SLAM.008: ExcelMacro/Laroux virus info
WORD.EXCEL.LAROUX
A year after the first widespread Microsoft Word macro virus, the first real Microsoft Excel macro was found in July 1996. Word macro viruses have demonstrated that viruses spreading in macro format inside document files can spread far and wide: WordMacro/Concept is the most commonly reported virus in the world. The first Excel macro virus was named ExcelMacro/Laroux.
Once the Excel environment has been infected by this virus, the virus will always be active when Excel is loaded and will infect any new Excel workbooks that are created as well as old workbooks when they are accessed. The virus spreads from a machine to another when XLS files are exchanged over a local network, over the internet, in e-mail or on diskettes.
ExcelMacro/Laroux was written in Visual Basic for Applications (VBA). This is a macro language based on the Visual Basic language from Microsoft. This virus is be able to operate under Excel 5.x and 7.x under Windows 3.x, Windows 95 and Windows NT. This virus does not work under any version of Excel for Macintosh or Excel 3.x or 4.x for Windows. It also fails under some localized versions of Excel, but works fine under other (for example, it won't work under French Excel, but replicates fine under Finnish Excel). This depends on how the translation is done.
ExcelMacro/Laroux consists of two macros, auto_open and check_files. The auto_open macro executes whenever an infected Spreadsheet is opened, followed by the check_files macro which determines the startup path of Excel. If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux".
PERSONAL.XLS is the default filename for any macros recorded under Excel. Thus you might have PERSONAL.XLS on your system even though you are not infected by this virus. The startup path is by default set as \MSOFFICE\EXCEL\XLSTART, but it can be changed from Excel's Tools/Options/General/Alternate Startup File menu option.
If an infected workbook resides on a write-protected floppy, an error will occur when Excel tries to open it and the virus will not be able to replicate.
ExcelMacro/Laroux is not intentionally destructive and contains no payload; it just replicates.
Detecting ExcelMacro/Laroux manually
Select Tools/Macro from Excel menus. If you find the macros auto_open, check_files, PERSONAL.XLS!auto_open and PERSONAL.XLS!check_files (and possibly 'bookname'!auto_open and 'bookname'!check_files from any infected workbook you have open), infection is likely. Re-check this by selecting the Window/Unhide menu and unhide the Personal file. This should make the Personal sheet visible, with text laroux in in the sheet tab.
To disinfect Laroux, delete these macros and exit Excel, saving all changes. Now Excel itself is clean. Next, open all infected workbooks one by one, keeping the left shift pressed down while opening them (according to Excel documentation, this bypasses automacros, but unfortunately it doesn't seem to always work). Then open Tools/Macro and delete the virus macros and re-save the file.
Macro.Excel.Laroux
This virus infects Excel sheets (XLS files). It contains two macros: auto_open and check_files. While loading an infected document Excel executes auto macros auto_open, and the virus receives the control. The virus auto_open macro contains just one command that defines the check_files macro as a handler of OnSheetActivate routine. As a result the virus hooks the sheet activate routine, and while opening a sheet the virus (the check_files macro) receives the control.
When the check_files macro receives the control, it searches for the PERSONAL.XLS files in the Excel Startup directory and checks the count of modules in the current Workbook.
If the infected macro is an active Workbook, and the PERSONAL.XLS file does not exist in the Excel Startup directory (the virus is executed for the first time), the virus creates that file there and saves its code to that file by using the SaveAs command. When Excel is loading its modules for the next time, it automatically loads all XLS files from the Startup directory. As a result, the infected PERSONAL.XLS is loaded as well as other files, the virus receives the control and hooks the sheet activation routine.
If the active macro is not infected (there are no modules in the active Workbook) and the PERSONAL.XLS file exists it the Excel directory, the virus copies its code to the active Workbook. As a result the active Workbook gets infection.
To check your system for the virus one should to check PERSONAL.XLS and other XLS files for the string "laroux" that presents in infected sheets.
--- Aurodreph ---
