
Virus:X97M/Mailcab.B


First posted on 18 December 2012.
Source: Microsoft

Aliases:

Virus:X97M/Mailcab.B is also known as X97M/Ecsys (AhnLab), X97M/MailCab (Command), Virus.MSExcel.Agent.f (Kaspersky), W97MMailcab.A (Norman), X97M.Mailcab.A@mm (BitDefender), X97M/Mailcab.A worm (ESET), X97.DelAll (Ikarus), Trojan.Script.VBS.Dole.e (Rising AV), XM97/MailCab-A (Sophos), XM.Mailcab@mm (Symantec), X97M_OLEMAL.A (Trend Micro).

Explanation:



Virus:X97M/Mailcab.B is a virus that infects Microsoft Office Excel documents. It can spread to other computers via email.



Installation

Virus:X97M/Mailcab.B copies itself as the following file in this location so that it runs every time Excel is opened:

%UserProfile%\Application Data\Microsoft\Excel\XLSTART\K4.XLS

It modifies the following registry entries that lower macro security levels, allowing the malicious macro code to run:

In subkey: HKCU\Software\Microsoft\Office\<Office version>\Excel\Security\
Sets value: "AccessVBOM"
With data: "1"

In subkey: HKCU\Software\Microsoft\Office\<Office version>\Security\
Sets value: "Level"
With data: "1"

In subkey: HKLM\Software\Microsoft\Office\<Office version>\Excel\Security\
Sets value: "AccessVBOM"
With data: "1"

In subkey: HKLM\Software\Microsoft\Office\<Office version>\Excel\Security\
Sets value: "Level"
With data: "1"

Virus:X97M/Mailcab.B creates a folder named "E:\Sorce". It drops an .XLS copy of itself into this path, and a .VBS file used to execute its copy. It also creates another folder named "E:\KK", in which it drops another copy of itself, and another .VBS file that can simulate keystrokes in an Outlook application as part of its mailing routine.
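As an added defender-side example (not part of the Microsoft write-up), the following Python checks exported registry values and file paths against the indicators listed above; the (key, value name, data) export format, the sample observations and the placeholder file names inside the dropped folders are assumptions.

```python
import re

# Indicators quoted from the write-up; the export formats below are an assumption.
OFFICE_SECURITY_KEY = re.compile(
    r"^(HKCU|HKLM)\\Software\\Microsoft\\Office\\[^\\]+\\(Excel\\)?Security\\?$", re.I)
XLSTART_COPY = re.compile(r"\\Microsoft\\Excel\\XLSTART\\K4\.XLS$", re.I)
DROP_DIRS = ("e:\\sorce\\", "e:\\kk\\")
ADDRESS_LOG = "d:\\collected_address\\log.txt"


def weakened_macro_security(reg_values):
    """Return (key, name, why) for each Office security value set as Mailcab.B sets it."""
    findings = []
    for key, name, data in reg_values:  # (key, value name, data) from a registry export
        if not OFFICE_SECURITY_KEY.match(key):
            continue
        if name.lower() == "accessvbom" and str(data) == "1":
            findings.append((key, name, "trust access to the VBA project is on; "
                             "macros may write modules into other workbooks"))
        elif name.lower() == "level" and str(data) == "1":
            findings.append((key, name, "macro security Level=1 (Low); macros run unprompted"))
    return findings


def mailcab_file_artifacts(paths):
    """Return the paths matching the file and folder artifacts named in the write-up."""
    hits = []
    for p in paths:
        low = p.lower()
        if XLSTART_COPY.search(p) or low == ADDRESS_LOG or low.startswith(DROP_DIRS):
            hits.append(p)
    return hits


# Constructed sample observations (not from a real host); file names inside the
# dropped folders are placeholders because the write-up does not name them.
SAMPLE_REGISTRY = [
    (r"HKCU\Software\Microsoft\Office\11.0\Excel\Security", "AccessVBOM", "1"),
    (r"HKCU\Software\Microsoft\Office\11.0\Security", "Level", "1"),
    (r"HKLM\Software\Microsoft\Office\11.0\Excel\Security", "Level", "3"),  # High: benign
    (r"HKCU\Software\Microsoft\Office\11.0\Word\Security", "Level", "1"),   # not a listed key
]
SAMPLE_PATHS = [
    r"C:\Documents and Settings\alice\Application Data\Microsoft\Excel\XLSTART\K4.XLS",
    r"E:\Sorce\dropped_copy.xls",
    r"E:\KK\dropped_copy.vbs",
    r"D:\Collected_Address\log.txt",
    r"C:\Documents and Settings\alice\My Documents\budget.xls",  # benign
]
```

Run it against a real `reg export` and a directory listing only after converting them into the tuple and path lists shown; the regexes accept keys with or without a trailing backslash.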

Spreads via...

Email

Virus:X97M/Mailcab.B sends a copy of itself to all email addresses in your Microsoft Outlook address book. The email may have the following format:

To: <email address>
Subject: <attachment name>
Body:
Dear all,
<attachment name>
FYI
Attachment: <attachment name>.cab

Email addresses are gathered between the times 10:00, 11:00, 14:00 and 15:00, with the aid of a .VBS file that searches for email addresses in your Outlook inbox. The addresses are saved in a file named "D:\Collected_Address\log.txt".

File infection

Virus:X97M/Mailcab.B infects Excel files by copying itself as a macro module with name "ToDOLE" in all open Excel files.

Other information

Virus:X97M/Mailcab.B creates an input box in a hidden sheet in .XLS files it infects. The input box has the message "Warning! You are going to open a confidential file". Additionally, it instructs the user to open the .VBS file capable of gathering email addresses, which opens the hidden worksheet, which in turn runs one of its copies.



Analysis by Marianne Mallen

Last update 18 December 2012
