WG.728
Description WG.728
It is a very dangerous memory-resident, encrypted, parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are accessed by the FindFirst/Next ASCII DOS functions. The virus does not infect files matching: AI*.* AD*.* WE*.* VD*.* VS*.* MS*.* HI*.*
Depending on the system timer, the virus corrupts data as it is written to disk (INT 21h, AH=40h). The virus contains the text string: WG02
Macro.Excel.KMaster
Description Macro.Excel.KMaster
This is a French-specific Excel macro virus related to "Macro.Excel.Laroux". It infects Excel worksheets (XLS files). It contains two macros in the module KMaster: Auto_ouvrir and check_files. The Auto_ouvrir macro is an auto macro (auto_open), and it is executed when an infected file is opened. The virus takes control and installs itself into Excel. To do that, the virus creates the infected file PERSONAL.XLM in the Excel StartupPath directory. To intercept sheets and infect them, the virus sets its "check_file" macro (the infection routine) to be executed on any sheet activation. To detect already infected files, the virus looks for the KMaster module in the file, then for the Feuil1 page, then for the text "Knowledge is power" in the first field of this page.
Macro.Excel.Laroux
Description Macro.Excel.Laroux
This virus infects Excel sheets (XLS files). It contains two macros: auto_open and check_files. While loading an infected document, Excel executes the auto macro auto_open, and the virus gains control. The virus's auto_open macro contains just one command, which defines the check_files macro as the handler of the OnSheetActivate routine. As a result, the virus hooks the sheet-activate routine, and whenever a sheet is opened, the virus (the check_files macro) gains control. When the check_files macro gains control, it searches for a PERSONAL.XLS file in the Excel Startup directory and checks the module count in the current Workbook. If the active Workbook is infected and the PERSONAL.XLS file does not exist in the Excel Startup directory (the virus is being executed for the first time), the virus creates that file there and saves its code to it using the SaveAs command. The next time Excel loads its modules, it automatically loads all XLS files from the Startup directory. As a result, the infected PERSONAL.XLS is loaded along with the other files, the virus gains control, and it hooks the sheet activation routine. If the active Workbook is not infected (there are no modules in the active Workbook) and the PERSONAL.XLS file exists in the Excel directory, the virus copies its code to the active Workbook. As a result, the active Workbook is infected. To check your system for the virus, you should check PERSONAL.XLS and other XLS files for the string "laroux", which is present in infected sheets.
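The string check described in the Laroux entry, extended to the KMaster markers from the entry before it, can be scripted. The following Python is an added example, not code from the original page: it searches XLS/XLM files for "laroux", "KMaster" and "Knowledge is power", assuming the names are stored in the workbook as 8-bit text or UTF-16LE, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file signature of XLS workbooks

# Marker strings quoted in the descriptions on this page.
MARKERS = {
    "Macro.Excel.Laroux": ["laroux"],
    "Macro.Excel.KMaster": ["KMaster", "Knowledge is power"],
}

def scan_bytes(data):
    """Return {family: [markers found]} for one workbook's raw bytes."""
    if not data.startswith(OLE2_MAGIC):
        return {}                      # not an OLE2 workbook, out of scope here
    low = data.lower()                 # bytes.lower() folds ASCII letters only
    hits = {}
    for family, markers in MARKERS.items():
        found = [m for m in markers
                 # Assumption: names are stored as 8-bit text or UTF-16LE.
                 if m.lower().encode("ascii") in low
                 or m.lower().encode("utf-16-le") in low]
        if found:
            hits[family] = found
    return hits

def scan_tree(root):
    """Scan every .xls/.xlm file under root; return {path: hits} for matches."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".xls", ".xlm")):
                path = os.path.join(folder, name)
                with open(path, "rb") as fh:
                    hits = scan_bytes(fh.read())
                if hits:
                    report[path] = hits
    return report

def demo():
    """Run the scan over constructed sample files (not real infected workbooks)."""
    samples = {
        "PERSONAL.XLS": OLE2_MAGIC + b"\x00" * 64 + "laroux".encode("utf-16-le"),
        "budget.xls": OLE2_MAGIC + b"\x00" * 64 + b"KMASTER\x00Knowledge is power",
        "clean.xls": OLE2_MAGIC + b"\x00" * 64 + b"Sheet1",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, blob in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        return {os.path.basename(p): h for p, h in scan_tree(root).items()}
```

Point `scan_tree` at the Excel Startup directory and at shared document folders; a hit marks a file for closer inspection, since the same strings can occur in benign workbooks.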