Analysis

  • This virus is exactly like X97M/Barisada.A, except that the workbook it creates in the XLStart folder has a different name
  • The virus hooks an Excel event handler which prevents the opening of infected files in order to run its code
  • The virus exists in the class code module, normally named "ThisWorkbook"
  • The virus verifies whether it has infected the Excel environment by searching for the file "rmc.xls" in the XLStart folder; if the file does not exist, a new workbook is created, infected and then saved as "rmc.xls" in the XLStart folder
  • On April 24th at 2PM, when working with infected files, this virus may display a query message box asking a YES/NO question:

    "Summoning Xavier is the Ultimate Magic. Right?"

  • If the user chooses "NO", the virus may clear all cells from all sheets and from all open workbooks
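A triage check for the infection marker described above, as an added example that is not part of the original advisory. It walks a directory tree (a user profile, a file share or a mounted disk image), finds every XLStart folder and reports "rmc.xls" plus any other workbook stored there, since everything in XLStart is opened when Excel starts. The extension list and the sample tree are assumptions made for the example.

```python
import os
import tempfile

MARKER = "rmc.xls"       # workbook name given in the analysis above
STARTUP_DIR = "xlstart"  # Excel startup folder, matched case-insensitively
WORKBOOK_EXT = (".xls", ".xlt", ".xla")  # assumption: Excel 97-era formats

def scan_xlstart(root):
    """Return (marker_hits, other_workbooks) found in XLStart folders under root."""
    hits, others = [], []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != STARTUP_DIR:
            continue  # only the startup folder matters for this marker
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == MARKER:
                hits.append(path)    # the copy this virus drops
            elif name.lower().endswith(WORKBOOK_EXT):
                others.append(path)  # auto-loaded too, so worth reviewing
    return sorted(hits), sorted(others)

def build_sample_tree(base):
    """Constructed sample layout; the files are empty placeholders, not samples."""
    layout = [
        ("userA/AppData/Roaming/Microsoft/Excel/XLSTART", "RMC.XLS"),
        ("userA/AppData/Roaming/Microsoft/Excel/XLSTART", "PERSONAL.XLS"),
        ("userB/AppData/Roaming/Microsoft/Excel/XLSTART", "notes.txt"),
        ("userB/Documents", "rmc.xls"),  # same name outside XLStart: not a marker
    ]
    for folder, name in layout:
        target = os.path.join(base, *folder.split("/"))
        os.makedirs(target, exist_ok=True)
        open(os.path.join(target, name), "w").close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        hits, others = scan_xlstart(base)
        for path in hits:
            print("MARKER  ", os.path.relpath(path, base))
        for path in others:
            print("REVIEW  ", os.path.relpath(path, base))
```

A marker hit only shows that a workbook with that name sits in a startup folder; confirming infection still requires scanning the file with an up-to-date AV engine.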

Recommended Action

Check the main screen of the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR