X97M/Laroux.A
Analysis
- Virus hooks Excel event handler which prevents the opening of infected files in order to run its code
- Virus may become up-converted from Excel95 to Excel97 when opening infected Excel95 workbooks in Excel97
- Virus exists in a code module named "laroux"
- Virus verifies if it has infected the Excel environment by searching for the file "PERSONAL.XLS" in the XLStart folder - if the file does not exist, a new workbook is created, infected and then saved as "PERSONAL.XLS" in the XLStart folder
- Virus sets these workbook properties to a null value during infection:
  - Title = ""
  - Subject = ""
  - Author = ""
  - Keywords = ""
  - Comments = ""
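
A triage check built from the module-name and PERSONAL.XLS indicators above, as an added example that is not Fortinet's detection logic: it reads the directory of an OLE2 workbook with the standard library only and reports which indicators apply. It assumes the Excel 97 layout in which VBA modules are streams under the `_VBA_PROJECT_CUR` storage; the function names are hypothetical, and the blanked-properties check is left out because it needs a SummaryInformation parser.

```python
import struct
from pathlib import PureWindowsPath

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
FREESECT = 0xFFFFFFFF

def ole_entry_names(data):
    """List the names of every storage/stream in an OLE2 file's directory."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    size = 1 << struct.unpack_from("<H", data, 30)[0]        # sector size
    n_fat, first_dir = struct.unpack_from("<II", data, 44)

    def sector(n):
        return data[(n + 1) * size:(n + 2) * size]

    # Only the 109 FAT pointers held in the header are followed, which covers
    # files up to about 7 MB with 512-byte sectors.
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        if s != FREESECT:
            raw = sector(s)
            fat.extend(struct.unpack_from("<%dI" % (len(raw) // 4), raw))

    names, sid, seen = [], first_dir, set()
    while sid < len(fat) and sid not in seen:  # end-of-chain markers exceed len(fat)
        seen.add(sid)
        sec = sector(sid)
        for off in range(0, len(sec) - 127, 128):             # 128-byte entries
            name_len, etype = struct.unpack_from("<HB", sec, off + 64)
            if etype in (1, 2, 5) and 2 <= name_len <= 64:    # storage, stream, root
                raw_name = sec[off:off + name_len - 2]
                names.append(raw_name.decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def laroux_indicators(path, data):
    """Return the indicators from this page that apply to one workbook (heuristic)."""
    hits = []
    names = {n.lower() for n in ole_entry_names(data)}
    if "_vba_project_cur" in names and "laroux" in names:
        hits.append('VBA module stream named "laroux"')
    p = PureWindowsPath(path)
    # A PERSONAL.XLS in XLStart can be a legitimate personal macro workbook,
    # so it is reported as context, not as proof of infection.
    if p.name.lower() == "personal.xls" and p.parent.name.lower() == "xlstart":
        hits.append("saved as PERSONAL.XLS in an XLStart folder")
    return hits
```

A name match is a lead for further analysis with an antivirus engine or a VBA extractor, since a benign module can carry any name.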
Detection Availability
Product | Availability |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |