X97M_LAROUX.DEJ
October 09, 2012
PLATFORM:
Windows 2000, Windows XP, Windows Server 2003
Threat Type: File infector
Destructiveness: No
Encrypted: No
In the wild: Yes
OVERVIEW
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
File Size: 166,912 bytes
File Type: XLS
Memory Resident: No
Initial Samples Received Date: 16 Jan 2012
Arrival Details
This file infector arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
NOTES:
It hooks the macro auto_open().
It checks if the following file exists:
- %User Profile%\Application Data\Microsoft\Excel\XLSTART\StartUp.xls
If the file does not exist, it creates a copy of the active workbook in that folder as StartUp.xls.
It infects Microsoft Office Excel files by creating a macro module named StartUp, which contains the malware code.
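The following triage check is an added example, not part of the original write-up: it looks in each user profile for the StartUp.xls file described above and records its size, hash, and whether it is an OLE2 workbook containing the UTF-16LE name "StartUp". The function names, the string heuristic, and the sample directory tree are assumptions made for illustration; a hit is a lead for review, since the heuristic does not parse the VBA project.

```python
import hashlib
import os
import tempfile

# Relative path taken from the write-up above (Windows 2000/XP/2003 profile layout).
XLSTART_REL = os.path.join("Application Data", "Microsoft", "Excel", "XLSTART")
DROPPED_NAME = "startup.xls"                    # compared case-insensitively
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # compound-file header of legacy .xls
MODULE_UTF16 = "StartUp".encode("utf-16-le")    # compound-file entry names are UTF-16LE

def inspect_workbook(path):
    # Heuristic only (assumption): a raw byte search, not a real VBA project parse.
    with open(path, "rb") as fh:
        data = fh.read()
    is_ole2 = data.startswith(OLE2_MAGIC)
    return {"path": path, "size": len(data), "ole2": is_ole2,
            "sha256": hashlib.sha256(data).hexdigest(),
            "startup_name_present": is_ole2 and MODULE_UTF16 in data}

def scan_profiles(profiles_root):
    # profiles_root is the folder holding one sub-folder per user profile.
    findings = []
    for profile in sorted(os.listdir(profiles_root)):
        xlstart = os.path.join(profiles_root, profile, XLSTART_REL)
        if not os.path.isdir(xlstart):
            continue
        for name in os.listdir(xlstart):
            if name.lower() == DROPPED_NAME:
                findings.append(inspect_workbook(os.path.join(xlstart, name)))
    return findings

def build_constructed_tree(root):
    """Constructed sample data: 'alice' has a fake StartUp.xls, 'bob' does not."""
    hit = os.path.join(root, "alice", XLSTART_REL)
    clean = os.path.join(root, "bob", XLSTART_REL)
    os.makedirs(hit)
    os.makedirs(clean)
    with open(os.path.join(hit, "StartUp.xls"), "wb") as fh:
        fh.write(OLE2_MAGIC + b"\x00" * 64 + MODULE_UTF16 + b"\x00" * 64)
    with open(os.path.join(clean, "budget.xls"), "wb") as fh:
        fh.write(OLE2_MAGIC + b"\x00" * 64)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for finding in scan_profiles(tmp):
            print(finding)
```

On a live system, pass the folder that contains the user profiles to `scan_profiles`; workbooks that report `startup_name_present` should then be opened in a macro-disabled viewer to confirm the StartUp module.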