Almost all PC users know about macro viruses that affect Word documents
and Excel sheets. It is well known that these viruses write themselves to
a "macro modules area", and that virus macros are visible in the
Tools/Macro menu (unless the virus has disabled it, as some "stealth"
macro viruses do). Most anti-virus scanners are able to extract macros
from these "macro modules areas", and to detect and even disinfect them.
The news is that there are more macro areas in Excel: viruses that affect
Excel sheets are able to spread not only through the standard macros area,
but also through a special area, the Excel 4 macros area.
Although modern Excel versions (starting from version 5) have more complex
and advanced technologies, the ability to create and use old-style macros
(Excel 4 macros) is still supported. Because of these "Excel 4 traces", all
macros written in Excel 4 format are still able to work in all newer
versions, despite the fact that Microsoft does not recommend using them
and there is no necessary documentation in Excel
This new type of virus (better described as "new type but old format")
replicates in the same manner as other Excel viruses do. It hooks system
events (window activating - OnWindows) and copies its code to each sheet
that is activated. On first start (on the first opening of an infected
sheet) the virus installs itself into the system: it registers its host
file as an Add-In with the XLSHEET.XLA name in the current directory or in
the C:\WINDOWS directory. On such a request Excel automatically creates a
new copy of the infected document (with the XLSHEET.XLA name), and on each
subsequent Excel start it loads and activates this Add-In, i.e. the virus
code. As a result, after creating the infected Add-In the virus is active
the whole time Excel is running and infects all files that are opened or
created.
The virus has five routines: auto_ouvrir, activation_feuille, protect,
!!!GO, auto_fermer. All of them (except !!!GO) call the infection routine.
Depending on the system random counter (with a probability of 2%) the
virus activates the trigger subroutine (which is placed in the !!!GO
routine). The trigger routine hides all opened tables and Excel elements
(buttons, menus, status bar) and replaces the "Microsoft Excel" text at the
top of the Excel window with the text: "Enfin la paix ..."
Detection and Disinfection
It is not possible to detect and disinfect the virus by using standard
methods (entering Tools/Macro and looking for macros) because the virus
sets the VeryHidden attribute for its macros. This attribute cannot be
disabled by using Excel menus. To find and look at the virus code it is
necessary to write a special routine in Excel Basic (a macro routine).
As a result a user has no tools to detect this virus on their computer,
and none of the known anti-virus programs are able to detect it now. The
virus can be found only by its traces:
- in the Tools/Add-Ins menu there is a reference to the XLSHEET file
- infected files contain the text strings:
  Enfin la paix ...
Some protection can be achieved by creating a Read-Only dummy file with
the XLSHEET.XLA name in the C:\WINDOWS directory. After that the virus
will not be able to install its Add-In in the C:\WINDOWS directory. If it
creates this Add-In in other directories, you should also create the same
dummy XLSHEET.XLA file in those directories.
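An added example, not part of the original analysis or of any vendor's
code: a Python scan for the two traces listed above (a file named
XLSHEET.XLA and the title-bar text inside Excel files) that also tells the
read-only dummy file apart from a real add-in. The extension list, the
finding labels and the use of the OLE2 file signature to recognise a real
Excel 5+ file are assumptions of this example.

```python
import os
import tempfile

ADDIN_NAME = "XLSHEET.XLA"       # add-in name given in the description
MARKER = "Enfin la paix"         # title-bar text; trailing " ..." left out
EXTS = (".XLS", ".XLA", ".XLT")  # assumption: Excel file types worth reading
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of Excel 5+ files


def classify(name, data):
    """Return a finding for one file's bytes, or None when nothing matches."""
    marked = any(MARKER.encode(enc) in data for enc in ("ascii", "utf-16-le"))
    if name.upper() == ADDIN_NAME:
        if marked:
            return "addin-infected"
        return "addin-present" if data.startswith(OLE_MAGIC) else "addin-dummy"
    return "marker" if marked else None


def scan_tree(root):
    """Walk root and return sorted (relative path, finding) pairs."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if not name.upper().endswith(EXTS):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as fh:
                    finding = classify(name, fh.read())
            except OSError:
                finding = "unreadable"
            if finding:
                findings.append((os.path.relpath(path, root), finding))
    return sorted(findings)


def demo():
    """Scan a temporary tree of constructed files (not real samples)."""
    files = {
        "XLSHEET.XLA": b"",                                  # dummy file
        "old.xls": OLE_MAGIC + b"Enfin la paix ...",         # 8-bit text
        "new.XLS": OLE_MAGIC + "Enfin la paix ...".encode("utf-16-le"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_tree(root)
```

An "addin-present" result means a real Excel file carries the add-in name
without the marker text and needs a closer look; "addin-dummy" is the
protective file described above.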
F-Secure Anti-Virus detects the XF/Paix virus with its AVP engine's
latest FORMULA update.
[Analysis by Eugene Kaspersky, AVP]