Virus Characteristics
The XM/Laroux.CF virus was first listed as "In The Wild" on The WildList in July 1999. At present there are incident reports originating in India and the USA.
XM/Laroux.IC is a virus for Excel worksheets. It contains the macros GTHMSNZ, auto_open and auto_close. XM/Laroux.IC infects new spreadsheets, and existing spreadsheets when they are opened or closed; however, if the user does not save upon exit, the spreadsheet will remain uninfected.
This macro virus will install an infected document into the XLSTART folder. Any Excel document in the XLSTART folder is loaded whenever Excel starts. The name of the file in the XLSTART folder is GTHMSNZ.XLS.
If a file by the name of GTHMSNZ.XLS exists in the XLSTART directory, the virus will not try to infect that system. Thus, this can be used as an inoculation against this particular Laroux variant. However, as there are so many Laroux variants, each with its own named file, this is not a useful general technique. If you choose to use it, use it only against the Laroux variants you have already encountered.
XM/Laroux.IC changes the document properties: author to GTHOMSONZ, subject to GTHOMSONZ, title to GTHOMSONZ and keywords to GTHOMSONZ. These changes are not reversed during cleaning because VirusScan has no way of knowing what they were before they were modified. To change them back, open the document, then choose File, then Properties.
Documents infected on the 16th or 30th of the month require the password "GTHOMSONZ197168" to open, but only if the file C:\BOOTLOG.PRV exists. (BOOTLOG.PRV is a hidden file created during one phase of a typical Windows 95 installation. The installation process does not remove it automatically, so in many cases, the file will exist.) If prompted for this password, it is necessary to turn CAPS on, and to use the letter "O", not the number "0".
If the day is the 16th or 30th and the file C:\BOOTLOG.PRV does not exist, a different random password is generated based on the following method:
Password = Int((197 * Rnd) + 168)
This generates a random number from 168 to 364, inclusive. In addition, because the author failed to randomize the seed value, the "random" number generated is likely to be the same on the same system each time, most likely being "306".
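As an added illustration (not part of the original description and not the virus's own code), the Python sketch below models the unseeded Rnd generator to show why the numeric password is predictable, and lists the passwords to try when recovering a locked workbook. The generator constants and default seed are an assumption taken from Microsoft's published description of the Visual Basic Rnd function; the function names are hypothetical.

```python
# Added example: models VBA's Rnd to show why the "random" password is predictable.
# Assumption (not from the page): Rnd is the 24-bit linear congruential generator
# Microsoft documents for Visual Basic, with these constants and default seed.
RND_A = 1140671485
RND_C = 12820163
RND_MOD = 1 << 24
RND_DEFAULT_SEED = 327680  # generator state when Randomize has never been called

# From the description: the password used when C:\BOOTLOG.PRV exists.
FIXED_PASSWORD = "GTHOMSONZ197168"


def vba_rnd_stream(seed=RND_DEFAULT_SEED):
    """Yield successive Rnd values in [0, 1) starting from the given state."""
    state = seed
    while True:
        state = (state * RND_A + RND_C) % RND_MOD
        yield state / RND_MOD


def laroux_numeric_passwords(calls=5):
    """Int((197 * Rnd) + 168) for the first `calls` Rnd calls of a session."""
    stream = vba_rnd_stream()
    return [str(int(197 * next(stream) + 168)) for _ in range(calls)]


def recovery_candidates(day_of_month, bootlog_prv_exists):
    """Ordered passwords to try on a workbook the virus saved on that day."""
    if day_of_month not in (16, 30):
        return []  # the description lists no password for other days
    if bootlog_prv_exists:
        return [FIXED_PASSWORD]
    # Most likely values first: Rnd may already have been called a few times.
    likely = list(dict.fromkeys(laroux_numeric_passwords()))
    # The whole space is only 168..364, so the rest is a short fallback list.
    rest = [str(n) for n in range(168, 365) if str(n) not in likely]
    return likely + rest


if __name__ == "__main__":
    print(recovery_candidates(16, bootlog_prv_exists=False)[:5])
```

Because the formula can yield only 197 distinct values, the full candidate list is short enough to try by hand even if the generator state was not the default.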