====================================================================== Microsoft(R) Product Support Services Application Note (Text File) WE1280: Virus Search Add-in, Version 1.2 ====================================================================== Revision Date: 9/96 1 Disk Included The following information applies to Microsoft Excel for Windows(R), versions 5.x, 7.0, and 7.0a. --------------------------------------------------------------------- INFORMATION PROVIDED IN THIS DOCUMENT AND ANY SOFTWARE THAT MAY ACCOM PANY THIS DOCUMENT (collectively referred to as an Application Note) IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. The user assumes the entire risk as to the accuracy and the use of this Application Note. This Application Note may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) If software is included, all files on the disk(s) must be copied without modification (the MS-DOS(R) utility diskcopy is appropriate for this purpose); 3) All components of this Application Note must be distributed together; and 4) This Application Note may not be distributed for profit. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing marketing conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Copyright (C) 1996 Microsoft Corporation. All Rights Reserved. Microsoft, MS-DOS, and Windows are registered trademarks of Microsoft Corporation. Other product and company names herein may be the trademarks of their respective owners. --------------------------------------------------------------------- INTRODUCTION ====================================================================== This Application Note contains version 1.2 of the Virus Search add-in. You can use this add-in to remove the Laruox virus from your computer. WHAT IS THE LAROUX VIRUS? ====================================================================== The Laroux macro is a nonharmful, nondestructive "concept" virus that appends a module named "Laroux" to a workbook. It does not affect data or anything else in the workbook. This is the first replicating macro virus ever discovered in Microsoft Excel. The virus affects workbooks created in the following versions of Microsoft Excel: - Microsoft Excel version 5.x for Windows 3.x - Microsoft Excel version 5.x for Windows NTŪ - Microsoft Excel for Windows 95, version 7.0 (for Windows 95 and Windows NT) - Certain localized versions of Microsoft Excel (for example, versions of Microsoft Excel translated to German) This virus does not affect any version of Microsoft Excel for the Macintosh or Microsoft Excel versions 2.x, 3.x, or 4.x for Windows. DETECTING THE LAROUX VIRUS ====================================================================== To determine if you have the virus: 1. Start Microsoft Excel. 2. Open a workbook that you suspect contains the virus. 3. On the Tools menu, click Macro. 4. If you see the following macro names in the list, the Laroux virus may be present: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files Note: If you see only the Auto_Open macro, without the Check_Files macro, it's possible that the workbook does not contain the virus. 5. If any workbooks that you have open in the background also contain the virus, you may also see the following names listed 'bookname'!auto_open 'bookname'!check_files where 'bookname'! is the name of the open workbook. 6. You can confirm the existence of the virus macro by clicking the Unhide command on the Window menu and then clicking the Personal.xls file name. In the Personal.xls workbook, a sheet tab with the word "Laroux" indicates that the virus is present. INSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN ====================================================================== Note: The English language version of the Microsoft Excel Virus Search 1.2 add-In is not supported for use with the international versions of Microsoft Excel. To install the Virus Search add-in on your computer --------------------------------------------------- 1. Exit Microsoft Excel. 2. If you received a disk with this Application Note, insert the disk in the appropriate floppy disk drive. If you downloaded this Application Note from an online service, skip to step 3. This procedure assumes that you have already downloaded and extracted the compressed file. 3. Copy the Xlscan.xla file from the WE1280 disk (or from the directory to which you downloaded and extracted WE1280.exe) to the Microsoft Excel Library folder using Windows Explorer or File Manager. For more information about copying files, see your Windows User's Guide or Windows online Help. (For Microsoft Excel version 7.0 for Windows 95, copy the file to the MSOffice\Excel\Library folder; For Microsoft Excel version 5.x for Windows, copy the file to the Excel\Library folder.) To load the add-in in Microsoft Excel ------------------------------------- 1. Start Microsoft Excel. 2. On the Tools menu, click Add-Ins. 3. Make sure Microsoft Excel Virus Search is selected (has a check mark next to it). If you don't see this add-in listed, click Browse and use the Browse dialog box to locate and select the Xlscan.xla file. 4. Click Yes to begin the scan. 5. If the Virus Search add-in reports that the Laroux virus was found and removed from a workbook, it prompts you to save the workbook. Click Yes, so that the clean version of the workbook is saved over the version with the virus. The first time you load the Virus Search add-in, the add-in automatically scans workbooks in memory. You are then given the option of scanning saved files. When you scan the files, they are opened. If the Laroux virus is found in a workbook, it is removed and the clean workbook is then saved. After the initial scan, the Virus Search add-in automatically scans workbooks and workbook templates when you open them by clicking Open on the File menu or by clicking the Open button (on the Standard toolbar). If the workbook contains macros, you receive a warning message that lets you decide how to open the workbook. Use the following table to determine how to open the workbook. In this scenario Do this ------------------------------------------------------------------- If you aren't sure that Click the Open Without Macros button. the workbook is from a The workbook is opened, but neither reliable source, but you Microsoft Excel 4.x (XLM) nor Visual want to see the contents Basic macros are included. If you of the workbook then save the workbook with the same name, it is saved without the macros, and all macros previously in the workbook are permanently lost. It's a good idea to save the workbook with a different name if you want a copy of the workbook without the macros. -or- Click the Cancel button and use the Virus Search add-in to check the file on disk. After the Virus Search add-in has scanned and cleaned the file, you can open the file with its macros and be sure that the Laroux virus is not present. If you are certain of Click the Open With Macros button to the reliability of the open the workbook and use the macros. source from which you obtained the workbook, or you have already checked the workbook with the Virus Search add-in If you want to examine Select the Do Not Run Auto_Open Macro the macros manually for check box, and then click the Open viruses With Macros button. The workbook and its macros is opened, but any macros that normally run automatically when the workbook is opened do not run. Macros of this type are a common mechanism by which viruses such as the Laroux virus introduce themselves into a computer. For more information about manual checking, see the "Manually Checking a File for the Laroux Virus" section in this document. USING THE ADD-IN TO REMOVE THE LAROUX VIRUS ====================================================================== To remove the virus from files on your computer ----------------------------------------------- When the add-in is loaded, files on your computer are automatically scanned when you open them by clicking Open on the File menu or by clicking the Open button (on the Standard toolbar). In addition, the Virus Search command is added to the Tools menu. You can use this command to use the add-in to open workbook files safely and prevent the virus from being reintroduced onto your computer. To remove the virus from files that are on a disk or that are located on a shared network drive --------------------------------------------------------------------- 1. Close any open workbooks. 2. If the Virus Search add-in is not currently running, click the Virus Search command on the Tools menu. If the Virus Search add-in is already running, respond to the prompt asking if you want to scan your files for the virus by clicking Yes. 3. Click Currently Open Workbooks And Disk Files, and then click OK. 4. When you are prompted that the add-in will save open workbooks, click OK. 5. When you are prompted about scanning workbooks older than the date when the Laroux virus was first detected, click Yes if you want to check all workbooks regardless of age, or click No to check only workbooks that have been saved since the Laroux virus appeared. Clicking No may speed up the process because the add-in will scan fewer workbooks. 6. In the Directory box, type the path to the disk or shared network directory on which you want to start scanning for the virus. 7. In the File Types box, enter all file extensions used on your computer for Microsoft Excel workbooks or workbook templates. For example, .xls and .xlt are the default extensions. Enter the extensions in the format shown, and separate each entry with a semicolon, as in the following example: *.xls; *.xlt. 8. To search all folders within the top-level folder you specified, make sure the Scan Subdirectories check box is selected. 9. To display a worksheet that lists the results when the scan is complete, make sure the Log Searched Files check box is selected. 10. Click OK to begin scanning the files. During the scan, the Laroux virus is removed from any files in which it is detected, and the cleaned files are then saved automatically. 11. When the scan is complete, click Yes to repeat the search starting from a different top-level folder, or click No to close the dialog box and return to Microsoft Excel. To remove the virus from a protected, read-only, or shared workbook ------------------------------------------------------------------- If a workbook is protected for structure, is read-only, or is a shared workbook, the virus cannot be removed. If you have a workbook of any of these types, you can scan it to determine whether it has the virus. If the virus is found, unprotect the workbook, make it read/write, or remove it from shared use, and then repeat the virus scan. To remove the virus from a workbook opened from a source other than Microsoft Excel ------------------------------------------------------------------- If you open a workbook from File Manager or Windows Explorer, from an electronic mail message, or from a Web browser such as the Microsoft Internet Explorer, the workbook is not scanned automatically for macros that might contain viruses. If you open workbooks in any of these ways, or if you decide to open a workbook with macros, use the following steps to check the workbook and remove the Laroux virus before you save the workbooks (if you don't do use these steps before you save the workbook, you may inadvertently infect another workbook with the virus): 1. On the Tools menu, click Virus Search. 2. Click the Currently Open Workbooks option, and then click OK. 3. If the Virus Search add-in reports that the Laroux virus was found and removed from a workbook, it prompts you to save the workbook. Click Yes, so that the clean version of the workbook is saved over the version that has the virus on your disk. MANUALLY CHECKING A FILE FOR THE LAROUX VIRUS ====================================================================== To examine macros manually for the Laroux virus ----------------------------------------------- 1. If you do not have the Virus Search add-in installed, hold down the shift key while you open the workbook, so that the workbook is opened without running any macros (if you don't press the shift key, some macros run automatically when you open a workbook). Note: If you have the Virus Search add-in installed, the SHIFT+Open capability is disabled. Click Open on the File menu, double-click the workbook you want to open, select the Do Not Run Auto_Open Macro check box, and then click Open With Macros. 2. On the Tools menu, click Macro. 3. In the list box, delete any of the following macro names that appear: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files Note: If the list contains the Auto_Open macro, but the Check_Files macro is not present, the file may not contain the Laroux virus. 4. Click OK. 5. On the File menu, click Exit, and then click Yes to save all changes. The file no longer contains the Laroux virus. PREVENTING THE LAROUX AND OTHER VIRUSES FROM INFECTING YOUR COMPUTER ====================================================================== After you have scanned your workbooks and removed the Laroux virus, you can prevent the virus from returning by taking the following precautions: - Open workbooks by clicking Open on the File menu or by clicking Open (on the Standard toolbar). When you open workbooks in this way, they are automatically scanned for macros when you have the add-in loaded. - If you open a workbook from File Manager or Windows Explorer, from an electronic mail message, or from a Web browser such as the Microsoft Internet Explorer, immediately check the workbook for the Laroux virus by using the Virus Search command on the Tools menu, as explained in the "To remove the virus from a workbook opened from a source other than Microsoft Excel" section in this document. Workbooks opened in any of these ways are not automatically scanned for macros, so it's important for you to check them for the virus. - Version 1.2 of the Microsoft Excel Virus Search add-in can detect and remove the Laroux virus only. If new viruses are discovered in the future, Microsoft will provide information about what you need to do to remove them from your files and prevent them from recurring. To minimize the possibility of acquiring any new viruses that might appear, do the following: 1. Always open workbooks by clicking Open on the File menu or by clicking the Open button (on the Standard toolbar). 2. Open workbooks with their macros only if you are certain of the reliability of the source from which you obtained the workbook. 3. If you aren't sure about the source of a workbook, open it without macros. HOW THE VIRUS SEARCH ADD-IN CHANGES MICROSOFT EXCEL ====================================================================== The Virus Search add-in makes several changes to Microsoft Excel that affect how you open files. The Recently Used Files List Is Removed --------------------------------------- With the Virus Search add-in installed, you do not see a list of recently opened files when you click the File menu. To open a recently used file, use Open on the File menu or click the Open button (on the Standard toolbar). Not All File Types Are Listed in the Files of Type Box in the Open Dialog Box ------------------------------------------------------------------ When you install the Virus Search add-in, the Files Of Type list in the Open dialog box no longer lists certain rarely used file types. However, you can still open files of these types. If you don't see the file type you're looking for in the Files Of Type list, click All Files (*.*) (the first selection in the list), click the name of the file you want, and click the Open button. Can't Open Workbooks as Read-Only from the Open Dialog Box ---------------------------------------------------------- When you install the Virus Search add-in, the Open dialog box (the dialog box that is displayed when you click Open on the File menu) no longer lets you open a workbook as read-only. To open a workbook as read-only, uninstall the Virus Search add-in, or use the following steps: 1. On the File menu, click Open, and then open the workbook. 2. On the View menu, click Toolbars. In the Toolbars box, select the Workgroup check box, and then click OK. 3. To make the workbook read-only, click the Toggle Read Only button on the Workgroup toolbar. Can't Use SHIFT+Open to Prevent Auto_Open from Running ------------------------------------------------------ With the Virus Search add-in installed, holding down the shift key while opening files will no longer prevent the Auto_Open macro from running. Instead, use Open on the File menu to open a workbook. If you do not want the Auto_Open macro to run, select the Do Not Run Auto_Open Macro check box, and then click Open With Macros. Text Import Wizard Does Not Start Automatically ----------------------------------------------- When you open a text file, Microsoft Excel normally starts the Text Import Wizard. With the Virus Search add-in installed, Microsoft Excel cannot start the Text Import Wizard as it usually does. Instead, Microsoft Excel asks whether you want to use the Text Import Wizard. If you click OK, the Virus Search add-in turns off its detection capabilities, and displays the Open dialog with the text file selected by default. Click OK to open the text file and run the Text Import Wizard. UNINSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN ====================================================================== To uninstall the Virus Search add-in ------------------------------------- 1. On the Tools menu, click Add-ins. 2. Clear the Microsoft Excel Virus Search check box, and then click OK. When you uninstall the add-in, the Open dialog box works as it did before you installed the add-in. The Xlscan.xla file remains in your Library folder so that you can easily reinstall it later. ANSWERS TO COMMON QUESTIONS ====================================================================== The following information was taken from the Question and Answer document from the following site on the World Wide Web http://www.microsoft.com/msexcel/productinfo/vbavirus/emvolc.htm. Please refer to this site for the most up-to-date Questions and Answers. 1. Q. What are macro viruses? A. Macro viruses are a type of virus that use an application's own macro programming language to distribute themselves. Unlike previous viruses, macro viruses do not attach to programs; they attach to documents (workbooks). 2. Q. What is Microsoft doing about ExcelMacro/Laroux? A. Customers have several resources for solutions: 1. Virus Search add-in. A free tool that detects and cleans affected workbooks is currently available on http://www.microsoft.com/. 2. Third-Party Tools. Microsoft is working very closely with third party anti-virus vendors to give them the information they need to create tools that protect against macro viruses in Microsoft Excel. There are already tools developed by anti- virus vendors to clean and detect the virus. 3. Customer Information. We will continue to make information available to customers: The Microsoft Web Site: http://www.microsoft.com/ The Microsoft ftp site: ftp.microsoft.com Microsoft AnswerPoint Information Services: 206-635-7070 in the United States Contact your local Microsoft office for locations outside the United States Autoreply e-mail via the Internet: msxlinfo@microsoft.com 4. Long Term Solutions. We are building technology into the next release of our product that will help prevent macros from executing and affecting your workbooks when you open a file. 3. Q. How do I know if I have ExcelMacro/Laroux? A. See the section "Detecting the Laroux Virus" below. 4. Q. How can I get rid of ExcelMacro/Laroux if I have it? A. Install and run the Microsoft Excel Virus Search add-in as described in this document. 5. Q. What does ExcelMacro/Laroux do? A. The ExcelMacro/Laroux macro is a nonharmful, nondestructive concept virus that simply appends a module named "Laroux" to workbooks created in Microsoft Excel. It does not affect data or anything else in the workbook. ExcelMacro/Laroux consists of two macros, Auto_Open and Check_Files. The Auto_Open macro executes whenever a workbook containing the virus is opened, followed by the Check_Files macro which determines the startup path of Excel and copies a module named "Laroux" to workbooks you open. If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module named "Laroux". Once the PERSONAL.XLS file is infected, the macros will be copied to new workbooks and workbooks you open by adding a new module named "Laroux". PERSONAL.XLS is the default filename for any macros recorded under Microsoft Excel, so you might have a PERSONAL.XLS file even if this virus is not present on your computer. The startup path is set by default as \MSOFFICE\EXCEL\XLSTART, but can be changed by clicking the Options command on the Tools menu, clicking the General tab, and then changing the Alternate Startup File Location option. 6. Q. Is this the same virus that affected Microsoft Word? A. No. Microsoft Word currently uses a different programming language than Microsoft Excel so it is not possible for the same macro virus to infect both a Microsoft Word document and a Microsoft Excel workbook.