ExcelMacro/Laroux
This virus was reported at sites in Alaska and Africa in mid July 1996. This virus is be able to infect documents of Microsoft Excel 5.x for Windows 3.x, Microsoft Excel 5.x for Windows NT and Microsoft Excel 7.x for Windows 95 and Windows NT. It also infects nonEnglish versions of Excel. Does not infect under any version of Microsoft Excel for Macintosh or Microsoft Excel 3.x or 4.x for Windows.Damage
None reported. Simply appends a macro sheet called "laroux" to workbooks. It does not affect data or anything else in the workbook.Infection
Infects Excel sheets (XLS files). Propagates across machines when infected files are transmitted as Email attachments, distributed on floppy disks, or shared on networks. It contains two macros: auto_open and check_files. When Excel first loads an infected document, Excel executes the auto macro "auto_open", giving the virus control. The auto_open virus macro contains a single command that defines the macro "check_files" as a handler of the OnSheetActivate routine. With this simple change, the virus has hooked the sheet activate routine, and any further opening of worksheets gives the virus temporary control through the check_files macro.The check_files macro contains instructions to search for PERSONAL.XLS in the Excel Startup directory and check the count of modules in the current Workbook.
When the virus is executed for the first time, the virus attempts to create PERSONAL.XLS in the Excel startup directory if it does not exist (explaining the error that occurs if the spreadsheet is loaded from a writeprotected floppy.) Once this file exists, the virus copies its code to a module named "laroux" in PERSONAL.XLS using the SaveAs command.
When Excel loads its modules, it automatically loads all .XLS files located in the Startup directory. So on the next loading of Excel, the PERSONAL.XLS file containing the virus will load. At this time, the virus again hooks the OnSheetActivate routine.
Once the Excel environment is infected, the virus is active whenever
MS Excel is loaded. All new Excel workbooks, and any that are updated,
will be infected by copying the "laroux" module to all workbooks that are
created or opened and saved. PERSONAL.XLS is the default filename for any
macros recorded under Excel. Thus you might have PERSONAL.XLS on your system
even though you are not infected by this virus. The startup path is by
default set as MSOFFICEEXCELXLSTART, but it can be changed from Excel's
Tools| Options| General| Alternate Startup File menu option.
Here are steps for manual detection:
1. Start Microsoft Excel.2. Click Macro on the Tools menu.
3. Infection is likely if the following macro names are listed:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
4. If you have any infected workbooks open in the background, you may also see the following names listed:
"bookname"!auto_open
"bookname"!check_files
(where "bookname" is the name of the open workbook).
Before disinfecting your files, confirm the existence of the macro by clicking Unhide on the Window menu and unhide the Personal.xls file. This should make the Personal sheet visible, and display "laroux" on the sheet tab.
Removal
1. Start Microsoft Excel.2. Click Macro on the Tools menu.
3. Delete any of the following macro names that appear in your workbook:
Auto_Open
Check_files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
4. Click Save on the File menu and resave the file. Click Exit on the Microsoft Excel File menu and click Yes to save all changes. Microsoft Excel is now clean.
5. Open all infected workbooks one by one, keeping the left shift key depressed while opening them (according to Excel documentation, this bypasses automacros, but unfortunately it doesn't seem to always work).
6. For each workbook, click Macro on the Tools menu, and delete the virus macros, and resave the file.
It is not likely that antivirus vendors will offer removers for this or other Excel macro viruses anytime soon. Excel uses a proprietary file format. Because Microsoft offered no help to antivirus vendors who needed to understand the format of Word documents, we are not optimistic concerning their help with the Excel format.
False Alarms
If your search for macros reveals "auto_open" but no macro named "check_files", the file is not infected by Laroux. Auto_open is a perfectly legitimate and common macro name in Excel.Prevention
1. When examining new spreadsheets you have received, copy them to a floppy disk, writeprotect the diskette, and then load them. Watch for writeprotect error messages when you open the file with Excel. If such an error occurs, you might have this virus or some other macro in the spreadsheet which is attempting to write to disk. The virus will not spread if it cannot write to the current drive.2. Reset the attributes for PERSONAL.XLS to readonly, preventing infection. If PERSONAL.XLS does not exist on your system, create an empty PERSONAL.XLS file and writeprotect it.
