Softpanorama

May the source be with you, but remember the KISS principle ;-)
Contents Bulletin Scripting in shell and Perl Network troubleshooting History Humor

Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13


Chapter 5: Macro Viruses

The Laroux Excel Macro Virus

Version 3.01/rev.5 (11/12/97)

Content

Introduction *

How the Virus Operates *

How to Detect the Virus *

How to Disinfect Infected Files *

Disinfection, using antivirus software *

Manual disinfection *

Disinfection using Microsoft Excel XLSCAN tool *


Introduction

Laroux is a macro virus that infects Microsoft Excel spreadsheets. It contains no payload and just replicates, so the result of infection is lost time and, in case of panic, possibly some data.

Laroux infects Excel versions 5 (included in Office 4.3), version 6 (Excel95 from Office 95) including localized (German, French, etc.) versions. Version 8 (Excel 97 from Office 97) has a built-in tool to detect macros and will warn users. During conversion to VBA5, Laroux will be detected and disabled. As such, Excel 97 is to a certain extent protected from Laroux (it was especially written for older versions of Excel). At the same time, various versions of Laroux that are manually converted to VBA5 can spread in the Excel 97 environment. LAROUX is platform dependent and because of the way it searches for PERSONAL.XLS (PERSONAL..XLS is a DOS filename), it does not function properly on Macintosh platforms.

Attention: If user has PERSONAL.XLS file in the Excel XLSTART directory, then Laroux virus will not infect this file. So creation of the PERSONAL.XLS is a very effective measure for preventing spread of Laroux.A. The simplest way to create it is to install Microsoft XLSCAN add-on available from Microsoft site and from NETWARE95_US server (in the directory DOS\UTILS\BBS\ANTIVIR\EXCEL\ )

lso if Excel is infected with Laroux, after disinfection Excel became immune to further infections as Laroux.A creates the PERSONAL.XLS file in the Excel XLSTART directory that contain the virus body and check for the presents of this for on further infections. When a user opens an infected attachment the virus checks for the presence of this file and if it is present does not infect Excel environment. As after the first disinfection the file PERSONAL.XLS is always present in the XLSTART directory Excel became immune to further infections.

The virus exists in several modifications: Laroux, Laroux.B, Laroux.E, etc. Only Laroux B has the same effects as Laroux, but can also overwrite macros in Personal.XLS.

Excel macro viruses are quite close relatives of MS Word macro viruses, and the knowledge of how to fight MS Word macro viruses can be easily transferred to this new type of virus. For example, LAROUX consist of two macros, namely auto_open and check_files. They are visible in the Tools|Macro menu and can be deleted manually (See below).

The infected spreadsheets are usually spread via e-mail attachments.

How the Virus Operates

Laroux virus checks the XLSTART directory to see if PERSONAL.XLS is present. If it is there, the virus won't infect it. If it is not there, the virus creates it and copies its Macros to the hidden sheet called "laroux". Macros from PERSONAL.XLS are loaded when Excel is started much like templates in the STARTUP directory in MS Word. This means that if PERSONAL.XLS is infected, virus macros will be loaded each time Excel is started.

PERSONAL.XLS is the default filename for any macros recorded under Microsoft Excel and is similar to NORMAL.DOT in MS Word. One can (and probably should, as it will protect him/her from the virus) have PERSONAL.XLS even he/she is not infected by this virus.

The startup path is by default set as \MSOFFICE\EXCEL\XLSTART, but it can be changed from Microsoft Excel's Tools|Options|General|Alternate Startup File menu option.

How to Detect the Virus

1. Start Microsoft Excel.

2. Click Macro on the Tools menu.

3. Infection is likely if the following macro names are listed:

Auto_Open

Check_files

PERSONAL.XLS!auto_open

PERSONAL.XLS!check_files

4 .If you have any infected workbooks open in the background, you may also see the following names listed:

<bookname>!auto_open

<bookname>!check_files

(where <bookname> is the name of the opened workbook).

5. The virus also creates the personal.xls file in the C:\MSOFFICE\EXCEL directory if one does not exist. Infected PERSONAL.XLS includes a hidden worksheet named "laroux." To make it visible, use Windows|Hide, File|UnHide.

How to Disinfect Infected Files

There are several methods for Laroux disinfection:

Disinfection, using antivirus software

F-macro 2.12b or later will disinfect infected spreadsheets from the virus. Earlier versions of F-macro are not recommended.

Manual disinfection

To manually disinfect Excel Macro/Laroux:

1. Start Microsoft Excel.

2. Click Macro on the Tools menu.

3. Delete any of the following macro names that appear in your workbook:

Auto_Open

Check_files

PERSONAL.XLS!auto_open

PERSONAL.XLS!check_files

4. Click Exit on the File menu and click "Yes" to save all changes. Excel is now clean. Note: If the user does not have any macros stored in PERSONAL.XLS, he/she can simply delete PERSONAL.XLS using file manager or file explorer to make Excel clean.

5. Continue to open all infected workbooks one by one, starting with the workbooks from the "recently used list" (at the bottom of the File menu). Press and hold the shift key while you open them to bypass any automacros.

6. For each workbook, click Macro on the Tools menu. If Auto_open and Check_files macros exist, delete these macros.

7. Click Save on the File menu to save disinfected file.

Disinfection using Microsoft Excel XLSCAN tool

Microsoft Virus Tool is now available for Microsoft Excel 5, 6(Excel 95) and 7(Excel 97). This tool is called XLSCAN.XLA (XLSCAN97 for Excel 97) It is available from: http://www.microsoft.com/excel/productinfo/vbavirus/add_in.htm and from NETWARE95_US. server (in the directory DOS\UTILS\BBS\ANTIVIR\EXCEL\ ).   Documentation on how to install it is in the file XLSCAN.HTM.

The latest one is XLSCAN97, designed for Excel 97 is also available.



Etc

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusivly for research and educational purposes.   If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner. 

ABUSE: IPs or network segments from which we detect a stream of probes might be blocked for no less then 90 days. Multiple types of probes increase this period.  

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Haterís Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: May, 08, 2017