INFORMATION PROVIDED IN THIS DOCUMENT AND ANY SOFTWARE THAT MAY ACCOMPANY THIS DOCUMENT (collectively referred to as an Application Note) IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. The user assumes the entire risk as to the accuracy and the use of this Application Note. This Application Note may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included 2) If software is included, all files on the disk(s) must be copied without modification (the MS-DOS(R) utility diskcopy is appropriate for this purpose) 3) All components of this Application Note must be distributed together 4) This Application Note may not be distributed for profit. Copyright (c) 1996 Microsoft Corporation. All Rights Reserved. Microsoft, MS-DOS, MSN, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries. America Online is a registered trademark of America Online, Inc. Macintosh is a registered trademark of Apple Computer, Inc. CompuServe is a registered trademark of CompuServe, Inc. MICROSOFT(R) EXCEL VIRUS SEARCH 1.2 ADD-IN December 11, 1996 Please read this entire document for important information about the Microsoft Excel Virus Search 1.2 Add-In, including problems you may encounter when running it. _______________________________________________ CONTENTS What Is the Laroux Virus? What Is the Sofa Virus? Answers to Common Questions Detecting the Laroux Virus Installing the Microsoft Excel Virus Search 1.2 Add-In Removing the Laroux Virus from Your System Removing the virus from files on disk Opening new workbooks safely Removing the virus from workbooks that you open Manually checking a file for the Laroux virus Preventing the Laroux Virus and Future Viruses How the Virus Search Add-In Changes Microsoft Excel Opening recently used files Opening files of types that aren't listed Opening workbooks read-only Changes to SHIFT + Open Uninstalling the Microsoft Excel Virus Search 1.2 Add-In _______________________________________________ WHAT IS THE LAROUX VIRUS? ========================= The ExcelMacro/Laroux macro is a non-harmful, non-destructive concept virus that simply appends a module named "laroux" to workbooks. It does not affect data in the workbook. The Laroux B virus is a variation that has the same effect but can also overwrite macros stored in the user's Personal.XLS macro sheet. This is the first replicating macro virus ever discovered in Microsoft Excel. The virus only affects workbooks created in Microsoft Excel version 5.x for Windows(R) 3.x, Microsoft Excel version 5.x for Windows NT(R), and Microsoft Excel 95 for Windows 95 and Windows NT, including certain localized versions of Microsoft Excel. This virus does not affect any version of Microsoft Excel for Macintosh(R) or Microsoft Excel versions 2.x, 3.x, or 4.x for Windows. WHAT IS THE SOFA VIRUS? ========================= The Sofa macro is a non-harmful, non-destructive concept virus that does not affect data in any way. Infected files display the application header "Microsofa Excel" instead of "Microsoft Excel." ANSWERS TO COMMON QUESTIONS =========================== Q: What are macro viruses? A: Macro viruses are a type of virus that use an application's own macro programming language to distribute themselves. Unlike previous viruses, macro viruses do not attach to programs; they attach to documents (workbooks). Q: What is Microsoft doing about Laroux and Sofa? A: Customers have several resources for solutions: 1. Virus Search add-in. A free tool that detects (and cleans Laroux) affected workbooks is currently available on http://www.microsoft.com/. 2. Third-Party Tools. Microsoft is working very closely with third party anti-virus vendors to give them the information they need to create tools that protect against macro viruses in Microsoft Excel. There are already tools developed by anti-virus vendors to clean and detect the virus. 3. Customer Information. We will continue to make information available to customers: The Microsoft Web Site: http://www.microsoft.com/ The Microsoft ftp site: ftp.microsoft.com Microsoft AnswerPoint Information Services: 206-635-7070 in the United States Contact your local Microsoft office for locations outside the United States 4. Long Term Solutions. We are building technology into the next release of our product, Microsoft Excel 97, that will help prevent macros from executing and affecting your workbooks when you open a file. Q: How do I know if I have Laroux? A: See the section "Detecting the Laroux Virus" below. Q: How can I get rid of Laroux if I have it? A: Install and run the Microsoft Excel Virus Search add-in as described in this document. More Details ------------ Q: What does Laroux do? A: The ExcelMacro/Laroux macro is a non-harmful, non-destructive concept virus that simply appends a module named "laroux" to workbooks created in Microsoft Excel. It does not affect data in the workbook. The Laroux B virus is a variation that has the same effect but can also overwrite macros stored in the user's Personal.XLS macro sheet. Laroux consists of two macros, Auto_Open and Check_Files. The Auto_Open macro executes whenever a workbook containing the virus is opened, followed by the Check_Files macro which determines the startup path of Excel and copies a module named "Laroux" to workbooks you open. If there is no file named PERSONAL.XLS in the startup path, the virus creates one. This file contains a module named "laroux". Once the PERSONAL.XLS file is infected, the macros will be copied to new workbooks and workbooks you open by adding a new module named "laroux". PERSONAL.XLS is the default filename for any macros recorded under Microsoft Excel, so you might have a PERSONAL.XLS file even if this virus is not present on your system. The startup path is set by default as \MSOFFICE\EXCEL\XLSTART, but can be changed by clicking the Options command on the Tools menu, clicking the General tab, and then changing the Alternate Startup File Location option. Q: Is this the same virus that affected Microsoft Word? A: No. Microsoft Word currently uses a different programming language than Microsoft Excel so it is not possible for the same macro virus to infect both a Microsoft Word document and a Microsoft Excel workbook. DETECTING THE LAROUX VIRUS ========================== To determine if you have the virus: 1. Start Microsoft Excel. 2. Open a workbook that you suspect contains the virus. 3. On the Tools menu, click the Macro command. 4. If you see the following macro names in the list, the Laroux virus may be present: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files If you see only the Auto_Open macro, without the Check_Files macro, it's possible that the workbook does not contain the virus. 5. If any workbooks that you have open in the background also contain the virus, you may also see the following names listed: 'bookname'!auto_open 'bookname'!check_files (where 'bookname'! is the name of the open workbook) 6. You can confirm the existence of the virus macro by clicking the Unhide command on the Window menu and then clicking the Personal.xls file. In the Personal.xls workbook, a sheet tab with the word "laroux" indicates that the virus is present. INSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN ====================================================== To install the Virus Search add-in on your Microsoft Excel version 5.x or Microsoft Excel 95 system: 1. Exit from Microsoft Excel. 2. Copy the file xlscan.xla to your Microsoft Excel Library folder. For Microsoft Excel 95, copy the file to the MSOffice\Excel\Library folder. For Microsoft Excel version 5.x for Windows, copy the file to the LIBRARY directory under the EXCEL directory. 3. Start Microsoft Excel. 4. On the Tools menu, click the Add-ins command. 5. Make sure Microsoft Excel Virus Search is checked. If you don't see this add-in listed, click Browse and use the Browse dialog box to locate and select the xlscan.xla file. 6. Click the OK button to begin the scan. 7. If the Virus Search add-in reports that the Laroux virus was found and removed from a workbook, it prompts you to save the workbook. Click the Yes button, so that the clean version of the workbook is saved over the version with the virus on your disk. 8. To remove the virus from files on disk, follow the steps in the next section. REMOVING THE LAROUX VIRUS FROM YOUR SYSTEM ========================================== Once you have installed the add-in, you can remove the virus from workbook files on your hard disk and shared network directories. After doing this, you can continue to use the add-in to open workbook files safely, and prevent the virus from being reintroduced onto your system. Removing the virus from files on disk ------------------------------------- The first time you load the Virus Search add-in, workbooks in memory are automatically scanned, and then you're given the option of scanning saved files. When you scan the files, they are opened, and if the Laroux virus is found in a workbook it is removed and the clean workbook is then saved. If a workbook is protected for structure, is read-only, or is a shared workbook, the virus cannot be removed. If you have workbooks of any of these types, you can go ahead with the scan to determine whether they have the virus. Then if the virus is found, you'll need to unprotect the workbook, make it read/write, or remove it from shared use, and then repeat the virus scan. Follow these steps to clean the files on your disk or shared network directories: 1. Close any open workbooks. 2. If the Virus Search add-in is not currently running, click the Virus Search command on the Tools menu. If the Virus Search add-in is already running, respond to the prompt asking if you want to scan your files for the virus by clicking the Yes button. 3. Click the Currently Open Workbooks And Disk Files option, and then click the OK button. 4. When prompted that open workbooks will be saved, click the OK button. 5. When prompted about scanning workbooks older than the date when the Laroux virus was first detected, click the Yes button if you want to check all workbooks regardless of age, or click the No button to check only workbooks that have been saved since the Laroux virus appeared. Clicking the No button may speed up the process by scanning fewer workbooks. 6. In the Directory box, enter the path of the folder on your hard disk or a shared network directory where you want to start scanning for the virus. 7. In the File Types box, enter all file extensions used on your system for Microsoft Excel workbooks or workbook templates. For example, *.xls and *.xlt are the default extensions. Enter the extensions in the format shown, separated by semicolons: *.xls; *.xlt. 8. To search all folders within the top-level folder you specified, make sure the Scan Subdirectories check box is selected. 9. To display a worksheet listing the results when the scan is complete, make sure the Log Searched Files check box is selected. 10. Click the OK button to begin the scan. During the scan, the Laroux virus is removed from any files in which it is detected, and the cleaned files are then saved automatically. 11. When the scan is complete, click the Yes button to repeat the search starting from a different top-level folder, or click the No button to exit. Opening new workbooks safely ---------------------------- Once you install the Virus Search add-in, all workbooks and workbook templates that you open by using the Open command on the File menu or the Open button on the Standard toolbar are checked automatically for macros. If a workbook contains macros, you see a warning message that lets you decide how to open the workbook: * If you aren't sure that the workbook is from a reliable source, but you want to see the contents of the workbook, you can click the Open Without Macros button. The workbook opens, but neither Microsoft Excel 4.x (XLM) nor Visual Basic macros are included. If you then save the workbook with the same name, it is saved without the macros, and all macros previously in the workbook are permanently lost. It's a good idea to save the workbook with a different name if you want a copy without the macros. As an alternative, you may want to click the Cancel button and use the Virus Search add-in to check the file on disk. Once the Virus Search add-in has checked and cleaned the file, you can open the file with its macros and be sure that the Laroux and Sofa viruses are not present. * If you are certain of the reliability of the source from which you obtained the workbook, or you have already checked the workbook with the Virus Search add-in, you can click the Open With Macros button to open the workbook and use the macros. * If you want to examine the macros manually for viruses, you can select the Do Not Run Auto_Open Macro check box, and then click the Open With Macros button. The workbook and its macros open, but any macros that normally run automatically when the workbook is opened do not run. Macros of this type are a common mechanism by which viruses such as the Laroux virus introduce themselves into a system. See the section "Manually checking a file for the Laroux virus" for more information. Removing the Laroux virus from workbooks that you open ----------------------------------------------- If you open a workbook from the Windows File Manager or Windows Explorer, from an electronic mail message, or from a Web browser such as the Microsoft Internet Explorer, the workbook is not checked automatically for macros that might contain viruses. If you open workbooks in any of these ways, or if you decide to open a workbook with macros, you can check these workbooks as follows and remove the Laroux virus before you save the workbooks or pass the virus on to other workbooks. To clear the virus from open workbooks: 1. On the Tools menu, click the Virus Search command. 2. In response to the prompt asking if you want to search for the virus, click the Yes button. 3. Click the Currently Open Workbooks option, and then click the OK button. 4. If the Virus Search add-in reports that the Laroux virus was found and removed from a workbook, it prompts you to save the workbook. Click the Yes button, so that the clean version of the workbook is saved over the version that has the virus on your disk. Manually checking a file for the Laroux virus --------------------------------------------- To examine macros manually for the Laroux virus: 1. If you do not have the Virus Search add-in installed, hold down the SHIFT key while you open the workbook, so that it opens without running any macros that would otherwise run automatically If you have the Virus Search add-in installed, the SHIFT + Open capability is disabled. Click the Open command on the File menu, double-click the workbook you want to open, select the Do Not Run Auto_Open Macro check box, and then click the Open With Macros button. 2. On the Tools menu, click the Macro command. 3. In the list box, delete any of the following macro names that appear: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files If the list contains the Auto_Open macro, but the Check_Files macro is not present, the file may not contain the Laroux virus. 4. Click the OK button. 5. On the File menu, click the Exit command, and then click the Yes button to save all changes. The file no longer contains the Laroux virus. PREVENTING THE LAROUX VIRUS AND FUTURE VIRUSES ============================================== Once you have scanned your workbooks and removed the Laroux virus, you can prevent the virus from returning by doing the following: * Whenever possible, open workbooks by clicking the Open command on the File menu or the Open button on the standard toolbar. When you open workbooks in this way, they are automatically checked for macros. * If you open a workbook from the Windows File Manager or Windows Explorer, from an electronic mail message, or from a Web browser such as the Microsoft Internet Explorer, immediately check the workbook for the Laroux virus using the Virus Search command on the Tools menu, as explained in the section "Removing the virus from open workbooks." Workbooks opened in any of these ways are not checked automatically for macros, so it's important for you to check them for the virus. Version 1.2 of the Microsoft Excel Virus Search add-in can only detect and remove Excel Macro/Laroux and Laroux B virus. If new viruses are discovered in the future, Microsoft will provide information about what you need to do to remove them from your files and prevent them from recurring. To minimize the possibility of acquiring any new viruses that might appear, do the following: * Always open workbooks by clicking the Open command on the File menu or the Open button on the standard toolbar. * Open workbooks with their macros only if you are certain of the reliability of the source from which you obtained the workbook. * If you aren't sure about the source of a workbook, open it without macros. HOW THE VIRUS SEARCH ADD-IN CHANGES MICROSOFT EXCEL =================================================== The Virus Search add-in make several changes to Microsoft Excel that affect how you open files. Opening recently used files --------------------------- With the Virus Search add-in installed, you do not see a list of recently opened files when you click the File menu. To reopen a recently used file, use the Open command on the File menu or the Open button on the standard toolbar. Opening files of types that aren't listed ----------------------------------------- When you install the Virus Search add-in, the Files Of Type drop-down list in the Open dialog box no longer lists certain rarely used file types for display. However, you can still open files of these types, and all of the types of files that you could before. If you don't see the file type you're looking for in drop-down list, click the first selection in the list, All Files (*.*). Then click the name of the file you want, and click the Open button. Opening text files ---------------------- When you open a text file, Microsoft Excel normally starts the Text Import Wizard. With the Virus Search add-in installed, Microsoft Excel cannot start the Text Import Wizard as it usually does. Instead, Microsoft Excel asks if you want to use the Text Import Wizard. If click OK, the Virus Search add-in turns off its dectection capabilities and then displays the Open dialog with your text file selected by default. Click OK to open the text file and run the Text Import Wizard. Opening workbooks read-only --------------------------- When you install the Virus Search add-in, the dialog box displayed when you click the Open command on the File menu no longer lets you open a workbook as read-only. To open workbooks as read-only, you can uninstall the Virus Search add-in, or you can proceed as follows: 1. On the File menu, click the Open command, and then open the workbook. 2. On the View menu, click the Toolbars command. In the Toolbars box, select the Workgroup check box, and then click OK. 3. To make the workbook read-only, click the Toggle Read Only button on the Workgroup toolbar. Note for users of non-English versions of Microsoft Excel --------------------------------------------------------- The English language version of the Microsoft Excel Virus Search 1.2 Add-In is not supported for use on the international versions of Microsoft Excel. UNINSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 ADD-IN ======================================================== When you uninstall the add-in, the Open dialog box then works as it did before you installed the add-in. The xlscan.xla file remains in your Library folder so that you can easily reinstall it later. To uninstall the Virus Search add-in: 1. On the Tools menu, click the Add-ins command. 2. Clear the Microsoft Excel Virus Search check box, and then click the OK button. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing marketing conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for information purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Microsoft, Windows and Windows NT are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. Macintosh is a registered trademark of Apple Computer Inc.