Virus.MSExcel.Laroux

This virus infects Excel sheets (XLS files). It contains two macros:

auto_open and check_files. While loading an infected document, Excel

executes the auto macros auto_open, and the virus gains control. The

virus auto_open macro contains just one command that defines the

check_files macro as a handler of the OnSheetActivate routine. As a result, the

virus hooks the sheet-activate routine, and while opening a sheet, the virus

(the check_files macro) gains control.

When the check_files macro gains the control, it searches for PERSONAL.XLS files in the Excel Startup directory, and checks the module count in the current Workbook.

If the infected macro is an active Workbook, and the PERSONAL.XLS file does

not exist in the Excel Startup directory (the virus is executed for the

first time), the virus creates that file there, and saves its code to that

file using the SaveAs command. When Excel is loading its modules the

next time, it automatically loads all XLS files from the Startup directory.

As a result, the infected PERSONAL.XLS is loaded as well as other files,

the virus gains control, and hooks the sheet activation routine.

If the active macro is not infected (there are no modules in the active

Workbook), and the PERSONAL.XLS file exists in the Excel directory, the

virus copies its code to the active Workbook. As a result the active

Workbook is infected.

To check your system for the virus, you should to check PERSONAL.XLS and

other XLS files for the string “laroux” that is present in infected sheets.