Threat behavior
Virus:X97M/Laroux.OU is a macro virus that infects Microsoft Excel spreadsheets.
Installation
The virus resides in a module called "StartUp" and consists of four macros:
- auto_open
- ycop
- escape
- back
When a file infected with Virus:X97M/Laroux.OU is opened using Microsoft Excel, the virus saves a copy of the file to the Excel Startup folder (usually "%AppData%\Microsoft\Excel\XLSTART") as "StartUp.xls". This ensures that the infected file is run every time Microsoft Excel starts.
Virus:X97M/Laroux.OU avoids multiple infections by checking for the presence of a hidden first sheet named "StartUp".
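The same marker the virus checks for can serve as a triage check. The sketch below is an added example, not code from the original analysis: it reads the sheet list (BOUNDSHEET records) from a BIFF8 "Workbook" stream and reports whether the first sheet is a non-visible sheet named "StartUp". It assumes the stream has already been extracted from the .xls OLE container (for instance with a library such as olefile); the function names and the sample streams are constructed for illustration.

```python
import struct

BOF, BOUNDSHEET, EOF = 0x0809, 0x0085, 0x000A
STATES = {0: "visible", 1: "hidden", 2: "very hidden"}

def list_sheets(stream: bytes):
    """Return [(name, state)] from BOUNDSHEET records in the workbook globals."""
    sheets, pos = [], 0
    while pos + 4 <= len(stream):
        rtype, rlen = struct.unpack_from("<HH", stream, pos)
        body = stream[pos + 4 : pos + 4 + rlen]
        pos += 4 + rlen
        if len(body) < rlen or rtype == EOF:
            break  # truncated record, or end of the globals substream
        if rtype != BOUNDSHEET or rlen < 8:
            continue
        # body: 4-byte sheet offset, visibility byte, sheet type, then name
        state = STATES.get(body[4] & 0x03, "unknown")
        cch, wide = body[6], body[7] & 0x01
        raw = body[8 : 8 + cch * (2 if wide else 1)]
        sheets.append((raw.decode("utf-16-le" if wide else "latin-1", "replace"), state))
    return sheets

def has_startup_marker(stream: bytes) -> bool:
    """True if the first sheet is a non-visible sheet named "StartUp"."""
    sheets = list_sheets(stream)
    if not sheets:
        return False
    name, state = sheets[0]
    # Excel treats sheet names case-insensitively, so compare that way.
    return name.lower() == "startup" and state != "visible"

# --- Constructed sample streams (not taken from a real sample) ---
def _rec(rtype, body=b""):
    return struct.pack("<HH", rtype, len(body)) + body

def _sheet(name, hs_state):
    head = struct.pack("<IBBBB", 0, hs_state, 0, len(name), 0)
    return _rec(BOUNDSHEET, head + name.encode("latin-1"))

_BOF = _rec(BOF, struct.pack("<HHHHII", 0x0600, 0x0005, 0, 0, 0, 0))
MARKED = _BOF + _sheet("StartUp", 1) + _sheet("Sheet1", 0) + _rec(EOF)
CLEAN = _BOF + _sheet("Sheet1", 0) + _sheet("Notes", 1) + _rec(EOF)

if __name__ == "__main__":
    for label, data in (("MARKED", MARKED), ("CLEAN", CLEAN)):
        print(label, list_sheets(data), has_startup_marker(data))
```

A hit is a reason to inspect the workbook's macro modules, not a verdict on its own, since a legitimate workbook can also contain a hidden sheet with that name.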
Spreads via…
File infection
Whenever an uninfected spreadsheet is opened, Virus:X97M/Laroux.OU infects it by running the "ycop" macro, which copies the macro module "StartUp" from the infected file to the uninfected file.
To hide its presence, the virus disinfects the file using the "escape" macro. The "back" macro is then called upon to activate any sheet, which sets up the keyboard shortcuts again and opens the infected "StartUp.xls" inside the "XLSTART" folder.
Additional information
Stealth techniques
Virus:X97M/Laroux.OU uses stealth techniques to avoid detection. When a user presses the keyboard shortcut that opens the Visual Basic Editor (Alt+F11), for example because an unauthorized macro is suspected to be running, the "escape" macro is executed. This macro removes the virus module from all open workbooks and closes the infected file "StartUp.xls".
Analysis by Rodel Finones
Prevention