Laroux Excel Macro Virus Discovered

Home Page
Site Contents

Laroux Excel Macro Virus Discovered

Jupiter, FL (July 24, 1996) - - Command Software Systems, Inc., a leading anti-virus and security vendor, today announced their July 15, 1996 discovery of the first virus in the wild to exploit Microsoft's popular Excel spreadsheet program. First reported to Command's virus research laboratory, the ExcelMacro.Laroux virus was found to replicate in the Microsoft Excel environment via the powerful Visual Basic for Applications macro language. This distinguishes it from WordMacro.Concept, which uses Microsoft Word Basic macros to spread in the Microsoft Word environment. The virus is easily identified by F-PROT Professional, Command's award-winning anti-virus product.

"Viruses which affect spreadsheets threaten the integrity of the data on those spreadsheets. We take this threat seriously, although this particular virus is unremarkable, has no payload, and is easily identified by F-PROT Professional," stated Command Software president Dyan Dyer.

Expressing concern over the apparent panic of some product vendors, Dyer further commented "This virus is certainly a concern, but there is no need to panic. Our F-PROT Professional easily identifies this virus, and information regarding this virus has been made available on our web page, at no charge to the public."

Information on the Laroux Virus

ExcelMacro.Laroux, written in Visual Basic for Applications (VBA) is a macro virus which affects Microsoft Excel Spreadsheets under Excel 5.0 or later. It does not appear to replicate on the Macintosh or under Microsoft Word. It consists of two macros, auto_open and check_files. The auto_open macro executes whenever an infected Spreadsheet is opened, followed by the check_files macro which determines the startup path of Excel.

This second macro then performs an infection check and, if there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux". [Note: PERSONAL.XLS is the default macro-record filename under Excel 7.0.] The virus then determines the number of modules in the current workbook. If certain conditions exist, the virus will replicate. Replication is facilitated by an OnEvent procedure within Excel, specifically OnSheetActivate. Macros are copied to the target by adding a new module, which consists of one sheet titled "laroux".

If you are infected with this virus, Command Software is asking that you contact Sarah Gordon, F-PROT Professional Research and Development.

Command Software Systems, Inc., develops, markets and supports a complete line of leading anti-virus and information security products for the IBM personal computers, compatibles and networks. Founded in 1983, the company has offices in the United States and the United Kingdom. For additional information please contact, Therese Padilla at 561-575-3200.