Collection of Hack-Phreak Scene Programs

home *** CD-ROM | disk | FTP | other *** search

/ Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / MVUPDAT3.ZIP / MACRO_AV.ZIP / MACRO009.TXT < prev next >

Wrap

Text File | 1996-09-02 | 25KB | 629 lines

1st August 1996 Macro viruses are the latest development in the battle against computer viruses. First encountered in the autumn of 1995 they have quickly caught the imagination of the press and virus-author alike. Their introduction into the virus world has caused a stir because they have broken some of the established "rules": * They are the first ever viruses to infect documents rather than executable files. The first macro viruses seen infected Microsoft Word documents. In January 1996 the first AmiPro macro virus (Green Stripe) appeard. It should be remembered that other word processors(and even other applications) could be at risk in the future. * They are the first ever multi-platform viruses - not just capable of infecting PC systems, but Macintosh as well. ----------------------------------------------------------------- Atom | Concept | Concept.B.Fr | Divina | DMV | FormatC | Friendly | Green Stripe | Hot | Imposter | NOP | Nuclear | Nuclear.B | Polite | Wazzu | Wiederoffnen | WM.AntiDMV | WM.Colors | WM.Nop | WM.Phantom | WM.Telefonica | Xenixos | ----------------------------------------------------------------- ATOM Alias: Wordmacro.Atom Type: Word Macro Virus ATOM consists of 4 macros - AutoOpen, FileOpen, FIleSaveAs, and ATOM - all of which are execute-only. When an infected document is opened, ATOM infects the global template. If the auto macros are disabled, the virus is rendered ineffective. ATOM does not turn off the prompting when saving the global template, so if prompting is turned on you will be prompted to save changes to the global template at the end of the session. After the global template is infected, ATOM calls its first destructive payload. If the current date is December 13, the virus deletes all files in the current directory. Once the virus is active (i.e., it has infected the global template), it infects all documents which are saved via the FileSaveAs command or which are opened via the FileOpen command. If the seconds field of the current time is 13 at the time of infection , the virus encrypts the document being saved with the password "ATOM#1". WordMacro/ATOM is not known to be in the wild. ----------------------------------------------------------------- Concept Aliases: WinWord.Concept, WW6Macro, WW6Infector, WBMV (Word Basic Macro Virus), Prank Macro Type: Word macro virus Description: This is the first virus to infect data files. Concept infects Microsoft Word 6 documents (*.DOC) and the NORMAL.DOT template. The virus makes use of the well-developed Microsoft Word macro language, Word Basic, in an attempt to exploit the fact that computer users exchange documents far more often than programs. When an infected document is opened under Microsoft Word for the first time, the virus gets control as an AutoOpen macro and infects the NORMAL.DOT template (or any other template, if it has been selected as a global default template). A message box, with the text '1', appears on the screen. After this, every document saved using the File|SaveAs command is infected with the virus. This normally happens when a newly-created document is saved to the disk. If Microsoft Word is run, then Tools|Macros is selected and the list of macros checked, the presence of the macros named AAAZFS, AAAZAO, AutoOpen, PayLoad and FileSaveAs indicates that the Microsoft Word system is infected. This virus works under Microsoft Word for Windows 3.x, Word for Windows 95, Word for Windows NT, and Word for Macintosh. This made it the first ever multi-platform virus. Other macro viruses have been written in the wake of Concept, including Nuclear, DMV, and Colors. The Concept virus is very common in the wild. This is largely due to Microsoft accidentally shipping it on a CD ROM called Microsoft Windows 95 Software Compatability Test to hundreds of OEM companies in August 1995. Another company distributed more Concept-infected documents on 5500 copies of a CD ROM called Snap-on Tools for Windows NT shortly afterwards. ----------------------------------------------------------------- Nuclear Description A Word .DOC file, containing a description of another Word Macro virus (Concept) was uploaded to one of the publicly accessible ftp directories at the USA internet provider netcom.com . The file in turn, appeared to be infected with a new Word Macro virus - Nuclear. Similar to Concept, Nuclear infects NORMAL.DOT when an infected document is opened. Then it infects all the documents being saved using File/SaveAs. Unlike Concept, all macros in Nuclear are "execute-only" i.e. protected (encrypted) in such a way you cannot view or modify their source code. (You still can see the macros' names in Tools/Macro though). We, nevertheless, succeeded in decrypting the macros and thus, analysing and understanding the virus. An infected document or NORMAL.DOT contains nine macros named AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload and PayLoad. The main effect of the virus, besides replication, is that if a document is being printed and the system clock seconds counter is in between 55 and 59 seconds (i.e. with a probability of approximately 1/12th), two lines are added to the document and are subsequently printed at the end of the last page: And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC! The virus was also supposed to drop a "normal" (i.e. COM/EXE/NewEXE infecting) virus named PH33R (pronounced 'fear'), but due to a whole set of bugs it fails to achieve this. By the way, the virus it is supposed to drop has nothing to do with the old Suriv virus family. The confusion is completely due to the fact the macro to do this is called DropSuriv. 'suriv' is nothing but 'virus' reversed and the only thing in common between the Suriv viruses and DropSuriv macro is the name. Another payload conceived by Nuclear author should be triggered on April 5 any year. The destructive macro named Payload was supposed to damage (truncate to 0 bytes) system files IO.SYS, MSDOS.SYS and COMMAND.COM. Fortunately, once again the virus author never dared to debug this piece of code - the Payload macro does not work either due to bugs in it. The virus also causes some side effects such as error messages if you choose from File/Print or File/SaveAs. ----------------------------------------------------------------- Hot Aliases: Wordmacro.Hot, WM.Hot Type: Word macro virus Description: WordMacro.Hot creates an entry in the WINWORD6.INI configuration file which contains a "hot date" 14 days in the future when its payload will trigger. The virus can then activate randomly within a few days of the "hot date": when you try to open a document its contents are erased instead. The payload is disabled if C:\DOS\EGA5.CPI is found to exist. A comment in the virus source code suggests that this is a "feature" designed to protect the virus author and his friends. ----------------------------------------------------------------- DMV Type: Word macro virus Description: DMV is the name of a Word macro virus that was written for "demonstration" purposes by an American computer user. He subsequently made his virus available for all to download via the World Wide Web. The author of this virus also attempted to write an Excel macro virus - but it fails to work because of a bug. ----------------------------------------------------------------- NOP Type: Word Macro Virus Description: NOP is a new WordMacro virus 'in the wild' in Germany. In order to spread, this virus requires the German version of Microsoft Word for Windows 6.0 or above; under other language versions of Word for Windows, the virus will infect NORMAL.DOT but will not spread further. Documents infected with NOP contain the macro AutoOpen and NOP. When an infected document is opened under Word for Windows, the virus gets control via the AutoOpen macro and infects the NORMAL.DOT global template. In an infected NORMAL.DOT, the AutoOpen macro becomes NOP; and the NOP macro becomes DateiSpeichern (German for FileSave). NOP has no payload. ----------------------------------------------------------------- Divina Type: Word Macro Virus Description Like DMV, Divina contains just an AutoClose macro. The macro is an execute-only. When an infected document is loaded under MS Word and then closed, the virus infects NORMAL.DOT. Any document closed after that will be infected. The virus has two payloads: If a document is being closed during the 17th minute of any hour, a set of dialogue boxes are displayed, with pauses and beeps in between. The first says "ROBERTA TI AMO!" Then "Virus 'ROBERTA' is running. Hard Disk damaged. Start antivirus?". Next comes "Exit from system and low level format are recommended." and finally "Exit from System?". After that the virus exits Windows. So, while the virus has no destructive payload as such, it might well succeed in persuading an average user to reformat his/her hard disk. Another payload triggers on 21st May if a document is being closed between 10th and 20th or between 40th and 50th minute of any hour. Two dialogue boxes are displayed: "DIVINA IS THE BEST!" followed by a box titled "Virus 'DIVINA' in esecuzione" and containing some message in Italian. After that the virus quits Windows. Judging on the language, style, variables and subroutine names it is certain that Divina was written by the same person who wrote AntiDMV. AntiDMV is fairly widespread in Italy, Malta and Spain but should have stopped replicating after June 1, 1996. Thus, AntiDMV could infact be AntiDivina. ----------------------------------------------------------------- Xenixos Aliases: Nemesis, Evil One Type: Word Macro Virus Description This virus was distributed in a file named "NEMESIS.ZIP" on an Internet newsgroup back in February, 1996, and so has received broad initial distribution. Its further spread has been somewhat limited by the fact that it is written to exploit only the German-language version of Microsoft Word. It will infect the Global Template file of an English Word user, but not replicate further into new documents. It watches for attempts to print files while it is active, and about half the times this happens it adds the phrase "Brought to you by the Nemesis Corporation, ⌐ 1996" onto the end of the document printing. When files are saved, the virus encrypts them with the file password "xenixos" just over half the time. Xenixos replaces the Tools|Macros command with code that will display an error message instead of the activating WordÆs built-in macro viewer/editor, so it is not so easy to see its macros are in place. One other interesting effect is that Xenixos tries is to plant and arrange to have activated a variant of the DOS multipartite virus known as Neuroquila, when files are saved after March 1. It succeeds in planting this DOS virus, but not in running it. The Neuroquila variant planted has a bug, so it only infects boot sectors and not also programs. AUTOEXEC.BAT is altered to call the Neuroquila virus. ----------------------------------------------------------------- Imposter Type: Word Macro Virus Description At the beginning of March, 1996, a new virus very closely related to Concept was discovered in England by S&SÆs Virus Lab researchers. It contains code similar to that found in both the DMV virus, and in Concept. In fact, one of its macros is always named DMV. Like Concept, it contains a Payload macro, but this one says "just to prove another point". It was named Imposter dues to its attempt to appear as either DMV or Concept and hopefully fool anti-virus products, an attempt at which it is generally unsuccessful. ----------------------------------------------------------------- Wazzu Type: Word Macro Virus Aliases: WM.Wazzu, WinWord.Wazzu, WordMacro.Wazzu Variants: Wazzu.a, Wazzu.b Description Wazzu is a Microsoft Word macro virus. This virus only contains one macro, AutoOpen. Since the name of the AutoOpen macro is the same in all language versions of MS Word, this is the first virus that will replicate equally effectively in all International versions of Word. Wazzu has an interesting payload - when the infected document is opened, the virus calls a routine three times. Each time there is a 20% probability that the virus will move one word in the document to a random place in the document. There is then a 25% probability that the virus will also insert the word "wazzu" at a random point in the document. The virus then returns to the beginning of the document.. ----------------------------------------------------------------- Nuclear.B Type: Word Macro Virus Description A variant of Nuclear, altered from the original virus apparently by some curious and inept user messing around with it, was discovered in a corporation in France in early March. Since the original Nuclear virus was encrypted, it is likely that the user obtained the unencrypted source from where it was posted into an Internet newsgroup created for the distribution of viruses and the promotion of virus writing, and worked from that to create this new variant. Nuclear.B does not try to plant the PH33R virus, but calls other destructive routines from the original virus instead at that point. This variant does not replicate in encrypted form, so it will be much easier for others to learn from, and it is to be expected that advanced macro virus programming techniques from this virus will start showing up much more often in future viruses. ----------------------------------------------------------------- Polite Type: Word Macro Virus Description In late March, a new macro virus named Polite was discovered in the USA. It installs only FileClose and FileSaveAs replacement macros, and so avoids detection by systems watching Auto macros. It is rather odd in that it asks each time before it infects a document. Unfortunately, it does not ask when it originally infects the Global Template. It is not expected to survive and spread well in the wild. ----------------------------------------------------------------- WM.Colors Alias: Colors.B Type: Word Macro Virus Description In early April 1996, a prominent anti-virus researcher investigated what appeared at first to be an outbreak of the ordinary Colors macro virus (described above) in Portugal. When a sample of the virus involved was examined, he discovered that it contained the Colors virus, except that the macro replacing AutoOpen was not from Colors, it was the one found in Concept! One likely explanation of what happened is that a machine infected with Colors was then exposed to a document infected with Concept. This replaced ColorsÆ AutoOpen macro with the one from Concept, and when the other code in Colors caused Colors to replicate it copied the Concept version of the AutoOpen macro to the target instead of its own AutoOpen, without checking. In any case, the virus still replicates, in its new form. Here we have a new virus that has very likely been formed from a system being exposed to two earlier viruses, which could be said to have "mated" and exchanged "genetic material". ----------------------------------------------------------------- WM.Telefonica Alias: LBNYJ Type: Word Macro Virus Description Discovered in late April, 1996, this is another German-Word specific virus. It tries to create and execute an encrypted .COM file via debug 1 out of 60 infections. It replicates using MacroCopy to replicate its set of seven macros, including FileNew, FileOpen, FileClose, AutoOpen and Autoexec. This virus was first reported attached to a document which was an order form in German for a set of erotic videos. ----------------------------------------------------------------- WM.Phantom Alias: Guess Type: Word Macro Virus Description In early May, another multi-language macro virus was discovered, again in Germany. The only macro attached, AutoOpen, is language independent. It is also encrypted. It can only replicate through this AutoOpen macro. When decrypted, it appears to have been written by kids in a high school. It displays some silly messages, including "Hi sexy !" and "Guess who ?". ----------------------------------------------------------------- Friendly Type: Word Macro Virus Description This virus, again German in origin, was discovered in mid May, 1996. It shows signs of having been written by the same person as LBYNJ. It creates an .INI file entry [FRIENDS] in which it sets: Author=Nightmare Jocker It attempts to be bilingual by carrying along with it a complete set of its macros in English, as well as a complete set in German ! This brings the total macro count to 20 macros. Unfortunately for the author, who apparently did not have a copy of Word in English to test with, his English set of macros are improperly saved, and so the virus does not work under English versions of Word after all. When it replicates under German Word, it plants a copy of a variant of the old DOS virus "Little Brother". ----------------------------------------------------------------- Concept.B.Fr Type: Word Macro Virus Description Again in early March, someone translated the FileSaveAs macroÆs name in Concept into the French equivalent, producing a French-only version of Concept that infected a large site within France. This is the only difference between it and the original Concept. ----------------------------------------------------------------- FormatC Type: Word macro trojan Description: This is not a virus, but a trojan because it does not replicate. It does, however, format your C: drive as soon as the document is opened. This trojan was posted to a Usenet newsgroup. ----------------------------------------------------------------- Wiederoffnen Type: Word macro trojan Description: Wiederoffnen is not a virus, but a Word macro trojan. It comes in a Microsoft Word 2 document but works perfectly under Word 6 too. Wiederoffnen intercepts the AutoClose macro and when the document is closed plays tricks with AUTOEXEC.BAT. ----------------------------------------------------------------- Green Stripe: Aliases: AMP.GreenStripe Type: Ami Pro macro virus Description: This virus infects Ami Pro document files (*.SAM) by creating for every .SAM file a corresponding .SMM (Ami Pro macro) file with the same name in the same directory and linking .SAM to .SMM in such a way that opening .SAM invokes execution of the .SMM. .SMM files are hidden and cannot be seen with a simple DIR command - DIR /AH will work though. When an infected document is opened, the virus gets control and infects all *.SAM files in the current directory which is always Ami Pro's default DOCS directory (...\AMIPRO\DOCS). The process is very noticeable since all the doc files are opened and then closed one by one and a user can see them quickly appearing/disappearing on the screen. Then the virus intercepts File/Save and File/Save As commands. On File/Save As the virus infects the document being saved. And this is the only way the virus can propagate to another computer. Since both .SAM and .SMM files are necessary for the virus and since .SAM file contains an absolute pathname as a reference to the appropriate .SMM file, if one simply copies either .SAM or both .SAM and .SMM files to a floppy and then opens .SAM under Ami Pro on a different computer, the virus won't run. But when a document (.SAM) is copied using File/Save As both .SAM and .SMM are transferred and the pathname link is changed accordingly. File/Save was supposed to be used for the virus' payload. On File/Save the virus should replace all occurences of "its" in the document with "it's". This did not appear to work in our experiments however. Unlike with Word macro viruses, this Ami Pro virus is very unlikely to be transmitted by E-mail. Again, this is due to the fact that Ami Pro keeps macros in separate .SMM files, while only .SAM file is sent as a cc:Mail attachment. The name of the virus - Green Stripe - is taken from the virus itself. It's main macro procedure is called Green_Stripe_virus. Detection is made easier by a number of factors: Firstly, as mentioned above, when an infected document is opened it is very noticeable - the screen keeps blinking as numerous documents are loaded and then closed. Secondly, after loading a document, one can go to Tools/Macros/Edit and see whether the document has an appropriate macro file (same name, .SMM) assigned to it to be executed on open. The report will contain the names of all infected (and now deleted) .SMM files. Then one should run Ami Pro and for each .SMM file listed in the report load .SAM file with the same name (there will be an error message saying that the appropriate .SMM file was not found), go to Tools/Macros/Edit and uncheck the Assign box(es). ----------------------------------------------------------------- WM.NOP WM.NOP is a new WordMacro virus æin the wildÆ in Germany. In order to spread, this virus requires the German version of Microsoft Word for Windows 6.0 or above; under other language versions of Word for Windows, the virus will infect NORMAL.DOT but will not spread further. Documents infected with WM.NOP contain the macros AutoOpen and NOP. When an infected document is opened under Word for Windows, the virus gets control via the AutoOpen macro and infects the NORMAL.DOT global template. In an infected NORMAL.DOT, the AutoOpen macro becomes NOP; and the NOP macro becomes DateiSpeichern [German for FileSave]. WM.NOP has no payload. ----------------------------------------------------------------- WM.AntiDMV WM.AntiDMV is a new WordMacro virus; it is reportedly in the wild in Italy, Malta and Spain and probably in some other Mediterranean countries. This virus was designed to spread until 1 June 1996; and should, therefore, have stopped spreading at this time. However, it is possible that many infected documents and templates may exist æin the wildÆ. WM.AntiDMV contains only one macro, AutoOpen. If an infected document is opened under Microsoft Word for Windows, the current year is before 1997 and the current month is before the 6 June, the virus infects NORMAL.DOT. The virus also removes the macro AutoClose from documents and templates, if it exists. It is the time-limited feature, plus the removal of the AutoClose macro, which prompted the name of the virus; it effectively removes the WM.DMV virus.