Virus

XM/Extras.Family

Analysis

  • Virus hooks Excel event handler of opening or closing files in order to run its code
  • Virus is polymorphic with code variable replacement instructions
  • Virus may become up-converted from Excel95 to Excel97 when opening infected Excel95 workbooks in Excel97 or higher
  • Virus exists in a code module with a random name construction
  • Virus verifies if it has infected the Excel environment by searching for the file “Windows Extras.xls” in the XLStart folder – if the file does not exist, a new workbook is created and infected, and then saved as “Windows Extras.xls” in the XLStart folder
  • Virus can also infect MacIntosh environments by creating the file “Macintosh Extras” in the Excel startup path