AntiViral Toolkit Pro for Microsoft Word (AVPWW)
------------------------------------------------
version 1.04

This package contains the anti-virus utility for known viruses that infect
Microsoft Word documents. This package is FREEWARE.

To check your Microsoft Word for viruses, load Microsoft Word and open the
AVPWWxxx.DOC file. If your Word is already infected, AVPWW displays a warning
message. To install AVPWW "memory resident", press the "Install" button while
the AVPWWxxx.DOC file is open. See AVPWWxxx.DOC for more details.

To find all infected files, use the anti-virus database MACRO.AVB and the
anti-virus scanner AVP for DOS. Then load every infected document into Word
with the AVPWW utility installed: once installed, AVPWW disinfects the
documents automatically.

Macro-viruses
-------------

Macro-viruses use the features of the macro languages built into modern
data-processing systems (text editors and spreadsheets). For viruses to be
able to spread, a system must have a built-in macro language that allows:

1) assigning specific macro-program(s) to specific files;
2) copying macro-program(s) from one file to another;
3) passing control to macro-program(s) without the user's permission
   (Auto-macros).

Three systems meet these conditions: Microsoft Word, Microsoft Excel and
Lotus AmiPro. These systems contain built-in Basic-like macro languages
(Word - WordBasic, Excel - Visual Basic), and:

1) macro-program(s) are assigned to specific file(s) (AmiPro), or exist only
   within the file body (Word, Excel);
2) the macro language allows copying DOS files (AmiPro) or copying
   macro-programs into the system and into other files (Word, Excel);
3) while working with a file, macro-programs are executed under certain
   conditions (file opening, closing, and so on); these programs are defined
   by special commands (AmiPro), or they have standard names (Word, Excel).
These features of modern systems were designed for writing "document
auto-processing systems", but they also allow viruses to spread their copies,
i.e. to infect files. There are three known systems that may be infected with
a computer virus: Microsoft Word, Excel and AmiPro. Under these systems the
viruses receive control while an infected document is opened/closed, then
they hook one or more system events (functions, macros) and infect the files
that are accessed through these functions.

Macro viruses are "memory resident": they hook the system events and are
active not only at the moment of file opening/closing, but all the time the
system is working.

Macro.Word-viruses
------------------

Macro.Word.Atom
---------------

This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and
infects Word while the infected document is loaded (AutoOpen). The virus
infects files in two ways: while a file is opened (command File/Open, macro
FileOpen) and while a document is saved under a new name (command
File/SaveAs, macro FileSaveAs).

While infecting a document being saved under a new name (FileSaveAs), the
virus checks the system time. If the value of the seconds is equal to 13, the
virus sets the password ATOM#1 for this document. The virus cannot set the
password if the file is already infected; Word displays a message about a
WordBasic error.

While opening an infected document on the 13th of December, the virus deletes
all files in the current directory. We did not check it, but the system has
to display an error message while deleting opened files.

Macro.Word.Color (Rainbow, Color Changer)
-----------------------------------------

This is an encrypted virus; it contains the macros: macros, FileNew,
AutoExec, AutoOpen, FileExit, FileSave, AutoClose, FileSaveAs, ToolsMacro.

The virus infects files while a new document is created (FileNew) and while a
document is saved under a new name (FileSaveAs).
On each 300th call to the file functions (FileNew, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the [colors]
section of the WIN.INI file and sets randomly selected colors for the Windows
components. The new colors appear after the next Windows loading. The virus
keeps the trigger counter in the [windows] section of the WIN.INI file:

[windows]
countersu= 234

The virus enables Auto-macros (AutoOpen, AutoClose and so on): it sets
DisableAutoMacros to zero. When the virus is active, it is impossible to
activate the Tools/Macro command. For manual disinfection it is necessary to
delete the virus' macros using the Organizer (Tools/Customize, Word command,
then drag Organizer out to the toolbar).

Macro.Word.Concept (WW6Macro)
-----------------------------

This is the first WinWord virus found "in the wild". The virus contains five
macros: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects the files
that are SaveAs'ed (FileSaveAs). The infected document contains the text
strings:

see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point

and others. WINWORD6.INI on an infected system contains the line:

WW6I= 1

On the first execution of the virus code (i.e. on the first opening of an
infected file) a MessageBox appears with the digit "1" inside and an "Ok"
button.

Macro.Word.DMV
--------------

This is the first known MS Word macro-virus. It contains only one macro,
AutoClose, and infects the files that are saved to disk. While infecting, the
virus displays MessageBoxes with the header:

Document Macro Virus

The messages are:

Counting global macros.
AutoClose macro virus is already installed in NORMAL.DOT.
AutoClose macro virus already present in this document.
Saved current document as template.
Infected current document with copy of AutoClose macro virus.
Macro virus has been spread.
Now execute some other code (good, bad, or indifferent).

Macro.Word.Hot
--------------

This is an encrypted virus.
It contains the macros: AutoOpen, InsertPBreak, DrawBringInFrOut,
ToolsRepaginat. While infecting the system, the virus renames the
ToolsRepaginat macro to FileSave, and then infects existing documents when
they are saved to disk (FileSave). While infecting documents, the virus
renames the FileSave macro back to the ToolsRepaginat name.

While infecting the system, the virus inserts the string "QLHot=nnnn" into
the WINWORD6.INI file, where "nnnn" is the "triggering day": the number of
the current day of this century plus 14, for example:

QLHot=35110

On the following days the virus selects a random value from 1 to 6 and adds
it to the "triggering day". If the result is equal to the current day, the
virus deletes the file before saving it to disk. 14 days after the last
modification of the "QLHot" string, the virus renews it.

The virus does nothing if the file C:\DOS\EGA5.CPI exists. The virus does not
work under Microsoft Word 7.0. While opening an infected document, the system
displays the message:

Unable to load specified library

Macro.Word.Imposter
-------------------

This is a plagiarism of "Word.Macro.Concept" and "Word.Macro.DMV". It
contains two macros:

in an infected document: AutoClose, DMV
in an infected NORMAL.DOT: FileSaveAs, DMV

While infecting the system, the virus receives control in the AutoClose macro
of the document, renames the DMV macro to FileSaveAs, then renames AutoClose
to DMV. While infecting files (FileSaveAs), the virus renames these macros
back: DMV -> AutoClose, FileSaveAs -> DMV. While infecting documents, the
virus displays the MessageBox:

DMV

One of the strings in the virus body looks as follows:

just to prove another point

Macro.Word.Nuclear
------------------

This is an encrypted virus; it contains the macros: AutoExec, AutoOpen,
FileSaveAs, FilePrint, FilePrintDefault, InsertPayload, Payload, DropSuriv,
FileExit. During installation these macros are copied into the Global Macros
area, overwriting any macros already present there. Then the virus infects
documents via the FileSaveAs macro.
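As an added example (not part of the AVPWW package), a small scanner for the INI markers described above for Color, Concept and Hot. The sample file contents and the "[Microsoft Word]" section name are constructed here; since the page does not say which WINWORD6.INI section holds the WW6I and QLHot keys, those two are matched in any section.

```python
import re

# Constructed sample INI contents (not captured from a real system). They carry
# the markers described above; the "[Microsoft Word]" section name is invented.
WIN_INI = """[windows]
load=
countersu= 234

[colors]
Background=32 96 64
"""

WINWORD6_INI = """[Microsoft Word]
DOC-PATH=C:\\WINWORD
WW6I= 1
QLHot=35110
"""

# (section or None for "any section", key, family), taken from this page.
MARKERS = [
    ("windows", "countersu", "Macro.Word.Color"),  # trigger counter, WIN.INI
    (None, "ww6i", "Macro.Word.Concept"),          # WW6I= 1, WINWORD6.INI
    (None, "qlhot", "Macro.Word.Hot"),             # QLHot=nnnn triggering day
]

def parse_ini(text):
    """Return {section: {key: value}}; section and key names are lower-cased,
    values keep their text with surrounding blanks stripped."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def scan_ini(text):
    """Return sorted (family, key, value) hits for the markers present in the
    text of one INI file."""
    sections = parse_ini(text)
    hits = []
    for section, key, family in MARKERS:
        scopes = [sections.get(section, {})] if section else list(sections.values())
        for scope in scopes:
            if key in scope:
                hits.append((family, key, scope[key]))
    return sorted(hits)
```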
The virus manifests itself in three ways: 1) it runs a COM/EXE/NewEXE virus,
2) it appends text strings while printing documents, 3) it corrupts system
files.

1) The AutoExec macro calls the DropSuriv macro, which checks the system time
and drops the COM/EXE/NewEXE virus ({"Ph33r":Ph33r}) if the time is between
17:00 and 18:00. To drop the virus it uses the DEBUG utility. First, the virus
checks for C:\DOS\DEBUG.EXE. If it exists, the virus creates the temporary
file PH33R.SCR in the C:\DOS directory and writes a hex dump of the
COM/EXE/NewEXE virus and DEBUG commands into it. Then the virus creates the
temporary file EXEC_PH.BAT with the strings:

@echo off
debug < ph33r.scr > nul

and executes it. As a result, the DEBUG utility creates a copy of the
COM/EXE/NewEXE virus (in memory) and executes it. That virus hooks INT 21h
and writes itself to the end of COM/EXE/NewEXE files when they are opened,
executed, renamed or have their attributes changed. The BAT file is executed
in the background, so the user does not know that there are two(!) viruses on
his PC. Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.
Fortunately, this virus has a bug and fails to drop the COM/EXE/NewEXE virus,
but it would be quite easy to fix that bug in a next virus version.

2) While printing documents the virus appends text to approximately each
12th file (if the seconds are 55 or more):

And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These strings are appended to the document immediately before printing, so
the user does not see them (documents often occupy more than one screen).
This is a very curious effect, especially when sending documents via fax.

3) On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.

Macro.Word.Nuclear.b
--------------------

A variant of the previous one. It does not contain the COM/EXE/NewEXE virus
or the DropSuriv and FileExit macros. There is a bug while appending the text
to the end of the document while printing.
As a result the virus appends a blank page, and Word displays a message about
a WordBasic error.

Macro.Word.Xenixos (Nemesis)
----------------------------

This is an encrypted virus. It contains the macros: Drop, Dummy, AutoExec,
AutoOpen, DateiÖffnen, ExtrasMakro, DateiBeenden, DateiDrucken,
DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard. In some cases it
sets the password "xenixos" for infected documents and displays the message:

Diese Option ist derzeit leider nicht verfügbar. Fehler

While printing documents it appends:

Brought to you by the Nemesis Corporation, ©1996

On the 1st of May the virus writes the string to the AUTOEXEC.BAT file:

@echo j|format c: /u >nul

This virus also launches the "Neurobasher.b" multipartite virus. To do that
the virus creates the C:\DOS\SCRIPT.SCR file and writes a hexadecimal dump of
that virus into it. Then the virus creates the C:\DOS\EXEC.BAT file and
writes the strings into it:

@echo off
debug < script.scr>nul
rem debugger.com
echo @c:\dos\debugger.exe>>c:\autoexec.bat
del c:\dos\script.scr
del c:\dos\exec.bat

Then the virus executes that file. As a result DEBUG.EXE creates the
DEBUGGER.EXE file, and C:\AUTOEXEC.BAT has a new string at its end:

@c:\dos\debugger.exe

So, the last command of AUTOEXEC.BAT launches the dropper of the
"Neurobasher.b" virus.

Word.Excel-viruses
------------------

While processing a document Word (as well as Excel while processing
spreadsheets) performs different actions: it opens the file, closes it, reads
the data, saves and prints it. At the same time Word executes the
corresponding macro-program with a standard name, if such a macro is defined:
FileSave while saving the file, FileSaveAs while saving the file under a new
name, FilePrint while printing, and so on. While opening a document Word
checks it for the presence of the AutoOpen macro. If there is one, Word
executes that macro (unless it is disabled by DisableAutoMacros). While
closing a file Word executes the AutoClose macro.
Macro.Word-viruses contain at least one of the Auto-macros: AutoOpen,
AutoClose, AutoExec, AutoExit, AutoNew. If a document is infected with a
Macro.Word virus, Word executes the infected Auto-macro, i.e. executes the
virus code. The Auto-macros in the viruses contain the code that moves the
other virus macros into the area of Global Word macros, and in this way the
virus copies itself into the Word Global macros. On exit Microsoft Word saves
all Global macros (including the virus ones) into a DOT file (usually
NORMAL.DOT). When started, Word loads all global macros (including the virus
ones) from the DOT file; as a result, on the next loading the virus infects
Word at the moment Word initializes its system areas, and Word is infected
before the first document is loaded.

Then the virus replaces or defines other system macros (FileOpen, FileSave,
FileSaveAs, FilePrint), and in this way hooks the file accessing functions.
When any hooked function is executed, the virus receives control and performs
different branches of its code, including the infection routine. While
infecting, the virus converts the document into Template format and copies
all virus macros (including the Auto-macros) into the document. Once
converted to Template format, the document cannot be converted into any other
format. The presence of the Auto-macros allows the virus to infect other
computers as soon as the infected document is read. I.e., if the virus hooks
the FileSaveAs macro, it infects the files that are saved by the "File/Save
As" call; if the virus hooks the FileOpen macro, it hits the files while Word
is opening them.

Note: MS Word allows encrypting the code of macros, and some Macro.Word
viruses are encrypted.

Known Macro.Word viruses infect documents in Microsoft Word ver. 6 format.
The system gets infected while reading an infected document. Then the viruses
infect all newly created DOC files. Macro.Word viruses can infect computers
of different platforms, not IBM PC only.
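As an added example (not part of the AVPWW package), a heuristic that applies the mechanism just described to the list of macro names found in a Word 6 document: an Auto-macro combined with a hooked File* macro, or with a document that has silently become a Template, is the pattern every family on this page shares. Extracting the macro names and the Template flag from the file is assumed to be done by the caller.

```python
# Auto-macros and file-handling system macros named on this page: a document
# that carries both behaves like the infection mechanism described above.
AUTO_MACROS = {"AutoOpen", "AutoClose", "AutoExec", "AutoExit", "AutoNew"}
FILE_HOOKS = {"FileOpen", "FileSave", "FileSaveAs", "FilePrint", "FileNew",
              "FileExit", "ToolsMacro"}

# Complete macro sets (as found in an infected document) of families described
# on this page.
KNOWN_FAMILIES = {
    "Macro.Word.Atom": {"Atom", "FileOpen", "FileSaveAs", "AutoOpen"},
    "Macro.Word.Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "PayLoad", "FileSaveAs"},
    "Macro.Word.DMV": {"AutoClose"},
    "Macro.Word.Imposter": {"AutoClose", "DMV"},
    "Macro.Word.Hot": {"AutoOpen", "InsertPBreak", "DrawBringInFrOut",
                       "ToolsRepaginat"},
}

def assess_macros(macro_names, is_template):
    """Classify a Word 6 document from the names of the macros it carries and
    from whether its internal format is Template (both supplied by the caller).
    Returns (verdict, family): verdict is "known", "suspicious" or "clean";
    family is set only for a "known" verdict."""
    names = set(macro_names)
    # Exact match against a known family. Infected documents are always in
    # Template format, so a plain document never yields a "known" hit; this
    # keeps a harmless lone AutoClose from being reported as DMV.
    if is_template:
        for family, signature in KNOWN_FAMILIES.items():
            if names == signature:
                return ("known", family)
    # Generic heuristic: an Auto-macro that gets control on open/close, plus
    # either a hooked File* macro or a document turned into a template.
    has_auto = bool(names & AUTO_MACROS)
    has_hook = bool(names & FILE_HOOKS)
    if has_auto and (has_hook or is_template):
        return ("suspicious", None)
    return ("clean", None)
```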
To spread they need a text processor compatible with Microsoft Word. The
common features of these viruses are:

1) It is impossible to convert the infected document into any other format.
2) It is impossible to save the document into any other subdirectory/disk
   using the "Save As" command.
3) The infected documents have the Template internal format: during infection
   the viruses convert the documents from Microsoft Document into Template
   format.

The majority of Macro.Word viruses do not infect localized Word versions,
only the English one; other viruses infect only localized Word versions
(French, German) and do not work under the English version. In any case the
virus stays active in the infected document, and may spread to other
computers with the necessary version of Word installed.

It is possible to protect oneself against these viruses by disabling the
AutoOpen macro using the Word system macro DisableAutoMacros.

AmiPro-viruses
--------------

AmiPro creates two files while processing a text: the first file contains the
text and has the name extension SAM, the second one contains macros and other
system data and has the name extension SMM. It is possible to assign any macro
of the SMM file to a document with the AssignMacroToFile command. The assigned
macro has the same meaning as AutoOpen in Word documents: it is executed when
the file is opened. I see it is impossible to copy AmiPro macros into a Global
area, so AmiPro viruses may infect the system only while an infected document
is opened, but not while the system is loading (as Word does with the
NORMAL.DOT file).

AmiPro, as well as MS Word, allows hooking the system events (macros) such as
SaveAs and Save; this is done with the ChangeMenuAction command. When a hooked
function is called, the virus' macro receives control.

Macro.AmiPro.GreenStripe
------------------------

This virus contains four macros (functions): Green_Stripe_Virus, Infect_File,
SaveFile, SaveAsFile.
They receive control when an infected document is opened; then the virus
searches for *.SAM files in the current directory and infects them. While
infecting a SAM file the virus creates an SMM file and copies itself there
with the DosCopyFile command. Then the virus assigns the Green_Stripe_Virus
macro to that file with the AssignMacroToFile command. Then the virus hooks
the SaveFile and SaveAsFile macros. When the "Save As" command is performed,
the virus infects that document. In the case of the "Save" command the virus
replaces the "its" string with "it's" within the file.

==========================================================================
Microsoft Word and Microsoft Excel are trademarks of Microsoft Corporation
Lotus Amipro is a trademark of Lotus Corporation