W97/X97M Shiver

W97/X97M Shiver W97/X97M Shiver is the first Macro virus, which is truly able to infect both Word documents and Excel Spreadsheets created under Word'97 and Excel'97. Previous attempts with Teocatl, also know as Strange Days, and the Cross virus, failed to maintain the ability to cross infect, though they are still consider a threat, cross infectors, and are in the wild. Unlike its two predecessors, which can infect each of the platforms - though dual infection is not imminent - Shiver will infect both platforms if one or the other does becomes infected. This successful "travelling" method is the first seen, by researchers at Network Associates McAfee Labs, in a Macro Virus. The virus infects the Word's NORMAL.DOT via the documents AutoOpen macro. It creates a file named "C:\SHIVER.SYS" which contains all of the VBA code for both WinWord and Excel. Once infected the virus operates its "travel" when Word is exited by creating an Excel macro, which imports "C:\SHIVER.SYS" into \XLSTART\PERSONAL.XLS. The virus runs the macro by calling Excel through the Windows'95 DDE mechanism and deletes the original PERSONAL.XLS. The users Excel program is now infected and all spreadsheets opened from this point forward will be infected until the virus is removed. If the infection takes place through Excel it begins by infecting the PERSONAL.XLS. Upon exiting Excel it will infect Word's Global Template, if not already infected, by using the SendKeys mechanism. To determine if an infection is present the virus modifies the Windows registry by adding a key to "HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\8.0" that is "Shiver [DDE]" = "ALT-F11" or "NoNoNo". This infection process from Excel to Word fairly visible - the virus literally types "C:\SHIVER.SYS" into the Visual Basic editor. All open windows are closed and Word's NORMAL.DOT will be infected as will all documents open thereafter. The virus also disables the ability to view macros in each application. The virus also has two payloads, one for each application. When a document is opened, that the virus has infected, there is a possibility that the virus will modify the Windows registry. The keys affected are "HKEY_CLASS_ROOT\Word.Documet.8\shell\open\ddeexec" and "HKEY_CLASS_ROOT\Excel.Sheet.8\shell\open\ddeexec". If modified when a user accesses a document or spreadsheet through Explorer it will not open. When the Excel spreadsheet is opened there is also a possibility the virus will attach a comment to 30 random cells (in the top left corner of the spreadsheet) and display the message "Shiver [DDE] by ALT-F11". No data is lost but the spreadsheet becomes unreadable. Detection for this virus has been added to the VirusScan Hourly DAT file at http://beta.nai.COM/public/datafiles/ If you are a Dr Solomon user you can find the extra driver for this virus at