XM/Extras.Family
Analysis
- Virus hooks Excel event handler of opening or closing
files in order to run its code
- Virus is polymorphic with code variable replacement
instructions
- Virus may become up-converted from Excel95 to Excel97
when opening infected Excel95 workbooks in Excel97
or higher
- Virus exists in a code module with a random name
construction
- Virus verifies if it has infected the Excel environment
by searching for the file “Windows Extras.xls”
in the XLStart folder – if the file does not
exist, a new workbook is created and infected, and
then saved as “Windows Extras.xls” in
the XLStart folder
- Virus can also infect MacIntosh environments by
creating the file “Macintosh Extras” in
the Excel startup path