Virus.X97M.LAROUX.F

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It does not have any backdoor routine.

It does not have any information-stealing capability.

Arrival Details

This Virus arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Virus drops a copy of itself in the following folders using different file names:

• {Excel Application Path}\XLSTART\mypersonnel.xls → if the malware file is not executed in this location.

Backdoor Routine

This Virus does not have any backdoor routine.

Rootkit Capabilities

This Virus does not have rootkit capabilities.

Information Theft

This Virus does not have any information-stealing capability.

Other Details

This Virus does the following:

• It disables the Escape key to prevent users from cancelling the script's execution.
• It checks for the following conditions:
  • If the file is in ".xlsx" format.
  • If the version of the file is Microsoft Office Excel 2007 or newer.
• If one of the conditions is met, it will create a copy of itself with the following filename and version and deletes the original file afterwards:
  • {Malware Path}\{Malware Name}.xls → file version set to Microsoft Excel 97-2003
• It remains active every time Excel is launched, infecting any new workbooks created and previously saved workbooks when they are opened.
• If the first sheet is not named "Kangatang", it copies a sheet named "Kangatang" containing the malicious script to the beginning of the active workbook to ensure infection and propagation.

NOTES:

It does not exploit any vulnerability.