This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Minimum DAT: 4030 (1999-06-16)
Updated DAT: 4416 (2004-12-22)
Minimum Engine: 5.1.00
File Length:
Description Added: 1999-11-18
Description Modified: 2002-09-18
In Word, this virus stays resident in the normal.dot file; in Excel, it creates a workbook called "Book1." in the XLStart directory. Because the file in the XLStart folder has no extension, AVERT recommends scanning ALL files to detect and remove it.
This virus has payloads which are date activated.
In Word97 when a document is closed:
On the 1st of any month, there is a one-in-ten chance of changing all occurrences of "I" to "1".
On the 5th of any month, there is a one-in-ten chance of deleting all occurrences of the word "not".
On the 10th of any month, there is a one-in-fifteen chance of displaying a modified "Office Assistant Balloon" with the heading "Cross.BadSeed v0.41" and the following text:
"Programmer: 1nternal"
"Class Infection: VicodenES"
"ActiveX Concept: 1nternal"
"Book1. Concept: VicodenES"
"1nternal also wishes to thank all contributors and supporters which have made Cross.BadSeed possible."
On the 15th of any month, there is a one-in-ten chance of opening the author's web page.
On the 20th of any month, there is a one-in-five chance of displaying "Cross.BadSeed v0.41/1nternal" on the status bar.
In Excel97 the payloads are more severe. When a workbook is closed:
On the 1st of any month, there is a one-in-ten chance of adding the comment "Cross.BadSeed v0.41" to ten randomly selected cells.
On the 10th of any month, there is a one-in-three chance of performing up to 30 random cell swaps in up to 5 different columns.
On the 10th of any month, it will change the author to "1nternal" for the workbook.
On the 20th of any month, there is a one-in-five chance of displaying "Cross.BadSeed v0.41/1nternal" on the status bar.
Opening infected documents will infect the global template normal.dot; opening infected workbooks will create the BOOK1. file in the XLStart folder. Using files in either Excel or Word will result in infection.
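The extension-less Book1. file in XLStart described above is easy to miss when a scanner selects files by extension. As an added example (not part of the original description or of any vendor tool), this Python script lists extension-less files in any folder named XLStart and checks each for the OLE2 header used by Office 97 binary documents; the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of Office 97 binary files

def is_extensionless(name):
    """True for names such as 'Book1' or 'Book1.' (no usable extension)."""
    _stem, ext = os.path.splitext(name)
    return ext in ("", ".")

def scan_xlstart(root):
    """Return (path, flag) for each extension-less file directly inside any
    folder named XLStart under root. flag is True if the file starts with the
    OLE2 header, False if not, None if the file could not be read."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath).lower() != "xlstart":
            continue
        for name in sorted(files):
            if not is_extensionless(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    flag = fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC
            except OSError:
                flag = None  # report unreadable files instead of hiding them
            findings.append((path, flag))
    return findings

def build_sample_tree(root):
    """Constructed sample layout; paths and file contents are made up."""
    xl = os.path.join(root, "Office", "XLStart")
    os.makedirs(xl)
    samples = {"Book1": OLE2_MAGIC + b"\x00" * 8,  # extension-less OLE2 file
               "notes": b"plain text",              # extension-less, not OLE2
               "report.xls": OLE2_MAGIC}            # has an extension: skipped
    for name, data in samples.items():
        with open(os.path.join(xl, name), "wb") as fh:
            fh.write(data)
    return xl

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, flag in scan_xlstart(tmp):
            print({True: "OLE2 file ", False: "other file", None: "unreadable"}[flag], path)
```

A hit here only means the file deserves a scan with current engine and DAT files; it is not a detection of this virus by itself.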
All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates:
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.
It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.