Text File | 1996-03-23 | 17KB | 421 lines

AntiViral Toolkit Pro for Microsoft Word (AVPWW)
------------------------------------------------
version 1.04

This package contains an anti-virus utility for known viruses that infect
Microsoft Word documents. This package is FREEWARE.

To check your Microsoft Word for viruses, load Microsoft Word and open the
AVPWWxxx.DOC file. If your Word is already infected, AVPWW displays a
warning message. To install AVPWW "memory resident", press the "Install"
button while reading the AVPWWxxx.DOC file. See AVPWWxxx.DOC for more
details.

To find all infected files, use the anti-virus database MACRO.AVB and the
anti-virus scanner AVP for DOS. Then load each infected document into Word
with the AVPWW utility installed. Once installed, AVPWW disinfects
documents automatically.

Macro-viruses

Macro-viruses use the features of the macro languages that are built into
modern data-processing systems (text editors and spreadsheets). For
viruses to be able to spread, a system must have a built-in macro language
that allows:

1) assigning specific macro-program(s) to specific files
2) copying macro-program(s) from one file to another
3) passing control to macro-program(s) without the user's permission
   (auto-macros).

There are three systems that meet these conditions: Microsoft Word,
Microsoft Excel and Lotus AmiPro. These systems contain built-in
Basic-like macro languages (Word - Word Basic, Excel - Visual Basic),
and:

1) macro-program(s) are assigned to specific file(s) (AmiPro), or exist
   only within the file body (Word, Excel);
2) the macro language allows copying DOS files (AmiPro) or copying
   macro-programs into the system and other files (Word, Excel);
3) while working with a file, macro-programs are executed under certain
   conditions (file opening, closing, and so on); these programs are
   defined by special commands (AmiPro), or they have standard names
   (Word, Excel).

These features of modern systems were designed for writing "document
auto-processing systems", but they also allow viruses to spread their
copies, i.e. to infect files.

There are three known systems that may be infected with a computer virus:
Microsoft Word, Excel and AmiPro. Under these systems the viruses receive
control when an infected document is opened or closed, then they hook one
or more system events (functions, macros), and infect the files that are
accessed with these functions.

Macro viruses are "memory resident". They hook system events and are
active not only at the moment of file opening/closing, but for the whole
time the system is running.

Macro.Word-viruses

Macro.Word.Atom
───────────────
This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and
infects Word when the infected document is loaded (AutoOpen).

This virus infects files in two ways: when a file is opened (command
File/Open, macro FileOpen), and when a document is saved under a new name
(command File/SaveAs, macro FileSaveAs).

When infecting a document that is being saved under a new name
(FileSaveAs), the virus checks the system time. If the value of seconds is
equal to 13, the virus sets the password ATOM#1 for this document. The
virus cannot set the password if the file is already infected - Word
displays a message about a WordBasic error.

When an infected document is opened on the 13th of December, the virus
deletes all files in the current directory. We did not check it, but the
system has to display an error message while deleting opened files.

Macro.Word.Color (Rainbow, Color Changer)

This is an encrypted virus. It contains the macros:

   macros, FileNew, AutoExec, AutoOpen, FileExit,
   FileSave, AutoClose, FileSaveAs, ToolsMacro

This virus infects files when a new document is created (FileNew) and
when a document is saved under a new name (FileSaveAs).

On each 300th call to the file functions (FileNew, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the
[colors] section of the WIN.INI file, and sets randomly selected colors
for Windows components. The new colors appear the next time Windows is
loaded. The virus keeps the trigger counter in the [windows] section of
the WIN.INI file:

   [windows]
   countersu= 234

The virus enables auto-macros (AutoOpen, AutoClose and so on): it sets
DisableAutoMacros to zero.

When the virus is active, it is impossible to activate the Tools/Macro
command. For manual disinfection it is necessary to delete the virus's
macros using Organizer (Tools/Customize, Word command, then drag Organizer
out to the toolbar).

Macro.Word.Concept (WW6Macro)

This is the first WinWord virus found "in the wild". The virus contains
five macros: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects
files that are saved with SaveAs (FileSaveAs).

The infected document contains the text strings:

   see if we're already installed
   iWW6IInstance
   AAAZFS
   AAAZAO
   That's enough to prove my point

and others. The WINWORD6.INI file on an infected system contains the line:

   WW6I= 1

On the first execution of the virus code (i.e. on the first opening of an
infected file) a MessageBox appears with the digit "1" inside and an "Ok"
button.

Macro.Word.DMV

This is the first known MS-Word macro-virus. It contains only one macro,
AutoClose, and infects files that are saved to disk. While infecting, this
virus displays MessageBoxes with the header:

   Document Macro Virus

The messages are:

   Counting global macros.
   AutoClose macro virus is already installed in NORMAL.DOT.
   AutoClose macro virus already present in this document.
   Saved current document as template.
   Infected current document with copy of AutoClose macro virus.
   Macro virus has been spread.
   Now execute some other code (good, bad, or indifferent).

Macro.Word.Hot

This is an encrypted virus. It contains the macros: AutoOpen, InsertPBreak,
DrawBringInFrOut, ToolsRepaginat. While infecting the system the virus
renames the ToolsRepaginat macro to FileSave, and then infects existing
documents that are saved to disk (FileSave). While infecting documents the
virus renames the FileSave macro back to ToolsRepaginat.

While infecting the system the virus inserts the string "QLHot=nnnn" into
the WINWORD6.INI file, where "nnnn" is the "triggering day": the number of
the current day of this century plus 14, for example:

   QLHot=35110

On the following days the virus selects a random value from 1 to 6 and
adds it to the "triggering day". If the result is equal to the current
day, the virus deletes the file before saving it to disk.

14 days after the last modification of the "QLHot" string the virus renews
it.

The virus takes no action if the C:\DOS\EGA5.CPI file exists.

The virus does not work under Microsoft Word 7.0. When an infected
document is opened, the system displays the message:

   Unable to load specified library
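
Added example, not part of the original AVPWW text: the INI entries
described above for Color (countersu), Concept (WW6I) and Hot (QLHot),
checked in copies of WIN.INI and WINWORD6.INI, with the QLHot day number
decoded. It assumes that "day of this century" counts 1 January 1900 as
day 1 and that the entries may sit in any section of WINWORD6.INI; the
sample files and function names are constructed for illustration.

```python
from datetime import date, timedelta

# (INI file, section or None for any section, key, family), all from the text above.
MARKERS = [
    ("win.ini", "windows", "countersu", "Macro.Word.Color"),
    ("winword6.ini", None, "ww6i", "Macro.Word.Concept"),
    ("winword6.ini", None, "qlhot", "Macro.Word.Hot"),
]

# ASSUMPTION: "day of this century" counts 1 January 1900 as day 1.
EPOCH = date(1900, 1, 1)

def parse_ini(text):
    """Yield (section, key, value); section and key names are compared in lower case."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            yield section, key.strip().lower(), value.strip()

def decode_qlhot(value):
    """Return (triggering_day, day_the_entry_was_written), or None if malformed."""
    try:
        trigger = EPOCH + timedelta(days=int(value) - 1)
    except (ValueError, OverflowError):
        return None
    return trigger, trigger - timedelta(days=14)  # entry = day written + 14

def find_markers(ini_name, text):
    """Return [(family, key, value)] for the markers found in one INI file."""
    hits = []
    for section, key, value in parse_ini(text):
        for name, want_section, want_key, family in MARKERS:
            if (ini_name.lower() == name and key == want_key
                    and want_section in (None, section)):
                hits.append((family, key, value))
    return hits

# Constructed sample files built around the entries quoted in the text.
SAMPLE_WIN_INI = "[windows]\nload=\ncountersu= 234\n[colors]\nWindow=255 255 255\n"
SAMPLE_WINWORD6_INI = "[Microsoft Word]\nWW6I= 1\nQLHot=35110\n"

if __name__ == "__main__":
    print(find_markers("WIN.INI", SAMPLE_WIN_INI),
          find_markers("WINWORD6.INI", SAMPLE_WINWORD6_INI), decode_qlhot("35110"))
```

Because the virus renews the QLHot entry every 14 days, the decoded
"written" date is the last time the entry was set, not necessarily the
date of first infection.
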

Macro.Word.Imposter

This is a plagiarism of "Word.Macro.Concept" and "Word.Macro.DMV". It
contains two macros:

   in an infected document: AutoClose, DMV
   in an infected NORMAL.DOT: FileSaveAs, DMV

While infecting the system the virus receives control in the document's
AutoClose macro, renames the DMV macro to FileSaveAs, then renames
AutoClose to DMV. While infecting files (FileSaveAs) the virus renames
these macros back: DMV -> AutoClose, FileSaveAs -> DMV.

While infecting documents the virus displays the MessageBox:

   DMV

One of the strings in the virus body looks as follows:

   just to prove another point
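
Added example, not part of the original AVPWW text: matching a list of
macro names (for instance as read from Organizer) against the macro sets
listed above for Atom, Color, Concept, DMV, Hot and Imposter, including the
renamed NORMAL.DOT states of Hot and Imposter. Treating macro names as
case-insensitive and rating a one-name match as "weak" are assumptions of
this example; the function name classify is hypothetical.

```python
# Macro-name sets per family, as listed in the descriptions above.
# Hot and Imposter rename macros once installed in NORMAL.DOT, so each has
# a "document" state and a "NORMAL.DOT" state.
SIGNATURES = {
    "Macro.Word.Atom": [{"Atom", "FileOpen", "FileSaveAs", "AutoOpen"}],
    "Macro.Word.Color": [{"macros", "FileNew", "AutoExec", "AutoOpen", "FileExit",
                          "FileSave", "AutoClose", "FileSaveAs", "ToolsMacro"}],
    "Macro.Word.Concept": [{"AAAZAO", "AAAZFS", "AutoOpen", "PayLoad", "FileSaveAs"}],
    "Macro.Word.DMV": [{"AutoClose"}],
    "Macro.Word.Hot": [
        {"AutoOpen", "InsertPBreak", "DrawBringInFrOut", "ToolsRepaginat"},
        {"AutoOpen", "InsertPBreak", "DrawBringInFrOut", "FileSave"},
    ],
    "Macro.Word.Imposter": [{"AutoClose", "DMV"}, {"FileSaveAs", "DMV"}],
}


def classify(macro_names):
    """Return [(family, strength)] for families whose full macro set is present."""
    # ASSUMPTION: macro names are compared without regard to case.
    present = {name.lower() for name in macro_names}
    matches = []
    for family, variants in SIGNATURES.items():
        for variant in variants:
            wanted = {name.lower() for name in variant}
            if wanted <= present:
                matches.append((family, wanted))
                break
    # A match that is a strict subset of another match adds nothing: DMV's
    # lone AutoClose is also part of the Imposter and Color sets.
    kept = [(f, w) for f, w in matches if not any(w < other for _, other in matches)]
    # ASSUMPTION: a one-name signature is rated "weak", since AutoClose is a
    # standard auto-macro name and is not specific to DMV.
    return [(f, "weak" if len(w) == 1 else "strong") for f, w in kept]


# Constructed macro listings for illustration.
INFECTED_DOC = ["AutoClose", "DMV"]
INFECTED_TEMPLATE = ["autoopen", "InsertPBreak", "DrawBringInFrOut", "FileSave"]

if __name__ == "__main__":
    print(classify(INFECTED_DOC))
    print(classify(INFECTED_TEMPLATE))
```
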

Macro.Word.Nuclear

This is an encrypted virus. It contains the macros:

   AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
   InsertPayload, Payload, DropSuriv, FileExit

During installation these macros are copied into the Global Macros area,
overwriting any macros of the same names that are already present there.
Then the virus infects documents via the FileSaveAs macro.

The virus manifests itself in three ways: 1) runs COM