Triplicate
Triplicate
Type Macro virus
Creator 1nternal
Date Discovered 1999.02.22
Place of Origin Brisbane, Australia
Source Language Visual Basic
Platform MS Office
File Type(s) .doc, .xls, .ppt
Infection Length 3 macro modules
Reported Costs

Triplicate is the first virus capable of infecting across MS Office specifically Word, Excel and Power Point.

Behavior

Triplicate behaves differently depending on what type of file it is executed from. It always turns off the antivirus protection in Word, Excel and PowerPoint. The virus does not infect documents that are already infected.

From Word

When executed from a Word document, it looks for a line of code indicating infection, "'". If it does not find this code, it clears the global template and completely replaces it with its own code.

To cross over to Excel, it checks for the file BOOK1 in the Excel startup folder. Any files in this folder will be opened whenever Excel is started. If it does not find this file, it places one in the folder with the virus code.

To cross over to PowerPoint, it opens the file "Blank Presentation.pot" and checks for the module Triplicate, indicating infection. If it does not find the module, it places an infected module with that name in Blank Presentation.pot. It adds an auto shape to the presentation, which activates the virus when the user clicks it.

From Excel

When executed from an Excel spreadsheet, Triplicate infects spreadsheets in the same way an infected Word document does. The same goes for how it infects PowerPoint.

When infecting a Word document, it opens NORMAL.DOT. The virus clears the template and replaces it with the macro code DisableAV and runs the code, which as the name implies, disables the antivirus protection. It then clears the template a second time to insert the complete virus code.

From PowerPoint

When a user opens an infected presentation and clicks on an infected presentation shape, the virus is triggered with an "actionhook" macro procedure. It will choose a random number between 0 and 0. If the number is 0, it will then check if BOOK1 exists in the Excel startup folder. Triplicate will then continue its infection routines.

When infecting a Word document from an infected PowerPoint presentation, it behaves in the same way as an infected Excel spreadsheet infecting a Word document. Also, when infecting an Excel spreadsheet from PowerPoint, it behaves like a Word document infecting an Excel spreadsheet.

Variants

1nternal himself created at least three variants of this virus with version numbers visible inside the code (0.1, 0.11 and 0.21). There are numerous other variants, most of them likely created by others.

Origin

Triplicate was created by 1nternal, a University student of computer science and engineering. He briefly had it on his site as a link named "sexlist". Of all of his viruses, this one is his favorite. Later that year, 1nternal would create Cross, a cross-platform infector capable of infecting Word documents, Visual Basic scripts and html files.

Sources

Trend Micro Antivirus, O97M_TRISTATE.

Rhape79. Interview with 1nternal. 1999.03

Douglas Knowles. Norton Antivirus, O97M.Tristate.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License