Class Virus
Platform MSExcel

Technical Details

This virus replicates itself by the same manner as other Excel viruses do.
It hooks system events (window activating – OnWindows) and copies its code
to each sheet that is activated. On first start (on first opening an
infected sheet) the virus installs itself into the system: it registers its
host file as Add-In with the XLSHEET.XLA name in the current or in the
C:WINDOWS directory. On such request Excel automatically creates new copy
of infected document (with XLSHEET.XLA name) and on each next Excel start
it will load and activate this Add-In, i.e. virus code. As a result after
creating infected Add-In the virus is active all the time Excel is run and
infects all files that are opened or created.

The virus is of French origin (see routines names below) but is able to
infect and replicate under any local Excel version starting from 4.

The virus has five routines: auto_ouvrir, activation_feuille, protect,
!!!GO, auto_fermer. All of them (except !!!GO) call infection routine.
Depending on the system random counter (with probability 2%) the virus
activate the trigger subroutine (that is places in !!!GO routine). The
trigger routine hides all opened tables and Excel elements (buttons, menus,
status bar) and replaces the “Microsoft Excel” text at the top of the Excel
window with the text: “Enfin la paix …”

It is not possible to detect and disinfect the virus by using standard
methods (entering Tools/Macro and looking for macros) because the virus
sets VeryHidden attribute for its macros. Such attribute cannot be disabled
by using Excel menus. To find and look at virus code that’s necessary to
write special routine on Excel Basic (macro routine).

As a result a user has no tools to detect this virus on its computer, and
all known anti-virus programs are not able to detect it now. The virus can
be found only by its traces:

– in Tools/Add-Ins menu there is reference for the XLSHEET file
– infected files contain the text strings:
Enfin la paix …

Partial protection can be achieved by creating in the C:WINDOWS directory
the Read-Only dummy file with the XLSHEET.XLA name. After that the virus
will be not able to install its Add-In in the C:WINDOWS directory. If it
creates this Add-In in other directories, you should also create the same
dummy XLSHEET.XLA file in these directories.