X97M/Divi.A
Analysis
- Virus hooks Excel event handler which prevents
the opening of infected files in order to run its
code
- Virus exists in the class code module, normally
named "ThisWorkbook"
- Virus verifies if it has infected the Excel environment
by searching for the file "BASE5874.XLS"
in the XLStart folder - if the file does not exist,
a new workbook is created, infected and then saved
as "BASE5874.XLS" in the XLStart folder
- Virus adds a custom property to the infected workbook named "IVID" - this value is visible by checking the file properties of workbooks