X97M/Hopper.r
- Type: Virus
- SubType: Macro
- Discovery Date: 06/06/1999
- Length:
- Minimum DAT: 4030 (06/16/1999)
- Updated DAT: 4416 (12/22/2004)
- Minimum Engine: 5.1.00
- Description Added: 11/18/1999
- Description Modified: 09/18/2002 1:17 PM (PT)
Characteristics
This is a cross-application virus that infects Word documents in Microsoft Word 97 and 2000 and workbooks in Microsoft Excel 97 and 2000. It is able to replicate under the SR-1 release of Office 97. It turns off the macro warning feature of both Word 97 and Excel 97. The virus consists of a module called "ThisDocument" in Word97 and "ThisWorkbook" in Excel97.
In Word, this virus stays resident in the normal.dot file; in Excel, it creates a workbook called "Book1." in the XLStart directory. Because this file in the XLStart folder has no extension, AVERT recommends scanning ALL files to detect and remove it.
This virus has payloads which are date activated.
In Word97, when a document is closed:
* On the 1st of any month, there is a one-in-ten chance of changing all occurrences of "I" to "1".
* On the 5th of any month, there is a one-in-ten chance of deleting all occurrences of the word "not".
* On the 10th of any month, there is a one-in-fifteen chance of displaying a modified "Office Assistant Balloon" with the heading "Cross.BadSeed v0.41" and the following text:
  "Programmer: 1nternal"
  "Class Infection: VicodenES"
  "ActiveX Concept: 1nternal"
  "Book1. Concept: VicodenES"
  "1nternal also wishes to thank all contributors and supporters which have made Cross.BadSeed possible."
* On the 15th of any month, there is a one-in-ten chance of opening the author's web page.
* On the 20th of any month, there is a one-in-five chance of displaying "Cross.BadSeed v0.41/1nternal" on the status bar.
In Excel97 the payloads are more severe. When a workbook is closed:
* On the 1st of any month, there is a one-in-ten chance of adding the comment "Cross.BadSeed v0.41" to ten randomly selected cells.
* On the 10th of any month, there is a one-in-three chance of performing up to 30 random cell swaps in up to 5 different columns.
* On the 10th of any month, it will change the author to "1nternal" for the workbook.
* On the 20th of any month, there is a one-in-five chance of displaying "Cross.BadSeed v0.41/1nternal" on the status bar.
Symptoms
A macro warning appears when opening infected documents and workbooks, the global template increases in size, and the BOOK1. file is created as mentioned above. Various messages and file changes occur as mentioned above.
Method of Infection
Opening infected documents will infect the global template normal.dot; opening infected workbooks will create the BOOK1. file in the XLStart folder. Using files in either Excel or Word will then infect them.
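The extension-less startup workbook described above is what extension-filtered scans miss. The following check is an added example, not part of the original description or of any AVERT tool: it flags files in an XLStart folder that have no extension but begin with the OLE2 compound-file signature used by Excel 97/2000 workbooks. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# OLE2 compound-file signature used by Excel 97/2000 and Word 97/2000 files
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")


def is_extensionless(name):
    """True for names like 'Book1' or 'Book1.' (nothing after the last dot)."""
    return os.path.splitext(name)[1] in ("", ".")


def find_suspect_startup_files(xlstart_dir):
    """Return extension-less OLE2 files in an XLStart folder, sorted by name.

    Excel opens every workbook in XLStart at launch, so an extension-less
    compound file there is loaded automatically yet skipped by scanners
    that only look at known Office extensions.
    """
    suspects = []
    for entry in os.scandir(xlstart_dir):
        if not entry.is_file() or not is_extensionless(entry.name):
            continue
        with open(entry.path, "rb") as fh:
            if fh.read(len(OLE2_MAGIC)) == OLE2_MAGIC:
                suspects.append(entry.name)
    return sorted(suspects)


def demo():
    """Build a constructed XLStart folder and scan it."""
    with tempfile.TemporaryDirectory() as d:
        samples = {
            # constructed: extension-less file with an OLE2 header
            "Book1": OLE2_MAGIC + b"\x00" * 504,
            # constructed: ordinary workbook name, ignored by this check
            "Personal.xls": OLE2_MAGIC + b"\x00" * 504,
            # constructed: extension-less but not a compound file
            "notes": b"plain text, not a workbook\n",
        }
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return find_suspect_startup_files(d)


if __name__ == "__main__":
    print(demo())
```

A hit only means the file deserves a full scan with current engine and DAT files; the signature check does not identify the virus itself.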
Removal
All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.
PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:
Additional Windows ME/XP removal considerations
Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.
AVERT Recommended Updates:
* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)
* scriptlet.typelib/Eyedog vulnerability patch
* Outlook as an email attachment security update
* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield
For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool - visit this link for more information.
It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are enabled again.
Variants
N/A
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.
Aliases
- BadSeed
- Cross.BadSeed
- Hopper.r
- W97M/Hopper
- W97M/Hopper.r
- X97M/Hopper
- X97M/Hopper.r