home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
HPAVC
/
HPAVC CD-ROM.iso
/
MVUPDAT3.ZIP
/
MACRO_AV.ZIP
/
MACRO009.TXT
< prev
next >
Wrap
Text File
|
1996-09-02
|
25KB
|
629 lines
1st August 1996
Macro viruses are the latest development in the battle against
computer viruses. First encountered in the autumn of 1995 they
have quickly caught the imagination of the press and
virus-author alike. Their introduction into the virus world has
caused a stir because they have broken some of the established
"rules":
* They are the first ever viruses to infect documents rather
than executable files. The first macro viruses seen
infected Microsoft Word documents. In January 1996 the
first AmiPro macro virus (Green Stripe) appeard. It should
be remembered that other word processors(and even other
applications) could be at risk in the future.
* They are the first ever multi-platform viruses - not just
capable of infecting PC systems, but Macintosh as well.
-----------------------------------------------------------------
Atom | Concept | Concept.B.Fr | Divina | DMV | FormatC |
Friendly | Green Stripe | Hot | Imposter | NOP | Nuclear |
Nuclear.B | Polite | Wazzu | Wiederoffnen | WM.AntiDMV |
WM.Colors | WM.Nop | WM.Phantom | WM.Telefonica | Xenixos |
-----------------------------------------------------------------
ATOM
Alias: Wordmacro.Atom
Type: Word Macro Virus
ATOM consists of 4 macros - AutoOpen, FileOpen, FIleSaveAs, and
ATOM - all of which are execute-only.
When an infected document is opened, ATOM infects the global
template. If the auto macros are disabled, the virus is rendered
ineffective. ATOM does not turn off the prompting when saving
the global template, so if prompting is turned on you will be
prompted to save changes to the global template at the end of
the session.
After the global template is infected, ATOM calls its first
destructive payload. If the current date is December 13, the
virus deletes all files in the current directory.
Once the virus is active (i.e., it has infected the global
template), it infects all documents which are saved via the
FileSaveAs command or which are opened via the FileOpen command.
If the seconds field of the current time is 13 at the time of
infection , the virus encrypts the document being saved with the
password "ATOM#1".
WordMacro/ATOM is not known to be in the wild.
-----------------------------------------------------------------
Concept
Aliases: WinWord.Concept, WW6Macro, WW6Infector, WBMV (Word
Basic Macro Virus), Prank Macro
Type: Word macro virus
Description:
This is the first virus to infect data files. Concept infects
Microsoft Word 6 documents (*.DOC) and the NORMAL.DOT template.
The virus makes use of the well-developed Microsoft Word macro
language, Word Basic, in an attempt to exploit the fact that
computer users exchange documents far more often than programs.
When an infected document is opened under Microsoft Word for the
first time, the virus gets control as an AutoOpen macro and
infects the NORMAL.DOT template (or any other template, if it
has been selected as a global default template). A message box,
with the text '1', appears on the screen.
After this, every document saved using the File|SaveAs command
is infected with the virus. This normally happens when a
newly-created document is saved to the disk.
If Microsoft Word is run, then Tools|Macros is selected and the
list of macros checked, the presence of the macros named AAAZFS,
AAAZAO, AutoOpen, PayLoad and FileSaveAs indicates that the
Microsoft Word system is infected.
This virus works under Microsoft Word for Windows 3.x, Word for
Windows 95, Word for Windows NT, and Word for Macintosh. This
made it the first ever multi-platform virus. Other macro viruses
have been written in the wake of Concept, including Nuclear,
DMV, and Colors.
The Concept virus is very common in the wild. This is largely
due to Microsoft accidentally shipping it on a CD ROM called
Microsoft Windows 95 Software Compatability Test to hundreds of
OEM companies in August 1995. Another company distributed more
Concept-infected documents on 5500 copies of a CD ROM called
Snap-on Tools for Windows NT shortly afterwards.
-----------------------------------------------------------------
Nuclear
Description
A Word .DOC file, containing a description of another Word Macro
virus (Concept) was uploaded to one of the publicly accessible
ftp directories at the USA internet provider netcom.com . The
file in turn, appeared to be infected with a new Word Macro
virus - Nuclear.
Similar to Concept, Nuclear infects NORMAL.DOT when an infected
document is opened. Then it infects all the documents being
saved using File/SaveAs. Unlike Concept, all macros in Nuclear
are "execute-only" i.e. protected (encrypted) in such a way you
cannot view or modify their source code. (You still can see the
macros' names in Tools/Macro though). We, nevertheless,
succeeded in decrypting the macros and thus, analysing and
understanding the virus.
An infected document or NORMAL.DOT contains nine macros named
AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint,
FilePrintDefault, FileSaveAs, InsertPayload and PayLoad. The
main effect of the virus, besides replication, is that if a
document is being printed and the system clock seconds counter
is in between 55 and 59 seconds (i.e. with a probability of
approximately 1/12th), two lines are added to the document and
are subsequently printed at the end of the last page:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
The virus was also supposed to drop a "normal" (i.e.
COM/EXE/NewEXE infecting) virus named PH33R (pronounced 'fear'),
but due to a whole set of bugs it fails to achieve this. By the
way, the virus it is supposed to drop has nothing to do with the
old Suriv virus family. The confusion is completely due to the
fact the macro to do this is called DropSuriv. 'suriv' is
nothing but 'virus' reversed and the only thing in common
between the Suriv viruses and DropSuriv macro is the name.
Another payload conceived by Nuclear author should be triggered
on April 5 any year. The destructive macro named Payload was
supposed to damage (truncate to 0 bytes) system files IO.SYS,
MSDOS.SYS and COMMAND.COM. Fortunately, once again the virus
author never dared to debug this piece of code - the Payload
macro does not work either due to bugs in it.
The virus also causes some side effects such as error messages
if you choose from File/Print or File/SaveAs.
-----------------------------------------------------------------
Hot
Aliases: Wordmacro.Hot, WM.Hot
Type: Word macro virus
Description:
WordMacro.Hot creates an entry in the WINWORD6.INI configuration
file which contains a "hot date" 14 days in the future when its
payload will trigger.
The virus can then activate randomly within a few days of the
"hot date": when you try to open a document its contents are
erased instead.
The payload is disabled if C:\DOS\EGA5.CPI is found to exist. A
comment in the virus source code suggests that this is a
"feature" designed to protect the virus author and his friends.
-----------------------------------------------------------------
DMV
Type: Word macro virus
Description:
DMV is the name of a Word macro virus that was written for
"demonstration" purposes by an American computer user. He
subsequently made his virus available for all to download via
the World Wide Web.
The author of this virus also attempted to write an Excel macro
virus - but it fails to work because of a bug.
-----------------------------------------------------------------
NOP
Type: Word Macro Virus
Description:
NOP is a new WordMacro virus 'in the wild' in Germany.
In order to spread, this virus requires the German version of
Microsoft Word for Windows 6.0 or above; under other language
versions of Word for Windows, the virus will infect NORMAL.DOT
but will not spread further.
Documents infected with NOP contain the macro AutoOpen and NOP.
When an infected document is opened under Word for Windows, the
virus gets control via the AutoOpen macro and infects the
NORMAL.DOT global template. In an infected NORMAL.DOT, the
AutoOpen macro becomes NOP; and the NOP macro becomes
DateiSpeichern (German for FileSave).
NOP has no payload.
-----------------------------------------------------------------
Divina
Type: Word Macro Virus
Description
Like DMV, Divina contains just an AutoClose macro. The macro is
an execute-only. When an infected document is loaded under MS
Word and then closed, the virus infects NORMAL.DOT. Any document
closed after that will be infected.
The virus has two payloads:
If a document is being closed during the 17th minute of any
hour, a set of dialogue boxes are displayed, with pauses and
beeps in between. The first says
"ROBERTA TI AMO!"
Then
"Virus 'ROBERTA' is running. Hard Disk damaged. Start
antivirus?".
Next comes
"Exit from system and low level format are recommended."
and finally
"Exit from System?".
After that the virus exits Windows. So, while the virus has no
destructive payload as such, it might well succeed in persuading
an average user to reformat his/her hard disk.
Another payload triggers on 21st May if a document is being
closed between 10th and 20th or between 40th and 50th minute of
any hour. Two dialogue boxes are displayed:
"DIVINA IS THE BEST!"
followed by a box titled "Virus 'DIVINA' in esecuzione" and
containing some message in Italian. After that the virus quits
Windows.
Judging on the language, style, variables and subroutine names
it is certain that Divina was written by the same person who
wrote AntiDMV. AntiDMV is fairly widespread in Italy, Malta and
Spain but should have stopped replicating after June 1, 1996.
Thus, AntiDMV could infact be AntiDivina.
-----------------------------------------------------------------
Xenixos
Aliases: Nemesis, Evil One
Type: Word Macro Virus
Description
This virus was distributed in a file named "NEMESIS.ZIP" on an
Internet newsgroup back in February, 1996, and so has received
broad initial distribution.
Its further spread has been somewhat limited by the fact that it
is written to exploit only the German-language version of
Microsoft Word. It will infect the Global Template file of an
English Word user, but not replicate further into new documents.
It watches for attempts to print files while it is active, and
about half the times this happens it adds the phrase
"Brought to you by the Nemesis Corporation, ⌐ 1996"
onto the end of the document printing.
When files are saved, the virus encrypts them with the file
password "xenixos" just over half the time. Xenixos replaces the
Tools|Macros command with code that will display an error
message instead of the activating WordÆs built-in macro
viewer/editor, so it is not so easy to see its macros are in
place.
One other interesting effect is that Xenixos tries is to plant
and arrange to have activated a variant of the DOS multipartite
virus known as Neuroquila, when files are saved after March 1.
It succeeds in planting this DOS virus, but not in running it.
The Neuroquila variant planted has a bug, so it only infects
boot sectors and not also programs.
AUTOEXEC.BAT is altered to call the Neuroquila virus.
-----------------------------------------------------------------
Imposter
Type: Word Macro Virus
Description
At the beginning of March, 1996, a new virus very closely
related to Concept was discovered in England by S&SÆs Virus Lab
researchers.
It contains code similar to that found in both the DMV virus,
and in Concept. In fact, one of its macros is always named DMV.
Like Concept, it contains a Payload macro, but this one says
"just to prove another point".
It was named Imposter dues to its attempt to appear as either
DMV or Concept and hopefully fool anti-virus products, an
attempt at which it is generally unsuccessful.
-----------------------------------------------------------------
Wazzu
Type: Word Macro Virus
Aliases: WM.Wazzu, WinWord.Wazzu, WordMacro.Wazzu
Variants: Wazzu.a, Wazzu.b
Description
Wazzu is a Microsoft Word macro virus. This virus only contains
one macro, AutoOpen. Since the name of the AutoOpen macro is the
same in all language versions of MS Word, this is the first
virus that will replicate equally effectively in all
International versions of Word.
Wazzu has an interesting payload - when the infected document is
opened, the virus calls a routine three times. Each time there
is a 20% probability that the virus will move one word in the
document to a random place in the document. There is then a 25%
probability that the virus will also insert the word "wazzu" at
a random point in the document. The virus then returns to the
beginning of the document..
-----------------------------------------------------------------
Nuclear.B
Type: Word Macro Virus
Description
A variant of Nuclear, altered from the original virus apparently
by some curious and inept user messing around with it, was
discovered in a corporation in France in early March.
Since the original Nuclear virus was encrypted, it is likely
that the user obtained the unencrypted source from where it was
posted into an Internet newsgroup created for the distribution
of viruses and the promotion of virus writing, and worked from
that to create this new variant.
Nuclear.B does not try to plant the PH33R virus, but calls other
destructive routines from the original virus instead at that
point.
This variant does not replicate in encrypted form, so it will be
much easier for others to learn from, and it is to be expected
that advanced macro virus programming techniques from this virus
will start showing up much more often in future viruses.
-----------------------------------------------------------------
Polite
Type: Word Macro Virus
Description
In late March, a new macro virus named Polite was discovered in
the USA. It installs only FileClose and FileSaveAs replacement
macros, and so avoids detection by systems watching Auto macros.
It is rather odd in that it asks each time before it infects a
document. Unfortunately, it does not ask when it originally
infects the Global Template. It is not expected to survive and
spread well in the wild.
-----------------------------------------------------------------
WM.Colors
Alias: Colors.B
Type: Word Macro Virus
Description
In early April 1996, a prominent anti-virus researcher
investigated what appeared at first to be an outbreak of the
ordinary Colors macro virus (described above) in Portugal. When
a sample of the virus involved was examined, he discovered that
it contained the Colors virus, except that the macro replacing
AutoOpen was not from Colors, it was the one found in Concept!
One likely explanation of what happened is that a machine
infected with Colors was then exposed to a document infected
with Concept. This replaced ColorsÆ AutoOpen macro with the one
from Concept, and when the other code in Colors caused Colors to
replicate it copied the Concept version of the AutoOpen macro to
the target instead of its own AutoOpen, without checking. In any
case, the virus still replicates, in its new form.
Here we have a new virus that has very likely been formed from a
system being exposed to two earlier viruses, which could be said
to have "mated" and exchanged "genetic material".
-----------------------------------------------------------------
WM.Telefonica
Alias: LBNYJ
Type: Word Macro Virus
Description
Discovered in late April, 1996, this is another German-Word
specific virus. It tries to create and execute an encrypted .COM
file via debug 1 out of 60 infections.
It replicates using MacroCopy to replicate its set of seven
macros, including FileNew, FileOpen, FileClose, AutoOpen and
Autoexec.
This virus was first reported attached to a document which was
an order form in German for a set of erotic videos.
-----------------------------------------------------------------
WM.Phantom
Alias: Guess Type: Word Macro Virus
Description
In early May, another multi-language macro virus was discovered,
again in Germany.
The only macro attached, AutoOpen, is language independent. It
is also encrypted. It can only replicate through this AutoOpen
macro.
When decrypted, it appears to have been written by kids in a
high school. It displays some silly messages, including
"Hi sexy !"
and
"Guess who ?".
-----------------------------------------------------------------
Friendly
Type: Word Macro Virus
Description
This virus, again German in origin, was discovered in mid May,
1996. It shows signs of having been written by the same person
as LBYNJ. It creates an .INI file entry
[FRIENDS]
in which it sets:
Author=Nightmare Jocker
It attempts to be bilingual by carrying along with it a complete
set of its macros in English, as well as a complete set in
German ! This brings the total macro count to 20 macros.
Unfortunately for the author, who apparently did not have a copy
of Word in English to test with, his English set of macros are
improperly saved, and so the virus does not work under English
versions of Word after all.
When it replicates under German Word, it plants a copy of a
variant of the old DOS virus "Little Brother".
-----------------------------------------------------------------
Concept.B.Fr
Type: Word Macro Virus
Description
Again in early March, someone translated the FileSaveAs macroÆs
name in Concept into the French equivalent, producing a
French-only version of Concept that infected a large site within
France. This is the only difference between it and the original
Concept.
-----------------------------------------------------------------
FormatC
Type: Word macro trojan
Description:
This is not a virus, but a trojan because it does not replicate.
It does, however, format your C: drive as soon as the document
is opened.
This trojan was posted to a Usenet newsgroup.
-----------------------------------------------------------------
Wiederoffnen
Type: Word macro trojan
Description:
Wiederoffnen is not a virus, but a Word macro trojan. It comes
in a Microsoft Word 2 document but works perfectly under Word 6
too. Wiederoffnen intercepts the AutoClose macro and when the
document is closed plays tricks with AUTOEXEC.BAT.
-----------------------------------------------------------------
Green Stripe:
Aliases: AMP.GreenStripe
Type: Ami Pro macro virus
Description:
This virus infects Ami Pro document files (*.SAM) by creating
for every .SAM file a corresponding .SMM (Ami Pro macro) file
with the same name in the same directory and linking .SAM to
.SMM in such a way that opening .SAM invokes execution of the
.SMM. .SMM files are hidden and cannot be seen with a simple DIR
command - DIR /AH will work though.
When an infected document is opened, the virus gets control and
infects all *.SAM files in the current directory which is always
Ami Pro's default DOCS directory (...\AMIPRO\DOCS). The process
is very noticeable since all the doc files are opened and then
closed one by one and a user can see them quickly
appearing/disappearing on the screen.
Then the virus intercepts File/Save and File/Save As commands.
On File/Save As the virus infects the document being saved. And
this is the only way the virus can propagate to another
computer. Since both .SAM and .SMM files are necessary for the
virus and since .SAM file contains an absolute pathname as a
reference to the appropriate .SMM file, if one simply copies
either .SAM or both .SAM and .SMM files to a floppy and then
opens .SAM under Ami Pro on a different computer, the virus
won't run. But when a document (.SAM) is copied using File/Save
As both .SAM and .SMM are transferred and the pathname link is
changed accordingly.
File/Save was supposed to be used for the virus' payload. On
File/Save the virus should replace all occurences of "its" in
the document with "it's". This did not appear to work in our
experiments however.
Unlike with Word macro viruses, this Ami Pro virus is very
unlikely to be transmitted by E-mail. Again, this is due to the
fact that Ami Pro keeps macros in separate .SMM files, while
only .SAM file is sent as a cc:Mail attachment.
The name of the virus - Green Stripe - is taken from the virus
itself. It's main macro procedure is called Green_Stripe_virus.
Detection is made easier by a number of factors:
Firstly, as mentioned above, when an infected document is opened
it is very noticeable - the screen keeps blinking as numerous
documents are loaded and then closed.
Secondly, after loading a document, one can go to
Tools/Macros/Edit and see whether the document has an
appropriate macro file (same name, .SMM) assigned to it to be
executed on open.
The report will contain the names of all infected (and now
deleted) .SMM files. Then one should run Ami Pro and for each
.SMM file listed in the report load .SAM file with the same name
(there will be an error message saying that the appropriate .SMM
file was not found), go to Tools/Macros/Edit and uncheck the
Assign box(es).
-----------------------------------------------------------------
WM.NOP
WM.NOP is a new WordMacro virus æin the wildÆ in Germany.
In order to spread, this virus requires the German version of
Microsoft Word for Windows 6.0 or above; under other language
versions of Word for Windows, the virus will infect NORMAL.DOT
but will not spread further.
Documents infected with WM.NOP contain the macros AutoOpen and
NOP. When an infected document is opened under Word for Windows,
the virus gets control via the AutoOpen macro and infects the
NORMAL.DOT global template. In an infected NORMAL.DOT, the
AutoOpen macro becomes NOP; and the NOP macro becomes
DateiSpeichern [German for FileSave].
WM.NOP has no payload.
-----------------------------------------------------------------
WM.AntiDMV
WM.AntiDMV is a new WordMacro virus; it is reportedly in the
wild in Italy, Malta and Spain and probably in some other
Mediterranean countries.
This virus was designed to spread until 1 June 1996; and should,
therefore, have stopped spreading at this time. However, it is
possible that many infected documents and templates may exist
æin the wildÆ.
WM.AntiDMV contains only one macro, AutoOpen. If an infected
document is opened under Microsoft Word for Windows, the current
year is before 1997 and the current month is before the 6 June,
the virus infects NORMAL.DOT. The virus also removes the macro
AutoClose from documents and templates, if it exists.
It is the time-limited feature, plus the removal of the
AutoClose macro, which prompted the name of the virus; it
effectively removes the WM.DMV virus.