New Macintosh Virus Discovered (Word Macro 9508)
28 August 1995

Virus: Word-Macro-9508 (see description, below, for aliases)

Damage: Changes macros in some Word files and templates; may alter file
types.

Spread: Under Microsoft Word 6.0 for Mac, DOS, OS/2, Windows (all), and
others.

Systems affected: All Apple Macintosh computers, plus PCs.

The Word Macro virus is the first non-research instance of a virus type
that has been known to anti-virus experts for years: a virus residing in
interpreted data that can spread to different OS platforms. This virus
does not spread via modification of executable machine code, but by
modification of data in files that are interpreted by application
programs. In this case, the interpreter is the Microsoft Word 6.0 program
(also part of Microsoft Office), and any other versions of Word that
support macros and WordBasic.

This virus is capable of spreading to and from more than one platform. Any
systems that are capable of running Microsoft Word 6.0 can be affected by
the virus, and transfer of files between systems can spread it. Thus,
transferring Word files between DOS, OS/2, Windows, NT, or other non-Mac
platforms and your Mac can spread the virus. Note that this may be more
common on Mac systems with PC co-processor cards or running SoftWindows.

The virus appears to be widespread in the PC (DOS, OS/2, Windows, etc.)
world, with instances from the US, UK, France, Germany, Canada, the
Netherlands, Turkey, and Finland reported to one major PC anti-virus firm.
However, we have seen very few reports of the virus on Macs to date.

The virus adds several new macros to the global macro pool: "AAAZA0",
"AAAZFS", "Payload" and one entitled "FileSaveAs". The virus is activated
in an infected file when you choose the "Save As" feature in the "File"
menu and the virus macro is run. The altered macros are then saved with
the file, and may be saved in the global template file as well.

When triggered, the virus may be noticed by the appearance of an alert
window with the digit "1" in it. On Macs, it may also be noticed because
infected files are saved as templates no matter what type was specified in
the "Save As" dialog (note that this changes the icon you see from that of
a normal document). Additionally, a user may examine the defined macros
for a file to determine if any suspicious macros are present. As has been
noted in some press releases, the virus code is simple for a novice to
modify, so variants may also be present or appear soon; variants that will
run successfully on all affected platforms, including Macintoshes, may not
be so simple to create.
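
As an added example (not part of the original advisory or of any vendor's
tool), the macro-name check described above can be sketched as a byte scan
for the four macro names this advisory lists. It assumes the names are
stored as readable single-byte strings in the file, which the advisory does
not state; the sample inputs are constructed, not real Word files.

```python
import re

# Macro names exactly as listed in this advisory, upper-cased for matching.
LISTED = (b"AAAZA0", b"AAAZFS", b"PAYLOAD", b"FILESAVEAS")
# "FileSaveAs" is also a legitimate macro name and "payload" an ordinary
# word, so only the two unusual names count as distinctive evidence.
DISTINCTIVE = {"AAAZA0", "AAAZFS"}


def listed_names_in(data: bytes) -> set:
    """Return the listed macro names that appear as whole tokens in data."""
    upper = data.upper()  # case-insensitive match on ASCII bytes
    found = set()
    for name in LISTED:
        # Assumption: a name is delimited by non-alphanumeric bytes
        # (for example a length byte or a NUL), not embedded in a longer word.
        pattern = rb"(?<![A-Z0-9])" + re.escape(name) + rb"(?![A-Z0-9])"
        if re.search(pattern, upper):
            found.add(name.decode("ascii"))
    return found


def triage(data: bytes):
    """Classify a file's bytes as 'likely', 'suspicious' or 'no-match'."""
    found = listed_names_in(data)
    hits = found & DISTINCTIVE
    if hits == DISTINCTIVE and "FILESAVEAS" in found:
        verdict = "likely"      # both unusual names plus the Save As hook
    elif hits:
        verdict = "suspicious"  # partial match: inspect the macros by hand
    else:
        verdict = "no-match"    # none of the unusual names were seen
    return verdict, sorted(found)


# Constructed samples (not real Word documents).
SAMPLE_INFECTED = (b"\x00" * 8 +
                   b"\x06AAAZA0\x06AAAZFS\x07PayLoad\x0aFileSaveAs\x00")
SAMPLE_BENIGN = b"\x0aFileSaveAs\x00 notes on the payload size \x00"
SAMPLE_PARTIAL = b"\x00\x06aaazfs\x00"

if __name__ == "__main__":
    for label, blob in (("infected", SAMPLE_INFECTED),
                        ("benign", SAMPLE_BENIGN),
                        ("partial", SAMPLE_PARTIAL)):
        print(label, triage(blob))
```

A "no-match" result only means the listed names were not seen; as noted
above, variants with modified macros would not be caught by a name check.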

The PC community has also named this virus "WinWord.Concept", "WW6", and
"WW6Macro" (misnomers, as it spreads to other platforms running Word 6.0),
and Microsoft has dubbed it "Prank". One of the best descriptions of the
virus, albeit with an emphasis on the DOS, OS/2 and Windows environments,
is available from IBM's WWW server:
<http://www.research.ibm.com/xw-D953-wconc>.

A few vendors of major Macintosh anti-virus software are planning minor
releases of their products to cope with this virus or help identify its
presence. Other vendors are deferring to Microsoft for a more comprehensive
solution to this and similar viruses.

Microsoft has made software available to counter the virus, obtainable via
the WWW from

  <http://www.microsoft.com/kb/softlib/mslfiles/mwl222.hqx>

and via ftp from

  <ftp://ftp.microsoft.com/softlib/mslfiles/mwl222.hqx>.

Note that as of the release of this advisory, the fix from Microsoft only
renames the virus rather than removing it. Furthermore, we have had
reports that the filesystem scan function supplied ("Scan.doc") may not
actually find every occurrence of infected files on a Macintosh. Also note
that the release from Microsoft does *not* negate the threat of simple
variants or similar such viruses that might be written in the future.

Be aware that if you operate your Mac in a heterogeneous computing
environment that includes other platforms running Microsoft Word 6.0, you
may need to obtain updated versions of anti-virus software for those other
platforms. Eradicating the virus from your Macintoshes may not be enough
protection -- a different platform with the virus may result in the virus
being reestablished on your Macs.

Also note that some users have MIME-compliant mailers (e.g., Eudora) and
WWW browsers (e.g., Mosaic and Netscape) configured to recognize Microsoft
Word documents and automatically start Word if this file type is
encountered. This mechanism may also allow the virus to be reintroduced
into your system via mail or a WWW page, so you should use such automatic
execution with caution.

Further questions about the virus and Microsoft Word 6.0 should be directed
to Microsoft technical support. Queries about their plans to prevent
future such viruses should also be directed to Microsoft.

Tool: Virex
Status: Commercial software
Revision to be released: Virex 5.6.1 Virex Virus Update 5.6.1, for all
versions of Virex 5.5 or later.
Where to find: Datawatch Corporation, (508) 988-9700

  AOL:            Keyword DATAWATCH
  Compuserve:     Go: NCSA/NCSA Anti-Virus Vendor Forum/
                  Browse Libraries/General Info/Utils
  AppleLink:      Third Parties/3rd Party Demos/Updates/
                  Software Updates/Companies A-D/
                  Datawatch Corporation
  Internet:       <ftp://gateway.datawatch.com/pub/>
  Datawatch BBS:  (508) 988-6373 [8,N,1]

When available: Immediately

Comments: Virex Virus Update 5.6.1 is available on the listed online
services. Subscribers will automatically receive updates by mail. Contact
Datawatch for additional information on update and subscription services.

Other antivirals:
  CPAV (Central Point Anti-virus): no update at this time
  Disinfectant does not deal with non-machine code viruses,
    so no update is needed.
  Gatekeeper is no longer actively supported. However, its design is
    such that no update would be needed (this virus would likely not
    be stopped by Gatekeeper).
  No information is available at this time about the "Rival" antivirus
    program and this virus.
  SAM (Virus Clinic and Intercept): no update at this time
  VirusDetective: no update planned
---------------------------------------------------------------------
If you discover what you believe to be a virus on your Macintosh system,
please report it to the vendor/author of your anti-virus software package
for analysis. Such reports make early, informed warnings like this one
possible for the rest of the Mac community. If you are otherwise unsure of
who to contact, you may send e-mail to spaf@cs.purdue.edu as an initial
point of contact.

Also, be aware that writing and releasing computer viruses is more than a
rude and damaging act of vandalism -- it is also a violation of many state
and Federal laws in the US, and illegal in several other countries. If you
have information concerning the author of this or any other computer
virus, please contact any of the anti-virus providers listed above.
Several Mac virus authors have been apprehended thanks to the efforts of
the Mac user community, and some have received criminal convictions for
their actions. This is yet one more way to help protect your computers.
---------------------------------------------------------------------
Gene Spafford, COAST Project Director
Department of Computer Sciences
Purdue University, W. Lafayette IN 47907-1398
spaf@cs.purdue.edu    (317) 494-7825
http://www.cs.purdue.edu/people/spaf
 
 =========================================================
 From the 'New Product News' Electronic News Service on...
 AOL (Keyword = New Products) and Delphi (GO COMP PROD)
 =========================================================
 This information was processed from data provided by the
 company/author mentioned. For additional details, please
 contact them directly at the address/phone# indicated.
 Trademarks are the property of their respective owners.
 =========================================================
 All submissions for this service should be addressed to:
 BAKER ENTERPRISES,  20 Ferro Dr,  Sewell, NJ  08080  USA
 Email: rbakerpc@delphi.com  -or- RBakerPC (on AOL/Delphi)
 =========================================================
