------------------------------------------------------------------ MICROSOFT(R) EXCEL VIRUS SEARCH 2.0 ADD-IN FOR MICROSOFT EXCEL 97 February 1997 ------------------------------------------------------------------ (c) 1997 Microsoft Corporation. All rights reserved. [To view this readme most effectively in Notepad, turn on Word Wrap (Edit menu).] MICROSOFT EXPRESSLY DISCLAIMS ANY WARRANTY FOR THE INFORMATION IN THIS DOCUMENT AND ANY SOFTWARE THAT MAY ACCOMPANY THIS DOCUMENT (collectively referred to as an Application Note). THE APPLICATION NOTE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND/OR FITNESS FOR A PARTICULAR PURPOSE. The entire risk arising out of use or performance of the APPLICATION NOTE remains with you. This Application Note may be copied and distributed subject to the following conditions: 1) All text must be copied without modification and all pages must be included; 2) If software is included, all files on the disk(s) must be copied without modification; 3) All components of this Application Note must be distributed together; and 4) This Application Note may not be distributed for profit. NO LIABILITY FOR DAMAGES. In no event shall Microsoft or its suppliers be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss) arising out of the use of or inability to use the Application Notes, even if Microsoft has been advised of the possibility of such damages. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing marketing conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. Microsoft, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S. and/or other countries. Macintosh is a registered trademark of Apple Computer, Inc. Other products and company names mentioned herein may the trademarks of their respective owners. _______________________________________________ CONTENTS Introduction What Is the Laroux Virus? Answers to Common Questions Detecting the Laroux Virus Installing the Microsoft Excel Virus Search 2.0 Add-In Removing the Laroux Virus from Your System Removing the virus from files on disk Opening new workbooks safely Removing the virus from workbooks that you open Manually checking a file for the Laroux virus Preventing the Laroux Virus and Future Viruses What's New in Microsoft Excel Virus Search 2.0 Add-In Uninstalling the Microsoft Excel Virus Search 2.0 Add-In _______________________________________________ INTRODUCTION ============ Version 2.0 of the Microsoft Excel Virus Search Add-In can only detect and remove the Laroux virus. If new viruses are discovered in the future, Microsoft will provide information about what you need to do to remove them from your files and prevent them from recurring. Please read this entire document for important information about the Microsoft Excel Virus Search 2.0 Add-In, including problems you may encounter when running it. WHAT IS THE LAROUX VIRUS? ========================= The Laroux virus is a non-harmful, non-destructive concept virus that simply appends a module named "laroux" to workbooks. It does not affect data or anything else in the workbook. This is the first replicating macro virus ever discovered in Microsoft Excel. The virus only affects workbooks created in Microsoft Excel version 5.x for Windows(R) 3.x, Microsoft Excel version 5.x for Windows NT(R), Microsoft Excel 95 for Windows 95 and Windows NT, Microsoft Excel 97 for Windows 95 and Windows NT, including certain localized versions of Microsoft Excel (for example, versions of Microsoft Excel translated into German). This virus does not affect any version of Microsoft Excel for the Macintosh(R) or Microsoft Excel version 2.x, 3.x, or 4.x for Windows. ANSWERS TO COMMON QUESTIONS =========================== Q: What are macro viruses? A: A macro virus is a type of virus that uses a program's own macro programming language to distribute itself. Unlike previous viruses, macro viruses do not attach to programs; they attach to documents (workbooks). Q: What is Microsoft doing about the Laroux virus? A: Customers have several resources for solutions: 1. Virus Search Add-In. A free tool that detects and cleans affected workbooks is currently available on http://www.microsoft.com/. 2. Third-Party Tools. Microsoft is working very closely with third-party anti-virus vendors to give them the information they need to create tools that protect against macro viruses in Microsoft Excel. Tools developed by anti-virus vendors to clean and detect the virus are already available. 3. Customer Information. We will continue to make information available to customers: The Microsoft Web Site: http://www.microsoft.com/ The Microsoft ftp site: ftp.microsoft.com Microsoft Technical Support: (206) 635-7070 in the U.S.A. Contact your local Microsoft office for locations outside the U.S.A. Autoreply e-mail via the Internet: msxlinfo@microsoft.com 4. Long-Term Solutions. We are building technology into the next release of our product that will help prevent macros from executing and affecting your workbooks when you open a file. Q: How do I know if I have the Laroux virus? A: See the section "Detecting the Laroux Virus" below. Q: How can I get rid of the Laroux virus if I have it? A: If you are using Microsoft Excel 97, install and run the Microsoft Excel Virus Search 2.0 Add-In as described in this document. If you are using Microsoft Excel version 5.x for Windows(R), or Microsoft Excel 95 for Windows 95 or Windows NT, then you should use version 1.2 of the Microsoft Excel Virus Search Add-In. You can obtain a free copy of version 1.2 on one of the Web sites listed in resource #3 above or by contacting Microsoft Technical Support. If you have Microsoft Excel 97 for Windows 95 and Windows NT, then you should use version 2.0 of the Microsoft Excel Virus Search Add-In. The files accompanying this readme are version 2.0. Version 2.0 will not function with earlier versions of Microsoft Excel. Q: Can I use the English version of the Microsoft Excel Virus Search 2.0 Add-In with non-English (international) versions of Microsoft Excel 97? A: The English language version of the Microsoft Excel Virus Search 2.0 Add-In is not supported for use on the international versions of Microsoft Excel 97. More Details ------------ Q: What does the Laroux virus do? A: The Laroux virus is a non-harmful, non-destructive concept virus that appends a module named "laroux" to workbooks created in Microsoft Excel. It does not affect data or anything else in the workbook. A file infected with the Laroux virus contains two macros, Auto_Open and Check_Files. The Auto_Open macro runs when you open the file, and the macro then runs the Check_Files macro. The Check_Files macro looks to see if you have a Personal.xls file in your Microsoft Excel startup folder. If Personal.xls does not already exist, the virus creates one. This new file contains a module named "laroux" that contains the same Auto_Open and Check_Files macros that were in the infected file. This virus causes Microsoft Excel to copy the laroux module to the current workbook and every workbook you open thereafter. You might have a Personal.xls file even if this virus is not present on your system. Personal.xls is the default file name for the personal macro workbook where you store any global macros you record. DETECTING THE LAROUX VIRUS ========================== To determine if you have the virus: 1. Start Microsoft Excel. 2. Open any workbook (new or existing) if one is not open. 3. On the Tools menu, point to Macro, and then click Macros. 4. If you see the following macro names in the list, the Laroux virus may be present: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files If you see only the Auto_Open macro, without the Check_Files macro, it's possible that the workbook does not contain the virus. If any workbooks that you have open in the background also contain the virus, you will also see the following names listed: 'bookname'!auto_open 'bookname'!check_files (where 'bookname'! is the name of the open workbook) INSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 2.0 ADD-IN ====================================================== The add-in program includes four files and this readme file. To install the Virus Search 2.0 Add-In: 1. Quit Microsoft Excel. 2. Visit the Microsoft Excel web page http://www.microsoft.com/excel/productinfo/vbavirus/add_in.htm. In the "DOWNLOADING THE MICROSOFT EXCEL VIRUS SEARCH 1.2 and 2.0 ADD-INS" section, click "Download and install XLSCAN97.EXE" under Microsoft Excel Virus Search 2.0 Add-in. 3. Start Microsoft Excel. 4. On the Tools menu, click Add-Ins. 5. Make sure Microsoft Excel Virus Search is checked. If you don't see this add-in listed, click Browse, and use the Browse dialog box to locate and select the Xlscan97.xla file. In the Add-Ins dialog box, click OK. The Virus Search Add-In program starts. 6. Click the Yes button to begin a virus search. To remove the virus from files on disk and shared network folders, follow the steps in the next section. If you have problems with the installation, check the files below to be sure they were downloaded to the proper directories. · Xlscan97.xla and Xvbscan.exe should appear in your Microsoft Excel Library folder. By default, the Library folder for Microsoft Excel 97 is C:\Program Files\Microsoft Office\Office\Library · Scanload.dll should appear in your Office folder. By default, the Office folder is C:\Program Files\Microsoft Office\Office · Msvbvm50.dll should appear in your system folder. By default, the Windows 95 system folder is C:\Windows\System By default, the Windows NT system folder is C:\Winnt\System32 REMOVING THE LAROUX VIRUS FROM YOUR SYSTEM ========================================== Once you have installed the add-in, you can remove the virus from workbook files on your hard disk and shared network folders. After doing this, you can continue to use the Virus Search Add-In to periodically search for viruses. Removing the virus from files on disk ------------------------------------- The first time you load the Virus Search Add-In, workbooks you currently have open are automatically scanned, and you can optionally scan saved files. The add-in opens each file, and if the Laroux virus is found, the add-in removes it and saves the clean file. If a workbook is protected for structure, is read-only, or is a shared workbook, the add-in cannot remove the virus. If you have workbooks with any of these restrictions, you can go ahead with the scan to determine whether they have the virus. Then if the virus is found, you'll need to unprotect the workbook, make it read/write, or remove it from shared use, and then repeat the virus scan. Note: Before cleaning files on your disk or shared network folders, close any other programs that are running. While the Virus Search Add-In is running, do not start other programs. Follow these steps to clean the files on your disk or shared network directories: 1. Close any open workbooks. 2. If the Virus Search Add-In is not currently running, click Virus Search on the Tools menu. If the Virus Search Add-In is already running, respond to the prompt asking if you want to scan your files for the virus by clicking the Yes button. 3. Click the Currently Open Workbooks And Disk Files option, and then click OK. 4. When prompted that open workbooks will be saved, click OK. 5. When prompted about scanning workbooks older than the date when the Laroux virus was first detected, click Yes if you want to check all workbooks regardless of age, or click No to check only workbooks that have been saved since the Laroux virus appeared. Clicking No may speed up the process by scanning fewer workbooks. 6. In the Directory box, type the path of the folder on your hard disk or a shared network folder where you want to start scanning for the virus. 7. In the File Types box, type all file extensions used on your system for Microsoft Excel workbooks or workbook templates. For example, *.xls and *.xlt are the default extensions. Enter the extensions in the format shown, separated by semicolons: *.xls; *.xlt. 8. To search all folders within the top-level folder you specified, make sure the Include Subfolders check box is checked. 9. Click OK. The add-in will prepare Microsoft Excel and start the scanning utility. 10. Click Start to begin the scan. The add-in removes the Laroux virus from any files in which it is detected and saves the cleaned files automatically. 11. When the scan is complete, click Yes to repeat the search starting from a different top-level folder, or click No to exit. Note: If an alert message appears while scanning, click OK to continue the search. If Microsoft Excel or the Virus Search add-in crashes due to a corrupt workbook file, manually delete the file from your hard drive or shared network drive. Opening new workbooks safely ---------------------------- Microsoft Excel 97 includes a Macro Virus Protection feature. This feature automatically checks all workbooks and workbook templates that you open by using Open on the File menu or the Open button on the Standard toolbar. If a workbook contains macros, the scanner displays a warning message that lets you decide how to open the workbook. Macro Virus Protection does not recognize any particular virus, it just detects macros stored within a workbook. Therefore, you will see this warning even when the macros are "safe." If you are unsure whether a particular workbook with macros is safe, click the Disable Macros button. Then if you have installed the Virus Search Add-In, use Virus Search on the Tools menu to search the workbook for the Laroux Virus. The Macro Virus Protection feature is turned on in Microsoft Excel 97 by default. You can confirm the feature is turned on by making sure the Macro Virus Protection check box (Tools menu, Options command, General tab) is checked. Removing the virus from workbooks that you open ----------------------------------------------- If you decide to open a workbook with macros, you can check these workbooks as follows and remove the Laroux virus (if found) before you save the workbooks or pass the virus on to other workbooks: 1. On the Tools menu, click Virus Search. 2. Click the Currently Open Workbooks option, and then click OK. 3. If the Virus Search Add-In reports that the Laroux virus was found and removed from a workbook, it prompts you to save the workbook. Click Yes; this will save the clean version of the workbook over the version that has the virus on your disk. Manually checking a file for the Laroux virus --------------------------------------------- To examine macros manually for the Laroux virus: 1. If you do not have the Virus Search Add-In installed, choose "Disable Macros" while opening the workbook, so that it opens without running any macros that would otherwise run automatically. 2. On the Tools menu, point to Macro, and then click Macros. 3. In the list box, delete any of the following macro names that appear: Auto_Open Check_Files PERSONAL.XLS!auto_open PERSONAL.XLS!check_files If the list contains the Auto_Open macro but the Check_Files macro is not present, the file may not contain the Laroux virus. 4. Click OK. 5. On the File menu, click Exit, and then click Yes to save all changes. The file no longer contains the Laroux virus. PREVENTING THE LAROUX VIRUS AND FUTURE VIRUSES ============================================== Once you have scanned your workbooks and removed the Laroux virus, you can prevent the virus from returning by doing the following: * If you open a workbook from an e-mail message, or from a Web browser such as the Microsoft Internet Explorer, or from any questionable origin, immediately check the workbook for the Laroux virus using the Virus Search command on the Tools menu, as explained in the section "Removing the virus from open workbooks." Workbooks are not checked automatically (by the Macro Virus Protection feature) for the Laroux virus, so it is important for you to check them for the virus. Version 2.0 of the Microsoft Excel Virus Search Add-In can only detect and remove the Laroux virus. If new viruses are discovered in the future, Microsoft will provide information about what you need to do to remove them from your files and prevent them from recurring. To minimize the possibility of acquiring any new viruses that might appear, do the following: * Enable macros as you open workbooks only if you are certain of the reliability of the source from which you obtained the workbook. * If you aren't sure about the source of a workbook, open it with macros disabled, then use Virus Search on the Tools menu. WHAT'S NEW IN MICROSOFT EXCEL VIRUS SEARCH 2.0 ADD-IN ===================================================== Unlike version 1.0, the Microsoft Excel Virus Search 2.0 Add-In does not make any changes to the Open command. The problems associated with version 1.0 that affect how you open files do not exist in version 2.0. UNINSTALLING THE MICROSOFT EXCEL VIRUS SEARCH 2.0 ADD-IN ======================================================== When you uninstall the add-in, the Xlscan97.xla file remains in your Library folder so that you can easily reinstall it later. To uninstall the Virus Search Add-In: 1. On the Tools menu, click Add-Ins. 2. Clear the Microsoft Excel Virus Search check box, and then click OK. --------------------------------------------------------------