home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Everything For A Hacker
/
19990506-[HACK].iso
/
ANTIVIR
/
MICROSOF
/
WE1280
/
WE1280.TXT
next >
Wrap
Text File
|
1996-10-01
|
24KB
|
555 lines
======================================================================
Microsoft(R) Product Support Services Application Note (Text File)
WE1280: Virus Search Add-in, Version 1.2
======================================================================
Revision Date: 9/96
1 Disk Included
The following information applies to Microsoft Excel for Windows(R),
versions 5.x, 7.0, and 7.0a.
---------------------------------------------------------------------
INFORMATION PROVIDED IN THIS DOCUMENT AND ANY SOFTWARE THAT MAY ACCOM
PANY THIS DOCUMENT (collectively referred to as an Application Note)
IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. The user
assumes the entire risk as to the accuracy and the use of this
Application Note. This Application Note may be copied and distributed
subject to the following conditions: 1) All text must be copied
without modification and all pages must be included; 2) If software
is included, all files on the disk(s) must be copied without
modification (the MS-DOS(R) utility diskcopy is appropriate for this
purpose); 3) All components of this Application Note must be
distributed together; and 4) This Application Note may not be
distributed for profit.
The information contained in this document represents the current
view of Microsoft Corporation on the issues discussed as of the date
of publication. Because Microsoft must respond to changing marketing
conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any
information presented after the date of publication.
Copyright (C) 1996 Microsoft Corporation. All Rights Reserved.
Microsoft, MS-DOS, and Windows are registered trademarks of
Microsoft Corporation. Other product and company names herein may be
the trademarks of their respective owners.
---------------------------------------------------------------------
INTRODUCTION
======================================================================
This Application Note contains version 1.2 of the Virus Search
add-in. You can use this add-in to remove the Laruox virus from
your computer.
WHAT IS THE LAROUX VIRUS?
======================================================================
The Laroux macro is a nonharmful, nondestructive "concept" virus that
appends a module named "Laroux" to a workbook. It does not affect data
or anything else in the workbook. This is the first replicating macro
virus ever discovered in Microsoft Excel. The virus affects workbooks
created in the following versions of Microsoft Excel:
- Microsoft Excel version 5.x for Windows 3.x
- Microsoft Excel version 5.x for Windows NT«
- Microsoft Excel for Windows 95, version 7.0 (for Windows 95 and
Windows NT)
- Certain localized versions of Microsoft Excel (for example,
versions of Microsoft Excel translated to German)
This virus does not affect any version of Microsoft Excel for the
Macintosh or Microsoft Excel versions 2.x, 3.x, or 4.x for Windows.
DETECTING THE LAROUX VIRUS
======================================================================
To determine if you have the virus:
1. Start Microsoft Excel.
2. Open a workbook that you suspect contains the virus.
3. On the Tools menu, click Macro.
4. If you see the following macro names in the list, the Laroux
virus may be present:
Auto_Open
Check_Files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
Note: If you see only the Auto_Open macro, without the
Check_Files macro, it's possible that the workbook does not
contain the virus.
5. If any workbooks that you have open in the background also
contain the virus, you may also see the following names listed
'bookname'!auto_open
'bookname'!check_files
where 'bookname'! is the name of the open workbook.
6. You can confirm the existence of the virus macro by clicking
the Unhide command on the Window menu and then clicking the
Personal.xls file name.
In the Personal.xls workbook, a sheet tab with the word "Laroux"
indicates that the virus is present.
INSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN
======================================================================
Note: The English language version of the Microsoft Excel Virus
Search 1.2 add-In is not supported for use with the international
versions of Microsoft Excel.
To install the Virus Search add-in on your computer
---------------------------------------------------
1. Exit Microsoft Excel.
2. If you received a disk with this Application Note, insert the disk
in the appropriate floppy disk drive.
If you downloaded this Application Note from an online service, skip
to step 3. This procedure assumes that you have already downloaded
and extracted the compressed file.
3. Copy the Xlscan.xla file from the WE1280 disk (or from the
directory to which you downloaded and extracted WE1280.exe) to the
Microsoft Excel Library folder using Windows Explorer or File
Manager. For more information about copying files, see your Windows
User's Guide or Windows online Help. (For Microsoft Excel version
7.0 for Windows 95, copy the file to the MSOffice\Excel\Library
folder; For Microsoft Excel version 5.x for Windows, copy the file
to the Excel\Library folder.)
To load the add-in in Microsoft Excel
-------------------------------------
1. Start Microsoft Excel.
2. On the Tools menu, click Add-Ins.
3. Make sure Microsoft Excel Virus Search is selected (has a check
mark next to it).
If you don't see this add-in listed, click Browse and use the
Browse dialog box to locate and select the Xlscan.xla file.
4. Click Yes to begin the scan.
5. If the Virus Search add-in reports that the Laroux virus was
found and removed from a workbook, it prompts you to save the
workbook. Click Yes, so that the clean version of the workbook
is saved over the version with the virus.
The first time you load the Virus Search add-in, the add-in
automatically scans workbooks in memory. You are then given the option
of scanning saved files. When you scan the files, they are opened. If
the Laroux virus is found in a workbook, it is removed and the clean
workbook is then saved.
After the initial scan, the Virus Search add-in automatically scans
workbooks and workbook templates when you open them by clicking Open
on the File menu or by clicking the Open button (on the Standard
toolbar). If the workbook contains macros, you receive a warning
message that lets you decide how to open the workbook. Use the
following table to determine how to open the workbook.
In this scenario Do this
-------------------------------------------------------------------
If you aren't sure that Click the Open Without Macros button.
the workbook is from a The workbook is opened, but neither
reliable source, but you Microsoft Excel 4.x (XLM) nor Visual
want to see the contents Basic macros are included. If you
of the workbook then save the workbook with the same
name, it is saved without the macros,
and all macros previously in the
workbook are permanently lost. It's a
good idea to save the workbook with a
different name if you want a copy of
the workbook without the macros.
-or-
Click the Cancel button and use the
Virus Search add-in to check the file
on disk.
After the Virus Search add-in has
scanned and cleaned the file, you can
open the file with its macros and be
sure that the Laroux virus is not
present.
If you are certain of Click the Open With Macros button to
the reliability of the open the workbook and use the macros.
source from which you
obtained the workbook,
or you have already
checked the workbook
with the Virus Search
add-in
If you want to examine Select the Do Not Run Auto_Open Macro
the macros manually for check box, and then click the Open
viruses With Macros button.
The workbook and its macros is
opened, but any macros that normally
run automatically when the workbook
is opened do not run. Macros of this
type are a common mechanism by which
viruses such as the Laroux virus
introduce themselves into a computer.
For more information about manual
checking, see the "Manually Checking
a File for the Laroux Virus" section
in this document.
USING THE ADD-IN TO REMOVE THE LAROUX VIRUS
======================================================================
To remove the virus from files on your computer
-----------------------------------------------
When the add-in is loaded, files on your computer are automatically
scanned when you open them by clicking Open on the File menu or by
clicking the Open button (on the Standard toolbar). In addition, the
Virus Search command is added to the Tools menu. You can use this
command to use the add-in to open workbook files safely and prevent
the virus from being reintroduced onto your computer.
To remove the virus from files that are on a disk or that are located
on a shared network drive
---------------------------------------------------------------------
1. Close any open workbooks.
2. If the Virus Search add-in is not currently running, click the
Virus Search command on the Tools menu.
If the Virus Search add-in is already running, respond to the prompt
asking if you want to scan your files for the virus by clicking Yes.
3. Click Currently Open Workbooks And Disk Files, and then click
OK.
4. When you are prompted that the add-in will save open workbooks,
click OK.
5. When you are prompted about scanning workbooks older than the
date when the Laroux virus was first detected, click Yes if you want
to check all workbooks regardless of age, or click No to check only
workbooks that have been saved since the Laroux virus appeared.
Clicking No may speed up the process because the add-in will scan
fewer workbooks.
6. In the Directory box, type the path to the disk or shared
network directory on which you want to start scanning for the virus.
7. In the File Types box, enter all file extensions used on your
computer for Microsoft Excel workbooks or workbook templates. For
example, .xls and .xlt are the default extensions. Enter the
extensions in the format shown, and separate each entry with a
semicolon, as in the following example:
*.xls; *.xlt.
8. To search all folders within the top-level folder you
specified, make sure the Scan Subdirectories check box is selected.
9. To display a worksheet that lists the results when the scan is
complete, make sure the Log Searched Files check box is selected.
10. Click OK to begin scanning the files.
During the scan, the Laroux virus is removed from any files in which
it is detected, and the cleaned files are then saved automatically.
11. When the scan is complete, click Yes to repeat the search
starting from a different top-level folder, or click No to close the
dialog box and return to Microsoft Excel.
To remove the virus from a protected, read-only, or shared workbook
-------------------------------------------------------------------
If a workbook is protected for structure, is read-only, or is a shared
workbook, the virus cannot be removed. If you have a workbook of any
of these types, you can scan it to determine whether it has the virus.
If the virus is found, unprotect the workbook, make it read/write, or
remove it from shared use, and then repeat the virus scan.
To remove the virus from a workbook opened from a source other than
Microsoft Excel
-------------------------------------------------------------------
If you open a workbook from File Manager or Windows Explorer, from an
electronic mail message, or from a Web browser such as the Microsoft
Internet Explorer, the workbook is not scanned automatically for
macros that might contain viruses. If you open workbooks in any of
these ways, or if you decide to open a workbook with macros, use the
following steps to check the workbook and remove the Laroux virus
before you save the workbooks (if you don't do use these steps before
you save the workbook, you may inadvertently infect another workbook
with the virus):
1. On the Tools menu, click Virus Search.
2. Click the Currently Open Workbooks option, and then click OK.
3. If the Virus Search add-in reports that the Laroux virus was
found and removed from a workbook, it prompts you to save the
workbook. Click Yes, so that the clean version of the workbook is
saved over the version that has the virus on your disk.
MANUALLY CHECKING A FILE FOR THE LAROUX VIRUS
======================================================================
To examine macros manually for the Laroux virus
-----------------------------------------------
1. If you do not have the Virus Search add-in installed, hold down
the shift key while you open the workbook, so that the workbook is
opened without running any macros (if you don't press the shift key,
some macros run automatically when you open a workbook).
Note: If you have the Virus Search add-in installed, the SHIFT+Open
capability is disabled. Click Open on the File menu, double-click
the workbook you want to open, select the Do Not Run Auto_Open
Macro check box, and then click Open With Macros.
2. On the Tools menu, click Macro.
3. In the list box, delete any of the following macro names that
appear:
Auto_Open
Check_Files
PERSONAL.XLS!auto_open
PERSONAL.XLS!check_files
Note: If the list contains the Auto_Open macro, but the Check_Files
macro is not present, the file may not contain the Laroux virus.
4. Click OK.
5. On the File menu, click Exit, and then click Yes to save all
changes.
The file no longer contains the Laroux virus.
PREVENTING THE LAROUX AND OTHER VIRUSES FROM INFECTING YOUR COMPUTER
======================================================================
After you have scanned your workbooks and removed the Laroux virus,
you can prevent the virus from returning by taking the following
precautions:
- Open workbooks by clicking Open on the File menu or by clicking
Open (on the Standard toolbar). When you open workbooks in this way,
they are automatically scanned for macros when you have the add-in
loaded.
- If you open a workbook from File Manager or Windows Explorer,
from an electronic mail message, or from a Web browser such as the
Microsoft Internet Explorer, immediately check the workbook for the
Laroux virus by using the Virus Search command on the Tools menu, as
explained in the "To remove the virus from a workbook opened from a
source other than Microsoft Excel" section in this document.
Workbooks opened in any of these ways are not automatically scanned
for macros, so it's important for you to check them for the virus.
- Version 1.2 of the Microsoft Excel Virus Search add-in can detect
and remove the Laroux virus only. If new viruses are discovered in the
future, Microsoft will provide information about what you need to do
to remove them from your files and prevent them from recurring. To
minimize the possibility of acquiring any new viruses that might
appear, do the following:
1. Always open workbooks by clicking Open on the File menu or by
clicking the Open button (on the Standard toolbar).
2. Open workbooks with their macros only if you are certain of
the reliability of the source from which you obtained the
workbook.
3. If you aren't sure about the source of a workbook, open it
without macros.
HOW THE VIRUS SEARCH ADD-IN CHANGES MICROSOFT EXCEL
======================================================================
The Virus Search add-in makes several changes to Microsoft Excel that
affect how you open files.
The Recently Used Files List Is Removed
---------------------------------------
With the Virus Search add-in installed, you do not see a list of
recently opened files when you click the File menu. To open a recently
used file, use Open on the File menu or click the Open button (on the
Standard toolbar).
Not All File Types Are Listed in the Files of Type Box in the Open
Dialog Box
------------------------------------------------------------------
When you install the Virus Search add-in, the Files Of Type list in
the Open dialog box no longer lists certain rarely used file types.
However, you can still open files of these types. If you don't see the
file type you're looking for in the Files Of Type list, click All
Files (*.*) (the first selection in the list), click the name of the
file you want, and click the Open button.
Can't Open Workbooks as Read-Only from the Open Dialog Box
----------------------------------------------------------
When you install the Virus Search add-in, the Open dialog box (the
dialog box that is displayed when you click Open on the File menu) no
longer lets you open a workbook as read-only.
To open a workbook as read-only, uninstall the Virus Search add-in, or
use the following steps:
1. On the File menu, click Open, and then open the workbook.
2. On the View menu, click Toolbars. In the Toolbars box, select
the Workgroup check box, and then click OK.
3. To make the workbook read-only, click the Toggle Read Only
button on the Workgroup toolbar.
Can't Use SHIFT+Open to Prevent Auto_Open from Running
------------------------------------------------------
With the Virus Search add-in installed, holding down the shift key
while opening files will no longer prevent the Auto_Open macro from
running. Instead, use Open on the File menu to open a workbook. If you
do not want the Auto_Open macro to run, select the Do Not Run
Auto_Open Macro check box, and then click Open With Macros.
Text Import Wizard Does Not Start Automatically
-----------------------------------------------
When you open a text file, Microsoft Excel normally starts the Text
Import Wizard. With the Virus Search add-in installed, Microsoft Excel
cannot start the Text Import Wizard as it usually does. Instead,
Microsoft Excel asks whether you want to use the Text Import Wizard.
If you click OK, the Virus Search add-in turns off its detection
capabilities, and displays the Open dialog with the text file selected
by default. Click OK to open the text file and run the Text Import
Wizard.
UNINSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN
======================================================================
To uninstall the Virus Search add-in
-------------------------------------
1. On the Tools menu, click Add-ins.
2. Clear the Microsoft Excel Virus Search check box, and then
click OK.
When you uninstall the add-in, the Open dialog box works as it did
before you installed the add-in. The Xlscan.xla file remains in your
Library folder so that you can easily reinstall it later.
ANSWERS TO COMMON QUESTIONS
======================================================================
The following information was taken from the Question and Answer
document from the following site on the World Wide Web
http://www.microsoft.com/msexcel/productinfo/vbavirus/emvolc.htm.
Please refer to this site for the most up-to-date Questions and
Answers.
1. Q. What are macro viruses?
A. Macro viruses are a type of virus that use an application's own
macro programming language to distribute themselves. Unlike
previous viruses, macro viruses do not attach to programs; they
attach to documents (workbooks).
2. Q. What is Microsoft doing about ExcelMacro/Laroux?
A. Customers have several resources for solutions:
1. Virus Search add-in. A free tool that detects and cleans
affected workbooks is currently available on
http://www.microsoft.com/.
2. Third-Party Tools. Microsoft is working very closely with
third party anti-virus vendors to give them the information
they need to create tools that protect against macro viruses
in Microsoft Excel. There are already tools developed by anti-
virus vendors to clean and detect the virus.
3. Customer Information. We will continue to make information
available to customers:
The Microsoft Web Site: http://www.microsoft.com/
The Microsoft ftp site: ftp.microsoft.com
Microsoft AnswerPoint Information Services: 206-635-7070
in the United States
Contact your local Microsoft office for locations outside
the United States
Autoreply e-mail via the Internet: msxlinfo@microsoft.com
4. Long Term Solutions. We are building technology into the next
release of our product that will help prevent macros from
executing and affecting your workbooks when you open a file.
3. Q. How do I know if I have ExcelMacro/Laroux?
A. See the section "Detecting the Laroux Virus" below.
4. Q. How can I get rid of ExcelMacro/Laroux if I have it?
A. Install and run the Microsoft Excel Virus Search add-in as
described in this document.
5. Q. What does ExcelMacro/Laroux do?
A. The ExcelMacro/Laroux macro is a nonharmful, nondestructive
concept virus that simply appends a module named "Laroux" to
workbooks created in Microsoft Excel. It does not affect data or
anything else in the workbook.
ExcelMacro/Laroux consists of two macros, Auto_Open and
Check_Files. The Auto_Open macro executes whenever a workbook
containing the virus is opened, followed by the Check_Files
macro which determines the startup path of Excel and copies a
module named "Laroux" to workbooks you open.
If there is no file named PERSONAL.XLS in the startup path, the
virus creates one. This file contains a module named "Laroux".
Once the PERSONAL.XLS file is infected, the macros will be
copied to new workbooks and workbooks you open by adding a new
module named "Laroux".
PERSONAL.XLS is the default filename for any macros recorded
under Microsoft Excel, so you might have a PERSONAL.XLS file
even if this virus is not present on your computer. The startup
path is set by default as \MSOFFICE\EXCEL\XLSTART, but can be
changed by clicking the Options command on the Tools menu,
clicking the General tab, and then changing the Alternate
Startup File Location option.
6. Q. Is this the same virus that affected Microsoft Word?
A. No. Microsoft Word currently uses a different programming
language than Microsoft Excel so it is not possible for the same
macro virus to infect both a Microsoft Word document and a
Microsoft Excel workbook.
