Triplicate | |
---|---|
Type | Macro virus |
Creator | 1nternal |
Date Discovered | 1999.02.22 |
Place of Origin | Brisbane, Australia |
Source Language | Visual Basic |
Platform | MS Office |
File Type(s) | .doc, .xls, .ppt |
Infection Length | 3 macro modules |
Reported Costs |
Triplicate is the first virus capable of infecting across MS Office specifically Word, Excel and Power Point.
Behavior
Triplicate behaves differently depending on what type of file it is executed from. It always turns off the antivirus protection in Word, Excel and PowerPoint. The virus does not infect documents that are already infected.
From Word
When executed from a Word document, it looks for a line of code indicating infection, "'". If it does not find this code, it clears the global template and completely replaces it with its own code.
To cross over to Excel, it checks for the file BOOK1 in the Excel startup folder. Any files in this folder will be opened whenever Excel is started. If it does not find this file, it places one in the folder with the virus code.
To cross over to PowerPoint, it opens the file "Blank Presentation.pot" and checks for the module Triplicate, indicating infection. If it does not find the module, it places an infected module with that name in Blank Presentation.pot. It adds an auto shape to the presentation, which activates the virus when the user clicks it.
From Excel
When executed from an Excel spreadsheet, Triplicate infects spreadsheets in the same way an infected Word document does. The same goes for how it infects PowerPoint.
When infecting a Word document, it opens NORMAL.DOT. The virus clears the template and replaces it with the macro code DisableAV and runs the code, which as the name implies, disables the antivirus protection. It then clears the template a second time to insert the complete virus code.
From PowerPoint
When a user opens an infected presentation and clicks on an infected presentation shape, the virus is triggered with an "actionhook" macro procedure. It will choose a random number between 0 and 0. If the number is 0, it will then check if BOOK1 exists in the Excel startup folder. Triplicate will then continue its infection routines.
When infecting a Word document from an infected PowerPoint presentation, it behaves in the same way as an infected Excel spreadsheet infecting a Word document. Also, when infecting an Excel spreadsheet from PowerPoint, it behaves like a Word document infecting an Excel spreadsheet.
Variants
1nternal himself created at least three variants of this virus with version numbers visible inside the code (0.1, 0.11 and 0.21). There are numerous other variants, most of them likely created by others.
Origin
Triplicate was created by 1nternal, a University student of computer science and engineering. He briefly had it on his site as a link named "sexlist". Of all of his viruses, this one is his favorite. Later that year, 1nternal would create Cross, a cross-platform infector capable of infecting Word documents, Visual Basic scripts and html files.
Sources
Trend Micro Antivirus, O97M_TRISTATE.
Rhape79. Interview with 1nternal. 1999.03
Douglas Knowles. Norton Antivirus, O97M.Tristate.