
X97M.Laroux.JG Excel macro virus warning!

Question

X97M.Laroux.JG Excel macro virus warning!

Answer

This question was answered on February 2, 2001. Much of the information contained herein may have changed since posting.

X97M.Laroux.JG is a macro virus that infects Microsoft Excel spreadsheets. On infected systems, X97M.Laroux.JG replicates by copying itself, line by line, to Microsoft Excel spreadsheets when they are opened. By inserting a file into the Excel startup folder (usually \Xlstart), the virus ensures that it will be executed every time that Microsoft Excel is started. The virus has a payload that triggers on the 25th of every month.

The first time that X97M.Laroux.JG is executed on a system, it does the following:

1. It inserts the Hd.xls file into the Microsoft Excel startup folder.

2. The virus checks to see if the active spreadsheet is infected. If it is not infected, X97M.Laroux.JG inserts itself into the active spreadsheet. The virus does this by copying one line at a time from itself to the active spreadsheet.

3. The virus runs the payload. The virus checks to see if it is the 25th of the month. If it is, the virus runs the payload.

When the payload is run, the following occur:

1. A message box appears with the message:

Hyundai Unicorns left from Incheon, What do you think of it?

The choices are Yes and No. The correct answer to this question, according to the virus, is "Yes."

2. What happens next depends on whether you clicked Yes or No:

If you clicked Yes, the virus displays the message:

Good! You're pretty good guy!!

The payload routine then closes.

If you clicked No, the virus displays the message:

Oh! no, Next question is last time for you.

3. The last question appears as follows:

We do not buy Hyundai's product, is it right?. If you have wrong answer, you will have punishment.

The choices are Yes and No. Again, the virus sees Yes as the correct answer.

4. What happens next depends on whether you clicked Yes or No:

If you clicked Yes, the virus displays the message:

You got it!, You have right answer.

The payload routine then closes.

If you clicked No, the virus displays the message:

Wrong Answer, Your file will be deleted! You are SOB, too.

If you clicked No twice, the virus will clear the entire contents of the spreadsheet. However, it will not save the changes. Therefore, it is possible to get everything back by simply closing the active spreadsheet without saving and then reopening it.

Author

Posted by Ken of Data Doctors on February 2, 2001
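
The startup-folder persistence described in the answer can be checked for directly. The following is an added example, not part of the original answer: it walks a directory tree, lists every file sitting in a folder named XLSTART (Excel loads workbooks from there at startup), and flags any named Hd.xls. The function names and the sample directory tree are constructed for illustration.

```python
import os
import sys
import tempfile

DROPPED_NAME = "hd.xls"  # file name given in the answer above (compared case-insensitively)
STARTUP_DIR = "xlstart"  # Excel startup folder name (compared case-insensitively)


def scan_startup_folders(root):
    """Return sorted (path, name_matches) pairs for every file in any XLSTART folder under root.

    Every file is reported because anything in a startup folder is opened
    automatically and deserves review; name_matches marks the Hd.xls name.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != STARTUP_DIR:
            continue  # only startup folders are of interest
        for name in filenames:
            findings.append((os.path.join(dirpath, name), name.lower() == DROPPED_NAME))
    return sorted(findings)


def build_sample_tree(base):
    """Create a constructed tree of empty placeholder files for the demo."""
    for rel in ("Office/XLSTART/Hd.xls", "Office/XLSTART/Book.xlt",
                "Profile/xlstart/PERSONAL.XLS", "Docs/Hd.xls"):
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "wb").close()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Scan a real location, e.g. a user profile or the Office install folder.
        results = scan_startup_folders(sys.argv[1])
    else:
        # No argument: run against the constructed sample tree.
        with tempfile.TemporaryDirectory() as base:
            build_sample_tree(base)
            results = scan_startup_folders(base)
    for path, name_matches in results:
        print(("MATCH   " if name_matches else "review  ") + path)
```

A name match is a lead for an antivirus scan of that file, not a verdict; a file with the same name outside a startup folder is not reported.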
