Title: PERSONAL COMPUTER SECURITY
Notice: SWEEP servers Note 5; more info on www-is-security.mso.dec.com
Moderator: BSS::BOREN
Created: Wed Jan 02 1991
Last Modified: Fri Jun 06 1997
Last Successful Update: Fri Jun 06 1997
Number of topics: 504
Total number of notes: 2905
````````````````````````````````````````````````````````````````````
WOW -- Woody's Office Watch
-----------------------------
(a Microsoft Word & Office guru comes to your desktop every week!)
````````````````````````````````````````````````````````````````````
12 February 1997 Vol 2 No 7
...
*** THE FIRST WORD 97 SPECIFIC VIRUS ***
If you only read one WOW article this year, this should be the one.
Please feel free to distribute this article far and wide, as long as
you distribute it in its entirety, including the credit at the bottom.
Last week I was researching an article for Office Computing, poking
around Microsoft's Web site, when I bumped into a self-extracting file
called REVCODES.EXE. That file expanded into something called
WORD97~1.DOC, purportedly a Microsoft marketing white paper. Ho-hum. I
opened WORD97~1.DOC in Word 97, and got that Virus Warning message, "If
you are sure this document is from a trusted source, click Enable
Macros. . ." I figured www.microsoft.com was a pretty trusted source,
so I clicked Enable Macros, and immediately popped into the VBA editor
to see what nifty macros Microsoft had posted with a lowly marketing
white paper.
There was just one macro, called autoOpen.MAIN (note capitalization),
attached to the document. Odd. I looked at autoOpen.MAIN and lo and
behold -- it was our old friend, the Wazzu virus. It looked a little
weird because, instead of appearing in good ol' WordBasic (the Word 6
and Word 95 macro language), this little hummer had been rewritten in
VBA/Word, so it would only run in Word 97.
I immediately checked out normal.dot, the global template, and found
another autoOpen.MAIN there. I'd been infected! I opened a new document
and, sure enough, it got infected, too. This beast acted just like the
old Wazzu virus, except it was written in VBA/Word. So it would only
ride on Word 97 documents, only infect Word 97 installations. I double-
checked against an old copy of Wazzu and found that this new virus was,
in effect, a fully mutated version of the old Wazzu virus, re-written
specifically to infect Word 97 installations. And it had infected me
just three weeks after Word 97 hit the shelves. From the Microsoft Web
site, no less.
I contacted Microsoft. To their credit, they pulled REVCODES.EXE within
minutes of discovering its location. I contacted the VMacro group, that
part of the international anti-virus group CARO that identifies and
names new macro viruses. The VMacro people were very helpful in
analyzing this new virus, pointing out a number of quirks and
idiosyncrasies. They debated about it a bit, then assigned the virus a
name befitting its status. The virus is now known as W97M.Wazzu.A,
where W97M stands for "Word 97 Macro virus". Remember that name. It's
the first of a new breed, created by a mutation that, in spite of great
odds, rendered the virus capable of surviving in this new environment
called "Office 97". While it's the first identified Word 97-specific
macro virus, you can bet it won't be the last: you'll be hearing a lot
about W97M.Wazzu.A and its kin in the coming months.
As many of you know, the Wazzu virus isn't terribly destructive. (In
spite of what the Joint Chiefs of Staff message said about it in last
week's WOW.) At random intervals Wazzu scrambles around a few words at
the end of an infected document, at times inserting the string "wazzu
". It propagates through a macro called autoOpen attached to infected
documents and to normal.dot, the global template. This new Wazzu works
in pretty much the same way, give or take a few glitches introduced by
the translation to VBA/Word.
I won't go into a lot of details about the source of W97M.Wazzu.A,
except to say that the mutation must've taken place during the Office
97 beta test process. For the rest of the story on W97M.Wazzu.A's
genesis, check out the May issues of Office Computing and PC Computing.
You can tell you're infected if you click on Tools/Macro/Macros and
there's a macro called autoOpen.MAIN (again, note the capitalization)
in normal.dot. Removing the infection is a monumental pain. First you
have to remove autoOpen.MAIN in normal.dot, then you have to go through
every single one of your Word 97 documents and templates, and make sure
none of them are infected. I've come up with a ten-step method for
doing this that will run in the May issue of Office Computing. In the
mean time, though, if you're infected, drop me a line at [email protected]
and I'll take you through the steps.
Nobody knows at this point how many copies of REVCODES.EXE were
downloaded, but you should scan your hard drive (and your company's
LAN, and maybe even your Web site!) to see if it expands to a file
called WORD97~1.DOC. If so, delete both WORD97~1.DOC and REVCODES.EXE
right away, and notify your favorite Anti-virus software manufacturer.
Since the mutation obviously took place during the Office 97 beta test,
if you have any old CDs with a beta version of Office 97 lying around
(something like 70,000 copies of "Beta 2" were distributed), get rid of
them. Delete the beta from your hard drive. And encourage other people
to do the same.
Finally, realize that Microsoft has distributed lots of infected
documents. At the very least there were conference CDs and a Solution
Provider CD with infected Word documents, a European Web site that
(I've been told) wasn't cleaned up for weeks, at least one infected
document on the CompuServe Excel forum, and heaven knows how many
others. When opening a file from Microsoft, if the Word 97 Virus
Warning message asks if you got the file from a reliable source, keep
Microsoft's track record in mind. You might save yourself a ton of
trouble.
You might be wondering if you should avoid upgrading to Office 97
because of W97M.Wazzu.A -- if the headache of a new virus might not
make your life more miserable. That isn't the case, of course; quite
the contrary, in fact. According to The Virus Bulletin
(www.virusbtn.com ), in January the most-frequently-reported virus of
any kind was the Concept macro virus. The second most common was the
Npad macro virus, and number five was Wazzu. The three of them together
accounted for 30% of all reported virus infestations in January. These
three will all infect Word 6 or Word 95 documents and installations.
But none of the common strains of Concept, Npad or Wazzu will infect
Word 97. If you're concerned about macro viruses, the quickest way to
eliminate the largest threat is to simply upgrade to Word 97.
From Woody's Office Watch, copyright 1997 Pinecliffe International. To
subscribe to WOW, the free weekly electronic bulletin on Microsoft
Office, send e-mail to [email protected].
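
The two checks the article describes (look for REVCODES.EXE / WORD97~1.DOC on disk, and look for an autoOpen macro in normal.dot and every document) can be run as one read-only sweep. The following is an added example, not part of the newsletter or of any Microsoft or anti-virus tool. It assumes that Word 97 files are OLE2 compound files and that the macro module name appears in them as the UTF-16LE string "autoOpen"; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE2 compound-file signature
NAMED_FILES = {"revcodes.exe", "word97~1.doc"}    # file names given in the article
# Assumption: the macro module shows up in the file as the UTF-16LE string
# "autoOpen" (how OLE2 stores stream names); compared case-insensitively.
MODULE_UTF16 = "autoopen".encode("utf-16-le")

def has_module_name(data):
    """True for an OLE2 file whose bytes contain the module name (heuristic)."""
    return data.startswith(OLE2_MAGIC) and MODULE_UTF16 in data.lower()

def sweep(root):
    """Walk root and return sorted (path, reason) pairs worth a manual look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() in NAMED_FILES:
                findings.append((path, "named-file"))
            try:
                with open(path, "rb") as fh:
                    data = fh.read()          # whole file: fine for documents
            except OSError:
                continue                      # unreadable file: skip it
            if has_module_name(data):
                findings.append((path, "autoOpen-module"))
    return sorted(findings)

def build_sample_tree(root):
    """Write constructed stand-in files (not real documents) for the demo."""
    marked = OLE2_MAGIC + b"\x00" * 64 + "autoOpen".encode("utf-16-le")
    upper = OLE2_MAGIC + b"\x00" * 64 + "AUTOOPEN".encode("utf-16-le")
    samples = {
        "Word97~1.doc": marked,                       # named file + module name
        "report.doc": OLE2_MAGIC + b"\x00" * 64,      # OLE2, no module name
        "notes.txt": b"autoOpen mentioned in text",   # not OLE2, ASCII only
        os.path.join("sub", "NORMAL.DOT"): upper,     # different letter case
    }
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in sweep(tmp):
            print(reason, os.path.relpath(path, tmp))
```

A hit is a reason to inspect the file in the macro list, not a verdict: a legitimate AutoOpen macro matches the same string, and the sweep never opens a document in Word.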
T.R | Title | User | Personal Name | Date | Lines
---|---|---|---|---|---
481.1 | Thanks for this report | VARDAF::BERBIGIER | No known policy forbids common sense | Mon Feb 17 1997 05:35 | 20

1/ Viruses: no one is safe! As you mentioned it, Microsoft
did propagate macro viruses (CDs, Web) and he's not alone!
2/ Whenever opening a Word document, either if you've installed
SCANPROT or are running Word 7.0a with antivirus detection
configured, NEVER ACCEPT TO EXECUTE THE MACROS. (In 99.99% of cases
these macros are viruses.)
3/ Never distribute Word documents with macros. Virus-aware
users should not execute them! (even legitimate macros)
4/ As far as I understand, Office97 is distributed with tools
that will convert Office95 macros into the new language, making
all existing macro viruses work happily in the new environment.
5/ Due to late disclosure of Office97 file formats to the
anti-virus producers, there are today very few products on the market
that are able to safely disinfect Office97 macro viruses.
Pierre