home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
DP Tool Club 31
/
CDASC_31_1996_juillet_aout.iso
/
vrac
/
up960519.zip
/
AVPWW104.ZIP
/
AVPWW104.TXT
< prev
next >
Wrap
Text File
|
1996-03-23
|
17KB
|
421 lines
AntiViral Toolkit Pro for Microsoft Word (AVPWW)
------------------------------------------------
version 1.04
This package contains the anti-virus utility for known viruses that infect
the Microsoft Word documents. This package is FREEWARE.
To check your Microsoft Word for the viruses you should load Microsoft
Word and open the AVPWWxxx.DOC file. If your Word is already infected,
AVPWW displays a warning message. To install AVPWW "memory resident" you
should press "Install" button while reading AVPWWxxx.DOC file.
See AVPWWxxx.DOC for more details.
To find all the infected files you should use anti-virus database
MACRO.AVB and anti-virus scanner AVP for DOS. Then you should load all
infected document into Word with installed AVPWW utility. AVPWW does
automatically disinfection being installed.
Macro-viruses
The Macro-viruses use the features of Macro-languages that are built into
the modern data-processing systems (text editors and spreadsheets). To
allow the viruses to spread the systems have a built in macro-language
that allows:
1) assignment of specific macro-program(s) to specific files
2) copy macro-program(s) from one file to another
3) pass the control to macro-program(s) without user's permission
(Auto-macroses).
There are three systems that meet these conditions: Microsoft Word,
Microsoft Excel and Lotus AmiPro. These systems contain built-in
Basic-like macro languages (Word - Word Basic, Excel - Visual Basic),
and:
1) macro-program(s) are assigned to specific file(s) (AmiPro), or exists
only within the file body (Word, Excel);
2) macro-language allows to copy DOS-files (AmiPro) or copy macro-programs
into the system and other files (Word, Excel);
3) while working with a file the macro-programs are executed under some
conditions (file opening, closing, and so on), these programs are
defined by special commands (AmiPro), or they have standard names
(Word, Excel).
These features of modern systems was designed to write "document
auto-processing systems", but they also allow for the viruses to spread
their copies, i.e. to infect the files.
There are three known systems that may be infected with the computer virus:
Microsoft Word, Excel and AmiPro. Under these systems the viruses receive
the control while opening/closing an infected document, then they hook one
or more system events (functions, macros), and infect the files that are
accessed with these functions.
The macro viruses are "memory resident". They hook the system events and
are active not only at the moment of file opening/closing, but during all
time when the system is working.
Macro.Word-viruses
Macro.Word.Atom
───────────────
This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and
infects Word while loading the infected document (AutoOpen).
This virus infects the files in two ways: while opening the file (command
File/Open, macros FileOpen), and while saving the document with new name
(command File/SaveAs, macros FileSaveAs).
While infecting the document while saving it with new name (FileSaveAs)
the virus checks the system time. If the value of seconds is equal to 13
the virus set the password ATOM#1 for this document. The virus cannot set
the password if the file is already infected - Word displays the
message about WordBasic error.
While opening the infected document on 13th of December the virus deletes
all files of current directory. We did not check it, but the system has to
display the error message while deleting opened files.
Macro.Word.Color (Rainbow, Color Changer)
This is a encrypted virus, it contains the macroses:
macros, FileNew, AutoExec, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs, ToolsMacro
This virus infects the files while creating of new document (FileNew) and
while saving the document with new name (FileSaveAs).
On each 300th call to the file functions (FileNew, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the
section [colors] in the WIN.INI file, and sets the random selected colors
for Windows components. New colors appear after next Windows loading. The
virus keeps the trigger counter in the WIN.INI file in the [windows]
section:
[windows]
countersu= 234
The virus allows Auto-macroses (AutoOpen, AutoClose and so on), it sets
DisableAutoMacros to zero.
When the virus is active, it is impossible to activate Tools/Macro command.
To manual disinfection it is necessary to delete virus' macroses by using
Organizer (Tools/Customize, Word command, then draw Organizer out to
toolbar).
Macro.Word.Concept (WW6Macro)
This is the first WinWord virus found "in the wild". The virus contains
five macroses: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects
the files that are SaveAs'ed (FileSaveAs).
There are the text strings in the infected document:
see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point
and other. The WINWORD6.INI on infected system contains the file:
WW6I= 1
On the first execution of the virus code (i.e. on the first opening of the
infected file) the MessageBox appears with digit "1" inside, and "Ok"
button.
Macro.Word.DMV
This is the first known MS-Word macro-virus. It contains only one macros -
AutoClose, and infects the files that are saved on disk. While infecting
this virus displays the MessageBox'es with the header:
Document Macro Virus
The messages are:
Counting global macros.
AutoClose macro virus is already installed in NORMAL.DOT.
AutoClose macro virus already present in this document.
Saved current document as template.
Infected current document with copy of AutoClose macro virus.
Macro virus has been spread.
Now execute some other code (good, bad, or indifferent).
Macro.Word.Hot
This is encrypted virus. It contains the macroses: AutoOpen, InsertPBreak,
DrawBringInFrOut, ToolsRepaginat. While infecting the system that virus
renames the ToolsRepaginat macros to FileSave, and then infects the
existing documents that are saved on disk (FileSave). While infecting the
documents the virus renames FileSave macros back to ToolsRepaginat name.
While infecting the system the virus inserts the string "QLHot=nnnn" into
the WINWORD6.INI file, where "nnnn" is the "triggering day", it is the
number of current day of this century plus 14, for example:
QLHot=35110
The next days the virus selects random value from 1 till 6, and adds to the
"triggering day". If the result is equal to the current day, the virus
deletes the file before saving it to disk.
14 days after last modifying of the "QLHot" string the virus renews it.
The virus does no action if there is the C:\DOS\EGA5.CPI file.
The virus does not work under Microsoft Word 7.0. While opening the
infected document the system displays the message:
Unable to load specified library
Macro.Word.Imposter
This is a plagiarism from "Word.Macro.Concept" and "Word.Macro.DMV". It
contains two macroses:
in infected document: AutoClose, DMV
in infected NORMAL.DOT: FileSaveAs, DMV
While infecting the system the virus receives the control in AutoClose
document, renames DMV macros to FileSaveAs, then renames AutoClose to DMV.
While infecting the files (FileSaveAs) the virus renames these macros back
DMV -> AutoClose, FileSaveAs -> DMV.
While infecting the documents the virus displays the MessageBox:
DMV
One of the strings in the virus body looks like follows:
just to prove another point
Macro.Word.Nuclear
It is encrypted virus, it contains the macroses:
AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
InsertPayload, Payload, DropSuriv, FileExit
While installation these macros are copied into Global Macros area, and
overwrites the macros if they are already present there. Then the virus
infects the documents by FileSaveAs macros.
The virus manifest itself in three ways: 1) runs COM/EXE/NewEXE virus,
2) appends the text strings while printing the documents, 3) corrupts the
system files.
1) The AutoExec macro calls DropSuriv macro which check the system time and
drops the COM/EXE/NewEXE virus ({"Ph33r":Ph33r}) if the time is in 17:00 /
18:00. While dropping the virus uses DEBUG utility.
First, the virus checks the C:\DOS\DEBUG.EXE. If there is such one the
virus creates temporary file PH33R.SCR in C:\DOS directory, and writes hex
dump of COM/EXE/NewEXE virus and DEBUG commands into there. Then the virus
creates the temporary file EXEC_PH.BAT with the strings inside:
@echo off
debug < ph33r.scr > nul
and executes that. As the result DEBUG utility creates the copy of
COM/EXE/NewEXE virus (in the memory) and executes it. That virus hooks INT
21h and writes itself to the end of COM/EXE/NewEXE files while opening,
execution, renaming and changing their attributes.
The execution of BAT-file is doing in background, so the user does not know
that there are two(!) viruses on his PC.
Them the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.
Fortunately, this virus has a bug, and fails to drop COM/EXE/NewEXE-virus,
but it is quite easy way to fix that bug in next virus version.
2) While printing of documents the virus appends the text approximately to
each 12th file (if the seconds are 55 or more):
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
These strings are appended to the document immediately before printing, so
the uses does not see them (often documents occupy more that one screen).
This is very curios effect, especially while sending documents via fax.
3) On 5th of April the virus erases IO.SYS and COMMAND.COM files.
Macro.Word.Nuclear.b
The variant of previous one. Does not contain COM/EXE/NewEXE virus and
macroses DropSuriv, FileExit.
There is a bug while appending the text to the end of the document while
printing. As the result the virus appends blank page, and Word displays the
message about WordBasic error.
Macro.Word.Xenixos (Nemesis)
It is encrypted virus. It contains the macroses:
Drop, Dummy, AutoExec, AutoOpen, Datei╓ffnen, ExtrasMakro, DateiBeenden,
DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard.
In some cases it sets the password "xenixos" for infected documents,
displays the message:
Diese Option ist derzeit leider nicht verfⁿgbar.
Fehler
While printing the documents it appends:
Brought to you by the Nemesis Corporation, ⌐1996
On 1st of may the virus writes the string to the AUTOEXEC.BAT file:
@echo j|format c: /u >nul
This virus also launches "Neurobasher.b" multipartite virus. To do that the
virus creates the C:\DOS\SCRIPT.SCR file, and writes hexadecimal dump
of that virus into there. Then the virus creates the C:\DOS\EXEC.BAT file,
and writes the strings into there:
@echo off
debug < script.scr>nul
rem debugger.com
echo @c:\dos\debugger.exe>>c:\autoexec.bat
del c:\dos\script.scr
del c:\dos\exec.bat
Then the virus executes that file. As the result DEBUG.EXE creates the
DEBUGGER.EXE file, and C:\AUTOEXEC.BAT has new string at its end:
@c:\dos\debugger.exe
So, the last command of AUTOEXEC.BAT launches dropper of "Neurobasher.b"
virus.
Word.Excel-viruses
While processing the document Word (as well as Excel while processing
spreadsheets) performs different actions: opens the file, closes it, reads
the date, saves and prints it. At the same time Word executes corresponding
macro-program with standard name - FileSave while file saving, FileSaveAs
while saving the file with new name, FilePrint while printing, and so on,
if there macros are defined.
While opening the document Word checks it for the AutoOpen macro presence.
If there is such one, Word executes that macro (if it is not disabled by
DisableAutoMacros). While file closing Word executes AutoClose macros.
The Macro.Word-viruses contain at least one of Auto-macros: AutoOpen,
AutoClose, AutoExec, AutoExit, AutoNew. If the document is infected with
Macro.Word virus Word executes infected Auto-macros, i.e. executes the
virus code.
The Auto-macros in the viruses contains the code of moving other virus
macros into the area of Global Word macros, and the virus copies itself
into Word Global macros by this way. While exiting Microsoft Word saves all
Global macros (including the virus ones) into the DOT file (usually
NORMAL.DOT). Being started Word loads all global macros (including virus
ones) from DOT file, as the result on next loading the virus infects Word
at the moment Word initialize its system areas, and Word is infected before
loading the first document.
Then the virus replaces or defines other system macros (FileOpen, FileSave,
FileSaveAs, FilePrint), and hooks in such way the file accessing functions.
When any of hooked function is executed, the virus receives the control,
and performs different branches of its code, including infection routine.
While infecting the virus converts the document into Template format, and
copies all virus macros (including Auto-macros) into the document. Being
converted to Template format the document cannot be converted in any other
format. The presence of Auto-macros allows the virus infect other
computers while reading just infected document.
I.e. if the virus hooks FileSaveAs macros, it infects the files that are
saved by "File/Save As" call. If the virus hooks FileOpen macros, it hits
the files while Word is opening them.
Note: MS Word allows to encrypt the code of macroses, and some of
Macro.Word-viruses are encrypted.
Known Macro.Word viruses infect the documents of Microsoft Word ver.6
format. The system gets infection while reading the infected document. Then
the viruses infect all newly created DOC files. The Macro.Word viruses can
infect the computers of different platforms, not IBM-PC only. To spread
they need for the text processor compatible with Microsoft Word.
The common features of these viruses are:
1) It is impossible to convert the infected document in any other format.
2) It is impossible to save the document in any other subdirectory/disk by
using "Save As" command.
3) The infected documents have the Template internal format. While
infection the documents are converted by the viruses from Microsoft
Document into Template format.
Majority of Macro.Word viruses do not infect localized Word versions, but
only English one, other viruses infect only local Word versions (French,
German), and do not work under English version. But anyway the virus stays
active in infected document, and may spread on other computers with
necessary version of Word installed.
It is possible to protect oneself against these virus by disabling AutoOpen
macro by using the Word system macro DisableAutoMacros.
AmiPro-viruses
AmiPro creates two files while processing the text: the first file contains
the text and has the name extension SAM, the second one contains macroses
and other system data and has the name extension SMM.
It is possible to assign to document any macros of SMM-file by
AssignMacroToFile command. The assigned macros has the same mean as
AutoOpen in Word-documents, and it is executed while the file opening.
I see it is impossible to copy AmiPro macros into Global area, so AmiPro
viruses may infect the system only while opening the infected document, but
not while system loading (as Word does with the NORMAL.DOT file).
AmiPro, as well as MS-Word, allows to hook the system events (macros) such
as SaveAs and Save. It is possible by the command ChangeMenuAction. While
calling hooked functions the virus' macros receives the control.
Macro.AmiPro.GreenStripe
This virus contains four macroses (functions): Green_Stripe_Virus,
Infect_File, SaveFile, SaveAsFile. They receives the control when infected
document is opening, then the virus searches for *.SAM-files of current
directory, and infects them.
While infecting a SAM-file the virus creates SMM-file, and copies itself to
there by the command DosCopyFile. Then the virus assigns the
Green_Stripe_Virus macros for that file, the virus does it by the
AssignMacroToFile command.
Then the virus hooks SaveFile and SaveAsFile macroses. When "Save As"
command is performed, the virus infects that document. In case of
"Save" command the virus replaces the "its" string with "it's" one within
the file.
==========================================================================
Microsoft Word and Micorsoft Excel are trademarks of Microsoft Corporation
Lotus Amipro is a trademark of Lotus Corporation
