However, XM.Sofa has unique features. XM.Laroux infects by creating a file called PERSONAL.XLS in the default startup directory. XM.Sofa spreads by way of a file called BOOK.XLT placed in the alternate startup directory.

XM.Sofa contains four macro functions: Auto_Open, Auto_Range, Current_Open and Auto_Close. When you open an infected file, the virus takes control and changes the caption at the top of the screen from Microsoft Excel to Microsofa Excel.

Then the virus checks to see if the system is already infected by looking in the alternate startup directory for a file named BOOK.XLT. If this directory is not defined, it looks in the default directory C:\MSOFFICE\EXCEL\XLSTART. If the file does not exist in the target directory, the virus infects the system and displays the following message:

Microsoft Excel has detected a corrupted add-in file. Click OK to repair this file.

After you click the OK button, the file BOOK.XLT is created in the target startup directory and the virus is ready to infect other spreadsheets.

NOTE: If the alternate startup directory is defined, but does not exist, the virus cannot create the BOOK.XLT file. XM.Sofa will not be infectious upon startup, and will not display the message box.

The virus creates two worksheets, one with a name of 12 blank spaces and the other with 13 blank spaces. Both worksheets contain the text of the macros. However, only one of them is specified as a Visual Basic module, while the other is defined as a normal worksheet.

XM.Sofa does not contain any deliberately harmful payloads.

Description by Chris Formulak - December 6, 1996

The e-mail message describing the virus is similar to the original Good Times virus e-mail hoax. It could even be described as a virus hoax strain.

The Penpal Greetings hoax message includes the following “warning”:

This is a warning for all internet users - there is a dangerous virus propagating across the internet through an e-mail message entitled "PENPAL GREETINGS!" DO NOT DOWNLOAD ANY MESSAGE ENTITLED "PENPAL GREETINGS!"

This message appears to be a friendly letter asking you if you are interested in a penpal, but by the time you read this letter, it is too late. The “trojan horse” virus will have already infected the boot sector of your hard drive, destroying all of the data present. It is a self-replicating virus, and once the message is read, it will AUTOMATICALLY forward itself to anyone who's e-mail address is present in YOUR mailbox!

death69 is not a virus; it is a complete hoax. There is currently no virus that has the characteristics ascribed to death69. As with most virus hoaxes, the message over-exaggerates the necessity to pass the message on to everyone the reader knows, claims that the "virus" can perform physical destruction to computer parts and quotes an authority figure in an attempt to lend more credibility to the often absurd claims.

The hoax was first discovered posted to a newsgroup on Prodigy in early December 1996.

The message includes the following "warning:"

There is a new horrible virus on the loose! created late November by elite hacker "DEATH-BLAZE." The virus is full stealth and Trojan, once thought never possible, it first formats the hard drive, then it physically eats at the materials of the drive. researchers are stunned, they say it is probably the most destructive virus ever created.

The virus's name is "death69" witch as I stated earlier was created by elite hacker "DEATH-BLAZE"

In November of 1996, a false warning was posted to several sites on the Internet that the Microsoft home page was distributing a virus. The creator of the message quoted a well known anti-virus developer, Mikko Hypponen of Data Fellows, to lend credibility to the false claims.

The following statement was issued by Mikko Hypponen:

This is a warning on a nasty hoax that has been distributed on several mailing lists and in usenet news. The hoax message is falsely attributed to me (Mikko.Hypponen@datafellows.com).

This false warning urges people to stay off Microsoft's home page and not to use Microsoft Internet Explorer, because the 'Microsoft home page is possibly infected by a virus'. This is nonsense.

If you have seen this warning, please pass on this message, and please do not redistribute the original warning any more.