-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A U S C E R T                                                   A L E R T

                      AL-2001.10 -- AUSCERT ALERT
                          New Word Macro Virus
                              28 June 2001

===========================================================================

PROBLEM:

        AusCERT has received information about a new Word macro virus.
        According to UNIRAS (UK Govt CERT), this virus is a variant of the
        Marker virus (W97M.Marker), which first appeared in March 1999.

        This new virus shares the most characteristics with Variant D but
        appears sufficiently different to avoid detection by some
        anti-virus utilities.

IMPACT:

        Information about the effect that this virus has on an infected
        system is not available at this time. However, due to its reported
        similarity to the Marker virus it may be useful to check computers
        for activity similar to that generated by Marker. Please see
        Recommendations section C below for more information.

RECOMMENDATIONS:

    A.  User Education

        System Administrators are urged to inform their users about proper
        precautions with regards to handling email attachments.

        AusCERT recommends that sites should update and check their virus
        defences and either delete or do not open any email messages or
        attachments that resemble those described above or in the
        following links.

    B.  Apply Microsoft Patch

        A patch is available from Microsoft that corrects a vulnerability
        in Word that this virus appears to exploit. Information on how to
        obtain this patch is contained in the AusCERT External Security
        Bulletin:

            ftp://ftp.auscert.org.au/pub/auscert/ESB/ESB-2001.250

        Sites are encouraged to apply this patch, in addition to following
        steps A and C.

    C.  Update Anti-Virus Packages

        System administrators and users are urged to ensure that the
        latest Anti-Virus software is installed and that it is using the
        most current up-to-date virus databases.

        Some anti-virus software vendors may have patches available for
        this virus, but as it has not been associated with a particular
        virus definition AusCERT cannot verify this. Check with your
        Anti-Virus vendor for further information and updates.

        Information about Marker (and its previously known variants) is
        available from:

            http://www.europe.f-secure.com/v-descs/marker.shtml

AusCERT is continuing to monitor this problem.

- ----------------------------------------------------------------------------
For more information contact your Anti-Virus software vendor.

AusCERT would like to acknowledge UNIRAS (UK Govt CERT) for information
which contributed to the production of this AusCERT Alert
- ----------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of each
user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AusCERT
Advisories, and other computer security information.

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBO07Llih9+71yA2DNAQG8WgP/ReYk5uCFmC5nIxdBRPh0nK7twmrc4l5N
g1+TgPI0t+3pnRdyZje1+PX8iK62x/2CizzQ4PQty8s0WcVKi4VFzt3oTXHnPJqK
rJGDdRNHDcmUts6FrwI4+GL5hi+IC+aRohtGZ0QbN1us1Es7dMUcJ/t17Nb0PZOs
HFT0O3MSNGc=
=fLwh
-----END PGP SIGNATURE-----