-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
      OUTSIDE ADVISORY REDISTRIBUTION

05 August 1996 12:00 GMT                         Number: ERS-OAR-E01-1996:013.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from NASIRC.  Contact
information for NASIRC is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

        NASIRC BULLETIN B-96-33         August 02, 1996

                            Laroux Excel Macro Virus
         ===========================================================
            NASA Automated Systems Incident Response Capability
               __    __      __      ___   ___  ____     ____
              /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
          Serving NASA and the International Aerospace Communities
         ===========================================================

         This bulletin reports a recently announced security vulner-
         ability.    It   may   contain   a   workaround or software
         patch.  Bulletins should be considered urgent  as  vulnera-
         bility information is likely to be widely known by the time
         a patch is issued or other solutions are developed.

         ===========================================================

SYSTEMS AFFECTED

        Systems running Microsoft Excel 5.x and 7.x on Windows 3.x,
        Windows 95, and Windows NT are affected.

PROBLEM DESCRIPTION

        The first "in the wild" Microsoft Excel macro virus, named
        ExcelMacro/Laroux, was found in July 1996.

        ExcelMacro/Laroux was written in Visual Basic for Applications
        (VBA). This is a macro language based on the Visual Basic
        language from Microsoft. This virus is able to operate in Excel
        5.x and 7.x under Windows 3.x, Windows 95, and Windows NT.  This
        virus does not work under any version of Excel for Macintosh or
        Excel 3.x or 4.x for Windows.

        ExcelMacro/Laroux consists of two macros: auto_open and
        check_files. The auto_open macro executes whenever a spreadsheet
        is opened, followed by the check_files macro that determines the
        startup path of Excel. If there is no file named "PERSONAL.XLS"
        in the startup path, the virus creates one. This file contains a
        module called "laroux".

        The Laroux virus infects the "PERSONAL.XLS" file which, by
        default, is found in "\MSOFFICE\EXCEL\XLSTART", but it can be
        changed using Excel's Tools/Options/General/Alternate Startup
        File menu option.  The file name PERSONAL.XLS is a default file
        name similar to NORMAL.DOT for Microsoft Word for Windows.  Once
        the "PERSONAL.XLS" file is infected, the macros will be copied to
        new workbooks by adding a new module called "laroux", infecting
        any created or accessed spreadsheets.

        ExcelMacro/Laroux is not known to be destructive and contains no
        obvious payload; it just replicates.

RECOMMENDED ACTIONS

   To determine if users have the virus, they should:

        1. Start Microsoft Excel.
        2. Click Macro on the Tools menu.
        3. Infection is likely if the following macro names are listed:
                           Auto_Open
                           Check_files
                           PERSONAL.XLS!auto_open
                           PERSONAL.XLS!check_files
        4.If users have any infected workbooks open in the background, they may
          also see the following names listed:
                           'bookname'!auto_open
                           'bookname'!check_files (where 'bookname'! is
                                the name of the open workbook)

        Note: Before disinfecting files, users should confirm the
        existence of the macro by clicking Unhide on the Window menu and
        unhiding the PERSONAL.XLS file. Doing this should make the sheet
        visible. Presence of the virus is indicated by the word "laroux" in
        the sheet tab.

   To manually disinfect ExcelMacro/Laroux, users should:

        1. Start Microsoft Excel.
        2. Click Macro on the Tools menu.
        3. Delete any of the following macro names that appear in the workbook:
                           Auto_Open
                           Check_files
                           PERSONAL.XLS!auto_open
                           PERSONAL.XLS!check_files
        4. Click Exit on the Microsoft Excel File menu, and click Yes to save all
           changes. Microsoft Excel is now clean.
        5. Continue to open all infected workbooks one by one. Press and hold the
           shift key while opening them to bypass any automacros.

                a. For each workbook, click Macro on the Tools menu and delete
                   the virus macros.
                b. Click Save on the File menu and re-save the file.

Prevention

        Users should reset the attributes for the PERSONAL.XLS file to
        read-only.  This protects PERSONAL.XLS so Laroux cannot
        infect it.  If PERSONAL.XLS does not exist on the system, users
        should create an empty PERSONAL.XLS file and follow the above
        procedure.


Detecting ExcelMacro/Laroux with F-PROT Professional:

        F-PROT supports user-defined search strings to search for new viruses.
        Users should add the following search string with the name
        ExcelMacro/Laroux:

                00 21 00 60 00 27 20 6A 00 20 20 6A 00 AD 00 01 00 5C 00 11

        After this, users should check all Excel worksheets for infection.  This
        can be done by scanning all files or by adding "XL?" to the list
        of file extensions to be scanned.

        Infected files will be reported by F-PROT like this:

                C:\SHEETS\CUSTOMER.XLS contains the ExcelMacro/Laroux search
                string.


*Note: Microsoft Tools - A free tool to detect and clean infected
documents is currently being developed and will be available within the
next week on http://www.microsoft.com.  NASIRC will obtain a copy and
place it in its ftp archives.

Vendor Information

        The following list is not a NASIRC recommendation for any
        product.  This list is not exhaustive and is only provided as a
        convenience.

        Vendors         Product         Detects         Eradicates

        DataFellows     Fprot           yes             Manually
        Microsoft       in development  yes             yes
        Symantec        SAM/NAM         yes             yes
        McAfee          McAfee          Unspecified     Unspecified

        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                ACKNOWLEDGMENTS: ASSIST and AT&T for bringing this
                        situation to NASIRC's attention.

                BULLETIN AUTHOR: Tom Baxter
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


        This advisory may be forwarded without restriction.  Persons
        within the NASA community or operating in support of a NASA
        contract may contact NASIRC with any questions about this
        advisory.

            Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
            International: +1-301-441-4398         STU III: 1-301-982-5480
            Internet E-Mail: nasirc@nasa.gov
            24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
            WWW: http://nasirc.nasa.gov/NASIRC_home.html
            FTP: nasirc.nasa.gov, login "anonymous"

        Anyone requiring assistance or wishing to report a security
        incident but not operating in support of NASA may contact the
        Forum of Incident Response and Security Teams (FIRST), an
        international organization of incident response teams, to
        determine the appropriate team.  A list of FIRST member
        organizations and their constituencies may be obtained by
        sending E-mail to "docserver@first.org" with an empty "subject"
        line and a message body containing the line "send first-contacts"
        or via WWW at  http://www.first.org/  .

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMgXsGPWDLGpfj4rlAQGGsAQAxGS/5I07QEwb0nnqZgtEX0NrqQdD1O2E
KyMHH1ZE6SIAmaBffNCnYO948YAzoSMEamGaw55tajVijOKZeuK6dQD1sMmvzn15
1I+m40TtGHmQYgdDiNbW+96X4VsSsrBm7Gp/J9sPEYkzDJ1sWSMViKI063HeQLEE
VSMxsm1meH8=
=Bchm
-----END PGP SIGNATURE-----