Cream of the Crop 20

home *** CD-ROM | disk | FTP | other *** search

/ Cream of the Crop 20 / Cream of the Crop 20 (Terry Blount) (1996).iso / virus / avp0512.zip / AVPWW104.ZIP / AVPWW104.TXT < prev next >

Wrap

Text File | 1996-03-23 | 17KB | 421 lines

AntiViral Toolkit Pro for Microsoft Word (AVPWW) ------------------------------------------------ version 1.04 This package contains the anti-virus utility for known viruses that infect the Microsoft Word documents. This package is FREEWARE. To check your Microsoft Word for the viruses you should load Microsoft Word and open the AVPWWxxx.DOC file. If your Word is already infected, AVPWW displays a warning message. To install AVPWW "memory resident" you should press "Install" button while reading AVPWWxxx.DOC file. See AVPWWxxx.DOC for more details. To find all the infected files you should use anti-virus database MACRO.AVB and anti-virus scanner AVP for DOS. Then you should load all infected document into Word with installed AVPWW utility. AVPWW does automatically disinfection being installed. Macro-viruses The Macro-viruses use the features of Macro-languages that are built into the modern data-processing systems (text editors and spreadsheets). To allow the viruses to spread the systems have a built in macro-language that allows: 1) assignment of specific macro-program(s) to specific files 2) copy macro-program(s) from one file to another 3) pass the control to macro-program(s) without user's permission (Auto-macroses). There are three systems that meet these conditions: Microsoft Word, Microsoft Excel and Lotus AmiPro. These systems contain built-in Basic-like macro languages (Word - Word Basic, Excel - Visual Basic), and: 1) macro-program(s) are assigned to specific file(s) (AmiPro), or exists only within the file body (Word, Excel); 2) macro-language allows to copy DOS-files (AmiPro) or copy macro-programs into the system and other files (Word, Excel); 3) while working with a file the macro-programs are executed under some conditions (file opening, closing, and so on), these programs are defined by special commands (AmiPro), or they have standard names (Word, Excel). These features of modern systems was designed to write "document auto-processing systems", but they also allow for the viruses to spread their copies, i.e. to infect the files. There are three known systems that may be infected with the computer virus: Microsoft Word, Excel and AmiPro. Under these systems the viruses receive the control while opening/closing an infected document, then they hook one or more system events (functions, macros), and infect the files that are accessed with these functions. The macro viruses are "memory resident". They hook the system events and are active not only at the moment of file opening/closing, but during all time when the system is working. Macro.Word-viruses Macro.Word.Atom ─────────────── This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and infects Word while loading the infected document (AutoOpen). This virus infects the files in two ways: while opening the file (command File/Open, macros FileOpen), and while saving the document with new name (command File/SaveAs, macros FileSaveAs). While infecting the document while saving it with new name (FileSaveAs) the virus checks the system time. If the value of seconds is equal to 13 the virus set the password ATOM#1 for this document. The virus cannot set the password if the file is already infected - Word displays the message about WordBasic error. While opening the infected document on 13th of December the virus deletes all files of current directory. We did not check it, but the system has to display the error message while deleting opened files. Macro.Word.Color (Rainbow, Color Changer) This is a encrypted virus, it contains the macroses: macros, FileNew, AutoExec, AutoOpen, FileExit, FileSave, AutoClose, FileSaveAs, ToolsMacro This virus infects the files while creating of new document (FileNew) and while saving the document with new name (FileSaveAs). On each 300th call to the file functions (FileNew, AutoOpen, FileExit, FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the section [colors] in the WIN.INI file, and sets the random selected colors for Windows components. New colors appear after next Windows loading. The virus keeps the trigger counter in the WIN.INI file in the [windows] section: [windows] countersu= 234 The virus allows Auto-macroses (AutoOpen, AutoClose and so on), it sets DisableAutoMacros to zero. When the virus is active, it is impossible to activate Tools/Macro command. To manual disinfection it is necessary to delete virus' macroses by using Organizer (Tools/Customize, Word command, then draw Organizer out to toolbar). Macro.Word.Concept (WW6Macro) This is the first WinWord virus found "in the wild". The virus contains five macroses: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects the files that are SaveAs'ed (FileSaveAs). There are the text strings in the infected document: see if we're already installed iWW6IInstance AAAZFS AAAZAO That's enough to prove my point and other. The WINWORD6.INI on infected system contains the file: WW6I= 1 On the first execution of the virus code (i.e. on the first opening of the infected file) the MessageBox appears with digit "1" inside, and "Ok" button. Macro.Word.DMV This is the first known MS-Word macro-virus. It contains only one macros - AutoClose, and infects the files that are saved on disk. While infecting this virus displays the MessageBox'es with the header: Document Macro Virus The messages are: Counting global macros. AutoClose macro virus is already installed in NORMAL.DOT. AutoClose macro virus already present in this document. Saved current document as template. Infected current document with copy of AutoClose macro virus. Macro virus has been spread. Now execute some other code (good, bad, or indifferent). Macro.Word.Hot This is encrypted virus. It contains the macroses: AutoOpen, InsertPBreak, DrawBringInFrOut, ToolsRepaginat. While infecting the system that virus renames the ToolsRepaginat macros to FileSave, and then infects the existing documents that are saved on disk (FileSave). While infecting the documents the virus renames FileSave macros back to ToolsRepaginat name. While infecting the system the virus inserts the string "QLHot=nnnn" into the WINWORD6.INI file, where "nnnn" is the "triggering day", it is the number of current day of this century plus 14, for example: QLHot=35110 The next days the virus selects random value from 1 till 6, and adds to the "triggering day". If the result is equal to the current day, the virus deletes the file before saving it to disk. 14 days after last modifying of the "QLHot" string the virus renews it. The virus does no action if there is the C:\DOS\EGA5.CPI file. The virus does not work under Microsoft Word 7.0. While opening the infected document the system displays the message: Unable to load specified library Macro.Word.Imposter This is a plagiarism from "Word.Macro.Concept" and "Word.Macro.DMV". It contains two macroses: in infected document: AutoClose, DMV in infected NORMAL.DOT: FileSaveAs, DMV While infecting the system the virus receives the control in AutoClose document, renames DMV macros to FileSaveAs, then renames AutoClose to DMV. While infecting the files (FileSaveAs) the virus renames these macros back DMV -> AutoClose, FileSaveAs -> DMV. While infecting the documents the virus displays the MessageBox: DMV One of the strings in the virus body looks like follows: just to prove another point Macro.Word.Nuclear It is encrypted virus, it contains the macroses: AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault, InsertPayload, Payload, DropSuriv, FileExit While installation these macros are copied into Global Macros area, and overwrites the macros if they are already present there. Then the virus infects the documents by FileSaveAs macros. The virus manifest itself in three ways: 1) runs COM