Home Page
Site Contents

Name: ExcelMacro/Laroux
Type: Excel Macro Virus

ExcelMacro.Laroux, written in Visual Basic for Applications (VBA) is a macro virus which affects Microsoft Excel Spreadsheets under Excel 5.0 or later. It does not appear to replicate on the Macintosh or under Microsoft Word. It consists of two macros, auto_open and check_files. The auto_open macro executes whenever an infected Spreadsheet is opened, followed by the check_files macro which determines the startup path of Excel.

This second macro then performs an infection check and, if there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux". [Note: PERSONAL.XLS is the default macro-record filename under Excel 7.0.] The virus then determines the number of modules in the current workbook. If certain conditions exist, the virus will replicate. Replication is facilitated by an OnEvent procedure within Excel, specifically OnSheetActivate. Macros are copied to the target by adding a new module, which consists of one sheet titled "laroux".

A complete analysis of this virus will be published in this month's Virus Bulletin.

Detection using F-PROT Professional

F-PROT User Defined Strings enable automated checking for this virus. Hex pattern "00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11" Add .XL? to the file extensions to be scanned.

A manual method for determining the presence of the virus is:

  1. Select Tools/Macro.
  2. If you find the macros auto_open and check_files, infection is likely.
  3. A secondary check is to attempt to edit one of these macros. If you are informed you cannot edit a hidden file, select Window/Unhide and unhide the PERSONAL.XLS file. This should make the laroux sheet visible.