X97M/Divi.D
Analysis
- Virus hooks Excel event handler which prevents
the opening of infected files in order to run its
code
- Virus exists in the class code module, normally
named "ThisWorkbook"
- Virus verifies if it has infected the Excel environment
by searching for the file "874.XLS" in the
XLStart folder - if the file does not exist, a new
workbook is created, infected and then saved as "874.XLS"
in the XLStart folder
- Virus adds a custom property to the infected workbook named "IVID" - this value is visible by checking the file properties of workbooks