The XM/Laroux.CF virus was first listed as "In The Wild" on The WildList in July 1999. At present there are incident reports originating in India, and USA.
XM/Laroux.IC is a virus for Excel worksheets. It contains the macros GTHMSNZ, auto_open and auto_close. XM/Laroux.IC infects new spreadsheets and spreadsheets upon open and close, however if the user does not save upon exit, the spreadsheet will remain uninfected.
This macro virus will install an infected document into the XLSTART folder. Any Excel document in the XLSTART folder is loaded whenever Excel starts. The name of the file in the XLSTART folder is GTHMSNZ.XLS.
If a file by the name of GTHMSNZ.XLS exists in the XLSTART directory, the virus will not try to infect that system. Thus, this can be used as an inoculation against this particular Laroux variant. However, as there are so many Laroux variants, each with its own named file, this is not a useful general technique. Thus, you should only use this technique against the Laroux variants you have already encountered (if you choose to use this technique).
XM/Laroux.IC changes the document properties, author to GTHOMSONZ, subject to GTHOMSONZ, title to GTHOMSONZ and keywords to GTHOMSONZ. These changes are not reversed during cleaning because VirusScan has no way of know what they were before they were modified. To change them back, open the document, then choose File, then Properties.
Documents infected on the 16th or 30th of the month require the password "GTHOMSONZ197168" to open, but only if the file C:\BOOTLOG.PRV exists. (BOOTLOG.PRV is a hidden file created during one phase of a typical Windows 95 installation. The installation process does not remove it automatically, so in many cases, the file will exist.) If prompted for this password, it is necessary to turn CAPS on, and to use the letter "O", not the number "0".
If the day is 16th or 30th and the file C:\BOOTLOG.PRV does not exist, a different random password is generated based on the following method:
Password = Int((197 * Rnd) + 168)
Thereby generating a random number from 168 to 364, inclusive. In addition, because the author failed to randomize the seed value, the "random" number generated is likely to be the same on the same system each time - most likely being "306".