AVPWW102.TXT (1995-09-13)
AntiViral Toolkit Pro for Microsoft Word (AVPWW)
------------------------------------------------
version 1.02
This package contains an anti-virus utility for the two known viruses that
infect Microsoft Word documents. The package is FREEWARE.
To check your copy of Microsoft Word for these viruses, start Microsoft Word
and open the file AVPWW102.DOC. If your Word is already infected, AVPWW
displays a warning message. To install AVPWW as a "memory resident" utility,
press the "Install" button while AVPWW102.DOC is open.
See AVPWW102.DOC for more details.
To find all infected files, use the anti-virus database WINWORD.AVB with the
AVP for DOS scanner, running the scanner in "Redundant" mode (see the "Setup"
menu of AVP for DOS). Then load each infected document into Word with the
AVPWW utility installed: once installed, AVPWW disinfects the document
automatically.
The contents of package
-----------------------
The package consists of the following files:
AVPWW102.TXT - this file
AVPWW102.DOC - anti-virus utility AVPWW ver. 1.02
WINWORD.AVB - anti-virus database for AVP for DOS scanner
FILE_ID_DIZ - ID file
The viruses infect Microsoft Word documents
-------------------------------------------
1995 has brought a new type of virus: infectors of Microsoft Word documents.
These viruses infect (not overwrite!) DOC files in the Microsoft Word ver.6
format.
The system becomes infected while READING an infected file. To infect a
computer it is enough to run Microsoft Word ver.6 and open the infected file.
After that the virus spreads into every newly created DOC file. When such a
newly created, infected file is sent to another (clean) computer, it infects
that computer too as soon as it is opened in Microsoft Word.
These viruses spread VERY FAST, because DOC files are sent and received far
more often than executable files.
These viruses can infect Microsoft Word files on any computer, not only an
IBM PC. They work equally well under Microsoft Word 7 and Microsoft Word 6
for NT.
When a Word document is opened, Word executes the macros stored inside the
file. If that document is infected, Word therefore executes *infected*
macros, i.e. the virus code. The virus copies its macros into the Global
Macros area and defines a FileSaveAs macro; from then on it copies its macros
into every newly created document (i.e. every document saved with the "Save
As" command). While saving, the virus also converts ordinary Microsoft Word
document files into Template format, because only templates can carry macros.
On exit from Word the Global Macros are automatically saved into the system
DOT file (NORMAL.DOT or another). So on the next start of Word the virus
receives control before the first document is read: it infects the
environment while the Global Macros are being loaded from the DOT file.
WinWord.Concept virus (aka WW6Macro)
------------------------------------
Fortunately, this virus does not call any dangerous trigger routine; the place
reserved for such a routine contains only the string:
That's enough to prove my point
It is not yet clear, however, whether the virus is free of other "deep" side
effects (i.e. whether it is 100% compatible with Word).
Infected files contain the strings:
see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point
and others.
On an infected system WINWORD6.INI contains the line:
WW6I= 1
On the first execution of the virus code (i.e. on the first opening of an
infected file) a MessageBox showing the digit "1" appears.
WinWord.Nuclear virus
---------------------
The WinWord.Nuclear virus infects Microsoft Word documents as well as COM, EXE
and NewEXE (Windows) files.
In documents the virus consists of encrypted macros. These macros can drop a
COM/EXE/NewEXE virus.
Once dropped, the COM/EXE/NewEXE virus stays memory resident and infects
executable files, but it cannot infect Microsoft Word documents.
The document part of the virus contains the macros:
AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
InsertPayload, Payload, DropSuriv, FileExit
During installation these macros are copied into the Global Macros area.
All of these macros call the "DropSuriv" macro, which checks the system time
and drops the COM/EXE/NewEXE virus if the time is between 17:00 and 18:00.
For dropping, the virus uses the DEBUG utility.
First, the virus checks for C:\DOS\DEBUG.EXE. If it exists, the virus creates
the temporary file PH33R.SCR in the C:\DOS directory and writes a hex dump of
the COM/EXE/NewEXE virus together with DEBUG commands into it. Then it creates
the temporary file EXEC_PH.BAT with the following contents:
@echo off
debug < ph33r.scr > nul
and executes it. As a result the DEBUG utility builds a copy of the
COM/EXE/NewEXE virus in memory and executes it. That virus hooks INT 21h and
appends itself to the end of COM/EXE/NewEXE files when they are opened,
executed, renamed or have their attributes changed.
The BAT file runs in the background, so the user does not notice that there
are now two(!) viruses on the PC.
Finally the virus deletes the temporary files PH33R.SCR and EXEC_PH.BAT.
When documents are printed, the virus appends the following text to roughly
every 12th document (when the seconds of the current time are 55 or more):
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
These lines are appended to the document immediately before printing, so the
user does not see them (documents usually occupy more than one screen). This
has a very curious effect, especially when documents are sent by fax.
On the 5th of April the virus erases the files IO.SYS and COMMAND.COM.
The COM/EXE/NewEXE part of the virus contains the text strings:
=Ph33r=
Qark/VLAD
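The indicator strings listed for WinWord.Concept, the WW6I line in WINWORD6.INI, and the macro names, temporary file names and print payload listed for WinWord.Nuclear can all be turned into a simple signature check. The script below is an added example written for this page; it is not part of the AVPWW package or the AVP scanner. It assumes that the indicators appear as plain ASCII bytes in an infected file (Nuclear's macro bodies are encrypted, so only macro names, dropper file names and payload text are looked for) and that a short token on its own is not proof of infection. The sample "documents" and INI contents are constructed for the example.

```python
"""Signature scan for the two Word macro viruses described above (added example)."""

# Strings the text says WinWord.Concept leaves in infected files.
CONCEPT_STRINGS = (
    b"see if we're already installed",
    b"iWW6IInstance",
    b"AAAZFS",
    b"AAAZAO",
    b"That's enough to prove my point",
)

# Macro names that only WinWord.Nuclear defines (AutoOpen, FileSaveAs etc. are also
# used by ordinary templates, so they are not signatures). "Payload" is omitted
# because it is a substring of "InsertPayload" and would be counted twice.
NUCLEAR_MACROS = (b"DropSuriv", b"InsertPayload")
# Dropper file names, print payload and strings of the dropped executable part.
NUCLEAR_STRINGS = (
    b"PH33R.SCR",
    b"EXEC_PH.BAT",
    b"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!",
    b"=Ph33r=",
    b"Qark/VLAD",
)

SIGNATURES = {
    "WinWord.Concept": CONCEPT_STRINGS,
    "WinWord.Nuclear": NUCLEAR_MACROS + NUCLEAR_STRINGS,
}

# A lone six-letter token such as AAAZFS could occur by chance; require two hits.
MIN_HITS = 2


def scan_document(data: bytes) -> dict:
    """Return {virus name: [matched indicators in signature order]} for each family hit."""
    hits = {}
    for name, sigs in SIGNATURES.items():
        found = [s.decode("ascii") for s in sigs if s in data]
        if found:
            hits[name] = found
    return hits


def classify(data: bytes) -> list:
    """Names of the families with at least MIN_HITS indicators, sorted."""
    return sorted(n for n, found in scan_document(data).items() if len(found) >= MIN_HITS)


def winword_ini_infected(ini_text: str) -> bool:
    """True if WINWORD6.INI carries the WW6I=1 key that Concept writes.

    Tolerates spaces around '=' (the text shows "WW6I= 1") and mixed case,
    and skips section headers and ';' comment lines.
    """
    for line in ini_text.splitlines():
        line = line.strip()
        if not line or line.startswith((";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().upper() == "WW6I" and value.strip() == "1":
            return True
    return False


# Constructed sample inputs (not real documents). The OLE2 magic and padding
# stand in for the rest of a Word 6 file; this is an assumption for illustration.
FILLER = b"\xd0\xcf\x11\xe0" + b"\x00" * 64
SAMPLE_CONCEPT = FILLER + b"Sub MAIN\n' see if we're already installed\n" \
    b"iWW6IInstance\nAAAZFS\nAAAZAO\n" + FILLER
SAMPLE_NUCLEAR = FILLER + b"DropSuriv\nInsertPayload\nPH33R.SCR\nEXEC_PH.BAT\n" + FILLER
SAMPLE_CLEAN = FILLER + b"Sub MAIN\nMsgBox \"Hello\"\nEnd Sub\n" + FILLER
SAMPLE_INI = "[Microsoft Word]\nWW6I= 1\nDOC-PATH=C:\\WINWORD\n"

if __name__ == "__main__":
    for label, blob in (("concept", SAMPLE_CONCEPT), ("nuclear", SAMPLE_NUCLEAR), ("clean", SAMPLE_CLEAN)):
        print(label, classify(blob), scan_document(blob))
    print("WINWORD6.INI infected:", winword_ini_infected(SAMPLE_INI))
```

Run the script directly to see the three constructed samples classified; to scan real files, pass `open(path, "rb").read()` to `classify`. A match on the document strings only tells you a file carries the macros; the WINWORD6.INI check is the cheap way to tell whether Concept has already installed itself on the system.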
New AVP Shareware Releases / Updates
------------------------------------
Information about new releases/updates is available in local conferences:
Internet: relcom.comp.virus Russia
FidoNet: AVP.SUPPORT Russia
AVP.FR France
New releases and updates for Antiviral Toolkit Pro (AVP) are available on:
Anonymous FTP sites:
a) Weekly & Cumulative Updates, Shareware versions:
Server:                        Path:                                              Filenames:
===========================================================================
ftp.command-hq.com             /pub/command/avp/                                  *.*
io.com                         /pub/usr/pmonti/avp/                               *.*
ftp.informatik.uni-hamburg.de  /pub/virus/progs/avp/                              *.*
sunsite.unc.edu                /pub/docs/security/hamburg-mirror/virus/progs/avp/ *.*
ftp.sct.fr                     /pub/virus/tools/antivirus/avp/updates/            *.*
ftp.sunet.se                   /pub/security/virus/progs/avp/                     *.*
ftp.uu.net                     /pub/security/virus/progs/avp/                     *.*
ftp.icomm.rnd.su               /ANTIVIRUS/AVP/                                    *.*
b) Cumulative Updates and Shareware versions:
Server:                        Path:                                   Filenames:
===========================================================================
SimTel:
oak.oakland.edu                /pub/msdos/virus/                       avp*.*
SimTel Mirrors: (a small selection, there are many more)
ftp.switch.ch                  /mirror/simtel/msdos/virus/             avp*.*
ftp.cyf-kr.edu.pl              /pub/mirror/simtel/msdos/virus/         avp*.*
ftp.icm.edu.pl                 /pub/simtel/msdos/virus/                avp*.*
micros.hensa.ac.uk             /mirrors/simtel/msdos/virus/            avp*.*
ftp.ibp.fr                     /pub/pc/SimTel/msdos/virus/             avp*.*
ftp.cs.cuhk.hk                 /pub/simtel/msdos/virus/                avp*.*
ftp.sun.ac.za                  /pub/simtel/msdos/virus/                avp*.*
WWW-Sites:
URL:                                   Desc.                           Lang.
==========================================================================
http://www.marktplatz.ch/metro/        AVP-Information / News, etc.    E/D
http://www.command-hq.com/command      AVP-Information                 E
http://www.icomm.rnd.su/icomm/avp/     AVP-Information                 R/E
Lang.: E=English  D=Deutsch (German)  R=Russian
BBSs:
Switzerland:
Metropolitan Network BBS:
+41 (0)31 348-1331 (2 lines) 2400-33600bps V.34+/V.FC/V.32bis/HST
+41 (0)31 348-0422 (1 line) 2400-28800bps V.34/V.FC/V.32bis/HST
Russia:
+7 (8632) 69-6931 (8 lines) 2400-14400 V32bis
+7 (095) 278-9949
+7 (095) 932-8465
+7 (092) 223-7354
AVP distributors and technical support sites
--------------------------------------------
Belgium:
bvba DataRescue sprl, 110 route du Condroz, 4121 Neuprê, Belgium
contact : Dr Pierre Vandevenne
Phone/Fax : +32-41-729114
BBS/Fax : +32-41-729110
E-mail : peterpan@datarescue.knooppunt.be
FIDO : 2:293/2213
France:
Editions Gerard MANNIG, BP 7, F-76161 DARNETAL CEDEX
contact : Gerard MANNIG
Phone/FAX : +33 3559-9344/+33 3559-9344
E-mail : mannig@world-net.sct.fr
FIDO : 2:322/2.1
Germany:
Howard Fuhs Elektronik, Computer Virus Research Lab Germany
Rheingaustr. 152 65203 Wiesbaden - Biebrich
Phone : +49 611 67713
Fax : +49 611 603789
CompuServe : 100120,503
Internet : 100120.503@compuserve.com
FIDO : 2:244/2120.7
PROKON software - Theo Christoph, Hauptstrasse 42
07751 Rothenstein - Deutschland
Phone : +49 36424-56509
Fax : +49 36424-56511
BBS : +49 36424-56512 (v.32bis/terbo/V.FC/V.34 - soon available)
: +49 36424-56513 (v.32bis/terbo/V.FC/V.34 - soon available)
E-mail : prokon@gtc11.gtc.net
Italy:
C.S.I. srl
Mail address : Rome, Aquileia st. n. 7 (Italy)
Phone(s)     : +39-6-8607663, +39-6-5020879
Fax          : +39-6-86321371
E-mail       : MC3162@mclink.it
               pmonti@io.com
FIDO         : 2:335/420
Netherlands:
Address : Roggekamp 416, 2592 VH The Hague, The Netherlands
Contact : Titia Vlaardingerbroek
Phone : +31703836044
Fax : +31703471256
E-mail : vrch@knoware.nl
FIDO : 2:281/552
VIRNET : 9:3110/0
BBS : +31703857867
Poland:
Address : VACIMEX Al. Stanow Zjednoczonych 46/24 04-036 Warszawa
Tel/Fax : +48-22 106246
e-mail : bored@maloka.waw.pl, vacimex@.maloka.waw.pl
Russia:
KAMI Ltd., Moscow 109052 Nizhegorodskaya st. 29,
Phone : +7-095-278-9412
Fax : +7-095-278-2418
E-mail : eugene@kamis.msk.su
BBS : +7-095-278-9949
FIDO : 2:5020/156
Intercommunications CO, 107/25 Oborony st, 344007, Rostov-na-Donu, Russia
Contact : Mikhael Monastyrsky, Alexander Ivanov
Phone(s) : +7 (8632) 62-0562, 63-1360, 64-3088
Fax : +7 (8632) 63-1360
E-mail : avp-support@icomm.rnd.su
BBS : +7 (8632) 69-6931 (8 lines) 2400-14400 V32bis
or telnet icomm.rnd.su
FTP : ftp.icomm.rnd.su
WWW : www.icomm.rnd.su
call for more AVP distributors in Russia
Switzerland:
Metropolitan Network BBS, AVP, Postfach 827, 3000 Bern 8
Contact : Gerard VUILLE
Phone(s) : +41 (0)31 348-1333
Fax : +41 (0)31 348-1335
E-mail : avp-support@metro-net.ch
BBS : +41 (0)31 348-1331 (2400-33600bps V.34/V.FC/HST)
WWW : http://www.thenet.ch/metro/
http://www.marktplatz.ch/metro/
USA:
Company : Central Command Inc.
Address : P.O. Box 856 Brunswick, Ohio 44212
Phone : 216-273-2820
FAX : 216-273-2820
Contact : Keith A. Peer
E-mail : keith@command-hq.com
Support : support@command-hq.com
Sales : sales@command-hq.com
FTP : ftp.command-hq.com /pub/command/avp
WWW : http://www.command-hq.com/command [not operational yet]