A year after the first widespread Microsoft Word macro virus, the first
real Microsoft Excel macro was found in July 1996. This macro virus was
named ExcelMacro/Laroux.
Once the Excel environment has been infected by this virus, the virus
will always be active when Excel is loaded and will infect any new Excel
workbooks that are created as well as old workbooks when they are
accessed.
ExcelMacro/Laroux was written in Visual Basic for Applications (VBA).
This is a macro language based on the Visual Basic language from
Microsoft. This virus is be able to operate under Excel 5.x and 7.x
under Windows 3.x, Windows 95 and Windows NT. It also works under
localized version of Excel (for example, versions of Excel translated to
French or German). This virus does not work under any version of Excel
for Macintosh or Excel 3.x or 4.x for Windows.
ExcelMacro/Laroux consists of two macros, auto_open and check_files. The
auto_open macro executes whenever an infected Spreadsheet is opened,
followed by the check_files macro which determines the startup path of
Excel. If there is no file named PERSONAL.XLS in the startup path, the
virus creates one. This file contains a module called "laroux".
PERSONAL.XLS is the default filename for any macros recorded under
Excel. Thus you might have PERSONAL.XLS on your system even though you
are not infected by this virus. The startup path is by default set as
\MSOFFICE\EXCEL\XLSTART, but it can be changed from Excel's
Tools/Options/General/Alternate Startup File menu option.
If an infected workbook resides on a write-protected floppy, an error
will occur when Excel tries to open it and the virus will not be able to
replicate.
ExcelMacro/Laroux is not intentionally destructive and contains no
payload; it just replicates.
Laroux is one of the most common viruses.
Some of the Laroux variants use PLDT.XLS instead of PERSONAL.XLS and
thus are sometimes called XM/PLDT virus.
