X97M/Pink

This page shows details and results of our analysis on the malware X97M/Pink

Download Current DAT

Threat Detail

Malware Type: Virus

Malware Sub-type: Macro

Discovery Date: 2001-05-03

Next Steps:

Overview
Characteristics
Symptoms
Method of Infection
Removal

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum DAT

4137 (2001-05-09)

Updated DAT

4137 (2001-05-09)

Minimum Engine

5400.1158

File Length

Description Added

2001-06-13

Description Modified

2002-01-22

Malware Proliferation

Characteristics

This is a polymorphic macro virus affecting Microsoft Excel 97 (and higher) spreadsheets. When an infected document is opened the subroutine "pink" is run which creates the file B00k1.xls in the XLStart folder. On June 15th, each cell of the active worksheet is cleared, the column width is set to 2.75, the row height is set to 15, and the zoom percentage is set to 25. If the month plus the day is equal to 13 or 22, a random password is set on the workbook.

Symptoms

- Unexpected password protected Excel documents
- Data loss on June 15th

Method of Infection

Opening an infected workbook and allowing the macro code to run will copy a loader workbook named "B00k1.xls" to the XLSTART folder. Any workbook opened on this, now infected, system will become infected.

Removal

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)