Intro

Surabaya is a macro virus that infects Word 98 documents and NORMAL.DOT document template file.

Modules

There are 6 modules: AutoExec (runs on startup), AutoOpen (runs when document is opened), FileSaveAs (replaces "File > Save as..." option), FileTemplates (replaces "Tools > Templates and Add-ins..."), Plong (comment from author) and ToolsMacro (replaces "Tools > Macro > Macros...").

AutoExec displays the following message in status bar:

Lontong Micro Device (c) 1993 By ICE-Man

The message displays with scrolling effect from right to left and vice versa.

AutoOpen checks if "Plong" macro exists. If it doesn't, then it performs infection. Along with that, it stores key-value in WIN.INI file with following method:

WordBasic.SetProfileString "Author", "Name", "TeBeYe`93 The ICE-Man"

This contains the name of author (presumably, "The ICE-Man"), as it's written.

FileSaveAs only has function to infect documents and nothing else, though it didn't work well for me. It's possible that there was an error that skipped infection process.

FileTemplates and ToolsMacro display a message as shown in following method:

WordBasic.MsgBox "Sorry..."

It disables these options by replacing them with this message.

Plong only contains comments from author:

This Macro was created by : The ICE - "Yes" Man

Allah Swt always be with All of You ....

Surabaya, 09-09-1996

Notes

Surabaya is a port city and the capital of East Java province of Indonesia with a high percentage of Islamic religion citizens.

Plong is an Indonesian movie released in 1991.

Lontong is a dish made of compressed Rice cake in the form of a cylinder wrapped inside a banana leaf that's commonly found in Indonesia.

Total file size of this malware is measured with the size of exported modules of the virus itself.

Links

Analysis (VirusTotal)

Demo (Tom.K)

Description (Kaspersky)

Description (F-Secure)

Description (IPA)

Description (Trend Micro)

Description (Dr.Web)