Virus:X97M/Mailcab.A is a macro virus that infects Microsoft Excel documents. The virus drops an infected workbook named "K4.xls" in the Microsoft Excel Startup folder.
The "X97M" in the virus's name means that this virus uses spreadsheets created in Microsoft Office 97 and later.
Installation
When a file infected with Virus:X97M/Mailcab.A is opened using Microsoft Excel, the virus saves a copy of the file to the Microsoft Excel Startup folder (usually located at "%AppData%\Microsoft\Excel\XLSTART"). This ensures that the infected file is run every time Microsoft Excel starts.
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the %APPDATA% folder for Windows 9x, Me, NT, 2000, XP and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista, 7 and Server 2008, the default location is "C:\Users\<user>\AppData\Roaming".
In the wild we have seen the virus with the file name "K4.xls".
Virus:X97M/Mailcab.A may arrive on your computer if you open an attachment that is infected with the virus.
Spreads via...
File infection
Virus:X97M/Mailcab.A copies itself into all open Microsoft Excel files as a macro module with the name "ToDOLE".
Email
Virus:X97M/Mailcab.A will send a copy of itself as an email attachment. Between 10:00 and 11:00, and 14:00 and 15:00, the virus obtains the email addresses from messages in your Microsoft Outlook inbox, with the help of VBS (VBScript) files. In the wild we have seen the following file names for the VBS files:
- _Search.vbs - this script helps in gathering the email messages
- _Key.vbs - this script helps in sending the email messages
- _clear.vbs - this script helps in creating the email messages by sending keystroke commands to Microsoft Outlook
The email it sends might look like the following:
To: <email address>
Subject: <attachment name>
Body:
Dear all,
<attachment name>
FYI
Attachment: <attachment name>.cab
Note: the attachment's name is the same as the Microsoft Excel file on your computer that is infected by the virus.
Payload
Lowers system security settings
The virus modifies the following registry entries so that all macros are allowed to run automatically without notifying you in Microsoft Office:
In subkey: HKCU\Software\Microsoft\Office\%Application.Version%\Excel\Security\
Sets value: "AccessVBOM"
With data: "1"
In subkey: HKCU\Software\Microsoft\Office\%Application.Version%\Security\
Sets value: "Level"
With data: "1"
In subkey: HKLM\Software\Microsoft\Office\%Application.Version%\Excel\Security\
Sets value: "AccessVBOM"
With data: "1"
In subkey: HKLM\Software\Microsoft\Office\%Application.Version%\Excel\Security\
Sets value: "Level"
With data: "1"
Note: %Application.Version% is a variable that refers to the version of Microsoft Office installed on your computer. For example, if you have Microsoft Office 2003 on your computer, the malware would change the subkey to "HKCU\Software\Microsoft\Office\11.0\Excel\Security".
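The following Python check is an added example, not part of the original analysis or any vendor tool. It scans a registry export for the "AccessVBOM" and "Level" values listed above being set to 1, and scans a Startup folder listing for "K4.xls". The function names and the sample export are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Subkeys listed on this page; the Office version component varies (e.g. 11.0).
KEY_RE = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Office"
    r"\\[^\\]+\\(Excel\\)?Security$", re.IGNORECASE)
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"([^"]*)")$')
WATCHED_VALUES = {"accessvbom", "level"}
DROPPED_NAME = "k4.xls"  # workbook name the page reports in the Startup folder


def scan_reg_export(reg_text):
    """Return (key, value) pairs where a watched value is set to 1."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Track the current section only if it is one of the listed subkeys.
            key = line[1:-1] if KEY_RE.match(line[1:-1]) else None
            continue
        m = VALUE_RE.match(line)
        if key and m and m.group(1).lower() in WATCHED_VALUES:
            # Accept DWORD and string encodings of the data "1".
            data = int(m.group(3), 16) if m.group(3) else m.group(4)
            if data in (1, "1"):
                hits.append((key, m.group(1)))
    return hits


def scan_startup_listing(file_names):
    """Return names from an XLSTART listing that match the dropped workbook."""
    return [n for n in file_names if n.lower() == DROPPED_NAME]


# Constructed sample export (not taken from a real system).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Excel\Security]
"AccessVBOM"=dword:00000001
"Level"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Security]
"Level"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security]
"Level"=dword:00000001
"""
```

A hit is a lead for investigation rather than proof of infection, because these settings can also be changed by an administrator or by other software.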
Additional information
The Microsoft Excel Startup folder is a special folder where you can place workbooks containing macros and Microsoft Excel will automatically load those workbooks when starting the application. The location of the folder varies depending on the version of Microsoft Office you have installed:
- %APPDATA%\Microsoft\Excel\XLSTART (for post-Microsoft Office XP versions of Microsoft Office)
- %ProgramFiles%\Microsoft Office\Office10\XLStart (for Microsoft Office XP)
- %ProgramFiles%\Microsoft Office\Office\XLStart (for earlier versions of Microsoft Office)
Note: %APPDATA% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Application Data folder for Windows 2000, XP, and 2003 is "C:\Documents and Settings\<user>\Application Data". For Windows Vista and 7, the default location is "C:\Users\<user>\AppData\Roaming".
Note: %ProgramFiles% refers to a variable location that is determined by the malware by querying the operating system. The default installation location for the Program Files folder for Windows 2000, XP, 2003, Vista and 7 is "C:\Program Files".
Analysis by Francis Allan Tan Seng