Crucifixion.2888
Description Crucifixion.2888
It is a non-dangerous memory-resident parasitic virus. It hooks INT 9 and INT 21h and writes itself to the end of .COM files that are opened by the INT 21h function ExtendedOpen (AH=6Ch). When Alt-Ctrl-Del is pressed, depending on the system date, it draws a picture, plays a tune and displays the messages:
If you're the Messiah and you know it, Clap your hands! Then your face will surely show it, Crucifixion Virus 1.0 (c) 1994, by Jesus of The Trinity
Formula.Excel.Paix
Description Formula.Excel.Paix
All PC users (or most of them) know about macro viruses that affect Word documents and Excel sheets. It is well known that these viruses write themselves to a "macro modules area", and that virus macros are visible by entering the Tools/Macro menu (unless, of course, it is disabled by the virus; some "stealth" macro viruses do that). Most anti-virus scanners are able to extract macros from these "macro modules areas", and to detect and disinfect them.
The news is that there is more than one macro area in Excel: viruses that affect Excel sheets are able to spread not only through the standard macro area, but also through a special area, the Excel 4 macro area. Although modern Excel versions (starting from version 5) have more sophisticated technologies, the ability to create and use old-style macros (Excel 4 macros) is still supported. Because of these "Excel 4 traces", all macros that were written in Excel 4 format still work in all new versions, even though Microsoft does not recommend using them and the Excel package does not include the necessary documentation.
Tech
This new type of virus (or, better to say, "new type but old format") replicates itself in the same manner as other Excel viruses do. It hooks system events (window activation, OnWindows) and copies its code to each sheet that is activated. On first start (the first time an infected sheet is opened) the virus installs itself into the system: it registers its host file as an Add-In with the name XLSHEET.XLA in the current directory or in the C:\WINDOWS directory. On such a request Excel automatically creates a new copy of the infected document (with the name XLSHEET.XLA), and on each subsequent Excel start it loads and activates this Add-In, i.e. the virus code. As a result, once the infected Add-In has been created, the virus is active the whole time Excel is running and infects all files that are opened or created.
The virus is of French origin (see the routine names below) but is able to infect and replicate under any local Excel version starting from 4. The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call the infection routine. Depending on the system random counter (with a probability of 2%) the virus activates the trigger subroutine (which is placed in the !!!GO routine). The trigger routine hides all opened tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix all"
Detection and Disinfection
It is not possible to detect and disinfect the virus by using standard methods (entering Tools/Macro and looking for macros) because the virus sets the VeryHidden attribute for its macros. This attribute cannot be disabled by using Excel menus. To find and look at the virus code it is necessary to write a special routine in Excel Basic (a macro routine). As a result a user has no tools to detect this virus on their computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
in the Tools/Add-Ins menu there is a reference to the XLSHEET file
infected files contain the text strings: Enfin la paix ... !!!GO
Today it is also not possible to protect the system. Partial protection can be achieved by creating a Read-Only dummy file with the name XLSHEET.XLA in the C:\WINDOWS directory. After that the virus will not be able to install its Add-In in the C:\WINDOWS directory. If it creates this Add-In in other directories, you should also create the same dummy XLSHEET.XLA file in those directories. "Kaspersky Lab" is working on detection and disinfection routines right now. The detection module for AVP will be available soon.
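The traces listed above can be checked in bulk. The following triage script is an added example, not part of the original description or of any anti-virus product; the function names are hypothetical. It assumes the marker strings may be stored either as 8-bit text or as UTF-16LE, and that the protective dummy file is the one that is Read-Only and contains no marker strings.

```python
import os
import tempfile

ADDIN_NAME = "XLSHEET.XLA"              # Add-In name given in the description
MARKERS = ("Enfin la paix", "!!!GO")    # text strings given in the description

def marker_hits(data):
    """Markers present in data, stored as 8-bit text or as UTF-16LE."""
    return [m for m in MARKERS
            if m.encode("latin-1") in data or m.encode("utf-16-le") in data]

def triage(path):
    """Return (verdict, markers) for one file."""
    with open(path, "rb") as fh:
        hits = marker_hits(fh.read())
    named_addin = os.path.basename(path).upper() == ADDIN_NAME
    read_only = not os.stat(path).st_mode & 0o222   # no write bit set
    if len(hits) == len(MARKERS):
        return "suspect", hits          # both strings present
    if named_addin and not hits and read_only:
        return "dummy", hits            # assumed to be the protective file
    if hits or named_addin:
        return "review", hits           # a single trace: inspect by hand
    return "clean", hits

def scan(root):
    """Map relative path -> verdict for every non-clean file under root."""
    found = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(folder, name)
            verdict, _ = triage(full)
            if verdict != "clean":
                found[os.path.relpath(full, root)] = verdict
    return found

def demo():
    """Scan constructed sample files (not real infected workbooks)."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "budget.xls": b"\x09\x04auto_ouvrir\x00Enfin la paix\x00!!!GO\x00",
            "wide.xls": "Enfin la paix !!!GO".encode("utf-16-le"),
            "notes.xls": b"quarterly totals",
            "XLSHEET.XLA": b"",
        }
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        os.chmod(os.path.join(root, "XLSHEET.XLA"), 0o444)  # Read-Only dummy
        return scan(root)
```

A "suspect" verdict only means both strings were found; a writable or non-empty XLSHEET.XLA is reported as "review" because the name alone does not distinguish the Add-In from a placeholder.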
Formula.Excel.Sic.e
Description Formula.Excel.Sic.e
This is one of the few macro viruses which does not use macros to penetrate Excel tables, which is the usual method. Instead it uses formulas. It is impossible to detect this virus using a normal method (by viewing macros), because the virus assigns the attribute VeryHidden to its module; this characteristic cannot be detected from an Excel menu. The virus infects MS Excel tables when they are opened and closed. The virus itself is one macro with two functions, Auto_Close and Auto_Open. It contains several variables:
_Fill Bust Continue Document_array Documents_array Hello MakeIt Morning TaxTV TaxXL Test5
When it infects tables, it creates a hidden page called XL4Test5 where it saves its code. It also creates an infected file called Book1 in the autorun catalogue.