Articles, Blog

Virus.MSExcel.Neg

December 16, 2019


Hello, everyone! Today we’re taking a look at “Neg”, a macro virus written for Excel, rather than Word. I like this one quite a bit, because with Excel, there are different ways to hide your work, and this macro virus employs some pretty interesting techniques to try to avoid detection by the user. As you can see here we have three variants: We have B, C, and E, and we’ll run each one and they’ll ALL infect Excel, and so we will end up with a very thoroughly infected spreadsheet before the end of this video. We will go ahead and open the B variant, and nothing much appears to happen. We have our spreadsheet open, we can navigate to our macros, we can see here that we have three macros in this file. And three in a file called lore.xlm. However, we do not see that file anywhere. But thankfully, the virus does not lock it down, And we can jump right into the code and see what’s happening. So we have some nice credits here at the top of the macro Uh, ‘NEG’ is a trademark of NoMercy. Please include this text, generated with NEG. Uh, i’m not sure what NEG is but.. We have a website and I tried visiting it, unfortunately it does not exist anymore. UNFORTUNATELY. Virus name is apparently supposed to be Lord, but Kaspersky decided it should be ‘Neg’ And was written my Foxx with Neg So, moving right along and moving clippy right out of the way, we can see in this code that it employs one technique It uh, actually checks to see if lord.xlm is running And creates this as a hidden worksheet And this is where it actually infects new worksheets and if this is running it’s able to infect other stuff that is happening in Excel So in the sub fuck, we can see that it turns off screen updating so that you can’t see what’s happening, It activates the lord.xlm window, and makes it visible, activates it, makes sure that the sheet is visible, and then copies it to your current workbook so it is infected And then turns them all off and makes the invisible and then reactivates screen updating. so you won”t see this actually happen, but it will actually create this worksheet, and attach it to the one you’re attempting to use, and infect it and then hide everything that it did. And we can actually see this if we go back here, we goto window, and on hide, we can see unhide the workbook ‘lord’ where we now have two workbooks open, and this one is trying to infect everything that runs. And finally we have a payload for this variant. Close out of it real quick here. If you close one it closes both. And we change it to the first of the month, Run it again, and close. It says, ‘get the best execel scanner, NVT-98’ So, pretty much referring to antivirus software you can get, because you’re infected dOOd Press OK, it goes away. Move along to NEG-E now, and uh, we get some interesting notice from excel, that blablabla we don’t care. [inhale] macros aren’t stored in the document, and we can see that this a sacrificial goat file from Sophos And once again we can take a look at our macros, however we seem to be gaining some we’ve got lord running, because it appends itself to every excel spreadsheet we open Now I’ve also got ‘neg.xlm’ Which is also infecting everything that we open. If we edit it, we can see that it attempts to uh, hide everything we were just in. uhhhh It did not successfully delete all of these menu bars because we are here reading this code. So.. you try. If we keep on scrolling, things are generally pretty much the same. And we just have a different message when we close out of excel on the 13th of the month. So let’s do that 😀 We can see here ‘Get the best Excel Scanner’ because we are still infected with the first variant. [Sexy Beats]

100 Comments

  • Reply Mason Kiernan July 11, 2017 at 10:46 pm

    Lound The Speaker We Want Dance

  • Reply Dyo Kasparov July 14, 2017 at 10:25 am

    a virus that can DOS-ify your PC, awesome

  • Reply Reece Orton July 24, 2017 at 3:13 pm

    I like clippy, but he can be annoying. Every time I misspell a word, he says how to correct it. I did learn from him that ctrl and backspace removes full words. He also has various fun tips of the day.

  • Reply Sam Hue July 24, 2017 at 6:46 pm

    The end looks like ms dos prompt style 😛

  • Reply PK Snowstorm July 27, 2017 at 8:19 am

    One day, I hope everyone can eat my tits

  • Reply The Reptilian Wizard Lizard July 28, 2017 at 2:42 pm

    Can you lend a negga a pencil?

  • Reply Hunter Turcin July 28, 2017 at 5:34 pm

    If inFuckIt() Then
    GoTo bye2

    Amazing names.

  • Reply Drakonn August 10, 2017 at 4:20 pm

    1:28 fucksheet.

  • Reply Tomasz Adamowicz August 19, 2017 at 5:11 pm

    Excel: Virus
    danooct: Virus broke
    Excel: understandable. restarting windows

  • Reply RubyPiec September 1, 2017 at 8:30 pm

    0:47 Sub [censored]
    oactivebook = acriveworkbook.name
    If in[censored]It () Then
    why isnt it "[censored]YourGirlfriend"
    oh wait thats just wrong

  • Reply Joshua Mccutcheon September 2, 2017 at 9:14 pm

    I thought Clippit was part of the virus for like two seconds

  • Reply Purple dreemurr September 4, 2017 at 2:38 pm

    One of the macros is called fuck lol your computer is fucked

  • Reply Snow September 29, 2017 at 10:09 pm

    NEG is my initials (first, middle, and last name)

    Am I part of a virus :O

  • Reply A. Valentine October 6, 2017 at 7:07 pm

    What are those things called? The paper clip on a ruled paper creature. When I was a kid, my dad had this paper clip creature but one day he changed it to a dog. I loved that dog. My dad used to work on Excel and I sat beside him and watched the dog.

  • Reply nascar88ford October 12, 2017 at 1:23 pm

    Came here to see "Clippy!"

  • Reply DZHEX October 24, 2017 at 8:14 pm

    dur.w

  • Reply TheDoginator October 29, 2017 at 3:12 am

    2 billion bytes left.

  • Reply Cynda October 31, 2017 at 11:52 pm

    Thank you…

    You saved Clippy.

  • Reply Andrey Tv Show November 10, 2017 at 1:34 pm

    Говори по-русски, если умеешь

  • Reply VMan_ 2002 November 21, 2017 at 11:43 am

    Where did A go

  • Reply __ November 21, 2017 at 10:37 pm

    Clippy “oh is that a virus? It’s ok, my life sucks anyways”

  • Reply Reperak November 24, 2017 at 6:11 pm

    Fuck

  • Reply Bitch fuckass December 14, 2017 at 11:02 am

    fuck

  • Reply Bitch fuckass December 14, 2017 at 11:03 am

    can anyone gimme a link for a virus pls

  • Reply Pedro da silva January 2, 2018 at 7:50 pm

    PaperClip: Hello! I see you trying to run a virus! You like help to make antivirus delete the Excel to stop that?

    () Shut up
    () Fucking
    () I Hate you
    () Yes
    () nope
    () Delete Manually
    (Selected) Delete System32 from the Excel

    PaperClip: Ok! Creating a macro to do that….
    Complete!

    PaperClip: Executing the macro……

    Restarting……

    BSOD
    Another BSOD
    MORE BSOD
    FUCKING BSODs
    SHUT UP

    Terminal Command: Your Computer has been Fucked by the Excel Macro Virus!!!!!!!

  • Reply Sub G January 11, 2018 at 7:03 pm

    anyone else notice when he typed 'dur.w'?

  • Reply Spencer Foucart February 14, 2018 at 10:28 pm

    Hey, they didn’t lound the music! I wanted dance!

  • Reply Pietrão February 17, 2018 at 8:49 pm

    WAWA

  • Reply vishmita suvarna February 20, 2018 at 11:07 am

    Oh, don't do that Baillie2715… #lol

  • Reply KudaKeileon February 21, 2018 at 2:51 am

    Me watching this video:

    "Okay so that just self-reproduces… what does this virus even do except make more of itself? […] OH. Oh. It formats the C drive. Okay. Neat. Boring, but neat."

  • Reply Xzaratherg March 6, 2018 at 6:40 pm

    ga

  • Reply Arthur costa guerra March 9, 2018 at 9:41 pm

    You hot wednesday the may talking chomp virus 164 the 2 virus jam chomp virus hot wednesday the Windows talking may the 2 virus you

  • Reply Arthur costa guerra March 9, 2018 at 9:42 pm

    Jassis9 kwie nine ???????

  • Reply Arthur costa guerra March 9, 2018 at 9:43 pm

    TEN Virus

  • Reply Shark Owen March 21, 2018 at 7:00 pm

    Has anyone tried to call that number

  • Reply Aleksandra Pljonkina March 30, 2018 at 8:04 am

    "Woah, what happened. I think it did the thing." -Danooct1

  • Reply pineapplepizza19 April 3, 2018 at 8:16 pm

    The way he said fuck

  • Reply HĒLL CÄT April 4, 2018 at 11:14 am

    WUT THE &$^# MY A$$ IS A D4MN

  • Reply CaveGame April 8, 2018 at 2:29 pm

    L0|

  • Reply luca009 // l9 April 14, 2018 at 6:50 pm

    NegC should be renamed to DowngradeToDos

  • Reply tyler shar83 April 23, 2018 at 4:54 pm

    sub.to danooct1

  • Reply Hùng THV Trần April 27, 2018 at 10:38 am

    Fuckiest Fucked Fucking Fucker Fucky Fuck thing

  • Reply Goblin 01 May 2, 2018 at 1:48 pm

    6:15 so it means that virus "downgrades" the system to MS-DOS

  • Reply Kevin Ta May 19, 2018 at 2:40 am

    we doa

  • Reply Matthew Studios May 26, 2018 at 2:53 am

    0:47 | Well, At least they were seeing the other thing..

  • Reply tanookimack June 9, 2018 at 5:09 am

    idk about anyone else, but if i was writing a virus, i would definitely codename a part it "fuck"

  • Reply Nick Stalburg June 11, 2018 at 11:36 pm

    "Worlds best computer"

  • Reply Common Skrublord June 12, 2018 at 7:03 am

    When I heard neg, I accidentally said "er"

  • Reply Filip's World June 19, 2018 at 9:16 pm

    Neg = New Excel Generator 3:58

  • Reply Matthew Brian June 27, 2018 at 12:40 pm

    Seems like the virus was made in Indonesia, judging from the sourcefiles that say "cek" (=check, in Indonesian), and the phone number area code 0341 followed by six-digit number.

  • Reply Matúš Chochúl July 8, 2018 at 7:42 pm

    office 97,2000,2002 or 2003?

  • Reply Pretty Bowser July 9, 2018 at 12:46 pm

    Lol this is my virus

  • Reply thepizzacar pizza July 12, 2018 at 5:16 am

    Neg… but what about Nag

  • Reply Boopy August 14, 2018 at 12:53 am

    i like this

  • Reply ParPar August 23, 2018 at 12:20 pm

    upgrade said worlds best computer to windows 7 then game on it

  • Reply m3nchie August 27, 2018 at 4:05 am

    R.i.p clippy..

    Hugged Kids
    Hugged Wife

  • Reply mr coder September 16, 2018 at 5:02 pm

    I feel like you work for Microsoft's Security Department

  • Reply Josh8230 October 2, 2018 at 3:08 pm

    I don't know who the author of the virus is, but judging by the comments in the code, I like him already.

  • Reply Walki Acid October 16, 2018 at 6:29 pm

    COMPTER: how dare you run the worm that's it you grouneded for 500000000000000years!

  • Reply Samuel Richter October 20, 2018 at 8:48 pm

    Sub FUCK

  • Reply Game & Watchster November 3, 2018 at 1:42 pm

    Sub Fuck ()

  • Reply Luka's tube November 4, 2018 at 6:47 pm

    in the sub FUCK

  • Reply Light Plays November 6, 2018 at 6:30 pm

    >win.dir.play.mario/:Cdrive

    Attempt to play this comment,
    >DOS/:viruses
    (blah) 8,498 viruses scanned.

  • Reply Kirby Universe November 15, 2018 at 6:48 pm

    T H A T ' S R A C I S T ! Y O U C A N ' T S A Y T H A T !

  • Reply [GD]GDark December 3, 2018 at 10:59 am

    Wtf My Pc Blue Screened while watching this video

  • Reply Lutfi Halim December 24, 2018 at 4:17 pm

    that virus is from malang,indonesia

  • Reply Vin Crafter December 31, 2018 at 8:28 am

    so this virus turns a windows 98 computer to a ms dos one.
    great virus, would infect again

  • Reply Liott L January 3, 2019 at 6:22 pm

    ЗАЧЕМ ПЕРЕВОДИТЬ НАЗВАНИЕ ПРИ НЕПЕРЕВЕДЕННЫХ СУБТИТРАХ???? В ЧЁМ ЧЕРТОВ СМЫСЛ?? Я нажимаю на русский заголовок, потому что логично предполагаю, что и субтитры тут тоже будут переведены, а мне вежливо говорят ХУЙ ТЕБЕ, ТУТ ТОЛЬКО АНГЛИЙСКИЙ И МАТЬ ЕГО ПОЛЬСКИЙ! Это какой-то особый вид издевательств, господа

  • Reply Cat Incoat January 13, 2019 at 8:56 am

    Блять не аххуели перевод названия сделали а видео нет!

  • Reply ThreeG January 14, 2019 at 9:19 am

    Genius.

  • Reply Hector Luevano January 26, 2019 at 8:45 pm

    Clippy watches you when you opened Excel. He does not close when you close office.

  • Reply satan April 30, 2019 at 6:36 am

    ninja is that you?

  • Reply Walki Acid May 11, 2019 at 11:24 am

    with mr AWAWAWAWAWAWAWAWAWAWAWAWAWAWAWA

  • Reply ko x May 31, 2019 at 12:21 pm

    Microsoft: makes spreadsheet program
    Microsoft employees: Should we give it access to system files and code?

    Microsoft: What's the worst that can happen?

  • Reply Hunter June 3, 2019 at 5:01 pm

    shut up neg

  • Reply Daniel Norsworthy July 9, 2019 at 3:33 am

    After all this time, I still havent seen one comment referencing Family Guy, so I'll do it.

    "Shut up, Neg."

  • Reply Alireza w0nder August 6, 2019 at 8:53 pm

    S U B F U C K

  • Reply C: DOS August 7, 2019 at 12:45 am

    GoTo FuckSheet:

  • Reply DUNG August 11, 2019 at 11:11 am

    Fuck()

  • Reply sixfront August 13, 2019 at 1:45 am

    Lound The Speaker We Want Virus

  • Reply SexyWoody August 20, 2019 at 2:25 pm

    How to make?

  • Reply LuaConstructor August 21, 2019 at 1:05 am

    meanwhile clippit just sits there with his cute eyes

  • Reply Роман Макакий August 22, 2019 at 6:27 am

    0:45 Macro called "The F word"

  • Reply Destroyer August 24, 2019 at 10:38 pm

    Telling us to shut up in the description well HOW ABOUT YOU SHUT YOUR BITCH ASS UP !!!

  • Reply CJ Londonio August 24, 2019 at 10:42 pm

    Is this an April Fools joke?

  • Reply Umaru Kashiwazaki August 24, 2019 at 11:09 pm

    Negga

  • Reply Meowshanya August 25, 2019 at 2:05 am

    Скрепка прикольная

  • Reply Jasmixd August 25, 2019 at 10:09 pm

    Lound the speaker we want dance : )

  • Reply Darian Kimberly August 26, 2019 at 5:13 am

    have you tried the wayback machine for the website?

  • Reply Stephen Wilson August 26, 2019 at 1:36 pm

    say… neg… again

  • Reply Con Cena August 28, 2019 at 1:43 pm

    Now we are getting scams on calender events

  • Reply Dane Maricic August 29, 2019 at 4:18 am

    "Begin of fuck HDD routine"

    Stellar

  • Reply Good day August 29, 2019 at 4:38 am

    Is there an excel in windows 98?

  • Reply Jay Brooks August 29, 2019 at 5:09 am

    You know what you should do is add debugging and unhide all actions to display all the havoc

  • Reply TARYN HARTWIG HOWEIIS August 29, 2019 at 5:55 am

    i know how to delete the system system do you

  • Reply ferdinandrcj August 31, 2019 at 6:00 am

    hell, from the phone number and the initial that the virus creator used (Mr. Nawaw), i know the exact country he lived in.

  • Reply ESFAndy011 September 2, 2019 at 8:15 pm

    Oh God a Geocities web page to boot… can't get better than that.

  • Reply mahchymk93 October 7, 2019 at 4:32 am

    Poor clippy

  • Reply M Nafis Naufally November 16, 2019 at 6:27 am

    That phone number,, i bet it's my country's old telephone number format used a more than a decade ago

  • Reply Kre November 21, 2019 at 12:59 am

    clippy: hehe Im in danger

  • Leave a Reply