Virus:X97M/Laroux.gen!A
First posted on 17 May 2012.
Source: Microsoft
Aliases:
Virus:X97M/Laroux.gen!A is also known as Virus.MSExcel.Laroux.jk (Kaspersky), EXCEL.97.Escop.G (VirusBuster), X2000M/Laroux.JK.1 (Avira), X97M.Escape.K (BitDefender), X97M.Escape.4 (Dr.Web), X97M/Escop.E virus (ESET), Virus.X97M.Laroux (Ikarus), X97M/Laroux (McAfee), Macro.Excel.Manalo.a (Rising AV), XM97/Larou-B (Sophos), X97M.Laroux.gen (Symantec), X97M_LAROUX.CE (Trend Micro).
Explanation:
Virus:X97M/Laroux.gen!A is the generic detection for a macro virus that infects Microsoft Excel files.
Installation
Virus:X97M/Laroux.gen!A resides in a module called "StartUp" and may consist of the following macros:
- auto_open or auto_close
- ycop
- escape
- back
When a file infected with Virus:X97M/Laroux.gen!A is opened using Microsoft Excel, the virus saves a copy of the file to the Excel Startup folder (usually "%AppData%\Microsoft\Excel\XLSTART") as "StartUp.xls". This ensures that the infected file is run every time Microsoft Excel starts.
Spreads via...
File infection
Whenever an uninfected spreadsheet is opened, Virus:X97M/Laroux.gen!A infects it by running the "ycop" macro, which copies the macro module "StartUp" from the infected file to the uninfected file.
Additional information
Stealth techniques
Virus:X97M/Laroux.gen!A may use stealth techniques to avoid detection. When a user presses the keyboard shortcut that opens the Visual Basic Editor (Alt+F11), for example because they suspect that an unauthorized macro is running, the virus runs the macro "escape". This macro removes the virus module from all open workbooks and closes the infected file "StartUp.xls".
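As an added example (not Microsoft's detection logic and not code from this entry), the Python sketch below triages the indicators described above: a "StartUp.xls" sitting in an XLSTART folder, and a module named "StartUp" that defines the listed macro names. It assumes the macro source has already been extracted as text by a separate tool; the function names, the scoring threshold and the sample input are constructed for illustration.

```python
import re
from pathlib import Path

# Indicators taken from the description above; matching is case-insensitive.
MODULE_NAME = "startup"
AUTORUN = {"auto_open", "auto_close"}
OTHER_MACROS = {"ycop", "escape", "back"}
DROPPED_FILE = "startup.xls"

# Matches VBA procedure headers such as "Sub ycop()" or "Private Sub back()".
SUB_RE = re.compile(r"^\s*(?:public\s+|private\s+)?sub\s+(\w+)", re.I | re.M)

# Constructed sample: empty procedure stubs only, no virus code.
SAMPLE_SOURCE = """Sub auto_open()
End Sub
Sub ycop()
End Sub
Sub escape()
End Sub
"""


def find_dropped_copies(root):
    """Return files named StartUp.xls that sit directly in an XLSTART folder."""
    return sorted(
        p for p in Path(root).rglob("*")
        if p.is_file() and p.name.lower() == DROPPED_FILE
        and p.parent.name.lower() == "xlstart"
    )


def listed_macros(module_name, vba_source):
    """Return the listed macro names defined in a module called StartUp."""
    if module_name.lower() != MODULE_NAME:
        return set()
    defined = {name.lower() for name in SUB_RE.findall(vba_source)}
    return defined & (AUTORUN | OTHER_MACROS)


def is_suspect(module_name, vba_source, min_other=2):
    """Assumed threshold: an auto-run macro plus min_other of ycop/escape/back."""
    found = listed_macros(module_name, vba_source)
    return bool(found & AUTORUN) and len(found & OTHER_MACROS) >= min_other


if __name__ == "__main__":
    print(listed_macros("StartUp", SAMPLE_SOURCE), is_suspect("StartUp", SAMPLE_SOURCE))
```

Because the "escape" macro removes the module from open workbooks when the Visual Basic Editor is opened, run the module check against files on disk rather than against a workbook inspected interactively in Excel.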
Analysis by Chris Stubbs
Last update 17 May 2012