Classification

Category :

Malware

Type :

Virus

Platform :

X97M

Aliases :

Sugar

Summary

X97M/Sugar is an Excel macro virus. It gets control when an infected sheet is activated or if an infected workbook window is deactivated.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Upon activation it will create two files, "o6.reg" and "o6.bat", to the root directory of the C: drive. It will use these files to disable Excel's built-in macro virus protection by modifying the registry. Then it will check if there is a file named "Book1." in the Excel's startup directory. If the file does not exist, it will be created and infected. On that way the virus will be active every time when Excel is opened.To spread, the virus first copies itself to every workbook. It takes control when an infected workbook is deactivated. Next, it will go though all sheets within the workbook and will get control when an infected sheet is activated.The payload will be triggered in every month from September to December if the day equals the minute of the current system time. In this case it will replace the contents of upto 200 random cells with a text:

-(Dr. Diet Mountain Dew)-

This text is written with random colors. It will also change contents of the top left ("A1") cell to

The -[Sugar.Poppy]- by VicodinES

The virus code contains the following text:

'=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
 'The Sugar.Poppy Excel Class Object Virus'
 '
written by VicodinES'
 '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'
 ' Can I have a bottle of

 '
 ' WARM DIET MOUNTAIN DEW

 '
 '=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-'

Variant:Sugar.B

This variant uses Microsoft Word to disable the built-in macro virus protection by modifying the registry. It will add a macro (AutoExec) to the normal template that will be executed when Word is started. Anyway, it will not infect any Word documents.While the infection method is the same as X97M/Sugar.A variant, there is additional functionality present. The virus will create a temporary file to the root directory of "C:" drive. The file will have the same name as the current user has in the "Tools/Options/General".If the virus founds user defined modules during infection, it will create a macro that will be executed when the workbook is closed. The macro will attempt to restore the virus from the temporary file mentioned above to each workbook. However, if the temporary file is removed the virus will show a message box with a title

VicodinES wonders...

and the following text:

Why did you remove Sugar.Poppy?

This variant has no payload, but it will intentionally remove all macros from the Word's global template.