Excel files are allergic to the Dutan worm

The Dutan.A worm primarily seeks to destroy files created with the Excel spreadsheet application.

The Dutan.A worm most often reaches the targeted computers via network drives or removable storage devices. It then creates several files and modifies the registry. The worm copies two files to each available network and removable drive. One of them contains the malware, while the other ensures that the worm is loaded automatically when the storage device is reconnected.

Dutan.A searches infected PCs for all available .xls files and appends a 2 KB random string to each of them. This can make the Excel files unusable.

When the Dutan.A worm starts, it performs the following actions:

  1. It creates the following files:
    %System%\winxpsp2.dll
    %System%\csrsss.exe
    %System%\svchosts.exe
  2. It copies the following two files to the root directory of each network and removable drive:
    svchosts.exe
    autorun.inf
  3. It adds the following entries to the registry:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "Microsoft OfficeTool" = "svchosts.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{56999cec-3c1d-11db-a335-806d6172696f}
    "BaseClass" = "Drive"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6dd31b68-fe5a-11db-9fd3-806d6172696f}
    "BaseClass" = "Drive"
  4. It searches for files with an .xls extension and appends a 2 KB randomly assembled string to them.
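
A defensive sweep for the file indicators in steps 1 and 2, as an added example that is not part of the original article: it lists the dropped file names found in a system directory and flags a drive root where `autorun.inf` launches `svchosts.exe`. The function names, the tolerant `autorun.inf` parser and the choice of `open`, `shellexecute` and `shell\...\command` as launch keys are assumptions of this example (the article does not show the worm's `autorun.inf` contents), and the directories to inspect are supplied by the caller.

```python
import os

# File names as listed in the article; Windows names are case-insensitive.
SYSTEM_DROPS = {"winxpsp2.dll", "csrsss.exe", "svchosts.exe"}
DRIVE_PAYLOAD = "svchosts.exe"
LAUNCH_KEYS = ("open", "shellexecute")  # standard autorun.inf launch keys


def autorun_targets(text):
    """Return launch commands from the [autorun] section, skipping junk lines."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            key = key.lower()
            if key in LAUNCH_KEYS or (
                key.startswith("shell\\") and key.endswith("\\command")
            ):
                targets.append(value.strip('"').lower())
    return targets


def check_drive_root(root):
    """Report the payload name and any autorun.inf entry that launches it."""
    names = {name.lower(): name for name in os.listdir(root)}
    findings = []
    if DRIVE_PAYLOAD in names:
        findings.append("payload name present: " + names[DRIVE_PAYLOAD])
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), "rb") as fh:
            data = fh.read()
        # Assumption: the file is UTF-16 with a BOM or a single-byte encoding.
        enc = "utf-16" if data[:2] in (b"\xff\xfe", b"\xfe\xff") else "latin-1"
        for target in autorun_targets(data.decode(enc, errors="replace")):
            if DRIVE_PAYLOAD in target:
                findings.append("autorun.inf launches: " + target)
    return findings


def check_system_dir(system_dir):
    """Return the article's dropped file names that exist in system_dir."""
    present = {name.lower() for name in os.listdir(system_dir)}
    return sorted(SYSTEM_DROPS & present)
```

Call `check_drive_root` with the root of each mounted network or removable drive and `check_system_dir` with the Windows system directory; an empty result means none of these file indicators were found there.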
