XF/Paix is a simple virus written with Microsoft Excel's Formulas. It only spreads under Office 95 - and fails under Office 97. Although it's made in France, it is able to replicate under other language versions of Excel as well.
Excel viruses: second circle ============================
Disinfection & Removal
All PC users (all most of them) know about macro viruses that affect Word documents and Excel sheets. All used to know that these viruses write themselves to some "macro modules area", and virus macros are visible by entering Tools/Macro menu (of course, if it is not disabled by virus - some "stealth" macro viruses do that. Most of anti-virus scanners are able to extract macros from these "macro modules areas", detect and ever disinfect them. The news are that there are more macros areas in Excel - the viruses that affect Excel sheets are able spread not only through standard macros area, but also by using special area - Excel 4 macros area.
Despite on the fact that in modern Excel versions (starting from version 5) there are more complex and perfect technologies, the ability to create and use old-style macros (Excel 4 macros) is still supported. Because of these "Excel 4 traces" all macros that were written in Excel 4 format still are able to work in all new versions, despite on the fact that Microsoft does not recommend to use them and there is no necessary documentation in Excel package.
The virus of new type (that's better to say "new type but old format") replicates itself by the same manner as other Excel viruses do. It hooks system events (window activating - OnWindows) and copies its code to each sheet that is activated. On first start (on first opening an infected sheet) the virus installs itself into the system: it registers its host file as Add-In with the XLSHEET.XLA name in the current or in the C:\WINDOWS directory. On such request Excel automatically creates new copy of infected document (with XLSHEET.XLA name) and on each next Excel start it will load and activate this Add-In, i.e. virus code. As a result after creating infected Add-In the virus is active all the time Excel is run and infects all files that are opened or created.
The virus has five routines: auto_ouvrir, activation_feuille, protect, !!!GO, auto_fermer. All of them (except !!!GO) call infection routine. Depending on the system random counter (with probability 2%) the virus activate the trigger subroutine (that is places in !!!GO routine). The trigger routine hides all opened tables and Excel elements (buttons, menus, status bar) and replaces the "Microsoft Excel" text at the top of the Excel window with the text: "Enfin la paix ..."
Detection and Disinfection --------------------------
That is not possible to detect and disinfect the virus by using standard methods (entering Tools/Macro and looking for macros) because the virus sets VeryHidden attribute for its macros. Such attribute cannot be disabled by using Excel menus. To find and look at virus code that's necessary to write special routine on Excel Basic (macro routine).
As a result a user has no tools to detect this virus on its computer, and all known anti-virus programs are not able to detect it now. The virus can be found only by its traces:
- in Tools/Add-Ins menu there is reference for the XLSHEET file - infected files contain the text strings: Enfin la paix ... !!!GO
Some protection can be done by creating in the C:\WINDOWS directory the Read-Only dummy file with the XLSHEET.XLA name. After that the virus will be not able to install its Add-In in C:\WINDOWS directory. If it creates this Add-In in other directories, you should also create the same dummy XLSHEET.XLA file in these directories.
F-Secure Anti-Virus detects the XF/Paix virus with it's AVP engine's latest FORMULA update.
Technical Details: Eugene Kaspersky, AVP