This virus infects Excel sheets (XLS files). It contains two macros:
auto_open and check_files. While loading an infected document, Excel
executes the auto macros auto_open, and the virus gains control. The
virus auto_open macro contains just one command that defines the
check_files macro as a handler of the OnSheetActivate routine. As a result, the
virus hooks the sheet-activate routine, and while opening a sheet, the virus
(the check_files macro) gains control.
When the check_files macro gains the control, it searches for PERSONAL.XLS files in the Excel Startup directory, and checks the module count in the current Workbook.
If the infected macro is an active Workbook, and the PERSONAL.XLS file does
not exist in the Excel Startup directory (the virus is executed for the
first time), the virus creates that file there, and saves its code to that
file using the SaveAs command. When Excel is loading its modules the
next time, it automatically loads all XLS files from the Startup directory.
As a result, the infected PERSONAL.XLS is loaded as well as other files,
the virus gains control, and hooks the sheet activation routine.
If the active macro is not infected (there are no modules in the active
Workbook), and the PERSONAL.XLS file exists in the Excel directory, the
virus copies its code to the active Workbook. As a result the active
Workbook is infected.
To check your system for the virus, you should to check PERSONAL.XLS and
other XLS files for the string “laroux” that is present in infected sheets.
|Find out the statistics of the threats spreading in your region|