If I am given a formula: Excel Formula Macro Virus

Last year, I analyzed an Excel Formula Macro Virus XF97/Yagnuul-A. Today, when I got in to work, what seemed to be a variant of XF97/Yagnuul-A was handed over to me by the Australian Lab.

After some digging there it appeared that there were actually two new variants and I could improved the original detection. So I set about replicating the samples and publishing detection (XF97/Yagnuul-C and XM97/Yagnuul-E). We don’t see many macro biruses anymore and we hardly ever see Excel Formula viruses. There are ~6000 macro viruses of which ~30 of them are Excel Formula viruses. So it was a case of quickly re-learning knowledge that had been pushed out of my head by newer more relevant information.

The thing about Excel Formula macros is that unlike normal VBA macros you cannot disable the macro code! When presented with the ubiquitous “contains macros” MessageBox you are give the choice of “Disable Macros”, “Enable Macros” or “More Info”.

Disable Macros

Pressing “Disable macros” gives you another MessageBox containing the following phrase “This workbook contains a type of macro (Microsoft Excel version 4.0 macro) that cannot be disabled. There may be viruses in these macros. If you are sure this workbook is from a trusted source, click Yes. Open the workbook?”.

Cannot be disabled

If you press “No” the document is not opened. Meaning users will re-open the file and press “Yes” to see the information and thereby infect themselves. This fact has meant that Excel Formula (or version 4.0 macro) viruses still turn up from time to time.