macro.visio.radian
Webroot Antivirus: The best protection against viruses, spyware data theft and hackers.
Description:
Details
Macro.Visio.Radiant
This is the first known macro-virus infecting Visio documents, stencils and templates (Visio is the system to create, edit and store business drawing and diagrams - see http://www.visio.com). To automate data processing, Visio uses macro-programs written in VBA language (Visual Basic for Applications) - the same that is used in MS Office applications. As a result, the viruses in Visio are very similar to MS Office viruses, and they are able to infect Visio files in a very similar ways.
The virus itself is rather simple. It contains one procedure that is assigned with the "BeforeDocumentClose" event (it is activated upon document closing). When the virus procedure gains control, it enumerates and infects all opened documents. Because of the internal structure of Visio, the virus, while searching for documents, enumerates not only document files, but also stencils and templates as well.
The Visio stencils are similar to, for example, Word templates. These files contain library data for common use while creating and editing Visio documents. These stencils are automatically opened and processed by Visio in case of need (if a document uses them). In case these stencils are infected, the virus is loaded when a document accesses an infected stencil, and is activated upon this stencil's closing. At this moment, the virus infects all Visio files that are opened. As a result, if Visio stencils are infected, every document that is created or edited will be infect upon closing.
Because of this Visio feature, the virus can spread very quickly through Visio files.
The virus has a payload procedure: upon every launch, it creates the INDEX.HTML file in the root directory of the C: drive. This file contains following message:
A Multitude of Suns
Orbit in Empty Space
They Speak with their light
to all that is dark.
To me they remain silent.
Greets to all the VX Community
And Radiant Angels
itsall...
Radiant
At the very end of the virus macro-code there is a short line of symbols (a comment). It seems this line is encrypted information about the virus author, but the type of cipher and the key used for encryption of the text string are unknown.
Copyright @2006 macro.visio.radian