This page shows details and results of our analysis on the malware X97M/Pink

Download Current DAT

Threat Detail

  • Malware Type: Virus
  • Malware Sub-type: Macro
  • Protection Added: 2001-05-03

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Minimum Engine


File Length

Description Added


Description Modified


Malware Proliferation

This is a polymorphic macro virus affecting Microsoft Excel 97 (and higher) spreadsheets. When an infected document is opened the subroutine "pink" is run which creates the file B00k1.xls in the XLStart folder. On June 15th, each cell of the active worksheet is cleared, the column width is set to 2.75, the row height is set to 15, and the zoom percentage is set to 25. If the month plus the day is equal to 13 or 22, a random password is set on the workbook.
- Unexpected password protected Excel documents
- Data loss on June 15th

Opening an infected workbook and allowing the macro code to run will copy a loader workbook named "B00k1.xls" to the XLSTART folder. Any workbook opened on this, now infected, system will become infected.

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)