-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

[IBM-ERS ASCII-art banner]

                      EMERGENCY RESPONSE SERVICE
                    OUTSIDE ADVISORY REDISTRIBUTION

05 August 1996 12:00 GMT                        Number: ERS-OAR-E01-1996:013.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security. IBM makes no representations and
assumes no responsibility for the contents or accuracy of the advisories
themselves.

IBM-ERS is forwarding the following information from NASIRC. Contact
information for NASIRC is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================
********************** FORWARDED INFORMATION STARTS HERE **********************

NASIRC BULLETIN B-96-33                                        August 02, 1996

Laroux Excel Macro Virus

===========================================================
NASA Automated Systems Incident Response Capability

[NASIRC ASCII-art logo]

Serving NASA and the International Aerospace Communities
===========================================================

This bulletin reports a recently announced security vulnerability. It may
contain a workaround or software patch.
Bulletins should be considered urgent as vulnerability information is likely
to be widely known by the time a patch is issued or other solutions are
developed.
===========================================================

SYSTEMS AFFECTED

Systems running Microsoft Excel 5.x and 7.x on Windows 3.x, Windows 95, and
Windows NT are affected.

PROBLEM DESCRIPTION

The first "in the wild" Microsoft Excel macro virus, named ExcelMacro/Laroux,
was found in July 1996. ExcelMacro/Laroux was written in Visual Basic for
Applications (VBA). This is a macro language based on the Visual Basic
language from Microsoft. This virus is able to operate in Excel 5.x and 7.x
under Windows 3.x, Windows 95, and Windows NT. This virus does not work under
any version of Excel for Macintosh or Excel 3.x or 4.x for Windows.

ExcelMacro/Laroux consists of two macros: auto_open and check_files. The
auto_open macro executes whenever a spreadsheet is opened, followed by the
check_files macro that determines the startup path of Excel. If there is no
file named "PERSONAL.XLS" in the startup path, the virus creates one. This
file contains a module called "laroux".

The Laroux virus infects the "PERSONAL.XLS" file which, by default, is found
in "\MSOFFICE\EXCEL\XLSTART", but it can be changed using Excel's
Tools/Options/General/Alternate Startup File menu option. The file name
PERSONAL.XLS is a default file name similar to NORMAL.DOT for Microsoft Word
for Windows.

Once the "PERSONAL.XLS" file is infected, the macros will be copied to new
workbooks by adding a new module called "laroux", infecting any created or
accessed spreadsheets. ExcelMacro/Laroux is not known to be destructive and
contains no obvious payload; it just replicates.

RECOMMENDED ACTIONS

To determine if users have the virus, they should:

1. Start Microsoft Excel.

2. Click Macro on the Tools menu.

3. Infection is likely if the following macro names are listed:

      Auto_Open
      Check_files
      PERSONAL.XLS!auto_open
      PERSONAL.XLS!check_files

4. If users have any infected workbooks open in the background, they may
   also see the following names listed:

      'bookname'!auto_open
      'bookname'!check_files

   (where 'bookname'! is the name of the open workbook)

Note: Before disinfecting files, users should confirm the existence of the
macro by clicking Unhide on the Window menu and unhiding the PERSONAL.XLS
file. Doing this should make the sheet visible. Presence of the virus is
indicated by the word "laroux" in the sheet tab.

To manually disinfect ExcelMacro/Laroux, users should:

1. Start Microsoft Excel.

2. Click Macro on the Tools menu.

3. Delete any of the following macro names that appear in the workbook:

      Auto_Open
      Check_files
      PERSONAL.XLS!auto_open
      PERSONAL.XLS!check_files

4. Click Exit on the Microsoft Excel File menu, and click Yes to save all
   changes. Microsoft Excel is now clean.

5. Continue to open all infected workbooks one by one. Press and hold the
   shift key while opening them to bypass any automacros.

   a. For each workbook, click Macro on the Tools menu and delete the virus
      macros.

   b. Click Save on the File menu and re-save the file.

Prevention

Users should reset the attributes for the PERSONAL.XLS file to read-only.
This protects PERSONAL.XLS so Laroux cannot infect it. If PERSONAL.XLS does
not exist on the system, users should create an empty PERSONAL.XLS file and
follow the above procedure.

Detecting ExcelMacro/Laroux with F-PROT Professional:

F-PROT supports user-defined search strings to search for new viruses. Users
should add the following search string with the name ExcelMacro/Laroux:

      00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11

After this, users should check all Excel worksheets for infection. This can
be done by scanning all files or by adding "XL?" to the list of file
extensions to be scanned.

Infected files will be reported by F-PROT like this:

      C:\SHEETS\CUSTOMER.XLS contains the ExcelMacro/Laroux search string.

*Note: Microsoft Tools - A free tool to detect and clean infected documents
is currently being developed and will be available within the next week on
http://www.microsoft.com. NASIRC will obtain a copy and place it in its ftp
archives.

Vendor Information

The following list is not a NASIRC recommendation for any product. This list
is not exhaustive and is only provided as a convenience.

   Vendors        Product          Detects        Eradicates
   DataFellows    Fprot            yes            Manually
   Microsoft      in development   yes            yes
   Symantec       SAM/NAM          yes            yes
   McAfee         McAfee           Unspecified    Unspecified

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
ACKNOWLEDGMENTS: ASSIST and AT&T for bringing this situation to NASIRC's
attention.

BULLETIN AUTHOR: Tom Baxter
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory may be forwarded without restriction. Persons within the NASA
community or operating in support of a NASA contract may contact NASIRC with
any questions about this advisory.

   Telephone:               1-800-7-NASIRC (1-800-762-7472)
   FAX:                     1-301-441-1853
   International:           +1-301-441-4398
   STU III:                 1-301-982-5480
   Internet E-Mail:         nasirc@nasa.gov
   24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
   WWW:                     http://nasirc.nasa.gov/NASIRC_home.html
   FTP:                     nasirc.nasa.gov, login "anonymous"

Anyone requiring assistance or wishing to report a security incident but not
operating in support of NASA may contact the Forum of Incident Response and
Security Teams (FIRST), an international organization of incident response
teams, to determine the appropriate team. A list of FIRST member
organizations and their constituencies may be obtained by sending E-mail to
"docserver@first.org" with an empty "subject" line and a message body
containing the line "send first-contacts" or via WWW at
http://www.first.org/ .
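As an added illustration of the F-PROT user-defined search-string check and of the PERSONAL.XLS read-only prevention step described in this bulletin (this is example code written for this page; it is not part of the NASIRC bulletin, of F-PROT, or of any Microsoft tool), the following Python script searches every file whose extension matches "XL?" for the published byte sequence and reports hits, then checks whether PERSONAL.XLS in a given startup path is read-only and applies that setting. The directory layout, file names and file contents are constructed for the demonstration: no real BIFF workbook is built, the search string is simply embedded in filler bytes.

```python
"""Example (not from the NASIRC bulletin, F-PROT or Microsoft): scan Excel files
for the published ExcelMacro/Laroux search string, the way F-PROT does with a
user-defined string, and check the bulletin's prevention step (PERSONAL.XLS in
the Excel startup path set read-only). All sample files are constructed."""
import fnmatch
import os
import shutil
import stat
import tempfile

# Search string exactly as published in the bulletin, converted to raw bytes.
LAROUX_SEARCH_STRING = bytes.fromhex(
    "00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11"
)


def contains_laroux_string(data: bytes) -> bool:
    """True if the 20-byte search string occurs anywhere in the file contents."""
    return LAROUX_SEARCH_STRING in data


def scan_directory(root: str, pattern: str = "XL?") -> list:
    """Walk root and return the paths of files whose extension matches pattern
    (the bulletin's "XL?", compared case-insensitively) and whose contents
    contain the search string."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lstrip(".").upper()
            if not fnmatch.fnmatchcase(ext, pattern.upper()):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if contains_laroux_string(fh.read()):
                    hits.append(path)
    return sorted(hits)


def personal_xls_is_read_only(startup_path: str) -> bool:
    """Prevention check: PERSONAL.XLS in the startup path exists and has no
    owner write bit. On Windows the write bit maps to the read-only attribute,
    which is what the bulletin tells users to set."""
    path = os.path.join(startup_path, "PERSONAL.XLS")
    if not os.path.isfile(path):
        return False
    return not (os.stat(path).st_mode & stat.S_IWRITE)


def make_read_only(path: str) -> None:
    """Clear the write bit (sets the read-only attribute on Windows)."""
    os.chmod(path, stat.S_IREAD)


def demo() -> dict:
    """Build a constructed tree, scan it, then apply and re-check the fix."""
    root = tempfile.mkdtemp(prefix="laroux-demo-")
    try:
        sheets = os.path.join(root, "SHEETS")
        xlstart = os.path.join(root, "MSOFFICE", "EXCEL", "XLSTART")
        os.makedirs(sheets)
        os.makedirs(xlstart)
        # Constructed contents: an OLE-style header, filler, and (for the
        # "infected" file) the search string. Not a real workbook.
        header = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
        infected = header + b"\x00" * 32 + LAROUX_SEARCH_STRING + b"\x00" * 32
        clean = header + b"\x00" * 64
        samples = {
            "SHEETS/CUSTOMER.XLS": infected,  # should be reported
            "SHEETS/BUDGET.XLS": clean,       # should not be reported
            "SHEETS/MEMO.DOC": infected,      # wrong extension: not scanned
            "MSOFFICE/EXCEL/XLSTART/PERSONAL.XLS": clean,
        }
        for rel, data in samples.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        hits = [os.path.basename(p) for p in scan_directory(root)]
        before = personal_xls_is_read_only(xlstart)
        personal = os.path.join(xlstart, "PERSONAL.XLS")
        make_read_only(personal)
        after = personal_xls_is_read_only(xlstart)
        os.chmod(personal, stat.S_IREAD | stat.S_IWRITE)  # allow cleanup
        return {"hits": hits, "read_only_before": before, "read_only_after": after}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    for name in result["hits"]:
        print(f"{name} contains the ExcelMacro/Laroux search string.")
    print("PERSONAL.XLS read-only before fix:", result["read_only_before"])
    print("PERSONAL.XLS read-only after fix:", result["read_only_after"])
```

Run as a script it prints one line per hit in the same form as the F-PROT report above; scan_directory can equally be pointed at a real share or startup path. A byte-pattern match is a heuristic in exactly the way F-PROT's user-defined string is: it reports that the published sequence is present but does not parse the workbook, so a hit should be confirmed with the Tools/Macro check in this bulletin before any macro is deleted.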
*********************** FORWARDED INFORMATION ENDS HERE ***********************
===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources. To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and
"PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.
The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not
be used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMgXsGPWDLGpfj4rlAQGGsAQAxGS/5I07QEwb0nnqZgtEX0NrqQdD1O2E
KyMHH1ZE6SIAmaBffNCnYO948YAzoSMEamGaw55tajVijOKZeuK6dQD1sMmvzn15
1I+m40TtGHmQYgdDiNbW+96X4VsSsrBm7Gp/J9sPEYkzDJ1sWSMViKI063HeQLEE
VSMxsm1meH8=
=Bchm
-----END PGP SIGNATURE-----