Text File | 1996-01-26 | 6KB | 135 lines
ATTENTION !!! ATTENTION !!! ATTENTION !!!
WinWord.Concept - A NEW VIRUS DESIGNED TO INFECT WINWORD DOCUMENT FILES
Copyright (c) Igor Daniloff 1995
A new-generation virus, WinWord.Concept, appeared in July/August this year.
It is specifically designed to infect document files of WinWord 6.0 or 7.0.
It is spreading at an alarming rate and has been detected in more than
25 countries: the United States, Great Britain, Finland, Germany, Russia, and
elsewhere. This is not surprising, because WinWord has become a de facto
international standard for document preparation and exchange all over the
world.
The virus infects a system when an infected doc file is opened for
editing. On opening an infected doc file, WinWord calls the virus macros,
which are written in WordBasic and defined as global macros. These macros copy
the virus body (virus macros) when an "old document" is saved or when a new
document is saved through the "Save As" command.
At the end of a WinWord session, the global virus macros are automatically
saved in a DOT file (as a rule, normal.dot). At the next start of WinWord,
the global virus macros are automatically loaded again.
This virus does not exhibit any obvious destructive activities, but side
effects may be observed in certain particular cases; for example, WinWord may
refuse to convert a document. Furthermore, the virus is not operative in
Russianized WinWord.
The virus can be detected as follows. Open the menu "Tools | Macro |
All Active Templates". If the system is infected, the list of All Active
Templates will contain the macros AAAZAO, AAAZFS, FileSaveAs, and PayLoad.
An infected document file contains the following text strings:
    see if we're already installed
    iWW6IInstance
    WW6Infector
    AAAZFS
    AAAZAO
    That's enough to prove my point
These text strings can be seen by opening the file in any simple ASCII text
viewer; for example, the viewer of Norton Commander. A global search for
infected files can be made with the TS (Text Search) program of Norton
Utilities through the following command:
    TS WW6Infector *.DOC /S /T /A /LOG >c:report.txt
In an infected system, the winword6.ini file contains the line
    WW6I= 1
When activated, the virus first adds this line to the WinWord initialization
file. This fact is helpful in safeguarding your system against this virus
with the DialogueScience Anti-virus kit:
(1) if the Sheriff protection system is installed on your machine, include
winword6.ini in the list of files to be protected by Sheriff to prevent the
virus from being activated, or
(2) if the ADinf integrity checker is installed on your machine, include
winword6.ini in the list of stable files (along with nc.exe, command.com,
etc.). If ADinf warns of virus-like activity in your system, check
whether the winword6.ini file contains the line WW6I= 1.
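Added example (not part of the original advisory or of DialogueScience's
tools): a small Python scanner applying the two checks described above, the
marker strings in .DOC files and the WW6I= 1 line in winword6.ini. The sample
files are constructed for illustration, and the function names are this
example's own.

```python
import os
import re
import tempfile

# Marker strings the advisory lists for infected documents.
MARKERS = [b"see if we're already installed", b"iWW6IInstance", b"WW6Infector",
           b"AAAZFS", b"AAAZAO", b"That's enough to prove my point"]
# The winword6.ini line from the advisory ("WW6I= 1"), whitespace-tolerant.
INI_FLAG = re.compile(rb"^\s*WW6I\s*=\s*1\s*$", re.MULTILINE)

def markers_in(path):
    """Return the marker strings present in the file's raw bytes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return [m.decode() for m in MARKERS if m in data]

def scan_tree(root):
    """Recursively check *.DOC files; map relative path -> markers found."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".doc"):
                full = os.path.join(folder, name)
                if found := markers_in(full):
                    hits[os.path.relpath(full, root)] = found
    return hits

def ini_flagged(path):
    """True if the INI file contains the WW6I=1 line."""
    with open(path, "rb") as fh:
        return bool(INI_FLAG.search(fh.read()))

def demo():
    """Scan constructed sample files (not real documents) in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "SUB"))
        samples = {
            "CLEAN.DOC": b"quarterly report text",
            os.path.join("SUB", "MEMO.DOC"): b"\x00AAAZAO\x00AAAZFS\x00WW6Infector\x00",
            "NOTES.TXT": b"WW6Infector in a non-.DOC file is skipped",
            "winword6.ini": b"; constructed sample\r\nWW6I= 1\r\n",
        }
        for rel, body in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(body)
        return scan_tree(root), ini_flagged(os.path.join(root, "winword6.ini"))

if __name__ == "__main__":
    print(demo())
```

A document that merely quotes these strings, such as this advisory saved as a
.DOC file, matches as well, so treat each hit as a candidate for review.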
Besides these methods, you can advantageously use a new tool, Dr. Web
Vaccine for WinWord, which I have designed to eradicate the WinWord.Concept
virus. It is not an anti-virus for the DOS environment in the true sense of the
word, but it is designed as a vaccine document for WinWord, using the same
medium and technology as the virus itself.
To "start" the vaccine, open the document drwebvww.doc through WinWord. If
your system is infected, Dr. Web Vaccine will inform you that the system is
infected and delete the virus macros from the system. Then Dr. Web Vaccine
will ask whether you would like to install the vaccine program in the
system. Confirm your intention if you wish to safeguard your WinWord. After
installation, Dr. Web Vaccine will check every WinWord document for the
WinWord.Concept virus on opening. If the virus is detected in a document, Dr.
Web Vaccine will warn you and seek your permission to remove the virus from
the document.
After installation, there is no need to start Dr. Web Vaccine in
subsequent WinWord sessions; it is automatically loaded by WinWord. To
deinstall Dr. Web Vaccine, open the document drwebvww.doc once again through
WinWord. You will be asked to confirm your intention prior to deleting the
vaccine from the system.
Below is my PGP key for identifying and verifying Dr. Web Vaccine for
WinWord with the help of the confirmation signature in the file drwebvww.pgp.
The new anti-virus Dr. Web Vaccine for WinWord is distributed by
DialogueScience, Inc. as freeware. You can get it from the DialogueScience
BBS general access line, the ROSNET network in the open DialogueScience
anti-virus section, the Relis server in the relis.dials.web group, the FTP
server ftp.kiam1.rssi.ru, or directly at the DialogueScience Office.
For more information on Dr. Web anti-virus and Dr.Web Vaccine for
WinWord, call
DialogueScience, Inc., Moscow, Russia.
tel (095) 135-6253, 137-0150, tel/fax 938-2970
BBS (095) 938-2856 (14400/V.32bis, 19200/ZyXEL)
E-mail: lyu@dials.msk.su
FidoNet: 2:5020/69
Igor A. Daniloff, the designer, is available at
tel (812) 298-8624 (10.00-18.00)
E-mail: id@dials.msk.su , id@sald.spb.su
FidoNet: 2:5020/69.14 , 2:5030/87.57