Virus:X97M/Laroux

Classification

Category: Malware

Type: Virus

Platform: X97M

Aliases: PLDT, Laroux, X97m.laroux.a

Summary

A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Virus:X97M/Laroux is the first real Microsoft Excel macro virus; it was found in July 1996.

Laroux was written in Visual Basic for Applications (VBA), a macro language based on Visual Basic. This virus is able to operate under Excel 5.x and 7.x under Windows 3.x, Windows 95 and Windows NT. It also works under localized versions of Excel (for example, versions of Excel translated to French or German). This virus does not work under any version of Excel for Macintosh or Excel 3.x or 4.x for Windows.

ExcelMacro/Laroux is not intentionally destructive and contains no payload; it just replicates.

At the time, Laroux was one of the most common viruses.

Infection

Laroux consists of two macros, auto_open and check_files. The auto_open macro executes whenever an infected spreadsheet is opened, followed by the check_files macro, which determines the startup path of Excel.

If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module called "laroux".

Once the Excel environment has been infected by this virus, the virus will always be active when Excel is loaded and will infect any new Excel workbooks that are created as well as old workbooks when they are accessed.

If an infected workbook resides on a write-protected floppy, an error will occur when Excel tries to open it and the virus will not be able to replicate.

Note

PERSONAL.XLS is the default filename for any macros recorded under Excel. Thus you might have PERSONAL.XLS on your system even though you are not infected by this virus.

The startup path is by default set as \MSOFFICE\EXCEL\XLSTART, but it can be changed from Excel's Tools/Options/General/Alternate Startup File menu option.

Some of the Laroux variants use PLDT.XLS instead of PERSONAL.XLS and thus are sometimes called the XM/PLDT virus.
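
The indicators described above (the "laroux" module, the auto_open and check_files macros, and the PERSONAL.XLS / PLDT.XLS file names) can be combined into a triage check that does not flag PERSONAL.XLS merely for existing. This is an added example, not F-Secure's detection logic; the macro inventory format, the sample paths and the C: drive letter are assumptions.

```python
from pathlib import PureWindowsPath

LAROUX_MODULE = "laroux"                      # module name given on this page
LAROUX_MACROS = {"auto_open", "check_files"}  # the two macros given on this page
VARIANT_FILE = "pldt.xls"                     # used by some variants instead of PERSONAL.XLS
DEFAULT_STARTUP = r"C:\MSOFFICE\EXCEL\XLSTART"  # drive letter is an assumption


def triage(path, modules, startup_dirs=(DEFAULT_STARTUP,)):
    """Return (verdict, reasons) for one workbook.

    modules: {module name: [macro names]} as reported by a macro-listing
    tool (hypothetical input format). startup_dirs must include any
    alternate startup location configured in Excel.
    """
    p = PureWindowsPath(path)
    in_startup = str(p.parent).lower() in {str(PureWindowsPath(d)).lower() for d in startup_dirs}
    mods = {name.lower(): {m.lower() for m in macros} for name, macros in modules.items()}
    all_macros = set().union(*mods.values())

    reasons = []
    if LAROUX_MODULE in mods:
        reasons.append('module named "laroux"')
    if LAROUX_MACROS <= all_macros:
        reasons.append("auto_open and check_files both present")
    if LAROUX_MODULE in mods and LAROUX_MACROS <= all_macros:
        if in_startup:
            reasons.append("in startup path: loaded every time Excel starts")
        return "match", reasons
    if in_startup and p.name.lower() == VARIANT_FILE:
        reasons.append("PLDT.XLS in startup path (variant file name)")
    # PERSONAL.XLS by itself is never a reason: it is Excel's default macro workbook.
    return ("review" if reasons else "clean"), reasons


# Constructed sample inventory (not taken from real systems).
SAMPLES = [
    (r"C:\MSOFFICE\EXCEL\XLSTART\PERSONAL.XLS", {"laroux": ["auto_open", "check_files"]}),
    (r"C:\MSOFFICE\EXCEL\XLSTART\PERSONAL.XLS", {"Module1": ["FormatReport"]}),
    (r"C:\MSOFFICE\EXCEL\XLSTART\PLDT.XLS", {}),
    (r"A:\BUDGET.XLS", {"Module1": ["Auto_Open"]}),
]

if __name__ == "__main__":
    for path, modules in SAMPLES:
        print(path, *triage(path, modules))
```

A "review" verdict means only that the file deserves a scan with an up-to-date product; a workbook with auto_open alone stays "clean" because that macro name is common in legitimate workbooks.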

See also: Concept.