By: George Rudzinski
Re: Macrovirus 1
New macro viruses target Word document files
Date: 23rd of August, 1995, updated 27th of October.
Same information in Finnish / Suomenkielinen versio
- Introduction
- WordMacro/DMV
- WordMacro/Concept
- WordMacro/Nuclear
- NEW! WordMacro/Colors
- Protecting yourself against macro viruses
Introduction
Macro viruses are not a new concept - they were predicted as early
as the late eighties. At that time, the first studies about the
possibility of writing viruses with the macro languages of certain
applications were made.
However, macro viruses are not just a theory any more. Currently,
there are several known macro viruses. They have all been written
with WordBasic, the powerful macro language of Microsoft Word. These
viruses spread through Word documents - Word's advanced template
system makes it an opportune environment for viral mischief. This
is problematic, because people exchange documents a lot more than
executables or floppy disks. Macro viruses are also very easy to
create or modify.
Although other word processors like WordPerfect and Ami Pro do
support reading Word documents, they can not be infected by these
viruses. It is not impossible to write similar viruses for these
systems, however.
WordMacro/DMV
WordMacro/DMV is probably the first Word macro virus to have been
written. It is a test virus, written by a person called Joel McNamara
to study the behavior of macro viruses. As such, it is no threat
- it announces its presence in the system, and keeps the user
informed of its actions.
Mr. McNamara wrote WordMacro/DMV over a year ago, in fall 1994
- at the same time, he published a detailed study about macro
viruses. He kept his test virus under wraps until a real macro virus,
WordMacro/Concept, was recently discovered. At that time, he decided
to make WordMacro/DMV known to the public. We oppose such behaviour;
although it can be argued that spreading such information will
educate the public, we can also expect to see new variants of the DMV
virus, as well as totally new viruses inspired by the techniques used
in this virus. McNamara also published a skeleton for a virus to
infect Microsoft Excel spreadsheet files.
F-PROT Professional 2.20 is able to detect the WordMacro/DMV
macro virus.
WordMacro/Concept
WordMacro/Concept - also known as Word Prank Macro or WW6Macro -
is a real macro virus which has been written with the Microsoft Word
v6.x macro language. It has been reported in several countries, and
seems to have no trouble propagating in the wild.
WordMacro/Concept consists of several Word macros. Since Word macros
are carried with Word documents themselves, the virus is able to
spread through document files. This is a quite ominous development
- so far, people have only had to worry about infections in their
program files. The situation is made worse by the fact that
WordMacro/Concept is also able to function with Microsoft Word for
Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95
and Windows NT environments. It is, truly, the first functional
multi-environment virus, although it can be argued that the effective
operating system of this virus is Microsoft Word, not Windows or
MacOS.
The virus gets executed every time an infected document is opened.
It tries to infect Word's global document template, NORMAL.DOT (which
is also capable of holding macros). If it finds either the macro
"PayLoad" or "FileSaveAs" already on the template,
it assumes that the template is already infected and ceases its
functioning.
If the virus does not find "PayLoad" or "FileSaveAs"
in NORMAL.DOT, it copies the viral macros to the template
and displays a small dialog box on the screen. The box contains the
number "1" and an "OK" button, and its title
bar identifies it as a Word dialog box. This effect seems to have
been meant to act as a generation counter, but it does not work as
intended. This dialog is only shown during the initial infection
of NORMAL.DOT.
After the virus has managed to infect the global template, it infects
all documents that are created with the "Save As" command.
It is then able to spread to other systems on these documents - when
a user opens an infected document on a clean system, the virus will
infect the global document template.
The virus consists of the following macros:
AAAZAO
AAAZFS
AutoOpen
FileSaveAs
PayLoad
[Picture: the macro list in an infected machine]
Note that "AutoOpen" and "FileSaveAs" are legitimate
macro names, and some users may already have attached these macros
to their documents and templates. In this context, "PayLoad"
sounds very ominous. It contains the text:
Sub MAIN
REM That's enough to prove my point
End Sub
However, the "PayLoad" macro is not executed at any time.
You can detect the presence of the WordMacro/Concept macro virus
in your system by simply selecting the command Macro from Word's
Tools menu. If the macro list contains a macro named "AAAZFS",
your system is infected.
You could prevent the virus from infecting your system by creating
a macro named "PayLoad" that doesn't have to do anything.
The virus will then consider your system already infected, and will
not try to infect the global template NORMAL.DOT. This is only a
temporary solution, though - somebody may modify the virus's
"AutoOpen" macro to infect the system regardless of whether NORMAL.DOT
contains the macros "FileSaveAs" or "PayLoad".
There is also an anti-macro virus package called WVFIX available.
This package will detect if your copy of Word is infected, and will
clean it if needed. It can also modify your Word settings so that
this specific macro virus will be unable to infect it. In addition,
WVFIX is available on the F-PROT for DOS diskette.
The WVFIX package is available from the Data Fellows FTP site at
URL ftp://ftp.datafellows.fi/pub/f-prot/wvfix.zip. If you are located
in the United States, you might want to get the package from Command
Software System's FTP site at
ftp://ftp.commandcom.com/pub/fix/wvfix.zip.
If you don't have F-PROT Professional which detects this virus, you
can detect it manually with older F-PROT versions: you can do this
by directly copying the following lines to a file called USER.DEF
in your F-PROT for DOS directory:
CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67
To scan for the user-defined virus string, either configure F-PROT
to scan all files, or add the filename extension ".DO?" to the list
of files F-PROT should scan for. It is recommended that you simply
scan all files in case your users use a non-standard filename
extension for their documents. Under the Targets menu item turn on
User-defined Virus Strings.
Isolate all documents or document templates that contain this search
string and examine them for the virus. DO NOT ASSUME ANY OF THE FILES
ARE INFECTED, AS THE STRINGS REQUIRED TO IDENTIFY IT COULD OCCUR
IN UNINFECTED DOCUMENTS. Instead, check suspect files with the WVFIX
package mentioned above.
F-PROT Professional 2.20 is able to detect the WordMacro/Concept
macro virus.
WordMacro/Nuclear
WordMacro/Nuclear was recently discovered. Like WordMacro/DMV and
WordMacro/Concept, it spreads through Microsoft Word documents. The
new virus was first spotted on an FTP site on the Internet, in a
publicly accessible area which has in the past been a notorious
distribution site for viral code. Apparently, the virus's distributor
has some sense of irony; the virus was attached to a document which
described an earlier Word macro virus, WordMacro/Concept.
Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only
potentially harmful, WordMacro/Nuclear is destructive, harmful and
generally obnoxious. It consists of a number of Word macros attached
to documents. When an infected document is opened, the virus is
executed and tries to infect Word's global document template,
NORMAL.DOT.
Unlike WordMacro/Concept - which pops up a dialogue box when it
infects NORMAL.DOT - WordMacro/Nuclear does not announce its arrival
in the system. Instead, it lays low and infects every document
created with the "Save As" function by attaching its own macros to it.
The virus tries to hide its presence by switching off the "Prompt
to save NORMAL.DOT" option (in the Options dialogue, opened
from the Tools menu) every time a document is closed. That way, the
user is no longer asked whether changes in NORMAL.DOT should be saved,
and the virus is that much more likely to go unnoticed. Many users
relied on this option to protect themselves against the
WordMacro/Concept virus, but it obviously no longer works against
Nuclear.
WordMacro/Nuclear contains several potentially destructive and
irritating routines. The next time Word is started after initial
infection, one of its constituent macros, "DropSuriv", looks up the
time in the computer's clock. If the time is between 17.00 and 17.59,
the virus tries to inject a more traditional DOS/Windows file virus
called "Ph33r" into the system (as the virus's author
has commented in the virus's code: "5PM - approx time before
work is finished"). "Suriv" is, of course, "Virus"
spelled backwards. However, due to an error, this routine does not
work as intended in any of the popular operating environments.
Another of the virus's macros, "PayLoad", tries to delete
the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM
whenever the date is the fifth of April. And finally, the virus adds
the following two lines:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC
at the end of any document printed or faxed from Word during the
last five seconds of any minute. Since the text is added at print
time only, the user is unlikely to notice this embarrassing change.
This function is handled by the viral macro "InsertPayload".
The virus can be detected by selecting the Macro command from the
Tools menu and checking whether the macro list contains any curiously
named macros. "DropSuriv" and "InsertPayload"
are obvious giveaways.
F-PROT Professional 2.20 is able to detect the WordMacro/Nuclear
virus.
WordMacro/Colors
This macro virus was posted to a usenet newsgroup on the 14th of
October, 1995. It is also known as the Rainbow virus. This macro
virus infects Word documents in a similar manner as the previous
Word macro viruses, except that it does not rely only on the
auto-execute macros to operate. Thus, this virus will be able to
execute even if the automacros are turned off. Colors contains the
following macros:
AutoClose
AutoExec
AutoOpen
FileExit
FileNew
FileSave
FileSaveAs
ToolsMacro
macros
All macros are encrypted with the standard Word execute-only feature.
When an infected document is opened, the virus will execute when the
user:
- Creates a new file
- Closes the infected file
- Saves the file (autosave does this automatically after the
  infected document has been open for some time)
- Lists macros with the Tools/Macro command
It is important NOT TO USE THE TOOLS/MACRO COMMAND to check if you
are infected with this virus, as you will just execute the virus
while doing this. Instead, use the File/Templates/Organizer/Macros
command to detect and delete the offending macros. Do note that a
future macro virus will probably subvert this command as well.
The virus maintains a generation counter in WIN.INI, where a line
"countersu =" in the [windows] part is increased during the execution
of the macros. After every 300th increment the virus will modify
the system color settings; the colors of different Windows objects
will be changed to random colors after the next boot-up. This
activation routine will not work under Microsoft Word for Macintosh.
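As an added example (not part of the original Data Fellows page), the following Python script reads a WIN.INI file, looks for the "countersu" line under [windows] described above, and reports how many further macro executions remain before the next 300th increment. The WIN.INI excerpt is constructed for the example, and the script assumes the counter is stored as a plain decimal number; WIN.INI is read the way Windows reads it, with key names case-insensitive and whitespace around "=" ignored.

```python
import configparser

COUNTER_KEY = "countersu"   # key the article says WordMacro/Colors keeps
TRIGGER_EVERY = 300          # the colour-changing routine fires every 300th increment

# Constructed WIN.INI excerpt: ordinary [windows] keys plus the counter.
SAMPLE_WIN_INI = """\
[windows]
load=
run=
NullPort=None
countersu = 287

[Desktop]
Wallpaper=(None)
"""


def read_counter(ini_text):
    """Return the integer value of countersu in [windows], or None if absent
    or not a number.  Section and key names are matched case-insensitively."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.optionxform = str.lower          # WIN.INI keys are case-insensitive
    cp.read_string(ini_text)
    section = next((s for s in cp.sections() if s.lower() == "windows"), None)
    if section is None:
        return None
    value = cp.get(section, COUNTER_KEY, fallback=None)
    if value is None:
        return None
    try:
        return int(value.strip())
    except ValueError:
        return None


def assess(ini_text):
    """Summarise the finding: whether the indicator is present and how many
    more macro executions remain until the counter next hits a multiple of 300."""
    n = read_counter(ini_text)
    if n is None:
        return {"indicator_present": False}
    return {
        "indicator_present": True,
        "counter": n,
        "runs_until_next_activation": TRIGGER_EVERY - n % TRIGGER_EVERY,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_WIN_INI))
```

A counter line under [windows] is not a normal Windows setting, so its mere presence is the indicator; the remaining-runs figure is only an estimate of when the visible colour change would appear on a machine that has not been cleaned.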
It is interesting to note that the AutoExec macro in the virus is
empty. It is probably included just to overwrite an existing AutoExec
macro - which might contain some antivirus routines. WordMacro/Colors
also enables the automatic execution of automacros if they have been
disabled, and turns off the 'prompt to save changes to NORMAL.DOT'
feature, both of which have been used to fight macro viruses.
WordMacro/Colors seems to be carefully written; the virus even has
a debug mode built in. The virus was probably written in Portugal.
F-PROT Professional 2.20 is not yet able to detect the
WordMacro/Colors macro virus, but you can detect it manually by
directly copying the following lines to a file called USER.DEF in
your F-PROT for DOS directory:
CE WordMacro/Colors
0100066D6163726F730100084175746F45786563
To scan for the user-defined virus string, either configure F-PROT
to scan all files, or add the filename extension ".DO?" to the list
of files F-PROT should scan for. It is recommended that you simply
scan all files in case your users use a non-standard filename
extension for their documents. Under the Targets menu item turn on
User-defined Virus Strings.
Isolate all documents or document templates that contain this search
string and examine them for the virus. DO NOT ASSUME ANY OF THE FILES
ARE INFECTED, AS THIS PRELIMINARY STRING COULD OCCUR IN UNINFECTED
DOCUMENTS.
F-PROT Professional 2.21 is able to detect the WordMacro/Colors
macro virus.
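The two USER.DEF search strings given in this document (for WordMacro/Concept in the earlier section and for WordMacro/Colors above) are plain byte patterns, so the same check can be reproduced outside F-PROT. The following Python script is an added example, not part of the original page and not F-PROT's code: it parses the two "CE" entries, decodes them so you can see what bytes are actually matched (the Colors string is visibly two length-prefixed macro names, "macros" and "AutoExec"), and scans a set of constructed sample files either in full or restricted to *.do? names, the two F-PROT configurations the text describes. The USER.DEF layout assumed, the sample file contents and all function names are assumptions of the example; as the text stresses, a hit marks a file as suspect, not as infected.

```python
import re
import tempfile
from pathlib import Path

# The two user-defined search strings exactly as the article gives them
# for F-PROT's USER.DEF ("CE" introduces a user-defined string).
USER_DEF = """\
CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67
CE WordMacro/Colors
0100066D6163726F730100084175746F45786563
"""


def parse_user_def(text):
    """Parse USER.DEF text into {name: signature_bytes}.

    Layout assumed here (it matches the lines on the page): a 'CE <name>'
    line followed by one line of hex digits."""
    sigs, name = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.upper().startswith("CE "):
            name = line[3:].strip()
        elif name is not None:
            sigs[name] = bytes.fromhex(line)
            name = None
    return sigs


def printable(sig):
    """Show a signature with non-printable bytes escaped, so an analyst can
    see e.g. that the Colors string is two length-prefixed macro names."""
    return "".join(chr(b) if 32 <= b < 127 else f"\\x{b:02x}" for b in sig)


def scan_bytes(data, sigs):
    """Names of all signatures that occur anywhere in data (sorted)."""
    return sorted(name for name, sig in sigs.items() if sig in data)


def scan_paths(paths, sigs, scan_all=True):
    """Scan files and return {path: [signature names]} for the ones that hit.

    scan_all=False restricts scanning to *.do? names, mirroring the
    narrower F-PROT configuration the article mentions."""
    hits = {}
    for p in map(Path, paths):
        if not scan_all and not re.fullmatch(r"\.do.", p.suffix, re.I):
            continue
        found = scan_bytes(p.read_bytes(), sigs)
        if found:
            hits[str(p)] = found
    return hits


def build_samples(sigs):
    """Constructed sample files (filler bytes, not real Word documents):
    one clean, two carrying a signature, and one renamed to .txt to show
    why the article recommends scanning every file."""
    concept, colors = sigs["WordMacro/Concept"], sigs["WordMacro/Colors"]
    return {
        "letter.doc": b"Dear Sir,\r\nplease find the minutes attached.\r\n",
        "report.doc": b"Quarterly report\r\n" + concept + b"\r\nend of text",
        "notes.dot": b"template header " + colors + b" trailing bytes",
        "memo.txt": b"renamed document " + colors,
    }


def demo(scan_all=True):
    """Write the samples to a temporary directory, scan them and return the
    hits keyed by file name."""
    sigs = parse_user_def(USER_DEF)
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, data in build_samples(sigs).items():
            path = Path(d) / name
            path.write_bytes(data)
            paths.append(path)
        hits = scan_paths(paths, sigs, scan_all)
    return {Path(k).name: v for k, v in hits.items()}


if __name__ == "__main__":
    for name, sig in parse_user_def(USER_DEF).items():
        print(f"{name}: {printable(sig)}")
    print("all files:", demo(scan_all=True))
    print("*.do? only:", demo(scan_all=False))
```

Running the script shows the renamed memo.txt being missed when only *.do? files are scanned, which is exactly the reason the text recommends scanning all files. Because both strings are short and the Colors one is little more than two macro names, any matching file still has to be examined (for example with the WVFIX package or the Organizer dialog) before it is treated as infected.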
Protecting yourself against macro viruses
There is a generic way to protect your Word against currently known
macro viruses except WordMacro/Colors. Select the command Macro from
the Tools menu and create a new macro called "AutoExec". Write the
following commands to the macro and save it:
Sub MAIN
DisableAutoMacros
MsgBox "AutoMacros are now turned off.", "Virus protection", 64
End Sub
This macro will be executed automatically when Word starts. It will
disable the feature which Concept, DMV and Nuclear use to attack
the system. However, there are ways to create future macro viruses
that are able to bypass such protection.
Currently known Word macro viruses are not able to infect certain
nationalized versions of Word. In these programs, the macro language
commands have been translated to the national language, and therefore
macros created with the English version of Word will not work. Since
these viruses consist of macros, they will be unable to function.
Description of WordMacro/Concept is based on information received
from Sarah Gordon, Command Software System's F-PROT Professional
Support, e-mail: sgordon@commandcom.com.
There's more information on Word macro viruses and on Microsoft Word
in general at Woody Leonhard's Wopr site. You might also want to
check out what Microsoft has to say on the subject.
F-PROT-Support@DataFellows.com