home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Monster Media 1996 #15
/
Monster Media Number 15 (Monster Media)(July 1996).ISO
/
virus
/
fwin311e.zip
/
FWIN.TXT
< prev
next >
Wrap
Text File
|
1996-06-16
|
119KB
|
2,681 lines
F / W I N 3 . 1 1
=====================================
HEURISTIC DETECTION OF WINDOWS, WINDOWS 95 AND MACRO VIRUSES
Author of F/WIN
---------------
Stefan Kurtzhals
Dörrenberg 42
42899 Remscheid
Germany
E-Mail: kurtzhal@wrcs3.urz.uni-wuppertal.de
Fido: 2:2480/8849.2
United States Authorized Agent
------------------------------
Computer Virus Solutions
C/O Gary Martin
P.O. Box. 30802
Gahanna, Ohio 43230
Voice: (614) 337-0995
E-mail: FWIN_SUP@ix.netcom.com
WWW: http://www.gen.com/fwin
TABLE OF CONTENTS
=================
1.0 OVERVIEW OF F/WIN
1.1 Tips for using this documentation
1.2 What "Heuristic" detection is
1.3 What F/WIN can detect - for Non-technical users
1.4 What F/WIN can detect - for Technical users
1.5 What F/WIN can clean - for Non-Technical users
1.6 What F/WIN can clean - For Technical users
1.7 False alarms
2.0 HOW TO USE F/WIN
2.1 From a DOS prompt
2.2 From Windows 3.x
2.3 From Windows '95
2.4 From OS/2 Warp
2.5 Choices F/WIN provides when a suspected virus is
found
2.6 Situations in which F/WIN should N-O-T be run
3.0 HOW TO ORDER A REGISTERED VERSION OF F/WIN
3.1 Extras in the registered version
3.2 In Germany
3.3 In the United States
3.4 In other countries
3.5 Stefan Kurtzhals PGP public key (Germany)
3.6 Gary Martin's PGP public key (USA)
4.0 WINDOWS EXE VIRUSES
4.1 For NON-technical readers
4.1.1 F/WIN's detection of
4.2 For Technical readers
4.2.1 F/WIN's detection of
5.0 MACRO VIRUSES
5.1 What they are
5.2 History of
5.3 Why they pose such a threat to your data
5.4 F/WIN's detection of
5.5 How the viruses are removed
6.0 F/WIN MESSAGES FOR WINDOWS VIRUSES
6.1 Possible 16-bit virus (NE-EXE)
6.2 Possible 32-bit virus (PE-EXE)
7.0 F/WIN MESSAGES FOR MACRO VIRUSES
7.1 - A backup has been created:
7.2 - Attempt to backup file before cleaning failed!
7.3 - Changes DOS attributes of other files
7.4 - Contains # macros (# bytes)
7.5 - Contains macros but is not named .DOC
7.6 - Contains execute-only macros (encrypted macros)
7.7 - Contains macro shortcuts
7.8 - Contains macros
7.9 - Copy macros into the global template ('CopyMacro')
7.10 - Deletes other files! (Kill)
7.11 - Disables NORMAL.DOT write access warnings
7.12 - Enables the quick save option
7.13 - Execute other DOS or Windows programs! (Shell)
7.14 - F/WIN can not check Microsoft Word 2.0 documents!
7.15 - F/WIN can not clean this file safely!
7.16 - has been moved to:
7.17 - Might contain suspicious macros
7.18 - Might contain an antivirus-macro (please verify!)
7.19 - Reenables auto macro processing
7.20 - Seems to be infected with a macro virus!
7.21 - Seems to contain a trojan macro!
7.22 - System macros:
7.22.1 AUTOCLOSE
7.22.2 AUTOEXEC
7.22.3 AUTONEW
7.22.4 AUTOOPEN
7.22.5 FILEEXIT
7.22.6 FILENEW
7.22.7 FILESAVE
7.22.8 FILESAVEAS
7.22.9 TOOLSMACRO
7.23 - The file has been moved to:
7.24 - The macros within this file are disabled!
7.25 - This document is internally fragmented. The repair
could have failed!
7.26 - Uses macro 'FileSaveAs'
7.27 - Uses 'Organize .Copy' to copy macros'
7.28 - Writes into other files directly (Write)
8.0 COPYRIGHT, LICENSE TERMS AND DISCLAIMER
9.0 GLOSSARY OF TERMS USED IN THIS DOCUMENTATION
1.0 OVERVIEW OF F/WIN
=================================================================
1.1 Tips for using this documentation
-----------------------------------------------------------------
a. Do a character string search for what you're looking
for. This may be the fastest way to locate the
needed information.
b. Check the Table of Contents, then do a character
string search on the section number.
c. In several sections, there are two versions of the
documentation. One is for novice users, the other
for people who are fairly familiar with virus and
other technical terminology. We thought about
splitting these two types of documentation up into
different files, but decided against doing it. We
suspect that many less experienced users will want to
take a crack at trying to understand the technical
explanations, and keeping them grouped together by
topic will make that easier to do.
d. In the novice sections, there are key words and
phrases that appear in all uppercase, and are
enclosed in brackets {}. These terms are defined in
the Glossary.
1.2 What "Heuristic" detection is
-----------------------------------------------------------------
F/WIN doesn't use {scan strings} to detect viruses. This
method is fast but won't detect {unknown viruses}.
Instead, it uses heuristic scanning techniques. Scan
strings searches look for strings (combinations) of
characters that are unique to a particular virus.
Heuristic analysis look for any kind of dangerous code or
virus like code, regardless of what particular virus it
may belong to, or what the macro name is. For instance,
the <Winword.Concept> virus is typically located by
searching for the macro names that it uses. Those macro
names are:
AAAZAO
AAAZFS
AutoOpen
Payload
When scan string scanners find these macro names, they
correctly flag the document as being infected with this
virus. However, what if someone were to copy these
macros into another document and slightly modify them?
Well, we did just that and the resulting 'new' virus was
completely undetectable by a lot of the common virus
scanners on the market that we tested. Only F/WIN was
able to detect it, because it searches for macro viruses
in a completely different way.
In this example, F/WIN would look for potentially
dangerous commands within each macro and flag them. It
also notifies the user of any macros that could be run
automatically, such as those that are run when files are
opened, closed, saved, etc. Macro viruses often use
these automatic or "system" macros to spread themselves,
or to carry out destructive activities. These are the
messages you would see when F/WIN's heuristic scanner
finds the <Winword.Concept> virus:
- Contains macros
- System macros: AUTOOPEN
- Copy macros into the global template 'CopyMacro'
- Uses macro 'FileSaveAs'
Seems to be infected with a macro virus
ANY macro that contained the kind of coding flagged above
would be flagged as being possibly virus infected, not
just <Winword.Concept>. So even though we changed the
virus internally, F/WIN was still able to locate the virus
using these heuristic scanning techniques. These
messages are explained in more detail in sections 6.0 and
7.0.
1.3 What F/WIN can detect - for Non-Technical users
-----------------------------------------------------------------
F/WIN uses heuristic scanning techniques to detect:
a. Macro viruses in Microsoft Word release 6.0 and 7.0
documents. The current release will not detect viruses
or trojans in Word 2.0 files, but that's a feature
we'll be adding later. It doesn't matter what the file
is called. F/WIN will scan all files that appear in
the selected directory and all of its sub-directories
looking for viruses. So if you have a virus in a Word
document you've called "PAYROLL.WK1", F/WIN will find
it just as easily as if you had named it "PAYROLL.DOC"
or "PAYROLL".
F/WIN CAN N-O-T DETECT THE PRESENCE OF MACRO VIRUSES
IN MICROSOFT WORD DOCUMENTS THAT ARE ENCRYPTED WITH
A PASSWORD.
If you suspect that a password protected document is
infected, copy the document onto a PC where it won't
matter if a virus destroys data and open and scan it
there. Or send it to your regular anti-virus company,
or to the author of F/WIN to check and clean it.
b. A special kind of virus that infects EXE files for
Windows or Windows '95. "EXE" files are executable
files and usually have the file extension ".EXE" or
".DLL". The ".EXE" file extension (last three
characters of the file name) is reserved by DOS and
Windows for executable files only. DOS EXE files are
structured differently than Windows EXE files. F/WIN
locates viruses that have infected Windows executable
files only. (Exception: the DOS executables infected
by <NE.Ph33r> will also be detected, but not with
heuristics.)
1.4 What F/WIN can detect - for Technical users
-----------------------------------------------------------------
Windows executables are quite different from the normal
DOS EXE files. Windows 3.x uses the NE-EXE format (New
Executable) and Windows 95 uses PE-EXE (Portable
Executable) which is also used by Windows NT. Because the
new file structures are so different from the standard DOS
EXE format, most virus coders never manage to write real
Windows viruses. However, some virus coders from Australia
finally managed to write a fully functional Windows 3.x
virus, namely <NE.Winsurfer> and later <NE.Ph33r>. The
used infection scheme is much more "advanced" in some ways
so that it's likely that other virus coders will copy it.
NE-EXE viruses are detected by analyzing the program
header of any NE-EXE file found. The NE-EXE viruses
modify the programs in a special way which allows a
reliable detection of this virus type. It doesn't matter
if the virus is polymorphic, F/WIN doesn't check any
program code at all! In other words, it can detect, in a
general or generic way, that a virus is likely present.
But F/WIN can't tell you exactly which virus it is.
Still, this feature of F/WIN is quite valuable because of
it's ability to detect unknown viruses, and let you know
that you have a problem sooner, rather than later.
It detects specifically the infection scheme that
<NE.Winsurfer> and <NE.Ph33r> use. These were the first
really "functional" Windows executables viruses, and their
techniques will most likely be copied by other virus
authors. F/WIN also detects the only known PE-EXE virus
for Windows 95 using a similar approach. Because only one
PE-EXE virus exist so far, it really can't be said how
good the heuristic detection is, but F/WIN will of course
be updated in order to catch newer variants if they are
undetectable by the current heuristic approach. All three
known <Boza> variants are detected by F/WIN.
F/WIN detected all the known NE-EXE and PE-EXE viruses
which use the described infection mechanism. If however
you should happen to come across one that is not detected
by F/WIN, please e-mail a copy of it to the author of
F/WIN for analysis. See SENDVIR.TXT for more information.
The macro virus detection is more complicated. Because we
weren't able to get a technical description of the DOC
format used by Microsoft Word (how macros are stored
within each document or template), F/WIN has to scan the
whole DOC file to find the macro list and definitions.
F/WIN checks for the existence of auto macros (such as
AutoExec, AutoOpen, AutoClose, FileExit), encrypted
macros, renamed templates (templates are normally named
".DOT"), standard virus commands (like MacroCopy or
FileSaveAs) and dangerous commands (like Shell, Kill or
Write). Any macro that is found to contain one or more
of these commands will be flagged as being possibly virus
infected. F/WIN checks unencrypted macros as well as
encrypted (execute-only) ones.
F/WIN CAN N-O-T DETECT THE PRESENCE OF MACRO VIRUSES IN
MICROSOFT WORD DOCUMENTS THAT ARE ENCRYPTED WITH A
PASSWORD (the whole document is encrypted, not just the
macros).
1.5 What F/WIN can clean - for Non-Technical users
-----------------------------------------------------------------
Macro viruses in Microsoft Word documents
F/WIN doesn't remove suspected viruses without asking the
user or taking some precautions. First it makes a backup
copy of the file before disinfecting it. The backup file
will have the same file name, except that it will have a
file extension (end with) .VIR. So an infected file named
PAYROLL.WK1 would have a backup file called PAYROLL.VIR.
If there are more files with the same name, F/WIN will use
file extensions like ".VI1", ".VI2" etc.. Next F/WIN
overwrites the virus's macro code with harmless code and
wipes the offending macro names from the macro list if
you choose the 'Clean' option. Because the DOC format is
so complex, the cleaning process may fail. In this case,
you can then try a different approach by restoring the
backup copy and using the 'Wipe macro names' option.
DON'T FORGET TO REMOVE ALL THE .Vnn FILES WHEN YOU'RE
FINISHED WITH THEM. We suggest also using a product like
Norton Utilities WIPEINFO.EXE to wipe the FREE SPACE
(not the whole drive) on the entire hard drive after all
macro virus files are cleaned and removed. If the files
are just deleted, in many cases, they can simply be
undeleted and reused by someone with bad intentions.
Wiping all the free space on the entire hard drive will
prevent someone from recovering a virus infected file by
undeleting it, or by using a disk editor.
Windows EXE files
-----------------
F/WIN can clean most of the known Windows 3.x (NE-EXE)
and Windows 95 (PE-EXE) viruses like Boza, Ph33r, Winlame,
Wintiny and Tentacle. The cleaning is generic which means
that F/WIN will also clean most of the future viruses which
use the same infection scheme.
1.6 What F/WIN can clean - for Technical users
-----------------------------------------------------------------
Macro viruses in Microsoft Word documents
-----------------------------------------
F/WIN doesn't remove suspected viruses without asking the
user or taking some precautions. First it makes a backup
copy of the file before disinfecting it. Actually, F/WIN
won't start the cleaning process if it can't create the
backup file! The backup file will have the same file name,
except that it will have a file extension (end with)
".VIR" (if there are duplicate file names, F/WIN will use
".VI1", ".VI2" etc.).
So an infected file named PAYROLL.WK1 would have a backup
file called PAYROLL.VIR. Next F/WIN overwrites the virus's
macro code with harmless code that does nothing and wipes
the offending macro names from the macro list. If on the
outside chance the cleaning process leaves it unreadable,
you can then try a different approach using the backup
copy and selecting 'Wipe macro names'.
DON'T FORGET TO REMOVE ALL THE BACKUP FILES WHEN YOU'RE
FINISHED WITH THEM.
Also note that DOC files are OLE2 objects. An OLE2 object
could be internally split up in several parts. Like hard
disk clusters, these parts can be fragmented and worst of
all, they have a slack area like real clusters. This is
quite a security hole, and Microsoft already offers an
update for OLE2 for Windows 95 which correctly handle this
'slack areas'.
Windows .EXE files
------------------
F/WIN can detect and clean the only known PE-NE (Windows
95 virus), and any future ones that use similar infection
schemes. It can also detect and clean several of the
newer NE-EXE (Windows 3.x) viruses, which use the same
infection scheme as Ph33r. These viruses add a relocation
entry add the end of the file which is used by F/WIN to
locate the original entry point of the program.
The cleaning method used by F/WIN is generic and will
even clean certain encrypted or polymorphic NE-EXE
viruses as the relocation entry can't get encrypted by
the virus. Some of the known NE-EXE viruses use other
ways to store this information and can't be cleaned by
the current cleaning approach of F/WIN.
Please note the shareware version of F/WIN is restricted
and will not clean viruses but only detects them.
1.7 False alarms
-----------------------------------------------------------------
Every heuristic analysis will cause either false positives
or {false negatives}. Of course this is also true for
F/WIN. This means that F/WIN may flag some harmless files
as infected and on the other hand will miss some of the
more unusual viruses. We tried everything to keep the
amount of both the false positives and negatives as low
as possible, but we can't completely avoid them.
Windows .EXE files
------------------
F/WIN may on rare occasions trigger a false alarm on
Windows EXE files. Should you experience one, please
send a copy of the file that was flagged in error to the
author of F/WIN for evaluation. F/WIN will either be
modified to stop triggering the false alarm, or a new file
will be created listing known false alarms. So far, the
most false positives were caused by device drivers or
special DLLs.
Microsoft Word Macro Viruses
----------------------------
After the first macro viruses appeared, the AV companies
and others released some Microsoft Word .DOT and .DOC
files that contained anti-virus macros which can detect
and clean some of the viruses. F/WIN will flag some of
the antivirus macros we tested as being possibly infected.
We tested SCAN831.DOC, SCANPROT.DOT, WVFIX.DOT,
AVPW10n.DOT (also AVPW10nG.DOT) and CHEKWORD.DOC. The
reason F/WIN flags them is because they contain almost
all of the same potentially dangerous macro commands which
are sometimes found in macro viruses.
It's impossible to distinguish between such an antivirus
macro and a real macro virus without creating a severe
security hole in F/WIN! SCANPROT.DOC, CHEKWORD.DOC and
AVPW10n.DOT were all flagged as being possibly infected by
a virus. However, F/WIN will produce a message that
flashes in the color green alerting the user to the
possibility that the document being flagged may be a
legitimate anti-virus template. The text of the message
is:
"Might contain an antivirus-macro (please verify!)"
See section 7.14 for more about this.
As an example we will show here the messages that F/WIN
produces when it analyzes SCANPROT.DOT:
C:\MSOFFICE\WINWORD\TEMPLATE\SCANPROT.DOT
- Contains macros
- System macros: AUTOOPEN, AUTOCLOSE, AUTONEW
- Copy macros into the global template (CopyMacro)
- Uses macro 'FileSaveAs'
- Execute other DOS or Windows programs! (Shell)
- Writes into other files directly (Write)
- Deletes other files! (Kill)
- Changes DOS attributes of other files
Seems to be infected with a macro virus!
Might contain an antivirus-macro (please verify!)
There is a small percentage of Microsoft Word users
who write legitimate, useful macros that may use some of
the commands that F/WIN detects. Especially the
experienced user quite often uses macros to speed up the
work with Winword. In general, if you know that you have
not written any macros and that you've not received any
documents with known macros in them, then it's highly
likely that you do have a virus if F/WIN detects the
presence of suspicious macro code in your Microsoft Word
documents or templates. This is especially true if
possible infections are detected in multiple documents.
If legitimate macros are present in your environment that
trigger warnings from F/WIN, make a note of what commands
F/WIN is finding and flagging and make sure your macros
are supposed to contain those commands.
2.0 HOW TO USE F/WIN
=================================================================
In general, it's important that you don't run Microsoft
Word itself at the same time as F/WIN. F/WIN is able to
check already opened files, but it can't clean them
because it will not get write access to such files. So,
if your NORMAL.DOT or other document is infected with a
macro virus, you must exit Word before running F/WIN.
2.1 From a DOS prompt
-----------------------------------------------------------------
If you run F/WIN without parameters, you will be prompted
to enter a drive letter which will be scanned then.
There are three levels of scanning that F/WIN does for
Macro viruses and trojans. It is important to understand
which is right for your needs before choosing the one you
want.
LEVEL 0: F/WIN detects and produces warning messages for
obvious virus and trojan files. However, no
trojans are detected with the shareware version.
All currently known Word 6.0 and 7.0 viruses are
detected at this level. This is the default
level of scanning when the /MODE, /PARANOID and
/EXTENDED parameters are not used. This level
detects viruses and trojans that are fully
functional. "Fully functional" means that they
contain all the components that would normally
be present in a virus or trojan. The four most
important criteria F/WIN uses to make this
determination are:
a) How likely is it that the macro code will be
executed without the users knowledge or
consent? If the macro code is placed into
a macro called "ABC", it is quite unlikely
that any user would run such a
macro by accident. But if it were placed in
one of the system macros like "AutoOpen" or
"FileSaveAs", then it would be very easy for
most users to execute the macro code without
knowing they were doing it.
b) Does the macro code contain any potentially
destructive code? This would also include
any linking to programs other than Word
(i.e. running a DOS "ERASE" command).
c) Can the macro(s) that are present in the
document spread themselves to other files?
d) Does the pattern of code in the macro(s)
fit the pattern of known anti-virus macros?
If 'a', 'b' and 'c' are all true, then F/WIN
considers the document to be infected by
"virus", because viruses by their nature spread
to other files. If only 'a' and 'b' are true,
then F/WIN flags the file as being possibly
infected by a "trojan", because trojans don't
spread.
If 'd' is true, then F/WIN produces an extra
message informing the user that the current file
that F/WIN is producing messages for may be an
anti-virus template. If it is, then they don't
need to be concerned. Users are encouraged to
verify for sure that such templates are being
used in their environment. Don't assume that
it's harmless when this extra message is
produced. It could be a clever virus designed
specifically to trigger this message in F/WIN
for the purpose of deceiving the user.
LEVEL 1: Level 1 detection does everything Level 0 does,
and MORE. To use extended mode, specify either
/MODE=1 or /EXTENDED. This is called "Extended
Mode" Level 1 will produce warning messages
even if all the conditions specified in level 0
are not met. To use LEVEL 1 scanning, use the
/MODE=1 parameter.
For instance, if F/WIN finds a WordBasic "Kill"
command (deletes files) in an execute-only macro
called "AutoOpen", at this level of scanning, it
will produce a warning message that says:
"Might contain suspicious macros"
This message will appear only in level 1 or 2
scanning. The "Extended Mode" might cause more
false positives than the standard scanning mode.
LEVEL 2: Level 2 detection does everything Level 1 does,
and MORE. Use the /MODE=2 or /PARANOID
parameter to get the most comprehensive scanning
F/WIN can deliver.
For example, a template called "VIRUS.DOC" with
a macro "Harmless" which contains a single
KILL will be flagged by F/WIN if you use the
Paranoid mode. In general, F/WIN needs much
less criteria to flag a document as being
suspicious. Especially very simple macro
trojans can only be detected in this mode but it
will also cause much more false positives than
the Normal or Standard scanning.
If you're not sure which level to use, start with the
highest level, and work your way backwards if you get a
lot of false alarms. For instance:
1. Start by using /PARANOID or /MODE=2. If you get too
many false alarms, then:
2. Use /MODE=1 or /EXTENDED. If you still get too many
false alarms, then:
3. Run F/WIN without specifying either the /MODE=n,
/EXTENDED or /PARANOID commands.
The syntax for F/WIN is as follows. Parameters enclosed
in [ ]'s are optional:
FWIN path [/?] [/H] [/DOC] [/REPORT=Name]
[/EXTENDED] [/PARANOID] [/MODE=n]
[/RENAMEALL] [/WIPEALL] [/CLEANALL]
[/IGNOREALL] [/MOVE=directory] [/TROJAN]
path The directory and all of its
sub-directories to be scanned. Specify
just the drive name if the entire drive is
to be scanned. Wild-cards in the dataset
name are not allowed. You may specify
only one drive or path name at a time.
CD-ROM drives names may also be specified.
F/WIN accepts Windows 95 long file name
paths, but keep in mind that the DOS
command-line only can handle 128 chars.
Path names with spaces must be enclosed in
quotation marks.
/? or /H Will display a short help screen.
/DOC F/WIN scans only .DOC and .DOT files. The
default is to scan ALL files. This will
increase the scan speed, but F/WIN will
only detect macro viruses with this option
enabled.
/REPORT=... The path and file name for a text file
that contains a report of the files that
F/WIN checked. The report option is only
available in the registered version.
For instance: /REPORT=C:\FWINCDRV.RPT.
/MODE=n Enables the advanced scanning modes.
n = 1 : Extended mode. This is the same as
using the /EXTENDED parameter.
n = 2 : Paranoid. This is the same as
using the /PARANOID parameter.
/EXTENDED By default, F/WIN checks macros carefully
and will try to minimize the chance of
false positives. However, this keeps F/WIN
from detecting some trojan macros. If you
enable the extended mode, F/WIN will also
report documents which contain suspicious
macros but doesn't seem to contain a
complete macro virus or trojan. /EXTENDED
is equal to /MODE=1 and only available in
the registered version.
/PARANOID By default, F/WIN checks macros carefully
and will try to minimize the chance of
false positives. However, this keeps F/WIN
from detecting some trojan macros. If you
enable the paranoid mode, F/WIN will also
report macros which are only partially
suspicious but will also report more false
positives. /PARANOID and /MODE=2 perform
exactly the same functions. The /PARANOID
parameter was included because it might be
easier for some users to remember than
/MODE=2. If you don't use Word macros at
all, /PARANOID or /MODE=2 is a very good
choice.
/RENAMEALL F/WIN renames all suspicious files it
detects without prompting for user input.
/CLEANALL By default, F/WIN prompts for what action
to take on an infected file as it
encounters each one. This switch tells
F/WIN to not prompt for action on each
file, but instead, to go ahead and remove
the virus from all infected files using the
"CLEAN" method. "Clean" is a deep
cleaning. In additional to writing over
the macro definition list, it also writes
over the virus code itself. Because of
internal fragmentation in Word templates,
clean will sometimes not clean the document
properly leaving it unreadable, or locking
your PC up when trying to access the
document after the clean. However, a
backup of all cleaned files are made, so
you can try the WIPE disinfect method
instead if the CLEAN method fails (after
restoring the document from the backup).
Most likely, F/WIN by itself will detect
that a file can't be cleaned with the
"CLEAN" option and will report the message
"This file can not be cleaned safely!".
If this option is used, you MUST also use
the /REPORT= option. /CLEANALL Can't be
used with /RENAMEALL or /WIPEALL.
/WIPEALL By default, F/WIN prompts for what action
to take on an infected file as it
encounters each one. This switch tells
F/WIN to not prompt for action on each
file, but instead, to go ahead and remove
the virus from all infected files using the
"WIPE" method. "Wipe" is a shallow
cleaning. In simply writes over the
the macro name and offset list. It does
not write over the virus code itself like
CLEAN does. However, Word will never
be able to access the virus code again
using this cleaning method, so it is quite
effective. Since /WIPEALL only wipes the
macro name and offset list, it is far less
susceptible to damaging documents it
disinfects. As a result, it is only on
very rare occasions that F/WIN damages
templates it cleans this way. /WIPEALL
makes a backup copy of all modified files.
If this option is used, you MUST also use
the /REPORT= option. /WIPEALL Can't be
used with /RENAMEALL or /CLEANALL.
/IGNOREALL Like /RENAMEALL, /WIPEALL and /CLEANALL,
F/WIN will not stop and prompt for user
input if it detects suspicious files. When
you use /IGNOREALL, the suspicious files
will stay untouched. /IGNOREALL can only
be used with /REPORT and can be
used in DOS batch files. Using /IGNOREALL
has the same affect as choosing the (Skip
all) feature.
/MOVE= When F/WIN removes any virus or trojan
it first makes a backup copy of the
infected file. By default, F/WIN makes the
backup copy in the same directory as the
file from which the virus/trojan was
removed. For instance, if F/WIN cleaned a
file in C:\WINWORD\INFECTED.DOC, it would,
by default, make a backup file called
C:\WINWORD\INFECTED.VIR. Also, if a file
is too fragmented for F/WIN to clean it
safely, F/WIN just leaves the file right
where it is (it produces a message saying
it can't clean the file).
When the /MOVE= parameter is used, it
allows the user to specify what directory
backup files, and files that couldn't be
cleaned appear in. F/WIN creates two sub-
directories under the directory specified
in the /MOVE= parameter. For instance,
assume that the user wants to put all
backup files into a directory called
C:\FWINBKUP. Here's how the parameter
would be coded:
/MOVE=C:\FWINBKUP
F/WIN would then create to additional
sub-directories under that one. One would
be called \BACKUP and the other \DAMAGE.
Using this same example, this is what F/WIN
would create:
C:\FWINBKUP\BACKUP (backups of files that
F/WIN was able to
clean)
C:\FWINBKUP\DAMAGE (original files that
F/WIN was NOT able to
clean. They literally
were moved to this
directory, not just
copied).
/TROJAN= By default, F/WIN will NOT check for
trojans, only viruses. This is to help
reduce the possibility of false positives.
When /TROJAN is specified, F/WIN will
notify users of possible harmful trojans as
well as viruses. How sensitive F/WIN is to
detecting trojans depends on which
additional parameters are used.
Currently, there are no macro trojans
reported in the wild.
Level 0 sensitivity (lowest): /EXTENDED,
/MODE and /PARANOID NOT used.
Level 1 sensitivity (medium): /EXTENDED
or /MODE=1 also specified.
Level 2 sensitivity (maximum): /PARANOID
or /MODE=2 also specified.
When using F/WIN in a DOS Batch file, it will return the
following error levels that can be checked in a DOS batch
file:
0 - F/WIN finished the scan without finding
suspicious files.
1 - F/WIN detected suspicious files during the
scan process.
252 - The evaluation version has expired. This
message is referring to the fully-functional
evaluation copy, not the partially functional
shareware version.
253 - A wrong scan drive or path specified.
254 - An wrong command-line parameter was specified
255 - F/WIN found a companion virus which has
infected F/WIN.EXE.
Here are some examples of how to execute F/WIN:
FWIN D:
(scans the entire D: drive)
FWIN "C:\MSOffice\WinWord\Template\My templates"
(Scan the "My templates" subdirectory and all
directories below it. Note that the parameters
passed to FWIN had to be enclosed in quotes
in this case because of the space that appears
between "My" and "templates")
FWIN A:\ /REPORT=C:\FWIN.RPT
(scans the entire A: drive, and puts a report of
what it found into the file C:/FWIN.RPT)
FWIN D:\ /REPORT=A:\FWIN.RPT /PARANOID /DOC
(scans the entire D: drive, and puts a report of
what it found in A:/FWIN.RPT, and checks ONLY
macros in files that end in .DOC or .DOT)
FWIN C:\ /REPORT=A:\FWIN.RPT /MODE=2 /CLEANALL
(scans the entire C: drive in the Paranoid mode and
puts a report of what it found in A:/FWIN.RPT, and
cleans all files infected with Word macro viruses
or trojans.)
FWIN C:\ /REPORT=C:\FWIN.RPT /MODE=1 /WIPEALL
(scans the entire C: drive, and puts a report of
what it found in C:/FWIN.RPT, and wipes the macro
definition list from all files infected with Word
macro viruses or trojans that satisfy the /MODE=1
search criteria. Also makes a backup copy of all
disinfected files.)
FWIN
(F/WIN will prompt for which drive to scan. Just
enter the letter of the drive (don't add a ':'
after it). It also produces the same help
information that's listed when the /H or /?
parameters are used.
FWIN /?
(F/WIN displays help information)
FWIN C:\*.DOC
(will NOT work; wildcards are not valid)
FWIN C: /REPORT=C:\FWIN_C.RPT /IGNOREALL
(Scan the C: drive, and put the results of the scan
in a file called FWIN_C.RPT on the C: drive root
directory. F/WIN doesn't stop scanning for any
viruses found (/IGNOREALL), just keeps scanning and
only reports what is found.
2.2 From Windows 3.x
-----------------------------------------------------------------
Option #1: Click on the "MS-DOS PROMPT" icon in the
"MAIN" window and follow the previous
instructions for running from a DOS prompt.
Option #2: On the PROGRAM MANAGER screen, click on
"FILE", then on "RUN". Point to where FWIN
is stored, then add the appropriate parms to
run it the way you want it to. For instance,
in the box that says "COMMAND LINE", you
would enter: "C:\FWIN C:" to scan the C:
drive, assuming that FWIN was being stored
in the root directory of the C: drive.
In either of the above two options, F/WIN will prompt you
for the path to scan if it isn't specified.
2.3 From Windows '95
-----------------------------------------------------------------
Option #1: Run it from DOS. There are three ways to get
to it.
First way: Click on "START"
Click on "RUN"
Key in the appropriate FWIN command. Use
the previous instructions for running F-
WIN in DOS. For instance, enter:
C:\FWIN A: to scan the A: drive.
Click on "OK"
Second way: Click on "START"
Click on "PROGRAMS"
Click on "MS-DOS PROMPT"
Key in the appropriate FWIN command. Use
the previous instructions for running F-
WIN in DOS. For instance, enter:
C:\FWIN A: to scan the A: drive.
Third way: Click on "START"
Click on "PROGRAMS"
Click on "MAIN"
Click on "MS-DOS PROMPT"
Key in the appropriate FWIN command. Use
the previous instructions for running F-
WIN in DOS. For instance, enter:
C:\FWIN A: to scan the A: drive.
You may also set up icons to run FWIN with from the
Windows 95 Menu. In these example below, FWIN will scan
the A: drive:
Copy FWIN.EXE into whatever directory you want to run it
from. In this example, it is run from the C:\
directory.
Click on "START"
Click on "SETTINGS"
Click on "TASKBAR"
Click on "START MENU PROGRAMS"
Click on "ADD"
Key in "C:\FWIN.EXE A:" in the box labeled "Command
Line", then press ENTER
Click on "NEXT"
Key in "FWIN (scan A drive)" in the box labeled "Select
a name for the shortcut", then press ENTER
Click on the icon of your choice, or use the FWIN.ICO
file that came with F/WIN.
Click on "FINISH", then "OK"
To run what you just set up:
Click on "START"
Click on "PROGRAMS"
Click on "FWIN (scan A drive)"
2.4 From OS/2 Warp
-----------------------------------------------------------------
Open an OS/2 DOS window. Then execute F/WIN exactly the
same way you would as if you were running it in DOS.
2.5 Choices F/WIN provides when a suspected virus is
found
-----------------------------------------------------------------
If F/WIN detected a suspicious files, it will stop
scanning and display some messages. At the bottom of this
text you will get a display similar to the examples below:
This file has suspicious structures! (32 bit virus?)
Rename file? [Y]es, [N]o, [A]ll, [S]kip all :
This document has suspicious structures or contents:
Rename file? [Y]es, [N]o, Rename [A]ll, [C]lean file,
[W]ipe macro names, [S]kip all :
You choose options by pressing the letter enclosed in
brackets (F/WIN will display this chars in another color).
The options explained in detail:
- (Rename file) [Y]es:
F/WIN will rename this document to another file
extension (.VIR, VI1, etc.) and will continue the
search. The contents of the reported file are not
changed.
- (Rename file) [N]o:
F/WIN will do nothing with the reported file and will
continue the search normally.
- (Rename) [A]ll:
This and all further suspicious files will be renamed
to a .VIR extension. F/WIN will not stop and prompt if
it detects further files with suspicious contents.
(F/WIN will rename both macro and Windows EXE viruses)
- [S]kip all:
The search will be continued and F/WIN will not
interrupt again if it finds suspicious files. All
suspicious files will remain unchanged. This feature
may not be very helpful unless you also use the
/REPORT option.
- [C]lean:
Macro viruses:
F/WIN will try to clean the reported file with the
full cleaning method. Before starting the cleaning
process, it will create a backup of the target file.
The cleaning process will get aborted if F/WIN can't
create the backup file. All macros are removed from
the template, not just the virus macros!
Windows 3.x (NE-EXE) viruses:
F/WIN will try to clean the reported file by searching
the original entry point in the virus code. The virus
code will be removed completely by F/WIN. If the virus
can't be cleaned, F/WIN will report "This file can not
be cleaned safely".
- [W]ipe macro names:
Like the full cleaning option, F/WIN will create a
backup before trying to modify a file. Removing
just the macro name and offset list from a document is
much safer than CLEAN and you should use this option if
you encounter problems with the full cleaning. All
macros are removed from the template, not only the
virus macros. This option is not available for
Windows EXE viruses.
2.6 Situations in which FWIN should N-O-T be run
-----------------------------------------------------------------
If you suspect that a DOS, Windows 95 or OS/2 virus is
memory resident, do N-O-T run F/WIN until you are
confident that the virus is no longer memory resident.
If a virus is memory resident, and it's a "fast infector",
running F/WIN can cause it to infect every executable file
it's capable of infecting during F/WIN's scan. F/WIN is
not a full-blown scanner that can check to see if DOS and
Windows viruses are resident in memory. It is a
specialized scanner that supplements the regular scanner
you already have. Use your regular scanner to make sure
there are no memory resident viruses before running F/WIN
or better yet, boot from a clean system disk.
These precautions are only necessary against resident DOS,
Windows 95 or OS/2 file or boot sector viruses. Macro
viruses are 'resident' too, but don't directly interfere
with a running of those three operating systems programs.
3.0 HOW TO ORDER A REGISTERED VERSION OF FWIN
=================================================================
3.1 Extras in the registered version
The following extra features will appear in the registered
version that aren't active in the shareware version.
a) Cleaning of all files will be activated (not just
NORMAL.DOT).
b) /REPORT switch will be activated
c) /MODE and /PARANOID switches will be activated
d) /CLEANALL and /WIPEALL will be activated
3.2 In Germany
Orders can be submitted using e-mail or normal way. Please
fill in the file REGISTER.TXT and send it to:
Stefan Kurtzhals
Dörrenberg 42
42899 Remscheid
Germany
E-Mail: kurtzhal@wrcs3.urz.uni-wuppertal.de
The registered version will be sent either on a 3,5" disk
or by PGP encrypted E-Mail. Please don't forget to add
your public PGP key if you want to receive the registered
version by E-Mail! You will receive a PKZIP archive which
will contain the latest version of F/WIN and a personal
key file.
The latest German shareware version of F/WIN can be
downloaded from:
- HTTP://WWW.GEN.COM/FWIN
- HTTP://WWW.CYBERBOX.NORTH.DE
- CYBERBOX BBS (V32b: 0441-3990032, V34: 0441-3990033,
ISDN: 0441-9396977)
- VHM II BBS (V34/ISDN: 08638-881108)
3.3 In the United States
PAYING FOR THE REGISTERED VERSION
---------------------------------
Print and fill out the file ORDER.TXT, then mail to:
Computer Virus Solutions
Order Processing
P.O. Box 30802
Gahanna, Ohio 43230
United States of America
Please include a check or money-order payable to:
"COMPUTER VIRUS SOLUTIONS"
At this time, we are not yet set up to accept credit
card orders, but we should be in the future.
When we are able to accept credit card orders, there
will also be a dedicated fax line to place your orders
by fax. We are hoping to have that available in the
middle to end of March, 1996. Watch our WWW site for
news about this.
HOW TO RECEIVE THE SOFTWARE AND KEY FILE
----------------------------------------
Option #1
---------
Download the shareware version from an FTP site.
After receiving your payment by mail, we'll send you
your unique key file which turns the shareware version
into the registered version. You may receive your key
file in any of the following ways:
a. By mail on a floppy diskette.
b. By e-mail as a PGP encrypted binary file
attachment (make sure you're e-mail system allows
this)
c. A UUENCODE'd e-mail message (must be PGP
encrypted, though)
d. A PGP ASCII file sent in an e-mail message
e. PKZIP password protected file that's been
UUENCODED.
If you wish to receive your key file by e-mail, you
must make sure to send us your PGP public key. We
will not send an unencrypted key file through the
internet.
With the exception of the diskette option, the file
you'll receive will a self-extracting PKZIP compressed
file.
Option #2
---------
2. All software sent on a diskette.
Getting Updates
---------------
Updates (which is the shareware version) can be downloaded
from the following web sites (see below). As long as you
have a valid, legal FWIN.KEY file, you can download the
"shareware" versions from these sites to upgrade your copy
of F/WIN.
The FWIN.EXE file by itself is the "shareware" version.
When FWIN.EXE and FWIN.KEY are used together, collectively
they make up the fully-functional "registered" version.
Here's how this works. When you run F/WIN Anti-Virus, the
FWIN.EXE program looks to see if a valid FWIN.KEY file
exists where it expects it to be. If FWIN.KEY is missing,
FWIN.EXE is programmed to avoid activating some features.
If a valid FWIN.KEY is found, then FWIN.EXE will activate
all of its features. So you can keep downloading updated
shareware versions, and have the most up-to-date
registered version as well because of your FWIN.KEY file.
See the price list in the ordering files for what it costs
to receive update diskettes by mail 4 times a year.
We also have an auto-responder set up that will allow you
to send an e-mail message (with nothing in the subject or
message; a completely blank message) to our WWW site, and
have it automatically send you back through e-mail a
UUENCODE'd version of the latest shareware release. This
will allow anyone with internet e-mail access to get their
updates (and the original shareware version) by e-mail, so
long as they have UUDECODE software to decode it. To get
the latest version of F/WIN Anti-Virus by e-mail, send a
message (with nothing in the Subject line or body of the
message) to:
EVALUATE@FWIN.GEN.COM
If you don't currently have UUDECODE, it is available at
many FTP sites on the Internet. Our web page also contains
the DOS and Windows version of UUENCODE/UUDECODE for you to
download. Here's how to get to our web page:
HTTP://WWW.GEN.COM/FWIN
The shareware version may also be downloaded from:
http://www.valleynet.com/~joe
F/WIN may also be downloaded from any of the various
SimTel FTP sites around the world.
3.4 In other countries
For ordering the German version, contact Stefan Kurtzhals
for purchasing instructions. All others please contact Gary
Martin. Both can be contacted by e-mail through our web
page specified above.
4.0 WINDOWS EXE VIRUSES
=================================================================
4.1. For NON-Technical readers
-----------------------------------------------------------------
Until recently, {windows viruses} were very rare and
primitive. In most cases they just converted the Windows
executable format {NE-EXE} into normal {DOS-EXE} or used
{companion style infection} and didn't change the programs
at all. Furthermore, they all were {non-resident}
{direct action} infectors which never spread very far.
Viruses like {WinVir14} were to clumsy to escape into the
{wild} and remained pure research viruses.
But the situation changed after an underground virus
magazine published the source code for a virus called
{Winsurfer}. <Winsurfer> used a new {infection scheme} for
infecting NE-EXE files. It was the first virus which was
able to infect NE-EXE in a proper way without converting
the program in DOS-EXE or by just creating companions.
The new infection scheme is much less noticeable than the
previous ones because it only changes a very small part
of the {program header} and leaves the program still
executable.
Also, <Winsurfer> (and especially <Ph33r>) stay {resident}
using the {DPMI API}. This gives them a much higher
infection rate than the older direct action viruses.
(<Ph33r> is a partial {fast infector})
Because this infection scheme is so clearly superior and
additionally being published widely, it's very likely that
more viruses will appear which copy this special method
of infecting files.
Windows 95 programs (32 bit EXE) have a new format,
PE-EXE. The viruses that use the NE-EXE infection scheme
don't infect this format, but as there are still some
NE-EXE (16 bit EXE) left in Windows 95 or the user still
uses old Windows programs, the viruses will still spread
under Windows 95. Also, <Ph33r> infects DOS programs such
as COMMAND.COM or WIN.COM beside infecting Windows EXE.
The same underground virus writer group which created
<Winsurfer> and <Ph33r> also managed to write a PE-EXE
virus for Windows 95 executables. This virus is still
quite clumsy (it's again just a direct action virus), but
surely there will soon follow more complex viruses as the
virus source was again published by the authors.
4.1.1 F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------
F/WIN detects Windows EXE viruses by analyzing the NE-EXE
and PE-EXE header of a file. The known Windows EXE viruses
modify this header to an very unusual structure which can
be detected by F/WIN. F/WIN does not check the program
code which seems suspicious, and it will detect normal or
variable encrypted {polymorphic} viruses because of this.
4.2. For Technical readers
-----------------------------------------------------------------
Until recently, windows viruses were very rare and
primitive. In most cases they just converted the Windows
executable format NE-EXE into normal DOS-EXE or use
companion style infection and didn't change the programs
at all. Furthermore, they all were non-resident direct
action infectors which never spread very far. Viruses
like WinVir14 were to clumsy to escape into the wild and
remained pure research viruses.
But the situation changed after an underground virus
magazine published the source code for a virus called
<Winsurfer>. <Winsurfer> used a new infection scheme for
infecting NE-EXE files. It was the first virus which
was able to infect NE-EXE in a proper way without
converting the program in DOS-EXE or by just creating
companions. The new infection scheme is much less
noticeable than the previous ones because it only
changes a very small part of the program header and
leaves the program still executable.
In detail, the virus moves the NE header 8 bytes in order
to get a free slot for a new segment entry which now
points to the virus code. The virus code will then be
added to the end of the file, storing the original entry
point in a relocator entry behind the virus code.
Also, <Winsurfer> (and especially <Ph33r>) stay resident
using the DPMI API. This gives them a much higher
infection rate than the older direct action viruses.
(<Ph33r> is a partial fast infector)
Because this infection scheme is so clearly superior and
additionally being published widely it's very likely that
more viruses will appear which copy this special method
of infecting files.
Windows 95 programs (32 bit EXE) have a new format,
PE-EXE. The viruses that use the NE-EXE infection scheme
don't infect this format, but as there are still some
NE-EXE (16 bit EXE) left in Windows 95 or the user still
uses old Windows programs, the viruses will still spread
under Windows 95. Also, <Ph33r> infects DOS programs such
as COMMAND.COM or WIN.COM beside infecting Windows EXE.
The same underground virus writer group which created
<Winsurfer> and <Ph33r> now also managed to write a PE-EXE
virus for Windows 95 executables. This virus is still
quite clumsy (it's again just a direct action virus), but
surely there will soon follow more complex viruses as the
virus source was again published by the authors.
Actually, the virus is written for operating systems which
support the Win32 API. At the moment, Win32 is supported
by Windows (Win32s), Windows 95 and Windows NT.
<PE.Boza> increases the amount of segments, changes the
IP RVA to the new virus entry point, adds a new segment
to the segment list (the new segment is named .vlad) and
add the virus code at the end of the file.
4.1.1 F/WIN's detection of Windows EXE viruses
-----------------------------------------------------------------
F/WIN detects Windows EXE viruses by analyzing the NE-EXE
and PE-EXE header of a file. The known Windows EXE viruses
modify this header to an very unusual structure which can
be detected by F/WIN. Usually, they add strange segments
which have no valid code segment flags set. F/WIN does not
scan into these suspicious code segments, because there
are yet too few Windows EXE viruses to derive a good code
heuristic from them. Because F/WIN doesn't check the code
of the virus, it is able to detect any unencrypted or
polymorphic virus which use the <Winsurfer> or <Boza>
infection schemes.
5.0 MACRO VIRUSES
=================================================================
5.1 What they are
-----------------------------------------------------------------
Macro viruses which infects documents are fairly new. In the
case of Microsoft Word templates, they use the built-in
macro language called WordBasic. Other products like Excel,
Word Perfect, etc. have their own built-in macro languages
similar in function to WordBasic.
Winword Macro viruses copy themselves into the global macro
template and convert user documents into macro templates
when the document is saved and infected. Also, the viruses
use auto macros that are executed by WinWord automatically
when for example a file is opened, saved or closed.
Microsoft Word also allows execute-only macros which means
that the user can't read the macro definition anymore, a
feature which is used by most of the macro viruses.
5.2 History of
-----------------------------------------------------------------
The idea of macro viruses by itself isn't new at all.
In 1994 an example macro virus (<Winword.DMV>) was
done to show the dangers of macro languages. This virus
is a pure demonstration virus and was never spread.
The first macro virus that escaped into the wild was
<Winword.Concept>, which was released in 1995. Shortly
after <Concept> other macro viruses where done, such as
<Nuclear> and <Colors>. For more information about the
known macro viruses to-date, use your web browser to link
to:
http://www.bocklabs.wisc.edu/~janda/macro_faq.html
5.3 Why they pose such a great threat to your data
-----------------------------------------------------------------
There are two major reasons why macro viruses in general
pose such a great potential threat to your data.
First, macro languages like WordBasic (the macro language of
Microsoft Word) are easy to learn. What keeps most people
with bad intentions from writing DOS viruses is that DOS
viruses are usually written in Assembler which is quite
difficult to learn. But macro languages like WordBasic are
significantly easier to learn and write viruses with than
Assembler is. Coding examples for writing macro viruses can
be found on the Internet.
If your business uses one of the Microsoft Word templates
that have been designed to intercept and remove viruses,
then you have provided an excellent coding example to your
employees for coding a WordBasic virus. Parts of those
templates can be easily copied and modified to become
destructive virus code. And the help screens that are
available for WordBasic are plentiful. It would probably
take the average programmer less than 10 hours to start with
one of these anti-virus templates, and make a fully
functional virus with highly destructive capabilities from
it. The potential for data loss from a disgruntled employee
is high if someone made a decision to attack your company in
this manner.
The second reason the risk is so high is that most virus
scanners to-date only check for known macro viruses. They
are not capable of detecting unknown ones, or if they do,
they can misidentify what they've found. So if someone
did plant a new virus that they just wrote in your business,
you may not find it until it's too late. And it is very
easy to create a 'new' undetectable virus by just inserting
spaces and carriage returns into the macro code of a known
virus.
F/WIN's strength is that it finds both known and UNKNOWN
WordBasic viruses and trojan's. F/WIN uses heuristic
analysis instead of signature scans to find the viruses.
F/WIN can also REMOVE most viruses it finds. And if it
would happen to remove a virus in such a way where the
document is no longer accessible, it makes a backup copy of
the file before attempting to remove the virus. So F/WIN is
both effective, and safe.
Keep in mind that WordBasic is a powerful language. Beside
the possibility of modifying almost every parameter and
option of Winword, you can easily rename, change or delete
other files (like WIN.INI, SYSTEM.INI, CONFIG.SYS etc.) and
you can call other Windows or DOS programs, i.e. FORMAT or
DELTREE. It's also possible to execute Win API calls or
other embedded OLE objects.
5.4 F/WIN's detection of WordBasic macro viruses/trojans
-----------------------------------------------------------------
When F/WIN analyses a document, it scans the whole file.
This is necessary because of the complex internal format
of document files (which are OLE objects). F/WIN tries
to locate macro definition and macro list areas and then
scans the target areas for suspicious commands or texts.
Execute-only macros will get decrypted in memory while
checked (it uses a technique similar to the 'x-ray'
scanning method). F/WIN will analyze all the WordBasic
tokens for virus like commands as FileSaveAs, CopyMacro
and others. The macro name lists will be scanned for the
presence of auto and system macros like AutoOpen or
FileExit. After the end of the scanning process, F/WIN
analyses the temporary results and tries to figure out
if the macros are normal, or if they could represent
a trojan or even a macro virus.
Because of the complexity of OLE objects, F/WIN might
fail to properly locate all macro areas in a file. This
is not a real problem for virus detection, but it may
cause problems while trying to clean the document.
If the complete repair method fails (option 'C'), try the
safer macro name wiping method (option 'W') which will
work in almost every case.
5.5 How the viruses are removed
-----------------------------------------------------------------
At this time, F/WIN only can remove macros from documents.
It's not able to remove Windows EXE viruses. F/WIN
offers two possible ways for removing macros.
The Clean option (choose 'C')
-----------------------------
For a Winword macro virus to work, two things must be
present inside the Word template that's infected. First,
there must be a macro name list area. It's similar to a
Table of Contents in a book that point the reader to the
page numbers of each chapter. It's how Word determines
which macro's are present and where exactly they are
placed. Then there's the macro definitions area. This is
where the macro code itself is stored. The "Clean" function
erases both areas. In our testing, the "Clean" function
safely removed the viruses and trojans in the overwhelming
majority of the cases. But there were some occasional
incidents when the clean left the document unreadable.
If this happens, just restore the document from the backup
that F/WIN made and use the "Wipe" option to remove the
virus instead. If the full cleaning method fails, F/WIN
will produce the error message ('F/WIN can not clean this
file safely!'). You should then try the macro name wiping
instead.
The Wipe option (choose 'W')
----------------------------
Because of the complexity of the internal template
structures, the Clean option may fail. You can avoid this
problem most of the time by using the Wipe option instead
(option 'W').
"Wipe" overwrites (wipes) only the macro name list. It
does not overwrite the virus code itself (the macro
"definitions"). The virus/trojan code is only accessible
with a disk editor after this kind of disinfection. But
even a disk editor is quite useless in almost every case
because the macros are usually encrypted and most people
could not even find them, let alone decrypt and reuse them.
There currently are no tools available to decrypt them, at
least not ones available to the general public. It is quite
unlikely that most people could do this, even skilled PC
programmers. Once the macro definitions list has been
erased, it is VIRTUALLY IMPOSSIBLE FOR WORD TO EVER FIND THE
VIRUS CODE AGAIN. Your documents will be safe to use again.
We have on very rare occasions, experienced situations in
which even Wipe could not safely disinfect a template. In
most of those cases, F/WIN clearly tells you that it could
not safely remove the virus/trojan. You may then send it to
your regular anti-virus company, or to F/WIN Support to have
it removed.
When comparing F/WIN with other macro anti-virus products,
keep in mind than some virus scanners still don't include
any kind of a cleaning facility at all or just clean the
macro name list.
REGARDLESS OF WHETHER YOU CHOOSE "CLEAN" OR "WIPE" F/WIN
WILL REMOVE -ALL- MACROS FROM A DOCUMENT, NOT JUST THE ONES
WHICH SEEMS TO CONTAIN SUSPICIOUS CODE. SO IF YOU
DISINFECT YOUR NORMAL.DOT AND HAVE USEFUL MACROS INSTALLED,
THEY WILL BE REMOVED TOO.
Before starting the actual cleaning process, F/WIN will try
to backup the target file by creating a copy of the file
with ".Vnn" file extension. The file will not get modified
if F/WIN fails to create a backup! Here's an example of how
this naming scheme works. Assuming that you have eleven
Word documents containing payroll information, and all are
infected, here's how F/WIN would name the backup copies.
Infected file Backup file
------------- -----------
PAYROLL.WK1 PAYROLL.VIR
PAYROLL.WK2 PAYROLL.VI1
PAYROLL.WK3 PAYROLL.VI2
PAYROLL.WK4 PAYROLL.VI3
PAYROLL.WK5 PAYROLL.VI4
PAYROLL.WK6 PAYROLL.VI5
PAYROLL.WK7 PAYROLL.VI6
PAYROLL.WK8 PAYROLL.VI7
PAYROLL.WK9 PAYROLL.VI8
PAYROLL.WK10 PAYROLL.VI9
PAYROLL.WK11 PAYROLL.V10 (notice that the 'I' is now
replaced by a '1')
6.0 F/WIN MESSAGES FOR WINDOWS VIRUSES
=================================================================
6.1 Possible 16-bit virus (NE-EXE)
-----------------------------------------------------------------
F/WIN will display this message when it finds a Windows
executable with a suspicious internal file structure.
This will most likely indicate a Windows 3.x EXE virus
infection. Please send such files to the F/WIN Support
for analysis! It would be easy to ignore this message
because of the use of the word "possible". We encourage
you to take this message very seriously if you see it.
We have had no instances in our testing where it has
produced a false alarm but still the NE-EXE and PE-EXE
heuristic analysis is quite 'weak'.
6.2 Possible 32-bit virus (PE-EXE)
-----------------------------------------------------------------
Like NE-EXE viruses, F/WIN will detect this virus type by
analyzing the internal file structures. At the moment,
only one PE-EXE virus is known, <PE.Boza>. If you encounter
a possible 32-bit virus infected file, please send us a
sample for analysis! It would be easy to ignore this
message because of the use of the word "possible". We
encourage you to take this message very seriously if you
see it. We have had no instances in our testing where it
has produced a false alarm using the latest release of
F/WIN.
7.0 F/WIN MESSAGES FOR MACRO VIRUSES
=================================================================
7.1 "A backup has been created"
Before F/WIN removes a virus or trojan from a Word template,
it first tries to make a backup copy of it. The backup copy
will be unaltered, and will still contain the virus. F/WIN
does this for two reasons. First, if the file is highly
fragmented F/WIN may not be able to clean it properly.
Since a backup is available, you can try a different
approach. For instance, if the Clean function leaves it
damaged, try the Wipe function instead on the backup copy.
The second reason a backup is made is to allow recovery of
macros that F/WIN flagged as dangerous, but that weren't.
For instance, if someone wrote a macro to automatically
delete all the *.TMP files that Word creates every time Word
is opened, they would most likely us a 'Kill' command to do
it. Since F/WIN would find this 'Kill' command, and see
that it executes automatically, it would consider such a
macro to be dangerous and it would remove it during the
cleaning process. Having a backup copy allows the person
using that macro to have it restored from a backup copy.
This message tells the user that F/WIN was successfully
able to make the backup copy.
7.2 "Attempt to backup file before cleaning failed!!"
Before F/WIN removes a virus or trojan from a Word template,
it first tries to make a backup copy of it. The backup copy
will be unaltered, and will still contain the virus. See
description of the "A backup has been created" message above
for more information about why the backup is done.
This message means that F/WIN could NOT create the backup
file. F/WIN will NOT remove the virus from the original
infected file if it can't successfully make a backup copy.
There are a few possible causes.
- the disk drive is out of space
- the original file was damaged before F/WIN scanned it.
An example of this would be a cross-linked file. A
cross-linked file is a file whose disk space is
partially shared by another file.
When F/WIN can't clean it, it reacts one of two ways. If
the /MOVE= parameter was specified, it literally moves the
infected document to whatever directory was specified by the
user in the /MOVE= command, except that F/WIN creates a
directory below that one to actually place the file in. The
sub-directory F/WIN creates for such instances is \BACKUP.
So if /MOVE=C:\FWINBKUP was specified, F/WIN would actually
move the file to C:\FWINBKUP\BACKUP\filename. Also, F/WIN
renames the file extension. The old and new file names
appear in F/WIN's report to make the file easy to locate
after the scan is finished.
If /MOVE= was NOT used, then F/WIN just leaves the file
where it currently is, but still renames it.
7.3 "Changes DOS attributes of other files"
The "attributes" of a file can be modified to change the way
DOS views and stores a file. While there are legitimate
reasons for changing the attributes of a file, viruses often
remove the attributes before modifying files. READ-ONLY file
attributes prevent a program from modifying a file while
this attribute is enabled. SYSTEM or HIDDEN attributes are
used by DOS and Windows to hide it's critical system files.
Files with these attributes don't get listed with DIR or in
the Explorer unless you configure them to do so. Some of
the known macro viruses remove the system attributes of the
IO.SYS and MSDOS.SYS files and then delete them. A regular
macro does not contain such commands.
This would probably be a good place to point out that the
READ-ONLY attributes are no protection against viruses.
These attributes can be removed and set without any problems
by a virus. In fact, some resident file viruses (DOS) infect
on setting the file attributes.
7.4 "Contains # macros (# bytes)"
The '#' is replaced by an actual number in the message F/WIN
produces. As a diagnostic aid, F/WIN will report how many
macros it found, and the total number of bytes they utilize
collectively. This can be helpful in determining if a new
macro virus or trojan has been found. Here are the numbers
that F/WIN produces for some common viruses and trojans:
Winword.Trojan.FormatC - Contains 1 macro (81 bytes)
Winword.KillDLL - Contains 1 macro (284 bytes)
Winword.Wazzu - Contains 1 macro (644 bytes)
Winword.Date - Contains 1 macro (1042 bytes)
Winword.Guess - Contains 1 macro (1126 bytes)
Winword.Devina - Contains 1 macro (2357 bytes)
Winword.Imposter - Contains 2 macros (907 bytes)
Winword.Doggie - Contains 3 macros (610 bytes)
Winword.Atom - Contains 4 macros (1029 bytes)
Winword.Concept - Contains 4 macros (1968 bytes)
Winword.Boom - Contains 4 macros (2863 bytes)
Winword.Hot - Contains 4 macros (5515 bytes)
Winword.Colors - Contains 9 macros (6470 bytes)
Winword.Nuclear - Contains 9 macros (10556 bytes)
Winword.Xenios - Contains 11 macros (31342 bytes)
If the infected Word template contained macros in it before
it was infected, then some of those original harmless macros
could still be present. In that case, the counts above
would not match the counts you'd normally see for each
particular virus. For instance, if a template contained 2
macros totaling 1000 bytes before being infected with the
Concept virus, F/WIN's count would include those original
macros plus those that were copied into the file by the
Concept virus. So in this example, F/WIN might produce the
following line for Concept:
- Contains 6 macros (2968 bytes)
7.5 "Contains macro shortcuts"
Normally, macro viruses must hook certain critical macros to
get activated when you open an infected document. For
instance, they create an "AUTOOPEN" macro to perform some
function when the user "opens" a file. A lot of antivirus
programs now intercept or detect these types of macros, but
there's another method that is more difficult to detect.
Instead of using system macros like AutoOpen or FileClose,
macro viruses can assign shortcuts to macros. For example,
you can assign a macro to the 'PgDn' (page down) key. Each
time you press the key, the macro will get executed. So far,
no virus is know to use this method, but this it will be
just a matter of time before they do. And when they do,
F/WIN will detect the key assignment and will allow the user
to clean both the macro and the shortcut.
7.6 "Contains macros but is named .DOC"
Templates which normally contain macros are usually named
".DOT". Winword, however doesn't need this special file
extension to recognize macro templates. Macro viruses use
this and keep the old ".DOC" extension after infecting a
document, even if it's now a template rather than a
document. By concealing the true file extension, the virus
attempts to hide it's presence in infected files.
Regular macro templates are named ".DOT", so if you find
macros in a ".DOC" file it's quite suspicious, especially
if they are auto macros or execute-only macros.
7.7 "Contains execute-only macros (encrypted macros)"
There are two ways of storing macros in Word templates. The
non-encrypting method allows Word users to look inside the
macro just as they do a document and see what is coded in
it. If the macro is a malicious one, someone who understands
WordBasic can read the code and determine what it is trying
to do. WordBasic is a programming language within Microsoft
Word that allows Word users to create time-saving macros.
Non-encrypted macros can also be modified into useful code,
or into destructive virus or trojan code.
The second way of storing a macro is to use the
"execute-only" option. This option encrypts the macro so
that it is no longer eye-readable. It also prevents the
macro from being modified. However, it may still be renamed
or deleted and of course, executed.
Once a macro is encrypted, WordBasic provides no mechanism
for decrypting it back into readable form. This is the
choice method of storing macros for virus writers because
most Word users will not be able to look inside suspicious
macros to see what they're doing. Except for the information
F/WIN can provide on such macros, in most cases, the
document or template must be sent to an anti-virus company
for analysis to get the full details on what it's trying to
do.
This message indicates that F/WIN has found at least one
execute-only (encrypting) macro. However, F/WIN only
displays this message if it finds potentially dangerous
commands within the encrypted macro (F/WIN is able to look
inside for you). If it simply finds an encrypted macro that
has no dangerous WordBasic commands in it, this message will
not appear.
Execute-only macros are quite suspicious, but there are also
commercial or shareware macros which uses the encryption to
prevent modification of their code.
7.8 "Contains macros"
This warning message indicates that macros are present in
the template. However, this message will not appear unless
potentially dangerous WordBasic commands are present in one
or more of the macros.
7.9 "Copy macros into the global template ('CopyMacro')"
This warning message indicates that the WordBasic
"CopyMacro" command has been found in a macro. Of all the
error messages that F/WIN produces, this one is probably the
best at indicating the presence of a virus. Almost all
Word viruses to-date have used the "CopyMacro" command to
spread themselves from one Word template to the next. If
products like SCANPROT.DOT are being used for anti-virus
defenses, then there may be no cause for concern if this
warning message is produced for a file called SCANPROT.DOT.
SCANPROT.DOT is a Microsoft Word template developed by the
Microsoft Corp. to help combat Microsoft Word viruses.
SCANPROT.DOT contains several macros that use some of the
same commands used by viruses. If SCANPROT.DOT is present,
F/WIN will produce numerous warning messages when it
analyzes it. See section "1.7 False alarms" in the F/WIN
documentation to determine how to distinguish SCANPROT.DOT
warnings from other ones. We want to make it clear that we
are not suggesting that Microsoft is writing macro viruses.
The SCANPROT.DOT file is a template that is intended to
protect you against WordBasic macro viruses. Our point here
is that it uses exactly the same WordBasic commands that
some viruses use, so F/WIN will trigger warnings on
SCANPROT.DOT when it scans it. There are other anti-virus
templates besides SCANPROT.DOT that will trigger warning
messages from F/WIN. If any such templates are scanned by
F/WIN, in most cases, F/WIN will point this out by also
producing a message that says, "Might contain an
antivirus-macro (please verify!)". See 7.14 below for more
information about that message.
If you are sure that tools like SCANPROT.DOT are not in use,
and that legitimate macros that used the CopyMacro function
are not supposed to be in your environment, then it is quite
likely F/WIN has detected an actual virus if this particular
message is produced. Take this message very seriously, and
have an expert investigate the documents in question. It is
important to know if macros should be or should not be
present in your environment so that you can distinguish real
viruses from false alarms. Since most individuals and
corporate users of Microsoft Word rarely if ever use macros,
more often than not, this warning message will indicate the
presence of an actual virus, or of an anti-virus template
like SCANPROT.DOT.
Macro viruses often use 'CopyMacro' together with auto
macros like 'AutoOpen', 'AutoExec' or 'AutoClose' and are
also often encrypted (execute-only macros). To hide
themselves, they also often are not named ".DOT" but ".DOC
instead.
7.10 "Deletes other files! (Kill)"
This message indicates that the WordBasic "Kill" command is
being used within a macro. The Kill command deletes files.
You need to ask yourself, "why is my Word document deleting
files?" This is not a common activity for a macro, and may
indicate the presence of destructive code (macro trojan or
virus).
7.11 "Disables NORMAL.DOT write access warnings"
Most viruses will install their own special macros into the
Global Template (the NORMAL.DOT file). This allows the
virus to spread itself to virtually any template that is
opened by the user. Microsoft Word has an option users can
activate that alerts users to the fact that NORMAL.DOT has
been changed. It's a pop-up window that asks if you want to
save the changes to NORMAL.DOT. Some viruses disable this
warning message through a certain WordBasic command,
preventing the user from being warned that the Global
template has been changed. This message is telling you that
the warning message will be disabled if the macros in the
file are allowed to run.
7.12 "Enables the quick save option"
The Quick Save option allows users to speed up the process
of writing to disk, the changes that have been made to a
document. When the quick save option is on, only the
changes that were made are saved. When it's off, the entire
document is written back to disk during a save. While the
quick save option has the benefit of makings saves run
faster, it also makes virus detection and especially removal
more difficult. The reason is because of what's known as
"fragmentation".
Fragmentation can be compared to a complex puzzle. When
several saves have been done with quick save turned on, the
file is stored similar to a puzzle with all the pieces mixed
up. A language called "OLE2" (pronounced o-lay-two) manages
all these pieces of data for Microsoft Word, and puts them
all back together when a Word document is opened. But OLE2
is very complex. For a virus scanner to detect and remove
viruses/trojans, it too must understand how to put all the
pieces back together into the right order.
Some virus authors are aware of the problems that the quick
save option create for anti-virus products. As a result,
they may turn the quick save option on in an attempt to make
detection and removal more difficult. It's unusual for
someone to code this option in a macro, so this may be an
indication of an actual virus or trojan, especially if other
strong indicators are present.
Another reason virus authors might use the quick save option
is because it speeds up the process of writing the virus to
the template, thus making it a bit less noticeable to the
user.
7.13 "Execute other DOS or Windows programs! (Shell)"
This message indicates that another DOS or Windows program
is being executed by a macro. This is quite suspicious. Why
should a document execute a DOS or Windows program? While a
legitimate, useful macro could do this, it's not common.
Normally, macro viruses use this for dropping DOS viruses
(like Winword.Nuclear does with Vlad.Ph33r) or they call
FORMAT, DELETE, ERASE or other damaging DOS commands.
7.14 "F/WIN can not check Microsoft Word 2.0 documents!"
At this time, F/WIN can not check for viruses and trojans
in Microsoft Word 2.0 templates. However, this ability
is coming in a later release.
7.15 "F/WIN can not clean this file safely!"
The template is so internally fragmented that F/WIN has
determined that it can not safely clean the virus or
trojan using the CLEAN option (option 'C'). However,
the user has the option of restoring this file from the
backup copy that F/WIN made and trying to remove the
virus with the 'W' option instead (W=Wipe Macro Names).
The 'W' option should fail only on very rare occasions.
7.16 "has been moved to:"
When F/WIN removes a virus/trojan from a Word file, it makes
a backup copy of it first. This message tells the name of
the original file, and of the backup file associated with
it. For instance:
DATE.DOC has been moved to:
F:\FWINBKUP\BACKUP\DATE.VI0
This message says that "DATE.DOC" was the original file. If
F/WIN was able to clean the virus/trojan successfully (it
tells you when it can't), this file will be virus free.
DATE.DOC is safe to open and use. The "DATE.VI0" file is
the backup copy of "DATE.DOC" before the virus was removed.
DATE.VI0 still contains the virus, so don't open it! If the
cleaning failed, DATE.VI0 could be copied to another
directory and a different cleaning approach could be used.
7.17 "Might contain an antivirus-macro (please verify!)"
F/WIN has determined that the file MAY contain anti-virus
macros which are intended to be helpful to the user, and
that any warning messages associated with this file may be
false alarms. See section 1.7 for more information about
possible false alarms. In any case you should verify if this
is really an antivirus macro. Some viruses could mask
themselves as such useful macros.
7.18 "Might contain suspicious macros"
This is reported when the macro contains suspicious operands
and structures, but some parts are missing which are usually
found in macro viruses or macro trojans. This will only be
reported in the Extended or Paranoid scanning modes (/MODE=n
or /PARANOID).
7.19 "Reenables auto macro processing"
There are some macros that can be automatically executed if
they exist in a template. They are AUTOOPEN, AUTOCLOSE,
AUTOEXEC, and AUTONEW. AUTOOPEN, for instance, is executed
automatically when a file is OPENed. Some users in an
effort to protect themselves from macro viruses have
disabled all four auto macros. This message indicates that
code has been found that reactivate the auto macros. This
function is common for viruses to allow them to spread more
quickly and easily.
7.20 "Seems to be infected with a macro virus!"
F/WIN detected enough suspicious structures which gives a
very high chance that the reported document is infected
with a macro virus (or is an anti-virus template like
SCANPROT.DOT).
Be aware, too that this message may also be produced for
non-virus documents like SCANPROT.DOT, which are intended
to protect you from macro viruses. These anti-virus macros
contains almost the same WordBasic commands like a virus,
so it's impossible to distinguish between them.
7.21 "Seems to contain a trojan macro!"
This is reported if destructive commands are found and the
WordBasic "CopyMacro" command isn't used. This can't be a
virus, because it doesn't spread. A virus and a trojan can
both contain destructive code. However, a virus spreads and
a trojan does not. If you want to increase the trojan
detection ability of F/WIN you could use the options /MODE=n
or /PARANOID, but this also increase the chance of false
positives!
7.22 "System macros:"
A "system macro" is a macro that is executed automatically
when the user performs a certain action. For instance, when
a document is opened, the "AUTOOPEN" macro will be executed
automatically if it exists (if automatic execution is
enabled, which it is be default). If a file is saved, the
FILESAVE macro will be executed if it exists. This messages
indicates that F/WIN has detected the presence of one or
more macros that will be automatically executed when some
function is performed. The specific macros it finds are
listed. The purpose/function of each one is briefly
explained next. There could be a legitimate reason for the
existence of these macros in your document. However, they
may also be used by a virus or trojan, which usually contain
"AutoOpen", "AutoClose" or "AutoExec".
7.22.1 AUTOCLOSE
Called automatically if the user or Microsoft
Word closes a document.
7.22.2 AUTOEXEC
This macro is called automatically every time
Microsoft Word is started (when you click on
the Word icon).
7.22.3 AUTONEW
This macro is called automatically every time
a new document is created.
7.22.4 AUTOOPEN
This macro is called automatically every time
an existing document is opened. This is most
often used by the macro viruses because it
allows them to perform some activity (like
spreading itself) right away if you try to
read an infected document.
7.22.5 FILEEXIT
This macro is executed when a file is closed
(i.e. choosing "File", then "Close" from
Microsoft Word).
7.22.6 FILENEW
This macro is run when "File", then "New" are
selected from Microsoft Word.
7.22.7 FILESAVE
This macro is run whenever a file is saved.
That includes when automatic, timed backups
are made.
7.22.8 FILESAVEAS
This saves a document to a different name
and/or different file type. This macro must
be redefined by macro viruses because they
must convert documents into templates in
order to save macros in the file. This
macro will most likely only be included in
the global macro template NORMAL.DOT.
7.22.9 TOOLSMACRO
This function is called when the user tries
to view, delete, rename or edit macros.
Some of the macro viruses use this to infect
further documents, or add some stealth
functions which prevent the user from seeing
the suspicious macros.
DANGER!! Do not attempt to manually remove
the virus or trojan by clicking on "Tools",
then "Macro" when this message appears. The
virus author may have coded some destructive
code in the TOOLSMACRO macro that you will
activate when you do this. Only allow an
anti-virus program like F/WIN to remove the
virus when you see that the TOOLSMACRO macro
is present.
7.23 "The file has been moved to:"
If F/WIN is unable to remove a virus from a file for some
reason, or if it can't make a good backup copy of the file
before removing it, F/WIN moves it from it's current
directory to the one specified in the /MOVE= parameter,
except that F/WIN creates a directory below that one to
actually place the file in. The sub-directory F/WIN creates
for such instances is \DAMAGE. So if /MOVE=C:\FWINBKUP was
specified, F/WIN would actually move the file to
C:\FWINBKUP\DAMAGE\filename. Also, F/WIN renames the file
extension. The old and new file names appear in F/WIN's
report to make the file easy to locate after the scan is
finished.
If /MOVE= was NOT used, then F/WIN just leaves the file
where it currently is, but still renames it.
This message tells the user that F/WIN successful in moving
the infected file to the /MOVE= directory.
7.24 "The macros within this file are disabled!"
Some antivirus programs clean macro virus in a special way.
In order to avoid problems with complex (fragmented)
documents, they just overwrite a few bytes in the macro list
that tell Word that macros are present. Word checks this
part of the document first to see if there are macros. If
This particular area says there aren't any, then Word goes
on about its business assuming that no macros are present,
even thought they may actually be. This is a fast and easy
way to disable the macros, and its effects are permanent.
The macros can't be accessed anymore after this kind of
cleaning. However, the macro code and names are still
present in the file. A lot of antivirus programs can't
handle such files correctly and still report them as
infected. By default, F/WIN will ignore such 'corpses'.
However, if the /MODE=2 or /PARANOID options were used,
F/WIN will report these files and will display the message
shown above.
7.25 "This document is internally fragmented. The repair
could have failed !"
The CLEAN option was chosen, but because of fragmentation in
the file, the CLEAN may not have worked. It is suggested
that you keep a copy of the backup files that F/WIN created
until it can be confirmed that the document is still
accessible. Better yet, rename the backup file and try to
remove the virus with the 'W' option (Wipe Macro Names)
option instead. In most cases, this will clean the file
successfully.
It might be helpful to explain in plain English what
internal fragmentation is. A Word document/template can
have many things stored within it. It can have tables,
text, graphical images, macros, etc. All of these different
components are stored like puzzle pieces that OLE2 can store
in chronological order, or all mixed up. OLE2 is the file
format that Word uses to manage the contents of Word
documents and templates. How OLE2 is able to store these
components all mixed up, and still present them all put back
together for the user is a very complex process.
Imagine if you had a 500 piece puzzle. Drop it on the
floor, scramble it all around, then try to put it back
together. That's somewhat similar to what an "internally
fragmented" file is. Because OLE stored the document in
such a scrambled manner, it knows how to put it all back
together into something you can easily view when you open
the file. Use of the Word QuickSave option is primarily
responsible for causing this kind of fragmentation in Word
documents.
Because F/WIN is not a Windows program, it can't use the OLE
API functions to read and analyze Microsoft Word documents.
It has to figure out where the macros are stored in the
document by itself and because of the complexity of OLE
objects the cleaning may occasionally fail. If you get this
warning you should try the 'Wipe macro names' option instead
of the full cleaning.
7.26 "Uses macro 'FileSaveAs'"
As said above, this is essential for macro viruses because
they must convert documents into templates. In fact, if the
user saves a file, the viruses internally uses FileSaveAs.
In WordBasic, there is a FileSaveAs "macro name", and a
FileSaveAs "WordBasic command". The macro internally calls
the function, but the FileSaveAs macro could be redefined,
i.e. to offer special prompts.
7.27 "Uses 'Organize .Copy' to copy macros"
This warning message indicates that the WordBasic "Organize
.Copy" command has been found in a macro. Like the
"Copymacro" command (see 7.5 for details), this is a very
strong indicator of the likely presence of a virus. Both
perform the same function, they just do it in different
ways. They copy a macro into another Word template. Most
of the older macro viruses used CopyMacro to spread
themselves. Recently, a new virus called "Boom" use the
"Organize .Copy" command instead of "CopyMacro" to spread
itself.
Macro viruses often use 'CopyMacro' or 'Organize .Copy
together with auto macros like 'AutoOpen', 'AutoExec' or
'AutoClose' and are also often encrypted (execute-only
macros). To hide themselves, they also often are not named
".DOT" but ".DOC instead. Do not take this warning message
lightly, especially if it appears along with several other
strong warning messages.
7.28 "Writes into other files directly (Write)"
This WordBasic command writes data directly into another
file. Quite unusual for regular macros, but some macro
viruses like <Winword.Xenixos> use this to drop DOS viruses
into the system. They create a debug script file with the
write command and then execute DEBUG to "compile" it.
8.0 COPYRIGHT, LICENSE TERMS AND DISCLAIMER
=================================================================
See file "LICENSE.TXT".
9.0 GLOSSARY OF TERMS USED IN THIS DOCUMENTATION
=================================================================
16-bit EXE
Windows 3.x uses a special executable file format,
NE-EXE. Beside the old DOS EXE file header, it has a new
NE header which specifies the locations and sizes of the
code and data resources in the file. NE-EXE files still
can call the DOS INT 21h or DPMI API functions. The first
known virus for NE-EXE was <WinVir_1.4>.
32-bit EXE
Windows 95 and Windows NT uses a new executable format,
PE-EXE (Portable Executable). It is optimized for the
32-bit OS, i.e. by using 32-bit RVA's and supporting
MMF (Memory Mapped Files). Like NE-EXE, they still have
a normal DOS EXE header followed by the PE header which
indicates the location and size of the file contents.
PE-EXE run in flat protected mode and the program code
can only call Windows API functions. The first known
virus for PE-EXE was <Boza>.
Auto Macro
Auto macros are special Microsoft Word macros which are
executed automatically by Word on certain events, i.e.
like opening a document. To some degree, they can be
disabled, but the macro viruses still have enough other
ways to intrude the system.
Boza
<PE.Boza> is the first known virus for PE-EXE files
(Windows 95), and comes from Australia. It's only a
research viruses and not in the wild, mostly because
it's just a direct action virus and has some bugs.
COMMAND.COM
The first normal DOS executable which is started at a
system bootup. It only contains the command-line
interpreter, but it's often a target for DOS file
viruses. DOS itself is stored in MSDOS.SYS and IO.SYS
(or IBMDOS.COM and IBMBIO.COM). COMMAND.COM itself
executes AUTOEXEC.BAT.
Companion Virus
Companion Style Infection
If you have two files with the same filename but
different file extensions (one .COM, one .EXE) in the
current directory and you execute the program without
specifying an extension, DOS will always start the .COM
program and not the .EXE. For example, if you have
TEST.COM and TEST.EXE and execute "TEST", TEST.COM will
be started. Companion viruses use this and creates
corresponding .COM files to existing .EXE programs.
These .COM files often have the HIDDEN attribute set
in order to prevent detection (you will see this when
you run tools like DEFRAG: the whole hard disk cluster
layout is covered with single unmovable clusters).
Concept
The first Microsoft Word macro virus which appeared in
the wild. It appeared in the mid of 1995 and spread
rapidly world-wide. Beside displaying a window with a
'1' in it, <Concept> is quite harmless. Together with
some other macro viruses, <Concept> is now very common.
Direct Action Infector
A virus which actively scans the system for infection
targets and doesn't go resident in memory. These viruses
are not very viable and never spread very far because
they are too obvious to the users and have a too low
spread rate. All common viruses are resident.
DOS-EXE
The standard DOS executable format. It has a special
EXE header, which is placed directly at the beginning
of the file and is marked with a ASCII signature ('MZ').
The header will specify things like the program entry
point, code size, amount of relocations, size of stack
and others. Unlike .COM executables, EXE can be larger
than 64K.
DPMI API
The DOS PROTECTED MODE INTERFACE API is used by real
mode applications to interfere with the protected mode,
i.e. mode-switching, transferring memory blocks, calling
INT 21h from protected mode and other services. In real
mode, the CPU only can access 1 MB of address space, in
protected mode the memory is usually limited to 4 GB
(real and virtual memory).
Dropper File
Sometimes viruses are hidden in a special dropper file.
The virus is then often encrypted or compressed with
special tools in order to prevent detection by virus
scanners. Droppers are also used to 'install' boot
viruses from files. <Winword.Nuclear> contains a
debug script of the <Ph33r> virus, which will be
dropped into the system sometimes.
Encrypted Macro
Execute-Only Macro
Microsoft Word macros which can't be read or modified
by the user anymore. It's only possible to execute,
rename or delete such macros. Execute-only macros are
often used by macro viruses to protect and hide their
code.
False Negative
An infected file which is not detected by a virus
scanner is called false negative. An uninfected file
which is flagged as being infected by a virus is called
false positive.
Fast Infector
At first, resident viruses only infected programs when
the user execute the application by intercepting the
INT 21h EXECUTE call. Newer file viruses also infect
programs when they are opened or closed, which will
cause very high spread rate for the virus. It is
possible that a virus scanner will spread the virus
infection, if the virus is a fast infector and unknown
to the virus scanner. If you scan the hard disk with
such a virus being active, almost every executable
on the hard disk will get infected!
Flat Protected Mode
In flat protected mode, the memory is mapped as linear
4 GB address space. You don't need multiple selectors
and can address the memory without much effort.
Fragmented document (complex document)
If you enable the FastSave option in Microsoft Word and
change a document it will turn into a format that is
called 'complex document'. The changes to the document
will be stored at the end of the file, together with some
links to the original positions. Also, the texts,
graphics and macros in a document are treated as objects
which can be split up and will get fragmented like a
FAT hard disk. You even will get slack space areas like
in FAT disk clusters. The FastSave option will also
increase the size of the document compared to a normally
saved document.
In The Wild (ITW)
Viruses, which have been found often and are very
common are 'in the wild'. From the known 8500 viruses,
only about 300 are in the wild. All other viruses are
either extinct or research viruses, which never spread
very far.
Infection Scheme
The way how a virus modifies an executable. Usually a
virus changes the file header in way that it now points
to the virus code, which is added at the file end.
Some special viruses insert themselves at the file
beginning or split up themselves throughout the file.
Macro
Microsoft Word macros contain WordBasic commands which
can be used to speed up your work with Word. For example,
you could write a macro which reformats a text block in
a special way.
Microsoft Word
A word processor from Microsoft, which is used quite
often. Word documents are OLE objects.
NE Header
The program header used by NE executables. Must be
modified by Windows EXE viruses during the infection.
NE-EXE
See 16-bit EXE.
Non-Resident
See Direct Action Infector.
NORMAL.DOT
The global template of Microsoft Word. Beside some other
things, global Word options and all global Word macros
are stored in this file. NORMAL.DOT will be infected
at once by most Winword macro viruses.
PE header
See 32-bit EXE.
PE-EXE
See 32-bit EXE.
PGP
PGP (Pretty Good Privacy) is a tool for encrypting data
(i.e. e-mail) and verifying the integrity and source of
data. It uses RSA and IDEA encryption and is very secure.
Ph33r
The second virus which used the <Winsurfer> infection
scheme. Beside infecting NE-EXE, <Ph33r> also attacks
DOS .COM and .EXE files and is memory resident using
DPMI API calls. A <Ph33r> dropper was included in the
<Winword.Nuclear> virus.
Program Header
Located at the beginning of executables, the program
header specifies things like the program entry point,
code size, stack size etc. File viruses must modify
this part of the program during infection, but a lot
of viruses are buggy and change the header incorrectly.
Public Key
Used by PGP. If you want to exchanged encrypted data
with someone, you must exchange your public keys.
Even if someone intercepted both public keys, he can't
decrypt the transferred data because he doesn't have the
private keys which are also protected with a password.
Scan String
Used by normal virus scanner to identify viruses. It's
a byte signature which maybe contains wildcards and is
like a 'fingerprint' to the virus, which will only
detect this special virus. Virus scanners without
heuristics will usually quickly be outdated because of
the large number of new viruses which appear every day
or month.
Segment
Because the normal CPU registers are 16 bit, you only
can access 64K at a time. If you want to address other
space you must change the segment registers. In the
protected mode, you don't have this segment restriction.
System Macro
Beside auto macros, Microsoft word has other important
macros like FileExit, ToolsMakros and others. This
system macros are also often used and intercepted by
macro viruses.
Trojan
A program which causes damage but unlike a virus it
does not spread by itself.
Unknown virus
A (new) virus that is yet unknown to the virus scanners
and is not detected by them without heuristics. Some of
the heuristic scanners will detect about 60-90% of all
new viruses.
VBA (Visual Basic for Applications)
The language used in the Microsoft Office products
(Excel, Access) can also be used to write macro viruses.
So far, there's only one know Excel virus (<Excel.DMV>),
which is just a research virus.
Virus
A piece of executable code which is able to replicate
and to insert a copy of itself into other executables.
VLAD
An Australian virus underground organization, which
is responsible for a lot of very advanced viruses,
like <Ph33r>, <Boza>, <MegaStealth> and others.
Usually they release their latest viruses in an
electronic magazine which is also called VLAD.
WIN API
The set of functions available to Windows programs.
This contains functions like virtual memory management,
file access, graphical operations and other things.
There are a lot of different API's like Win32s, WinG
and others.
Windows EXE
Can be either NE-EXE (Windows 3.x), PE-EXE (Windows 95
and Windows NT) or LE-EXE (used by some device drivers).
See 16-bit and 32-bit EXE.
Windows Virus
A virus which is able to infect Windows executables or
Windows related objects like Microsoft Word documents.
Winsurfer
A Windows NE-EXE virus which uses a powerful new
infection scheme.
WinVir14
The very first Windows virus, which never spread and
is considered as a pure research virus, done by the
virus coder group called Trident.
Winword
Word
See Microsoft Word.
WordBasic
The macro language used by Microsoft Word.
*
F/WIN - Copyright (c) 1996 by Stefan Kurtzhals
