X97M.Laroux.JG Excel macro virus warning!

Question

X97M.Laroux.JG Excel macro virus warning!

Answer

This question was answered on February 2, 2001. Much of the information contained herein may have changed since posting.

X97M.Laroux.JG is a macro virus that infects Microsoft Excel spreadsheets. On infected systems, X97M.Laroux.JG replicates by copying itself, line by line, to Microsoft Excel spreadsheets when they are opened. By inserting a file into the Excel startup folder (usually \Xlstart), the virus ensures that it will be executed every time that Microsoft Excel is started. The virus has a payload that triggers on the 25th of every month.

The first time that X97M.Laroux.JG is executed on a system, it does the following:

1. It inserts the Hd.xls file into the Microsoft Excel startup folder.

2. The virus checks to see if the active spreadsheet is infected. If it is not infected, X97M.Laroux.JG inserts itself into the active spreadsheet. The virus does this by copying one line at a time from itself to the active spreadsheet.

3. The virus runs the payload. The virus checks to see if it is the 25th of the month. If it is, the virus runs the payload.

When the payload is run, the following occur:

1. A message box appears with the message:

Hyundai Unicorns left from Incheon, What do you think of it?

The choices are Yes and No. The correct answer to this question, according to the virus, is "Yes."

2. What happens next depends on whether you clicked Yes or No:

If you clicked Yes, the virus displays the message:

Good! You're pretty good guy!!

The payload routine then closes.

If you clicked No, the virus displays the message:

Oh! no, Next question is last time for you.

3. The last question appears as follows:

We do not buy Hyundai's product, is it right? If you have wrong answer, you will have punishment.

The choices are Yes and No. Again, the virus sees Yes as the correct answer.

4. What happens next depends on whether you clicked Yes or No:

If you clicked Yes, the virus displays the message:

You got it!, You have right answer.

The payload routine then closes.

If you clicked No, the virus displays the message:

Wrong Answer, Your file will be deleted! You are SOB, too.

If you clicked No twice, the virus will clear the entire contents of the spreadsheet. However, it will not save the changes. Therefore, it is possible to get everything back by simply closing the active spreadsheet without saving and then reopening it.


Author

Posted by Ken of Data Doctors on February 2, 2001
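
The startup-folder persistence described in the answer can be checked for directly. The following is an added example, not part of the original answer: it walks a directory tree, lists every workbook found in any folder named Xlstart, and flags the Hd.xls file name given above. The function names, verdict strings and sample tree are assumptions made for the illustration, and because a file-name match alone is only a heuristic, every other startup workbook is listed for manual review.

```python
import os
import tempfile

# Indicator taken from the page: the virus drops Hd.xls into \Xlstart.
KNOWN_DROPPER = "hd.xls"
# Workbook, template and add-in extensions that Excel loads from its startup folder.
WORKBOOK_EXTS = {".xls", ".xlt", ".xla", ".xlsm", ".xlsb", ".xltm", ".xlam"}


def scan_xlstart(root):
    """Return sorted (path, verdict) pairs for workbooks inside any XLSTART folder under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows paths are case-insensitive, so compare the folder name in lower case.
        if os.path.basename(dirpath).lower() != "xlstart":
            continue
        for name in files:
            if os.path.splitext(name)[1].lower() not in WORKBOOK_EXTS:
                continue
            if name.lower() == KNOWN_DROPPER:
                verdict = "matches-page-indicator"
            else:
                verdict = "review"  # auto-loaded by Excel, so worth a manual look
            findings.append((os.path.join(dirpath, name), verdict))
    return sorted(findings)


def build_sample_tree(root):
    """Create a constructed directory layout (empty placeholder files only) for the demo."""
    layout = [
        ("Office/XLSTART", "Hd.xls"),        # name from the page, inside the startup folder
        ("Office/XLSTART", "PERSONAL.XLS"),  # ordinary personal macro workbook
        ("Office/XLSTART", "readme.txt"),    # not a workbook, ignored
        ("Documents", "Hd.xls"),             # same name outside XLSTART, not auto-loaded
    ]
    for folder, name in layout:
        target = os.path.join(root, *folder.split("/"))
        os.makedirs(target, exist_ok=True)
        open(os.path.join(target, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample_root:
        build_sample_tree(sample_root)
        for path, verdict in scan_xlstart(sample_root):
            print(f"{verdict:24} {path}")
```

To check a real machine, pass the Office installation directory or the user profile directory to `scan_xlstart` instead of the sample tree.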