NEW MACRO VIRUS TARGETS WORD DOCUMENT FILES

Date: 23rd of August, 1995

Overview

A new virus written in the Microsoft Word for Windows v6.x macro language
(WordBasic) has been reported to be in the wild in several countries.

The virus, known as WinWord.Concept, Word Prank Macro or WW6Macro, infects
Word DOC files. It also works under Microsoft Word for Macintosh v6.x,
making this the first multiplatform virus. The virus also replicates in
Microsoft Word running under Windows 95 and Windows NT.

The virus is executed when an infected Word document is opened. From then
on, every document saved with that copy of Word is infected automatically.

How to detect if you are infected

Run Word and open menu Tools/Macro. If you see a macro named AAAZFS on the
list, you're infected. For further information, refer to WVFIX below.

Technical information

Infected document files contain a Microsoft WordBasic macro which is
capable of attaching itself to other documents. These copies can
themselves replicate when infected documents are opened.

The macro names to look for are as follows:

  AAAZAO
  AAAZFS
  AutoOpen
  FileSaveAs
  PayLoad

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names that some
users may already have on their system, so their presence alone does not
indicate infection; the names AAAZAO, AAAZFS and PayLoad do.

The macro virus triggers as part of Microsoft Word's "AutoOpen" macro. For
reference, the "AutoOpen" macro executes each time you open a document.

The first thing the macro virus does is check the global document template,
typically "NORMAL.DOT", for the presence of either a macro named "PayLoad"
or "FileSaveAs". If either macro is found, the routine aborts and no
infection of the global document template occurs.

During the course of copying the macros to the global document template, a
small dialog box with an "Ok" button appears on the screen. The dialog box
simply contains the number "1" as its only text. The title bar of the
dialog box indicates it is a Microsoft Word dialog box. This dialog will
only be shown during the initial infection.

Once these macros are in the global document template, they replicate by
means of the virus's own version of the File Save As command. Consequently
any document saved with File Save As from that copy of Word will carry the
macro virus, and an uninfected user need only open such a document to
become infected.

An interesting observation is that the "PayLoad" macro contains the
following text:

  Sub MAIN
    REM That's enough to prove my point
  End Sub

However, "PayLoad" is never executed. Because of the flexibility of
Microsoft's WordBasic macro language, almost anything could be done there.

Also note that Word is sold in many languages, and in some national versions
the macro language commands themselves have been translated. Macros written
with the English version of Word therefore do not work in, for example, the
Finnish version, so users of such a national version will not be infected by
this virus. However, opening an infected document in a translated version of
Word produces no errors, and the infection stays intact even if the document
is re-saved. Such users should therefore check for the virus in any case, so
as not to spread infected DOC files further.

What you can do

Since the "AutoOpen" macro first checks for the presence of a "PayLoad" or
"FileSaveAs" macro before continuing, simply creating a "PayLoad" macro
that does nothing is sufficient to prevent the virus from spreading.

Note that this is only a temporary solution as the "AutoOpen" macro could
be modified to simply infect the document template regardless of whether a
"PayLoad" or a "FileSaveAs" macro exists.

We recommend you get the WVFIX package and install it to your Word for
Windows. This package will detect if your copy of Word is infected and
will clean it if needed. It can also modify your Word settings so that
this specific macro virus will be unable to infect it. In addition, WVFIX
package can be used to check all further DOC files for infection.

The WVFIX package is available from the Data Fellows FTP site at URL
ftp://ftp.datafellows.fi/pub/f-prot/wvfix.zip. If you are located in the
United States, you might want to get the package from Command Software
System's FTP site at ftp://ftp.commandcom.com/pub/fix/wvfix.zip.

Product specific advice

Owners of F-PROT can search for the virus by adding the user-defined virus
search string below (the USER.DEF entry further down carries a longer form
of the same string; its first twelve bytes are identical):

Winword.Concept = 64 6F 02 69 0D 69 57 57 36 49 49 6E

When entering the user-defined search string, answer "Yes" when F-PROT asks
you if the virus is a COM or EXE file infector.

You can also do this by directly copying the following lines to a file
called USER.DEF in your F-PROT for DOS directory:

  CE Winword.Concept
  646F02690D6957573649496E7374616E63650C67

To scan for the user-defined virus string, either configure F-PROT to scan
all files, or add the filename extension ".DO?" to the list of files
F-PROT should scan for. It is recommended that you simply scan all files
in case your users use a non-standard filename extension for their
documents.

Under the Targets menu item turn on User-defined Virus Strings.

Isolate all documents or document templates that contain this search string
and examine them for the virus. Do not assume a matching file is infected:
the bytes used to identify the virus can also occur in uninfected
documents. Instead, check suspect files with the WVFIX package mentioned
above.
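As an added illustration of the search-string check described above (example code written for this page, not part of the advisory, of F-PROT or of WVFIX): a small Python scanner that reads the USER.DEF entry quoted above, searches files for that byte string and for the macro names listed earlier, honours the ".DO?" versus scan-all-files choice, and, following the caveat above, reports a match only as "suspect". The USER.DEF parser, the "document" buffers it scans and the assumption that Word 6 stores macro names as plain text inside the file are all constructed for this example; real DOC files are not parsed.

```python
# Added example for this page, not part of the advisory or of F-PROT/WVFIX.
# The signature bytes are the ones quoted in the advisory; everything else
# (USER.DEF parser, sample buffers, macro-name search) is constructed here.
import re
from pathlib import Path

# USER.DEF text as given in the advisory: a "CE <name>" line followed by
# the hex-encoded search string on the next line.
USER_DEF = """\
CE Winword.Concept
646F02690D6957573649496E7374616E63650C67
"""

# Macro names the advisory lists. The last two are legitimate names as
# well, so they are corroborating evidence only, never proof on their own.
VIRUS_ONLY_MACROS = (b"AAAZAO", b"AAAZFS", b"PayLoad")
SHARED_MACROS = (b"AutoOpen", b"FileSaveAs")


def parse_user_def(text):
    """Return {name: signature_bytes} from USER.DEF-style text."""
    sigs = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("USER.DEF entries come in name/hex pairs")
    for i in range(0, len(lines), 2):
        tag, _, name = lines[i].partition(" ")
        if tag != "CE" or not name:
            raise ValueError("unexpected USER.DEF entry: %r" % lines[i])
        sigs[name] = bytes.fromhex(lines[i + 1])
    return sigs


def scan_bytes(data, sigs):
    """Return ([(signature_name, offset), ...], [macro names seen]).

    Assumption for this example: macro names appear as plain ASCII in the
    file, so a byte search is a usable rough check. The DOC format itself
    is not parsed.
    """
    hits = [(name, m.start())
            for name, sig in sigs.items()
            for m in re.finditer(re.escape(sig), data)]
    macros = [m.decode() for m in VIRUS_ONLY_MACROS + SHARED_MACROS if m in data]
    return hits, macros


def verdict(hits, macros):
    """Classify a scan result. The signature is required for 'suspect';
    nothing is ever called 'infected', because the advisory warns the
    search string can occur in clean documents."""
    if not hits:
        return "clean"
    if any(m.encode() in VIRUS_ONLY_MACROS for m in macros):
        return "suspect: signature and virus macro names present"
    return "suspect: signature only, verify with WVFIX"


def is_document_name(path):
    """F-PROT's ".DO?" pattern: a three-letter extension starting with DO."""
    suffix = Path(path).suffix.lower()
    return len(suffix) == 4 and suffix.startswith(".do")


def scan_dir(root, sigs, all_files=True):
    """Scan a directory tree; all_files=True mirrors the advice to scan
    everything in case documents use non-standard extensions."""
    results = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        if not all_files and not is_document_name(path):
            continue
        hits, macros = scan_bytes(path.read_bytes(), sigs)
        results[str(path)] = verdict(hits, macros)
    return results


def demo():
    """Run the scanner over three constructed in-memory 'documents'."""
    sigs = parse_user_def(USER_DEF)
    sig = sigs["Winword.Concept"]
    samples = {  # constructed buffers, not real Word files
        "infected.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32
                        + b"AAAZFS\x00AutoOpen\x00PayLoad\x00" + sig,
        "clean.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 32
                     + b"AutoOpen\x00FileSaveAs\x00",
        "fragment.doc": b"\xd0\xcf\x11\xe0" + b"A lone copy of: " + sig,
    }
    return {name: verdict(*scan_bytes(data, sigs))
            for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", result)
```

The third sample shows why the advisory says not to trust the string alone: it matches, yet carries none of the virus macro names, so it is flagged for a WVFIX check rather than declared infected. Pass `all_files=False` to `scan_dir` to reproduce the ".DO?" filter instead of scanning everything.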

This document is based on information received from Sara Gordon, Command
Software System's F-PROT Professional Support, e-mail:
gordon@commandcom.com.
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
 This information was processed from data provided by the
 company/author mentioned. For additional details, please
 contact them directly at the address/phone# indicated.
 Trademarks are the property of their respective owners.
 =========================================================
