Detect Date | 01/11/2002 |
Class | Virus |
Platform | MSExcel |
Description |
This virus infects Excel sheets (XLS files). It contains two macros: auto_open and check_files. While loading an infected document, Excel executes the auto macros auto_open, and the virus gains control. The virus auto_open macro contains just one command that defines the check_files macro as a handler of the OnSheetActivate routine. As a result, the virus hooks the sheet-activate routine, and while opening a sheet, the virus (the check_files macro) gains control. When the check_files macro gains the control, it searches for PERSONAL.XLS files in the Excel Startup directory, and checks the module count in the current Workbook. If the infected macro is an active Workbook, and the PERSONAL.XLS file does not exist in the Excel Startup directory (the virus is executed for the first time), the virus creates that file there, and saves its code to that file using the SaveAs command. When Excel is loading its modules the next time, it automatically loads all XLS files from the Startup directory. As a result, the infected PERSONAL.XLS is loaded as well as other files, the virus gains control, and hooks the sheet activation routine. If the active macro is not infected (there are no modules in the active Workbook), and the PERSONAL.XLS file exists in the Excel directory, the virus copies its code to the active Workbook. As a result the active Workbook is infected. To check your system for the virus, you should to check PERSONAL.XLS and other XLS files for the string “laroux” that is present in infected sheets. |
Find out the statistics of the threats spreading in your region |