What's the paper theft virus?

Virus description

The macro virus is propagated through an Excel document. The virus consists of a hidden form named "(M1) _ (m2) _ (m3)" and a macro module. When the macro module executes, it takes data from the (M1) _ (m2) _ (M3) Form to generate a temporary file named Cab.cab C: (72606 bytes). Cab.cab contains 5 virus files, which contains five modules: FTP upload module, Excel virus template, Word virus template, send to Floppy "interception module, virus program Setflag.exe."

Viruses use virus templates to replace the Normal template files for Excel and Word. In this way, any Excel and Word documents that the user edits later will be tainted.

The macro virus also modifies the "Send to à floppy" link to point to the virus program Sendto.exe. If a user performs a "Send to floppy" operation after being poisoned, the virus copies the doc document whose file name begins with the letter ' X ' on the floppy disk to the hard drive. The stolen documents will be sent to the virus author in the future.

The virus checks to see if the text in the beginning 2 of the current document contains the words "quiz paper" and "question" when the user closes the Word document. Once found, the document is encrypted and a copy is saved.

The virus modifies the registry startup entry so that the virus program Internet.exe executes every time the system starts. When the program runs, it connects to the FTP site 172.23.**.110 and passes the stolen documents to the virus author.

For the virus, Jiangmin company to remind the majority of users, do not click on an unknown source of Excel documents, and the Office's macro security level set to high (Tools menu à macro à security), can effectively avoid being x97/mthree virus infection. Jiangmin Company on August 13 has upgraded the virus library, please immediately upgrade to August 13 virus library, you can completely kill X97/mthree macro virus and its EXE program components to protect your system from its infringement.

Antivirus method

For the virus, KV2004 has already upgraded the virus database on August 13, the user normal upgrade can be killing.