A forum for reverse engineering, OS internals and malware analysis 

 #15389  by danleonida
 Tue Aug 28, 2012 6:16 pm
Yesterday I started a similar topic on this forum.

While developing the spreadsheet [MS Excel & OpenOffice] I contracted something that I would really want to know what the hell it is. Here they are:

2012.08.22...VisiVirus - 2.3 meg empty file.xls
2012.08.22...VisiVirus - Selection too large.xls

The first is an empty xls file which, somehow, saves to 2.3 megs. The second is an older version of VisiCrypt which does not allow a copied line to be pasted more than 3-400 times. I contracted this one soo...oo many times, it is no longer funny!

VisiCrypt works by asking the user to copy one line then paste it as many times as there are characters in the plaintext/cryptogram. I eventually got rid of unwanted digital life forms by extracting all of my equations in a dot-csv file then pasting them in a fresh spreadsheet.

BTW, I automated this process and am advocating it to the end user. The link I gave above is to a clean spreadsheet - to the best of my knowledge - and is to be used for evaluation only. For max security the end-user should recreate the files. Nobody can bug a text file heavily commented and checksummed!!

My very strong suspicion is that parties with a stake in not having strong email encryption available to all have created and deployed an Excel macro capable of running in a spreadsheet even when macros are disabled.

A poster of the other forum I mentioned said that if anyone can help me, then I'll find him/her here.

So, here I am! Can anyone help?

Please do disturb!
Not disturbed enough yet.

danleonida-at-yahoo-dot-com
 #15410  by danleonida
 Wed Aug 29, 2012 10:30 pm
I've added a download pwd to the two VisiVirus files in the above post: "infected"

It was suggested to me on another forum, but...

I've know these viruses to affect the PC! Only the encryption Excel running on them!

Just cautious, I guess!
 #15454  by danleonida
 Fri Aug 31, 2012 5:29 pm
thx 110!

Avast is a maker of commercial virus scan s/w. What I contracted was a 'custom' backdoor into an unbreakable/uninfectable and free email encryption s/w that can be run from a public library, if need be! It is, IMHO, a one-of-a-kind s/w 'effort'! I got that one years ago when VisiCrypt was using a lookup table for the XOR function to optimize speed. Since then I modified it to actually calculate the XOR and eliminate one vulnerability. I also developed the dot-csv distribution method which prevents this kind of infection from happening to anyone else.

I just tried saving an empty Excel to see its size. 15.5 KB one tab, Excel 2007 saved as 97-2003 compatible file. Do you remember what you/Avast used?! It makes a diff.! Even 50 KB is more than 3 times the size it should be!

Once I developed the dot-csv distribution method, the next infection I contracted looked like the one in the file below. Again, download pwd=’infected’

2012.08.22...VisiVirus - Selection too large.xls

VisiCrypt requires the user to copy a certain line and paste it as many times as there are characters to encrypt/decrypt. This particular life form - which I contracted countless times - displays an Excel-like message saying “Selection too large” if one tries to paste the line more than 3-400 times. The actual number varied quite a bit. Have you tried this file?

I WANT TO MENTION AGAIN FOR THE BENEFIT OF ALL READERS/DOWNLOADERS: I HAVE NEVER KNOWN THE BUGS I HAVE CONTRACTED WHILE DEVELOPING VISICRYPT TO INFECT THE COMPUTER. ONLY MY SPREADSHEET! ALSO, OpenOffice Calc SEEMED TO GET RID OF AT LEAST SOME OF THEM.

To get to the bottom of things, I think I need a MS Excel decompiler to be used against the infected files. Do you know a place, or a person that may have access to one?
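A first triage step for the question above about inspecting the files, as an added example that is not part of any post in this thread: Excel 97-2003 .xls files are Compound File Binary (OLE2) containers, and VBA macro code, when present, sits in named storages that can be listed without opening the file in Excel. The function names and the in-memory sample produced by build_sample are constructed for this illustration.

```python
import struct

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
KINDS = {1: "storage", 2: "stream", 5: "root"}
# Storage/stream names Office uses for VBA projects (Excel, Word, shared VBA storage).
VBA_NAMES = {"_VBA_PROJECT_CUR", "Macros", "VBA", "_VBA_PROJECT"}

def list_entries(data):
    """Return [(name, kind)] for each directory entry of a CFB (OLE2) file such as .xls."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not a Compound File Binary container")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # sector size, 512 for v3
    def sector(n):                                         # sector 0 follows the header
        return data[(n + 1) * size:(n + 2) * size].ljust(size, b"\xff")
    fat = []                      # header DIFAT holds the first 109 FAT sector numbers
    for s in struct.unpack_from("<109I", data, 0x4C):
        if s != FREESECT:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    entries, seen = [], set()
    sec = struct.unpack_from("<I", data, 0x30)[0]          # first directory sector
    while sec < len(fat) and sec not in seen:              # 'seen' stops looping chains
        seen.add(sec)
        block = sector(sec)
        for off in range(0, size, 128):                    # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", block, off + 64)
            if kind in KINDS and 2 <= name_len <= 64:
                name = block[off:off + name_len - 2].decode("utf-16-le", "replace")
                entries.append((name, KINDS[kind]))
        sec = fat[sec]
    return entries

def has_vba(data):
    """True if any storage/stream carries a name used for VBA project data."""
    return any(name in VBA_NAMES for name, _ in list_entries(data))

def build_sample(names):
    """Constructed minimal CFB (only the fields read above): header, FAT, directory."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 0x2C, 1, 1)     # one FAT sector; directory in sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))
    directory = bytearray(512)
    for i, (name, kind) in enumerate(names):
        raw = name.encode("utf-16-le")
        directory[i * 128:i * 128 + len(raw)] = raw
        struct.pack_into("<HB", directory, i * 128 + 64, len(raw) + 2, kind)
    return bytes(hdr) + fat + bytes(directory)
```

A file with no VBA storage can still contain Excel 4.0 (XLM) macro sheets, which live inside the Workbook stream and are not seen by this listing.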
 #15549  by danleonida
 Thu Sep 06, 2012 6:10 pm
I contracted what seems to be a brand new virus and started a topic about it on an Excel Forum hoping they might be more interested in such a thing. No luck!

It looks as if a simple, long character string pasted in one cell somehow gets something very time-intensive to be executed.

It did not manifest itself in the main VisiCrypt file, but rather in the key generation one.

To avoid the PSEUDOrandom attribute of the built-in RAND() function, I decided to xor its output with a small dot-png file. The dot-png file is the "long character string" mentioned above.

I did not include a download psw on this file but, again:

I WANT TO MENTION AGAIN FOR THE BENEFIT OF ALL READERS/DOWNLOADERS: I HAVE NEVER KNOWN THE BUGS I HAVE CONTRACTED WHILE DEVELOPING VISICRYPT TO INFECT THE COMPUTER. ONLY MY SPREADSHEET!

Unlike the previous two "life forms", this one DOES seem to affect OpenOffice as well!

I hope MS is listening...
 #15553  by EP_X0FF
 Fri Sep 07, 2012 3:55 am
Not Malware. I didn't look at the 2nd file but your 2.5 mb xls perfectly saves to 24 Kb file. You probably copy-pasted some structure from other xls or some cells contain previous data / format. Thread moved.
 #15587  by danleonida
 Sat Sep 15, 2012 11:39 pm
EP_X0FF wrote:... but your 2.5 mb xls perfectly saves to 24 Kb file. ...
Thank you! You likely saved it in a 'modern' Excel which partially, at least, eliminated the problem. An empty worksheet saves into 15.5 Kbytes in Excel 12.0 (2007). The file was originally saved in 2003, if I remember correctly.

The following link is to a more detailed explanation [post #24] of one of the other two viruses which is much more obvious:

https://www.wilderssecurity.com/showthr ... 7&t=331075

If you have the time and the inclination, please, have a look!
 #15873  by clarisha
 Wed Oct 03, 2012 11:15 am
How to get a free spreadsheet software to save as a web page? I need to save a spreadsheet as a webpage. It needs to be on this computer for a project and I just have Microsoft Works spreadsheet. This doesn't let me save it as a webpage. Does anyone know of a free spreadsheet software similar to Excel that I could download to use?