
macro.excel.ne


Description: Details
Macro.Excel.Neg

This virus infects Excel sheets. It contains six functions in a single module named Dollar: Auto_Open, Fuck, Auto_Close, cek_global, infectglobal, and inFuckIt.
When an infected document is loaded, Excel executes the auto macro auto_open, and the virus takes control. The virus's auto_open macro contains a command that defines the F*ck macro as the handler of the OnSheetActivate routine. As a result, the virus hooks the sheet activate routine and takes control whenever a sheet is opened.
When the auto_open macro takes control, it searches for the DOLLAR.XLM file in the Excel Startup directory. If the infected macro is in the active Workbook and the DOLLAR.XLM file does not exist in the Excel Startup directory when the virus is executed for the first time, the virus creates this file and saves its code to it by using the SaveAs command. The next time Excel loads its modules, it automatically loads all XLS files from the Startup directory. The infected DOLLAR.XLM is loaded along with the other files, and the virus takes control and hooks the sheet activation routine. Upon activation of a sheet, the virus copies its code to the active Workbook and, as a result, spreads its code to this sheet.
The virus deletes 25 menu items related to macro viewing, editing, etc., if they exist. On the 13th of any month, it appends commands to the C:\AUTOEXEC.BAT file that erase Windows files:
@ECHO OFF
CLS
cd\windows
del *.com >nul
del *.vxd >nul
del *.drv >nul
del *.dll >nul

The virus contains the comments:
------------------------------------------------
Generated with NEG !!. Please include this text
------------------------------------------------
NEG is Trademark of NoMercy
Date generated : 27- 3- 1998
VirusName: Dollar
Author: NEG
Module Name: Dollar
Template: DOLLAR.XLM
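
The two on-disk traces described above (a DOLLAR.XLM file in the Excel Startup directory and the delete commands appended to C:\AUTOEXEC.BAT) can be checked with a short triage script. This is an added example, not code from the original page or from Webroot. The function names are hypothetical, the caller is assumed to supply the Startup directory path and the AUTOEXEC.BAT text, and the sample data in demo() is constructed.

```python
import re
import tempfile
from pathlib import Path

DROPPER_NAME = "dollar.xlm"  # file name taken from the description above
# Extensions the appended batch commands erase from the Windows directory.
PAYLOAD_EXTS = {"com", "vxd", "drv", "dll"}
CD_WINDOWS_RE = re.compile(r"^cd\s*\\windows$", re.IGNORECASE)
CD_ANY_RE = re.compile(r"^cd\b", re.IGNORECASE)
DEL_RE = re.compile(r"^del\s+\*\.(\w+)\b", re.IGNORECASE)


def find_dropper(startup_dir):
    """Return files in startup_dir named DOLLAR.XLM (case-insensitive match)."""
    root = Path(startup_dir)
    if not root.is_dir():
        return []
    return sorted(p for p in root.iterdir()
                  if p.is_file() and p.name.lower() == DROPPER_NAME)


def scan_autoexec(text):
    """Return (line_no, line) for wildcard deletes of the listed extensions
    that run after the batch file has changed into the Windows directory."""
    hits, in_windows = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if CD_WINDOWS_RE.match(line):
            in_windows = True
        elif CD_ANY_RE.match(line):
            in_windows = False  # a later cd moved somewhere else
        else:
            m = DEL_RE.match(line)
            if m and in_windows and m.group(1).lower() in PAYLOAD_EXTS:
                hits.append((no, line))
    return hits


def demo():
    # Constructed sample: an ordinary AUTOEXEC.BAT with the payload appended.
    autoexec = ("@ECHO OFF\nPATH C:\\DOS;C:\\WINDOWS\ndel c:\\temp\\*.tmp\n"
                "@ECHO OFF\nCLS\ncd\\windows\ndel *.com >nul\ndel *.vxd >nul\n"
                "del *.drv >nul\ndel *.dll >nul\n")
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "DOLLAR.XLM").write_bytes(b"")   # constructed stand-in file
        (Path(d) / "BUDGET.XLS").write_bytes(b"")   # unrelated workbook
        return [p.name for p in find_dropper(d)], scan_autoexec(autoexec)
```

A hit from either function is a reason to inspect the file by hand. A clean result does not rule out infected workbooks elsewhere on the disk.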

Updated: 02/24/2006
Copyright @2006 macro.excel.ne
Webroot Software Inc.