
News In the
By Beverly Rosenbaum
Several makers of virus-detection software products have recently issued press releases regarding a working Excel macro virus. While this virus does exist, it is not currently believed to be widespread and does not have any intentional payload; it just replicates. The virus, called XM.Laroux, only appears in Microsoft Excel versions 5.x and 7.x under Windows 3.x, 95 and NT. It does not work in Excel 3.x and 4.x for Windows or any version for Macintosh. At this writing, there have been only two cases of the XM.Laroux virus reported, in the same company on two continents: one in Africa, and one in Alaska. This macro simply creates a hidden blank worksheet named "laroux" and does not affect anything else in the workbook. You can determine if you have the virus by opening the Tools/Macro dialog box to see if you have "auto open" and "check files" macros. If they are present, your system is infected, and you can use Tools/Macro/Delete to get rid of it. Datafellows (makers of F-Prot), Dr. Solomon (FindVirus) and Symantec (Norton AntiVirus) are among the first companies to develop tools for cleaning and detecting the virus.
The Microsoft Word macro viruses first appeared a year ago and quickly became widespread. They were the first viruses to infect documents rather than executable files, and were the first multi-platform viruses able to infect PC systems as well as Macintosh. The Concept virus makes use of the well-developed Microsoft Word macro language, Word Basic, to infect Microsoft Word 6.0 documents and the NORMAL.DOT template. Concept is very common in the wild and accounts for at least 20% of all reported virus incidents. According to a report from Dr. Solomon's Virus Center, the Concept virus was accidentally shipped by Microsoft on a CD ROM (Microsoft Windows 95 Compatibility Test) to hundreds of OEM companies last year. Another company distributed more Concept-infected documents on 5500 copies of a CD ROM called Snap-on Tools for Windows NT shortly afterwards. Now there are as many as 20 versions of the Word 6 macro appearing in the wild. A variant also infects Lotus AmiPro documents.
Several agencies, including Symantec's Antivirus Center and the Virus Bulletin, are reporting that among the top ten virus occurrences worldwide, the majority are PC Boot Sector viruses, which can be spread only through diskettes. Infection with this type of virus occurs when an attempt is made to boot the computer with an infected diskette in the floppy disk drive, even if the diskette is not bootable. Once in place, the virus loads itself into memory even before an antivirus program is run, and can prevent detection when in memory. When you access other floppy disks, their boot sectors become infected. When you pass such an infected disk to a friend, it will infect the hard drive of their computer by corrupting its boot sector and even the partition table as well.
Claiming to be an updated version of the popular Macintosh freeware virus checker Disinfectant 3.6, the "Updated Virus Checker 1.2" is actually a Trojan Horse and should not be used. A Trojan Horse is a program disguised as a regular program; it behaves like a virus and can cause damage to your system when run.
Watch for an in-depth study of viruses and available resources to detect and remove them coming next month in your User Journal.
Beverly Rosenbaum is a HAL-PC member.