
XM/Laroux


First posted on 08 February 2012.
Source: Microsoft

Aliases:

There are no other names known for XM/Laroux.

Explanation:

XM/Laroux is a family of macro viruses that infects Microsoft Excel spreadsheets.





Installation

Laroux may arrive with the file name "Startup.xls". It may also arrive with any of the following names:

  • 1006.xls
  • 1006ú¿+-ú®.xls
  • BINV.XLS
  • dimon.XLS
  • ECSYSTEM.xls
  • NEGS.XLS
  • PERSONAL.XLS
  • PLDT.XLS
  • RESULTS.XLS
  • SGV.XLS
  • SHIT.XLS
  • VERA.XLS
  • Virus.XLS


It resides in a macro module, visible in the Visual Basic editor in Excel, that usually has any of the following names:

  • AppEvents
  • ECSYSTEM
  • foxz
  • guyan
  • larouxr
  • Locas
  • Mars
  • monci
  • Program
  • results
  • SGV
  • StartUp
  • virus


It usually has the following four macros that have different purposes:

  • auto_open - executes whenever an infected file is opened. auto_open is a special macro name in Excel: any macro named auto_open automatically runs when Excel starts. Thus, this malicious macro either overwrites an existing auto_open macro (if one had previously been defined) or implements the automatic execution function itself.
  • copy (may also be called acop, al_muskilat, Auto_Search, check_files, Check_virus, ck_files, cop, Get_rng, MassageVirus, vrs, or ycop) - executes whenever a sheet is selected in any spreadsheet file
  • escape or del - executes whenever the user presses the "Alt+F11" keyboard combination, which opens the Visual Basic Editor view, or Alt+F8, which opens the macro dialog box.
  • back (may also be called aback) - executes a short time after the escape macro executes.


Note that some variants may not have all the macros.
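
A triage check built from the module and macro names listed above, as an added example that is not part of the original write-up or of any vendor's detection logic. It assumes the module name and VBA source text have already been extracted from the workbook (for example with olevba); the verdict labels, thresholds and sample sources are constructed for illustration.

```python
import re

# Names from the write-up above; compared case-insensitively.
MODULE_NAMES = {"appevents", "ecsystem", "foxz", "guyan", "larouxr", "locas",
                "mars", "monci", "program", "results", "sgv", "startup", "virus"}
ROLES = {
    "auto_open": {"auto_open"},
    "copy": {"copy", "acop", "al_muskilat", "auto_search", "check_files",
             "check_virus", "ck_files", "cop", "get_rng", "massagevirus",
             "vrs", "ycop"},
    "escape": {"escape", "del"},
    "back": {"back", "aback"},
}
# Matches "Sub name", optionally prefixed by Public/Private; "End Sub" does not match.
SUB_RE = re.compile(r"^\s*(?:(?:public|private)\s+)?sub\s+(\w+)", re.I | re.M)

# Constructed samples: empty stubs that only carry the macro names.
SAMPLE_SUSPECT = ("Sub auto_open()\nEnd Sub\nSub check_files()\nEnd Sub\n"
                  "Sub escape()\nEnd Sub\nSub back()\nEnd Sub\n")
SAMPLE_BENIGN = ('Sub Auto_Open()\n    MsgBox "Welcome"\nEnd Sub\n'
                 "Sub FormatReport()\nEnd Sub\n")

def laroux_roles(vba_source):
    """Return the Laroux macro roles whose names are defined in the source."""
    subs = {name.lower() for name in SUB_RE.findall(vba_source)}
    return {role for role, names in ROLES.items() if subs & names}

def triage(module_name, vba_source):
    """Classify one module as 'likely', 'review' or 'clean' (hypothetical labels)."""
    roles = laroux_roles(vba_source)
    known_module = module_name.lower() in MODULE_NAMES
    # auto_open plus a copy-role macro is the spreading pair; since variants may
    # lack the other macros, a listed module name or a third role corroborates.
    if {"auto_open", "copy"} <= roles and (known_module or len(roles) >= 3):
        return "likely"
    # Several listed names (Program, results, StartUp) are common in legitimate
    # workbooks, so a partial match is only queued for manual review.
    if (known_module and roles) or len(roles) >= 2:
        return "review"
    return "clean"

if __name__ == "__main__":
    for module, source in [("larouxr", SAMPLE_SUSPECT), ("Module1", SAMPLE_BENIGN),
                           ("Program", SAMPLE_BENIGN)]:
        print(module, sorted(laroux_roles(source)), triage(module, source))
```

Name matching alone cannot confirm an infection; a "likely" or "review" verdict is a prompt to inspect the macro bodies and the Excel startup folder.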

Spreads via...

File infection

When an infected spreadsheet is opened, the macro auto_open executes. This macro runs the macro copy, which creates a copy of the infected file in the Excel startup folder. This action ensures that every time Excel is opened, an infected spreadsheet runs as well, thus infecting other opened workbooks.

If the user opens the Visual Basic Editor or the macro dialog box using either the Alt+F11 or Alt+F8 shortcuts, the escape macro runs, removing all of the Laroux-associated macros. This action serves to hide the infection from the user. A specified amount of time later, the macro back runs, which opens the infected file copy in the Excel startup folder.



Payload

Displays error messages

Some variants of Laroux may show a message box triggered by the current system time. The following are some examples of the displayed message boxes:







Runs other macros

Some variants of Laroux may attempt to run other macros. If the macro it attempts to run is not available, Excel displays an error message such as the following, where the del macro is not found:



Additional information

Laroux affects versions of Microsoft Excel from 95 onwards.



Analysis by Francis Allan Tan Seng

Last update 08 February 2012

 
