AntiViral Toolkit Pro for Microsoft Word (AVPWW)
------------------------------------------------
version 1.02

This package contains an anti-virus utility for two known viruses that
infect Microsoft Word documents. This package is FREEWARE.

To check your Microsoft Word installation for these viruses, start
Microsoft Word and open the file AVPWW102.DOC. If your Word is already
infected, AVPWW displays a warning message.

To install AVPWW "memory resident", press the "Install" button while
AVPWW102.DOC is open. See AVPWW102.DOC for more details.

To find all infected files, use the anti-virus database WINWORD.AVB with
the AVP for DOS scanner. Run the scanner in "Redundant" mode (see the
AVP for DOS "Setup" menu). Then load every infected document into Word
with the AVPWW utility installed: once installed, AVPWW disinfects the
documents automatically.

The contents of the package
---------------------------
The package consists of the following files:

AVPWW102.TXT - this file
AVPWW102.DOC - anti-virus utility AVPWW ver. 1.02
WINWORD.AVB  - anti-virus database for the AVP for DOS scanner
FILE_ID_DIZ  - ID file

Viruses that infect Microsoft Word documents
--------------------------------------------
1995 brought a new type of virus: infectors of Microsoft Word documents.
These viruses infect (they do not overwrite!) DOC files in Microsoft Word
version 6 format. The system gets infected while READING an infected
file: to infect a computer it is enough to run Microsoft Word 6 and open
the infected document. From then on the virus spreads into every newly
created DOC file. When such a newly created (and infected) file is sent
to another, clean computer, that computer is infected too as soon as the
file is opened in Microsoft Word.

These viruses are VERY FAST infectors: DOC files are sent and received
far more often than executables, and no separate program has to be run,
the document itself carries the code. They can hit Microsoft Word files
on any computer, not only the IBM PC, and they work equally well under
Microsoft Word 7 and Microsoft Word 6 for NT.
When a Word document is opened, Word executes the macros stored in the
file. If that document is infected, Word executes the *infected* macros,
i.e. the virus code. The virus copies its macros into the Global Macros
area, defines a FileSaveAs macro, and from then on copies its macros into
every newly created document (i.e. every document saved with the "Save
As" command). While saving, the virus also converts ordinary Word
documents into Template format, since in Word 6 only templates carry
macros. On exiting Word, the Global Macros are automatically saved into
the system DOT file (NORMAL.DOT or another one). So at the next start of
Word the virus receives control before the first document is read: it
infects the environment while the Global Macros are loaded from the DOT
file.

WinWord.Concept virus (aka WW6Macro)
------------------------------------
Fortunately, this virus does not call any dangerous trigger routine; the
place for that routine contains only the string:

   That's enough to prove my point

It is not yet clear, however, whether the virus is free of other "deep"
side effects (i.e. whether it is 100% compatible with Word).

Infected files contain the strings:

   see if we're already installed
   iWW6IInstance
   AAAZFS
   AAAZAO
   That's enough to prove my point

and others. On an infected system WINWORD6.INI contains the entry:

   WW6I=1

On the first execution of the virus code (i.e. the first time an
infected file is opened) a MessageBox showing the digit "1" appears.

WinWord.Nuclear virus
---------------------
The WinWord.Nuclear virus infects Microsoft Word documents as well as
COM, EXE and NewEXE (Windows) files. In documents the virus consists of
encrypted macros, and it can drop a COM/EXE/NewEXE virus. Once dropped,
that COM/EXE/NewEXE virus stays memory resident and hits executable
files, but it cannot hit Microsoft Word documents. The macro part of the
virus contains the macros:

   AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
   InsertPayload, Payload, DropSuriv, FileExit

During installation these macros are copied into the Global Macros area.
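The WinWord.Concept strings and the WINWORD6.INI entry listed above are exactly the kind of static indicators a scanner database such as WINWORD.AVB encodes. The following is an added example, not part of the AVPWW package or the AVP scanner: a small static checker that searches a document's raw bytes for the Concept strings and a WINWORD6.INI text for the WW6I marker. It assumes the strings are stored as plain 8-bit text inside the file (so a byte search finds them), and it deliberately requires more than one string hit so that a document that merely quotes one of them, like this README, is not flagged. It also illustrates the limit of the approach: WinWord.Nuclear keeps its macros encrypted, so no plain-text signature of this kind exists for it, which is why the package ships a scanner database instead. The sample documents below are constructed for the example.

```python
"""Static string-signature check for WinWord.Concept (added example)."""
from __future__ import annotations

from pathlib import Path

# Strings the README lists as present in files infected by WinWord.Concept.
CONCEPT_SIGNATURES: tuple[bytes, ...] = (
    b"see if we're already installed",
    b"iWW6IInstance",
    b"AAAZFS",
    b"AAAZAO",
    b"That's enough to prove my point",
)

# Assumption: at least two distinct hits before reporting an infection, so a
# file that merely *quotes* one string (this README, an article) is not flagged.
MIN_HITS = 2

# Word 6 DOC/DOT files are OLE2 compound documents; this is the OLE2 header.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def scan_document(data: bytes) -> dict:
    """Return which Concept signatures occur in the raw bytes of a document.

    Assumption: Word 6 stores WordBasic string literals as 8-bit text, so a
    plain substring search over the file image is enough for Concept. It is
    NOT enough for Nuclear, whose macros are encrypted in the document.
    """
    hits = [sig.decode("ascii") for sig in CONCEPT_SIGNATURES if sig in data]
    return {
        "is_ole2": data.startswith(OLE2_MAGIC),
        "hits": hits,
        "infected": len(hits) >= MIN_HITS,
    }


def scan_file(path: str | Path) -> dict:
    """Scan one DOC/DOT file on disk; thin wrapper over scan_document()."""
    result = scan_document(Path(path).read_bytes())
    result["path"] = str(path)
    return result


def ini_has_concept_marker(ini_text: str) -> bool:
    """True if WINWORD6.INI carries the 'WW6I=1' entry Concept leaves behind.

    Matching is whitespace-insensitive ('WW6I= 1' is accepted) and ignores
    the section the key appears in.
    """
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "WW6I" and value.strip() == "1":
            return True
    return False


# --- constructed samples, not real files -----------------------------------
SAMPLE_INFECTED_DOC = (
    OLE2_MAGIC + b"\x00" * 24
    + b"see if we're already installed\x00"
    + b"AAAZFS\x00AAAZAO\x00"
    + b"That's enough to prove my point\x00"
)
SAMPLE_CLEAN_DOC = OLE2_MAGIC + b"\x00" * 24 + b"Quarterly report\x00"
# A text file that quotes a single signature (like this README) must stay clean.
SAMPLE_QUOTING_TEXT = b"The payload contains: That's enough to prove my point"
SAMPLE_INFECTED_INI = "[Microsoft Word]\nWW6I= 1\nDOC-PATH=C:\\WINWORD\n"
SAMPLE_CLEAN_INI = "[Microsoft Word]\nDOC-PATH=C:\\WINWORD\n"

if __name__ == "__main__":
    for name, blob in (("infected", SAMPLE_INFECTED_DOC),
                       ("clean", SAMPLE_CLEAN_DOC),
                       ("quoting", SAMPLE_QUOTING_TEXT)):
        print(name, scan_document(blob))
    print("ini infected:", ini_has_concept_marker(SAMPLE_INFECTED_INI))
    print("ini clean:", ini_has_concept_marker(SAMPLE_CLEAN_INI))
```

A positive result from scan_file() is a reason to run the AVP for DOS scanner with WINWORD.AVB over the whole disk, not a substitute for it: the string list covers Concept only, and a clean result says nothing about Nuclear.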
All of these macros call the "DropSuriv" macro, which checks the system
time and drops the COM/EXE/NewEXE virus if the time is between 17:00 and
18:00. To drop it, the virus uses the DEBUG utility. First it checks for
C:\DOS\DEBUG.EXE. If it exists, the virus creates a temporary file
PH33R.SCR in the C:\DOS directory and writes a hex dump of the
COM/EXE/NewEXE virus together with DEBUG commands into it. Then it
creates a temporary file EXEC_PH.BAT containing the lines:

   @echo off
   debug < ph33r.scr > nul

and executes it. As a result the DEBUG utility builds a copy of the
COM/EXE/NewEXE virus (in memory) and executes it. That virus hooks INT
21h and writes itself to the end of COM/EXE/NewEXE files when they are
opened, executed, renamed or have their attributes changed. The BAT file
runs in the background, so the user does not notice that there are now
two(!) viruses on the PC. Afterwards the virus deletes the temporary
PH33R.SCR and EXEC_PH.BAT files.

When documents are printed, the virus appends the following text to
roughly every twelfth document (when the seconds of the system time are
55 or more):

   And finally I would like to say:
   STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These lines are appended to the document immediately before printing, so
the user does not see them (documents often occupy more than one
screen). This is a curious effect, especially when documents are sent by
fax.

On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.
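The DEBUG-script dropper described above leaves two artefacts that a responder can act on even after the virus has deleted them (for instance from a backup, an undelete or a disk image): the BAT file that pipes a script into DEBUG, and the script that carries the binary as hex. The following is an added example, not part of the AVPWW package or of the virus: a parser that recognises the `debug < file` idiom in a batch file and rebuilds the binary a DEBUG script would write, so the dropped executable can be examined without ever running DEBUG. The README only says PH33R.SCR holds a hex dump plus DEBUG commands and does not give the exact commands, so the parser assumes the standard MS-DOS DEBUG script idiom (`n` to name the file, `e` to enter bytes at CS:offset, `rcx`/`rbx` followed by a hex value to set the length, `w` to write BX:CX bytes from CS:0100, `q` to quit); that is an assumption, and the sample script is constructed for the example, not the virus's dropper.

```python
"""Rebuild the file a DEBUG-script dropper writes (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Batch-file idiom from the README: "debug < ph33r.scr > nul".
_DEBUG_PIPE = re.compile(r"(?im)^\s*(?:@?\s*)?debug(?:\.exe)?\s*<\s*(\S+)")


def find_debug_dropper_scripts(bat_text: str) -> list[str]:
    """Return the script filenames a batch file feeds into DEBUG via stdin."""
    return _DEBUG_PIPE.findall(bat_text)


def is_debug_dropper_bat(bat_text: str) -> bool:
    return bool(find_debug_dropper_scripts(bat_text))


@dataclass
class DebugScript:
    filename: str | None = None          # from the 'n' command
    memory: bytearray = field(default_factory=lambda: bytearray(0x10000))
    written: bytes = b""                 # image the 'w' command would emit
    notes: list[str] = field(default_factory=list)

    @property
    def kind(self) -> str:
        if self.written[:2] in (b"MZ", b"ZM"):
            return "EXE"                 # DOS MZ header (NewEXE also starts MZ)
        return "COM" if self.written else "none"


def parse_debug_script(text: str) -> DebugScript:
    """Simulate enough of DEBUG to recover the bytes 'w' would write.

    Assumption (standard DEBUG scripting, not stated by the README):
      n NAME           name the output file
      e ADDR B1 B2 ..  enter bytes at CS:ADDR (hex)
      rcx / rbx        next line is the new register value (hex)
      w [ADDR]         write BX:CX bytes starting at ADDR (default CS:0100)
      g                run the code in memory (flagged, never executed here)
      q                quit
    """
    st = DebugScript()
    bx = cx = 0
    pending_reg: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if pending_reg is not None:      # value line after 'rcx' / 'rbx'
            value = int(line, 16) & 0xFFFF
            if pending_reg == "CX":
                cx = value
            else:
                bx = value
            pending_reg = None
            continue
        cmd, _, arg = line.partition(" ")
        cmd = cmd.lower()
        if cmd == "n":
            st.filename = arg.strip()
        elif cmd == "e":
            addr_s, *byte_s = arg.split()
            addr = int(addr_s, 16)
            for i, b in enumerate(byte_s):
                st.memory[addr + i] = int(b, 16)
        elif cmd in ("rcx", "rbx"):
            pending_reg = cmd[1:].upper()
        elif cmd == "r" and arg.strip().upper() in ("CX", "BX"):
            pending_reg = arg.strip().upper()
        elif cmd == "w":
            start = int(arg, 16) if arg.strip() else 0x100
            length = (bx << 16) | cx
            st.written = bytes(st.memory[start:start + length])
        elif cmd == "g":
            st.notes.append("script executes the entered code in place ('g')")
        elif cmd == "q":
            break
        else:
            st.notes.append(f"unhandled DEBUG command: {line}")
    return st


# --- constructed sample: an 11-byte COM program that prints "Hi" ------------
SAMPLE_SCRIPT = """\
n sample.com
e 0100 B4 09 BA 08 01 CD 21 C3
e 0108 48 69 24
rcx
000B
w
q
"""
SAMPLE_BAT = "@echo off\ndebug < ph33r.scr > nul\n"

if __name__ == "__main__":
    print("dropper scripts:", find_debug_dropper_scripts(SAMPLE_BAT))
    s = parse_debug_script(SAMPLE_SCRIPT)
    print(s.filename, s.kind, s.written.hex(), s.notes)
```

The recovered image can then be hashed or handed to the AVP scanner, and `kind` tells you immediately whether the script drops a COM or an MZ-format EXE. Because the parser never executes anything, it is safe to run on any suspicious .SCR file, which is the whole point of reconstructing the dropper's output rather than letting DEBUG do it.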
The COM/EXE/NewEXE part of the virus contains the text strings:

   =Ph33r=
   Qark/VLAD

New AVP Shareware Releases / Updates
------------------------------------
Information about new releases/updates is available in local conferences:

   Internet:  relcom.comp.virus   Russia
   FidoNet:   AVP.SUPPORT         Russia
              AVP.FR              France

New releases and updates for Antiviral Toolkit Pro (AVP) are available on:

Anonymous FTP sites:

a) Weekly & Cumulative Updates, Shareware versions:

Server:                         Path:                                                Filenames:
===========================================================================
ftp.command-hq.com              /pub/command/avp/                                    *.*
io.com                          /pub/usr/pmonti/avp/                                 *.*
ftp.informatik.uni-hamburg.de   /pub/virus/progs/avp/                                *.*
sunsite.unc.edu                 /pub/docs/security/hamburg-mirror/virus/progs/avp/   *.*
ftp.sct.fr                      /pub/virus/tools/antivirus/avp/updates/              *.*
ftp.sunet.se                    /pub/security/virus/progs/avp/                       *.*
ftp.uu.net                      /pub/security/virus/progs/avp/                       *.*
ftp.icomm.rnd.su                /ANTIVIRUS/AVP/                                      *.*

b) Cumulative Updates and Shareware versions:

Server:                         Path:                                 Filenames:
===========================================================================
SimTel:
oak.oakland.edu                 /pub/msdos/virus/                     avp*.*

SimTel Mirrors: (a small selection, there are many more)
ftp.switch.ch                   /mirror/simtel/msdos/virus/           avp*.*
ftp.cyf-kr.edu.pl               /pub/mirror/simtel/msdos/virus/       avp*.*
ftp.icm.edu.pl                  /pub/simtel/msdos/virus/              avp*.*
micros.hensa.ac.uk              /mirrors/simtel/msdos/virus/          avp*.*
ftp.ibp.fr                      /pub/pc/SimTel/msdos/virus/           avp*.*
ftp.cs.cuhk.hk                  /pub/simtel/msdos/virus/              avp*.*
ftp.sun.ac.za                   /pub/simtel/msdos/virus/              avp*.*

WWW-Sites:

URL:                                   Desc.                           Lang.
==========================================================================
http://www.marktplatz.ch/metro/        AVP-Information / News, etc.    E/D
http://www.command-hq.com/command      AVP-Information                 E
http://www.icomm.rnd.su/icomm/avp/     AVP-Information                 R/E

Lang.: E=English  D=Deutsch (German)  R=Russian

BBSs:

Switzerland: Metropolitan Network BBS:
   +41 (0)31 348-1331 (2 lines)   2400-33600bps V.34+/V.FC/V.32bis/HST
   +41 (0)31 348-0422 (1 line)    2400-28800bps V.34/V.FC/V.32bis/HST

Russia:
   +7 (8632) 69-6931 (8 lines)    2400-14400 V32bis
   +7 (095) 278-9949
   +7 (095) 932-8465
   +7 (092) 223-7354

AVP distributors and technical support sites
--------------------------------------------
Belgium:
   bvba DataRescue sprl, 110 route du Condroz, 4121 Neupré, Belgium
   Contact   : Dr Pierre Vandevenne
   Phone/Fax : +32-41-729114
   BBS/Fax   : +32-41-729110
   E-mail    : peterpan@datarescue.knooppunt.be
   FIDO      : 2:293/2213

France:
   Editions Gerard MANNIG, BP 7, F-76161 DARNETAL CEDEX
   Contact   : Gerard MANNIG
   Phone/FAX : +33 3559-9344 / +33 3559-9344
   E-mail    : mannig@world-net.sct.fr
   FIDO      : 2:322/2.1

Germany:
   Howard Fuhs Elektronik, Computer Virus Research Lab Germany
   Rheingaustr. 152, 65203 Wiesbaden - Biebrich
   Phone      : +49 611 67713
   Fax        : +49 611 603789
   CompuServe : 100120,503
   Internet   : 100120.503@compuserve.com
   FIDO       : 2:244/2120.7

   PROKON software - Theo Christoph, Hauptstrasse 42,
   07751 Rothenstein - Deutschland
   Phone  : +49 36424-56509
   Fax    : +49 36424-56511
   BBS    : +49 36424-56512 (v.32bis/terbo/V.FC/V.34 - soon available)
          : +49 36424-56513 (v.32bis/terbo/V.FC/V.34 - soon available)
   E-mail : prokon@gtc11.gtc.net

Italy:
   C.S.I. srl
   Mail address : Rome, Aquileia st. n. 7 (Italy)
   Phone(s)     : +39-6-8607663, +39-6-5020879
   Fax          : +39-6-86321371
   E-mail       : MC3162@mclink.it, pmonti@io.com
   FIDO         : 2:335/420

Netherlands:
   Address : Roggekamp 416, 2592 VH The Hague, The Netherlands
   Contact : Titia Vlaardingerbroek
   Phone   : +31703836044
   Fax     : +31703471256
   E-mail  : vrch@knoware.nl
   FIDO    : 2:281/552
   VIRNET  : 9:3110/0
   BBS     : +31703857867

Poland:
   Address : VACIMEX, Al. Stanow Zjednoczonych 46/24, 04-036 Warszawa
   Tel/Fax : +48-22 106246
   E-mail  : bored@maloka.waw.pl, vacimex@.maloka.waw.pl

Russia:
   KAMI Ltd., Moscow 109052, Nizhegorodskaya st. 29
   Phone  : +7-095-278-9412
   Fax    : +7-095-278-2418
   E-mail : eugene@kamis.msk.su
   BBS    : +7-095-278-9949
   FIDO   : 2:5020/156

   Intercommunications CO, 107/25 Oborony st, 344007, Rostov-na-Donu, Russia
   Contact  : Mikhael Monastyrsky, Alexander Ivanov
   Phone(s) : +7 (8632) 62-0562, 63-1360, 64-3088
   Fax      : +7 (8632) 63-1360
   E-mail   : avp-support@icomm.rnd.su
   BBS      : +7 (8632) 69-6931 (8 lines) 2400-14400 V32bis,
              or telnet icomm.rnd.su
   FTP      : ftp.icomm.rnd.su
   WWW      : www.icomm.rnd.su

   Call for more AVP distributors in Russia.

Switzerland:
   Metropolitan Network BBS, AVP, Postfach 827, 3000 Bern 8
   Contact  : Gerard VUILLE
   Phone(s) : +41 (0)31 348-1333
   Fax      : +41 (0)31 348-1335
   E-mail   : avp-support@metro-net.ch
   BBS      : +41 (0)31 348-1331 (2400-33600bps V.34/V.FC/HST)
   WWW      : http://www.thenet.ch/metro/
              http://www.marktplatz.ch/metro/

USA:
   Company : Central Command Inc.
   Address : P.O. Box 856, Brunswick, Ohio 44212
   Phone   : 216-273-2820
   FAX     : 216-273-2820
   Contact : Keith A. Peer
   E-mail  : keith@command-hq.com
   Support : support@command-hq.com
   Sales   : sales@command-hq.com
   FTP     : ftp.command-hq.com /pub/command/avp
   WWW     : http://www.command-hq.com/command [not operational yet]