X97M/Papa is a macro virus which is based on the code of W97M/Melissa. The virus replicates under Excel 97, but it does not infect other workbooks. The worm is intended to send copies of itself via email messages by using MS Outlook. Due to its infection method, this is much more of a worm than an ordinary macro virus.

X97M/Papa was posted on March 29, 1999 to the newsgroups alt.sex.bondage and alt.binaries.pictures.erotica in a file named PASS.XLS, claiming to contain passwords. When opened with Excel 97, the program is supposed to start Outlook (not Outlook Express) and send itself to the first 60 addresses in every address book, using code obviously copied from the W97M/Melissa virus. However, due to a bug, it cannot compile, let alone run.

The worm code contains one procedure named Workbook Open in the module ThisDocument that automatically runs on opening the workbook. To send copies of itself via email the virus attempts to use VisualBasic abilities to activate other MS Windows applications and use their routines. The virus gets access to MS Outlook (if it is installed on the computer) and calls its functions.

The message is created with the subject:

"Fwd: Workbook from all.net and Fred Cohen"

The message body of text reads:

"Urgent info inside. Disregard macro warning."

The worm-workbook is attached and the email is sent. The name of the workbook is PASS.XLS. Please note that filenames are easily changeable, and that in future this worm may be seen under a different filename.

Depending on the system random counter (with a probability of 1/3) the worm floods either the "Fred Cohen & Associates" web site or the site with IP address 24.1.84.100 potentially causing a denial of service and additional network congestion.

In order for this worm to self-propagate, one must have both Microsoft Excel and Microsoft Outlook installed on their computer system.

At the time of this posting, X97M/Papa does not present any immediate threat, as it is unable to run. Reports indicate that the mistakes in the virus can be easily fixed. It is suspected that we are likely to see more such viruses in the future. The virus author has publicly posted that the bug has been fixed.