--------------------------------------------------------------
MS WORD 6.x MACRO VIRUSES FAQ V2.0
<Frequently Asked Questions> for the ALT.COMP.VIRUS Newsgroup
--------------------------------------------------------------

Before we get to the details, here is some info regarding the terms I have chosen to use in this FAQ.

Vx or VX refers to the Virus Writing Community at large, regardless of any individual's virus writing experience or popularity.

AV refers to the Anti-Virus Community, including Researchers, Hobbyists, and Software/Hardware Developers.

GUI refers to Graphical User Interface. <ex. Windows 3.1>

MAC refers to Apple Macintosh Computers, usually both the current POWER PC MAC <PPC> and the earlier models. <unless otherwise stated>

MS refers to Microsoft Corporation, and products made by them.

PC refers to IBM Brand Computers running on the x86 <including early x88, AT, XT models> series of processors produced by Intel, AMD, NexGen, and Cyrix, as well as IBM Clone or Compatible computers.

OS, or Operating System, will refer to the Disk Operating Systems that handle basic I/O, file management, etc. MS-DOS, PC-DOS, DR-DOS, DIP-DOS, Tandy DOS, and COMPAQ-DOS all fit into this category. Operating Systems with GUIs like WINDOWS NT, OS/2 WARP, MacOS, AmigaDOS, and WINDOWS '95 also fit this category. <it could be argued that WINDOWS '95 is NOT AN OS, as an enhanced version of the classic MS-DOS OS is loaded prior to the loading of the WINDOWS Environment.>

Operating Environments refers to interfaces that run on top of non-GUI OSs such as Windows 3.0, 3.1, 3.11, Windows for Workgroups, and early OS/2 versions prior to WARP.

Operating Platform refers to the combination of Computer Architecture, OS, and sometimes GUI. Examples of Platforms can include, but are not limited to, the following...
x86 PCs running DOS
x86 PCs running either DOS/Windows 3.0 - 3.11 <most popular>
x86 PCs running DOS/OS/2 2.x or lower
x386 PCs running DOS/Windows For WorkGroups 3.1 - 3.11
x386 PCs running Windows NT 3.5
x386 PCs running Windows '95
x86 PCs running OS/2 Warp
Apple Macs running MacOS <system x-7.5>
POWERMacs running MacOS
Alphas running NT

When possible, distinctions between PC- and MAC-centric issues will be made, but be forewarned: this document is PC heavy.

NOTE: Use of VIRII as a plural of VIRUS has been dropped from this FAQ. The term VIRUSES will be used instead. Complaints can be forwarded to ALT.COMP.VIRUS, where someone will be glad to argue with you till they're blue in the face! :)

--------------------------------------------------------------

WARNING: User definable virus search strings are littered throughout this document. They will help users with older versions of Anti-Virus software. However, we suggest that you acquire updated copies of the AV software, which will have these strings included and save you some trouble. Also note that using TOOLS/MACRO as a way of hunting down macro infections can be dangerous. It is preferred that you use dedicated AV software to hunt down infections.

--------------------------------------------------------------

[[[[ NEWS ]]]]

NOTE: HIGH SPEED DEMONZ now has its own WWW homepage. You will find updated copies of this FAQ at...

http://learn.senecac.on.ca/~jeashe/hsdemonz.htm

as well as at other sites, including many popular AV sites. Keep an eye on the Page, as new things will shortly be added, plus an HTML version of the FAQ is being prepared. With any luck, things will return to normal around here. Updated copies of the FAQ should resume their former schedule of updates once every 2 weeks.

--------------------------------------------------------------

TOPICS/QUESTIONS:

Preface: INTRODUCTION
=====================

1) WHAT IS A MACRO? WHAT IS A WORD MACRO?
   1.1> WHAT IS A VIRUS?
   1.2> WHAT IS A MS WORD MACRO VIRUS?
2) HOW DOES INFECTION OCCUR?
3) KNOWN FEATURES AND LIMITATIONS OF THE WINWORD FAMILY OF VIRUSES
4) VIRUS EXAMPLES
   - 4.1 - CONCEPT
   - 4.2 - NUCLEAR
   - 4.3 - COLORS
   - 4.4 - DMV
   - 4.5 - HOT * NEW *
   - 4.6 - MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN * NEW *
   - 4.7 - AMI PRO 3.0 MACRO VIRUS GREEN STRIPE * NEW *
   - 4.8 - WORDMACRO ATOM / ATOMIC * NEW *
   - 4.9 - FORMATC MACRO TROJAN * NEW *
5) STRATEGY FOR CLEANING AND PREVENTING WORD MACRO INFECTIONS
6) SUGGESTED SOFTWARE: PRODUCTS THAT CAN DETECT/CLEAN WINWORD VIRUS INFECTIONS IN DOCUMENTS
7) CREDITS & THANKS
8) DISTRIBUTION INFORMATION
9) WHERE CAN I OBTAIN UPDATED COPIES OF THIS FAQ?
10) QUESTIONS THAT STILL NEED TO BE ANSWERED...
11) DISCLAIMER

--------------------------------------------------------------

INTRODUCTION:
=============

During the last year, we have witnessed the birth of a whole new type of virus, the WORD 6.0 MACRO VIRUS. The opening statement isn't entirely true, as the idea of MACRO viruses isn't a new one, but this is the first time that a macro virus has spread to the point of being considered "IN THE WILD" by the Anti-Virus Community.

It is possibly the first Virus to be a truly CROSS-PLATFORM <not including WORMS> infector, since any system running a compatible copy of WORD 6.0, or any system that emulates Word 6.0's macro language, can be infected. It is also the first group of viruses to prove that NON-Executables can infect systems. It had been theorized for years by the best in the industry, as people started to realize the power of the MACRO Languages that were included with programs like 1-2-3, Excel, and numerous Word-Processors. It is far less important to classify these viruses as data or executable code or both, than to acknowledge their existence, and the need for preventive measures against them.

To better understand the issues covered in this FAQ, the WORD MACRO VIRUSES, it's necessary to first explain what a virus and a macro are.
--------------------------------------------------------------

TOPIC 1: WHAT IS A MACRO? WHAT IS A WORD MACRO?
================================================

It is best to first describe what a Macro is. A macro is a collection of instructions to be carried out by a program or computer. These instructions typically handle tasks that are boring, awkward, and tedious in nature.

DOS users have been using a macro language for years to automate the mundane and repetitive tasks common to maintaining a computer system, commonly known as the BATCH Language. In DOS, files with the .BAT extension are interpreted <by the Command Processor COMMAND.COM> and are executed line by line, automating tasks <the most common example of a batch file is the AUTOEXEC.BAT file, found in the root directory on every MS-DOS based PC in the world>. NDOS & 4DOS users have their own enhanced version of the batch language <files with the extension .BTM>, which allows the same batch files, with additional commands, to be read by the NDOS or 4DOS command interpreters <NDOS.COM & 4DOS.COM> as a whole file into memory for execution <which increases the speed of the batch file>. OS/2 users have enjoyed an even better Macro Language, the REXX batch/programming language. It is much more robust, and better suited to deal with demanding tasks.

WORD MACROS are Macros that can carry out and follow lists of instructions, usually saving a user keystrokes. The abilities of the WORD MACROS are limited to the functions provided by the MS WORD WordBasic Environment, included with the WORD 6.x level of Word Processors from Microsoft. NOTE: The WordBasic included with WORD 1.x and 2.x has enough similar commands in its language to warrant consideration.

Imagine having to add your name, address, phone #, and other personal info to dozens of documents daily; it would become tedious fast. Macros can automate the process, saving a lot of time and effort.
The power of the WordBasic Macro Environment gives users, both home users and business users alike, the ability to automate many tasks, including file management, from within MS WORD. Macros also include the ability to affect other running applications, via the Word Macro language, by DDE etc. Unknown to the author at this time, it's been theorized that OLE ability may also exist in the WORDBASIC macro Language. <BOTH DDE and OLE may be entry points for future viruses>

MS WORD MACROS are only executable by the WORDBasic environment, which is limited to functional copies of MS WORD 6.x/7.x and sometimes 2.0, as well as WORDVIEW 7.1.

For the sake of this FAQ, MACROS will be considered Data files. Macros require interpretation by the WordBasic Environment, and are not executed in the classic DOS sense. Executables will be defined as files that follow the classic standards, including EXE, COM, NEWEXE, BAT <yes they are interpreted, but they are also almost always DIRECTLY executed by the user, and as such almost fall into the same GREY area that these macro viruses fall into>, as well as the programs in the boot sectors and master boot sectors. It could be argued that WORD macros are a combination of data and executable code.

A notable exception to the batch file rule is the WINSTART.BAT file, which Windows 3.11 for WorkGroups looks for in every directory in the path, and tries to execute. It'll be executed whether the user wishes it to be or not.

NOTE: David Harley <harley@europa.lif.icnet.uk> and Joseph Stafford (stafford@twsuvm.uc.twsu.edu) have noted that Microsoft Word Wizards are also WORD Macros. Wizards are simply templates with the WIZ extension, which include an AutoNew Macro, which calls a Start Wizard Macro. WIZ files may soon fall prey to macro infections.

--------------------------------------------------------------

TOPIC 1.1: WHAT IS A VIRUS?
===========================

A computer VIRUS is a <usually compiled> computer program that is able to replicate its code in whole or in part, by infecting or modifying other programs, and adding to or overwriting the code of uninfected files with code <possibly evolved or unique forms of the infector> that will in turn infect other programs. Viruses must be able to replicate. A Virus that is unable to replicate isn't technically a virus. <by our definition>

NOTE: Viruses can and sometimes do infect files indirectly, without altering the CODE of executable files. For instance, File System or Cluster viruses ( Dir-II, BYWay ) are those which alter directory entries, pointing a legitimate directory entry first to its malicious code, so the virus can be executed, and then the desired program is executed. The program itself is not physically altered, but the directory entry is.

Viruses may, and often do, have destructive bombs or payloads, which do something other than replicate. Many payloads include destroying data, deleting files, encrypting parts of hard drives, etc.

Common targets for Viruses include standard Executables like *.COM, *.EXE, and NEWEXE files, as well as the programs used by the computer to boot up, including the programs <executable code> found in Boot sectors and Master Boot Sectors. Other DOS executables can also be infected, such as *.DLL, *.BIN, *.DRV, *.OV?, *.OB? and *.SYS files. Not all of these executables will allow for the proper execution of viral code, and can/may either hang the machine, crash a session, or simply not function, producing numerous errors. Common examples of executable files include COMMAND.COM, EMM386.EXE, Windows Executables, MOUSE.DRV, DRVSPACE.BIN, and HIMEM.SYS. <everyone with a modern release of MS-DOS and WINDOWS should recognize these files>

A sub-class of viruses, known as Trojan Horses, is commonly, and possibly incorrectly, considered viruses.
A Trojan Horse, named after the Greek Battle Tactic, is a program that is stated and promoted as being able to do something useful or interesting <like a game or utility>, but in turn does something malicious. <like drop a virus for later infection> Trojans typically DO NOT ACTIVELY REPLICATE. They may inadvertently get copied around and distributed, but this has little or nothing to do with any replication code in the TROJAN.

NOTE: It can be argued that Viruses, by the above definition, are Trojans. This argument would have Viruses listed as replicating Trojans. Defining these two groups of programs isn't really relevant, as long as you understand the premise behind both groups.

For a more detailed definition of VIRUSES, refer to the ALT.COMP.VIRUS VIRUS FAQ, by David HARLEY, or the COMP.VIRUS/VIRUS-L FAQs on VIRUSES. Both are an excellent source of virus related info. Both are reposted regularly to their respective newsgroups.

--------------------------------------------------------------

TOPIC 1.2: WHAT IS A MS WORD MACRO VIRUS?
=========================================

An MS WORD MACRO Virus is a macro <list of instructions> or template file <usually with the .DOT extension> which masquerades as a legitimate MS WORD document <usually with the extension *.DOC>. An infected *.DOC file doesn't look any different to the average PC user, as it can still contain a normal document. The difference is that this document is really just a template or macro file, with instructions to replicate, and possibly cause damage. MS WORD will interpret the *.DOT macro/template file as a template file regardless of extension. This allows it to be passed off as a legitimate document <*.DOC>.

This FAQ takes the position that a document is meant to be DATA, and a MACRO is at least partially executable CODE. When a document has been infected, it has been merged with executable code in a multi-part file, part data/part executable.
This tends to be hidden from the user, who expects a document to be data that is READ, and not some combination of DATA and executable code designed to be executed, often against the will of the user, to wreak havoc.

These viruses commonly tend to infect the global macros, which get automatically saved at the end of each session. When the next session of MS WORD opens, the infected Global Macros are executed, and the WORD Environment is now infected, and will in turn be likely to infect documents whenever they are opened, closed, and created during all future sessions.

As Viruses, the WORD MACRO VIRUSES do REPLICATE. They can spread in most cases to any MS WINDOWS Environment or OS that runs a compatible copy of MS WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0 for MacOS. This makes it a multi-platform/multi-OS file infector. It also makes it one of the first non-research viruses to be successfully spread to all of these environments and OSs.

MS Word Macro Viruses reside in interpreted data that can spread to different OSs/platforms. These viruses do not spread via modification of executable machine code, but by modification of data in files that are interpreted by the Microsoft Word 6.0 program and any other versions of Word that support macros and WordBasic.

Macintosh Word Users have an advantage over the PC world, as infected documents appear with the template icon, rather than the usual document icon. This means that Mac Users can visually tell beforehand whether a Document is infected or not.

For responsible Word 6.x users, Macros can also be of great use. The Macro Language of WORD 6.x <WORD BASIC> is a powerful tool, and can accomplish many tasks, including altering files, copying files, and executing other programs. What makes this macro language so powerful is also what makes it a target for the Vx community.
The idea of the Vx community exploiting macro languages had been theorized for years, but has only recently been developed and spread throughout the world. The WordBasic Macro Language is much simpler to learn and master than ASSEMBLER, or other popular higher level programming languages, and for this reason, Vx people <both new and old alike> have taken to it as a viable alternative to learning and coding ASM. The thought of ticking users off on more than one platform has been around for years, and now, thanks to MS WORD and all its compatible versions on other popular platforms, the Vx people have their wish.

Another bonus of this new outlet for Vx writers is that many virus scanners only scan Executable files, leaving the .DOC files of WORD alone. It is important to note that many AV producers have now added scanners/cleaners to their software, allowing for the detection of existing MS WORD Macro Viruses. Vx people also know that many people never exchange programs, but regularly exchange documents <those in corporate circles for example>, which means that there is a whole new region of unsuspecting users to infect.

On top of the power and lower learning curve of this language, the popular past conception that non-executables are relatively safe from infection and from becoming infectors themselves has allowed the Word Macro Virus to spread like "Wildfire". < Editor smiles :) >

Even until just recently, members of the respected AV community inadvertently continued these classic misconceptions: that NON-executables <DATA FILES> cannot infect systems, and that no VIRUS can infect on a CROSS-PLATFORM basis. F-PROT V2.21 <Dec '95> continues these misconceptions in the file VIRUS.DOC, included with their DOS command line scanner...

"A virus cannot spread from one type of computer to another. For example, a virus designed to infect Macintosh computers cannot infect PCs or vice versa."
"A virus cannot infect a computer unless it is booted from an infected diskette or an infected program is run on it. Reading data from an infected diskette cannot cause an infection."

This isn't meant to be a knock on F-PROT... they easily have one of the best virus scanners on the market. They're just so busy keeping us VIRUS-FREE that they simply haven't gotten around to updating this older file! :) <Info on obtaining a copy of F-PROT is included in the SUGGESTED SOFTWARE area of this FAQ.>

Heck, a year ago, those two quotes were standard replies to virus related questions regarding how viruses spread, and at the time you'd be hard-pressed to prove these quotes wrong. Now, the new realities are setting in. The MS WORD Macro Virus Family has changed the rules. Infection from simply reading a document is NOW possible.

So, a WORD MACRO Virus is a collection of instructions, known as a macro or template, which WinWord <Word 6.x> executes. The list of instructions in the macro can copy and delete files, alter them, make whole changes to template files, drop other viruses, and execute programs, including ones it has dropped. These Macro Viruses <as defined in section 1> aren't directly executable. They are actually read <and interpreted and executed> by the MS WORD WordBasic Interpreter. This is the first time a virus infection has occurred in the mainstream user market where a file only had to be read <or at least the user thought it was only going to be read> for it to be executed.

MSN - Microsoft Network, and other similar ON-LINE services, have also contributed to the spread of Word Macro Viruses, via a feature included in their terminal programs, MIME-compliant mailers (e.g., Eudora), and WWW browsers (e.g., Mosaic and Netscape). This feature allows users to download and view .DOC files while on-line... the terminals can run the associated program for .DOC files <MS WORD>, and therefore immediately infect users' systems.
This mechanism WILL also allow the virus to be introduced into your system via mail or a WWW page. Use such automatic execution with caution. Had the Macro Viruses never been created, this feature would be of benefit.

NOTE: Reading infected documents with anything other than a copy of MS WORD will not activate and spread the infection. For the virus to become active, MS WORD is required, and it must be WORD that is used to view the document. For example, NORTON UTILITIES' Norton Commander <DOS> has a document viewer, able to view 10-12 of the most popular formats for documents, including various versions of WORKS, WORD and WordPerfect documents. Using the viewer to read an infected document, and telling it to use WORD 6.x format, will allow you to view the document, but will NOT and CAN NOT execute any macros.

At the time of this writing, it was mentioned to me that Microsoft had released a WORD Document Viewer that does not execute Macros, which could be used in place of WORD for the purpose of viewing Documents while on-line. MSN or its affiliated BBS services should have the file available for download.

UPDATE: Eric Phelps noted that a newer version of the WORD Viewer is now available from MS, called WordView 7.1. Unlike its predecessor, it will execute some MACROS. Users who use the Viewer to prevent macro infection should stick to the previous version. WordView 7.1 doesn't have a NORMAL.DOT to infect, but it still allows for an entry point into your system. Use WordView 7.1 with caution.

--------------------------------------------------------------

TOPIC 2: HOW DOES INFECTION OCCUR?
===================================

Typically, a MACRO infection occurs when an infected macro instructs the system to overwrite or alter existing system macros with infected ones, by adding to or altering macros in the GLOBAL MACRO list, which in turn tend to infect all documents opened and written thereafter.
When Word opens a document <.DOC>, it first looks for all included macros in it. This is a little misleading... MS WORD looks at the DOC, first thinking it is a DOC, but finds that it has TEMPLATE/MACRO code <meaning it isn't technically a document, but a template file>. If it finds the AutoOpen Macro, or other AUTO macros, Word will automatically execute this macro. Typically, in the case of an infected .DOC file, this macro will instruct the system to infect important key macros and template files. Those Macros will in turn infect any documents opened thereafter. <hence the Term VIRUS>

Typically, the FileSaveAs Macro is replaced or overwritten, so that an infected copy can then determine how all future documents will be saved. This means it gains control of what file format to save in, and what macros to include in the document. All this is seamless, and most of the time you may not even realize this is happening. When the user executes the FileSaveAs command, the virus (e.g., Concept) displays the *usual* dialog box, letting the user fill in the fields for the file name, location, type, etc. Only *afterwards* does the virus change the type of the file to template - so the user doesn't see anything unusual. AutoOpen and other Macros are then included in documents. When exchanging documents with uninfected computers, the system becomes instantly infected as soon as you try to view and load the infected document <macro/template> with a compatible copy of MS WORD!

At the end of a WORD session, MS Word automatically saves all Global Macros into the Global Macro File, typically the NORMAL.DOT file. Now all future sessions of Word will infect documents it opens until you replace NORMAL.DOT with an uninfected copy <or delete the infected macros>. Otherwise, MS Word loads, and will load infected GLOBAL MACROS before you do a single thing.

NOTE: Some macros will save to the Global macros on their own!
--------------------------------------------------------------

TOPIC 3: KNOWN FEATURES AND LIMITATIONS OF THE WINWORD FAMILY OF VIRUSES
========================================================================

Common features of this family of viruses include the inability to save an infected document in any format other than Word Template Format <the documents are converted into Template format, used internally in Word, and by the user>, and a tendency to disallow saving of the file/document in any other directory using the SAVE AS command. <You can save the infected document anywhere you want - when it is first infected. Only if you *load* an *already infected* document, and *then* try to use the FileSaveAs command on it, will Word try to force you to save it in the template directory - because it is now a template, not a simple document.>

Most WORD MACRO VIRUSES and TROJANS to DATE only affect ENGLISH ONLY copies. Some exceptions apply. In nationalized copies of WORD, the macro language commands have been translated to the national language, therefore macros created with the English version of Word will not work. <makes perfect sense to me... anyone know how AutoOpen is spelled in French? :) > [ according to Vesselin Bontchev <bontchev@complex.is>: The auto macros are always spelled in one and the same way in all nationalized versions. It is things like FileSaveAs that are translated. ]

NOTE: PC Users will likely not notice the difference between a TEMPLATE infected file masquerading around as a document file, as Word will recognize Macro Templates in a file regardless of the extension used by the Template <Default *.DOT>. <Send Complaints to BILL GATES, C/O MICROSOFT CORP.>

Macintosh Users can visually tell whether a Document is infected or not, since infected documents appear with the template/macro icon, instead of the normal document icon. A file that is indicated by a template icon may simply be a harmless template that the user has made, containing legitimate macros.
This MAC advantage will depend on how the document is opened. Opening with the File / Open command will not help a MAC user make the distinction. Viewing parameters for a folder will also determine whether a MAC user will notice the template file. Viewing by size, name, or date will not help, as the icon isn't displayed properly.

A feature common to most viruses of this type is the ability to spread to other platforms, making this family of viruses unique, and dangerous. They can and will spread to almost any platform operating with a compatible copy of MS Word 6.x+. <some exceptions apply> Although other word processors like WordPerfect and Ami Pro do support reading MS Word documents, they can not be infected by these viruses. These programs have the ability to read documents, but not to execute the macro language commands that may be embedded.

It's worth noting that macro viruses whose payloads have no effect on a Mac (PC emulators excepted) will nevertheless replicate on the Mac unless they use one of the relatively few WordBasic functions specific to Windows in the infection/replication routine.

--------------------------------------------------------------

TOPIC 4: VIRUS EXAMPLES
=======================

There are a number of Word Macro viruses in the wild, the first and foremost being the CONCEPT Virus. <although DMV was created first, CONCEPT is what pushed this new breed of viruses into the wild FIRST. It was the first to be widely recognized as a nuisance.>

--------------------------------------------------------------

4.1: Concept Virus :
====================

Also known by the aliases of WW6Macro, WinWord.Concept, Word Basic Macro Virus (WBMV), Word Macro 9508 <MAC> and Prank Macro <Microsoft named it Prank, to downplay the seriousness of the situation>.
This was the first MS Macro Virus to be detected by the Anti-Virus community, and the first Macro Virus to be considered in the wild, with infections spreading to the US, UK, France, Germany, Bulgaria, Canada, the Netherlands, Turkey, Finland, and other countries.

The proliferation of this virus is widespread, mainly due to 2 companies ACCIDENTALLY shipping this virus in infected documents found on their CD-ROMs. The first CD-ROM was...

Microsoft Windows '95 Software Compatibility Test

which was shipped to thousands of OEM companies in mid 1995. In August/September Microsoft distributed the Concept virus on a CD-ROM in the UK called...

"The Microsoft Office 95 and Windows 95 Business Guide"

The infected file is \Office95\Evidence\Helpdesk.DOC, dated August 17th, 1995 <121,856 bytes>. The third CD was...

Snap-On Tools for Windows NT

which was distributed by ServerWare, who immediately withdrew it, warned recipients, and re-mastered it.

Microsoft Corp. is to be commended for acknowledging their part in the spreading of this new virus <calling it a PRANK>, and their effort in controlling the spread of it. They were quick to respond to this new Virus threat with a Macro Scanner/Cleaner which is available freely for download from MSN and associated services. <Note: it's buggy>

This commendation should be taken with a grain of salt, as Microsoft waited up to two months before admitting there was a problem, downplaying the seriousness of the situation, and calling it a PRANK Macro, not befitting an acknowledgment as a REAL virus in their view. MS in turn requested help from AV insiders, and subsequently released their own flawed FIX. AV people wanted internal information regarding the WORDBASIC Macro Template Format. Such help wasn't forthcoming, at least not until months later.
During the whole time that the bulk of the AV people waited for help, MS cited their FIX as being the only thing that CAN deal with this new virus, and claimed that current AV products were useless. <not the first time MS has thrown rocks at competitors...> The statement from Microsoft is only partially true, as a number of AV companies figured out the Macro format on their own, and released their own fixes. Those of us who are used to dealing with Microsoft would agree that 5 months of waiting, being told you're wrong, then finally getting the help you asked for was "a quick response". :)

A CONCEPT infection is easy to notice: on the first execution of the virus infected document (on the first opening of the infected file) a MessageBox appears with the digit "1" inside, and an "Ok" button. Also, simply checking the TOOLS/MACROS option to check loaded macros, the presence of Concept is apparent by the appearance of these 5 macros:

AAAZFS *
AAAZAO *
AutoOpen
PayLoad *
FileSaveAs

NOTE: Using the Tools/Macro option to view in-memory macros can be misleading, and dangerous, as some viruses will intercept this call. The Tools/Macro option should be used with caution with all viruses, and shouldn't be considered a general way to look for macro viruses. The Colors virus for example intercepts this command and activates if it is used.

You may be currently using legitimate macros that go by the names of AutoOpen and FileSaveAs, so these two may not be out of place. However, it is unlikely that you use legitimate macros with names like Payload, AAAZFS, and AAAZAO. These 3 are the clearest signs of an infection.

Note: As has been noted in some press releases, the virus code is simple for a novice to modify, so variants may also be present or appear soon.

The Macros are UNENCRYPTED, and are easily viewable. The following text strings are in the infected documents...

see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point

Also, the line...
WW6I=1

is added to WINWORD6.INI on infected systems.

The Concept Virus is able to run on compatible systems running Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. In Macintosh Word, infected documents appear with the template icon, rather than the usual document icon.

NOTE TO WINDOWS '95/WORD '95 USERS: Those of you who are running Windows 95 and Word 95, and have Word set up to act as your Exchange mail program <WordMail>, are protected from the spreading abilities of CONCEPT, as WORDMAIL disables the capability that lets Concept spread, so you cannot get infected by reading mail with WordMail. However, if an incoming message has an attached infected Word document, and you double-click on that document to open it in Word, you will get infected.

F-Prot has made an Anti-Viral FIX for this ONE virus, known as WVFIX. It detects a Concept infection, and can make modifications to WORD settings on PCs to prevent further re-infection by this one virus. Available now from...

Data Fellows FTP URL
ftp://ftp.datafellows.fi/pub/f-prot/wvfix.zip

and...

Command Software System's FTP site
ftp://ftp.commandcom.com/pub/fix/wvfix.zip

and it is included on F-PROT for DOS Diskettes.

If you don't have F-PROT Professional, which detects this virus, you can detect it manually with older F-PROT versions, by placing the following 2 lines into your F-PROT USER.DEF file, found in your F-PROT for DOS Directory...

CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67

then turn on the USER-DEFINED section of the Targets menu, and add *.DO? as an extension to scan for, or scan for ALL FILES. If F-PROT finds an infected document with this method, use WVFIX to do an additional scan to confirm the infection, as legitimate documents may get flagged using the above search string.
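Added here as an example, not code from the FAQ or from any of the vendors it names: a small Python script that decodes the Concept search strings this section quotes for F-PROT, SOPHOS SWEEP and IBM AntiVirus into readable form (each turns out to contain one of the text strings listed above, with a few binary bytes around it), and then runs those patterns, the text strings, and the WINWORD6.INI marker over a sample buffer. The sample bytes and the INI text are constructed for the demo; neither is a real Word file, and the script contains no macro code.

```python
"""Decode and apply the Concept search strings quoted in this FAQ.

Added example, not part of the FAQ or of any vendor's product. The three
hex patterns are copied from the FAQ (F-PROT USER.DEF, SOPHOS SWEEP.PAT,
IBM ADDENDA.LST); the sample "document" bytes and INI text below are
constructed for the demo and are not a real Word file.
"""
import binascii
import re

# Vendor search strings exactly as quoted in the FAQ (Topic 4.1).
VENDOR_PATTERNS = {
    "F-PROT USER.DEF": "646F02690D6957573649496E7374616E63650C67",
    "SOPHOS SWEEP.PAT": "5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67",
    "IBM ADDENDA.LST": "07734D6163726F24126A0D476C6F62616C3A4141415A414F",
}

# Plain-text strings the FAQ says appear in Concept-infected documents.
TEXT_INDICATORS = [
    b"see if we're already installed",
    b"iWW6IInstance",
    b"AAAZFS",
    b"AAAZAO",
    b"That's enough to prove my point",
]


def hex_to_bytes(pattern: str) -> bytes:
    """Turn a vendor hex pattern (with or without spaces) into raw bytes."""
    return binascii.unhexlify(pattern.replace(" ", ""))


def printable_view(raw: bytes) -> str:
    """Render a byte pattern with non-printable bytes as \\xNN escapes, so a
    reader can see which of the FAQ's text strings each signature covers."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "\\x%02x" % b for b in raw)


def scan_document(data: bytes) -> dict:
    """Return which vendor patterns and text indicators occur in `data`.
    A plain substring search, like the user-defined scanner entries in
    the FAQ; the FAQ's own caveat applies (a hit is a reason to confirm
    with a dedicated tool such as WVFIX, not proof by itself)."""
    hits = {"patterns": [], "strings": []}
    for vendor, pattern in VENDOR_PATTERNS.items():
        if hex_to_bytes(pattern) in data:
            hits["patterns"].append(vendor)
    for s in TEXT_INDICATORS:
        if s in data:
            hits["strings"].append(s.decode())
    return hits


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk (e.g. a .DOC or NORMAL.DOT)."""
    with open(path, "rb") as fh:
        return scan_document(fh.read())


def winword_ini_marker(ini_text: str) -> bool:
    """True if WINWORD6.INI carries the WW6I=1 line the FAQ says Concept adds."""
    return re.search(r"^\s*WW6I\s*=\s*1\s*$", ini_text, re.M | re.I) is not None


# Constructed stand-in for an infected document: two of the vendor patterns
# plus the FAQ's text strings embedded in filler bytes (not a Word file).
SAMPLE_INFECTED = (
    b"\x00" * 16
    + hex_to_bytes(VENDOR_PATTERNS["F-PROT USER.DEF"])
    + b"\x00" * 8 + b"see if we're already installed\x00AAAZFS\x00"
    + hex_to_bytes(VENDOR_PATTERNS["IBM ADDENDA.LST"])
    + b"\x00" * 8 + b"That's enough to prove my point"
)
# Constructed clean buffer with none of the indicators.
SAMPLE_CLEAN = b"\x00" * 16 + b"Quarterly report, nothing to see here." * 4
# Constructed WINWORD6.INI fragment carrying the marker line.
SAMPLE_INI = "[Microsoft Word]\nDOC-PATH=C:\\WINWORD\nWW6I=1\n"


if __name__ == "__main__":
    for vendor, pattern in VENDOR_PATTERNS.items():
        print(f"{vendor:17s} -> {printable_view(hex_to_bytes(pattern))}")
    print("infected sample:", scan_document(SAMPLE_INFECTED))
    print("clean sample:   ", scan_document(SAMPLE_CLEAN))
    print("WW6I=1 in WINWORD6.INI:", winword_ini_marker(SAMPLE_INI))
```

Note that the SOPHOS pattern decodes to a different slice of the macro text than the F-PROT one, so a document can match one vendor string and not another; that is why the FAQ recommends confirming with a dedicated cleaner.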
SOPHOS SWEEP users can add detection of this virus to their older scanners by executing Sweep in full mode with the following command <meant as one line, but displayed below as 2...>

   SWEEP C:\*.* -F -REC
   -PAT=575736496e666563746f720606646f026904734d65240c67

Sweep's SWEEP.PAT file can also hold this pattern for you, so that you do not need to type it out every time you wish to scan. Add the following to the SWEEP.PAT file using an ASCII text editor...

   Concept 5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67

Users of IBM AntiVirus can add protection for this virus to their system manually, or can acquire updated copies of AntiVirus from IBM. To manually add detection of CONCEPT to IBM AntiVirus, add the following three lines to an ADDENDA.LST file in the same directory as VIRSIG.LST...

   07734D6163726F24126A0D476C6F62616C3A4141415A414F
   %s the WordMacro.Concept %s
   DOC and DOT (COM format) files. Mismatches=0. No fragments.

Then use the "Check System" dialog to add "*.DOT" to the list of patterns to check, or simply instruct IBM AntiVirus to scan ALL FILES.

PC users can also acquire the Macro Virus Protection Tool. (On CompuServe or AOL, GO MS; on the Microsoft Network, GO MACROVIRUSTOOL.) Follow the instructions to run the file. It will look for macro viruses, both among your macros and in any documents you specify. It will also install special macros that will help prevent any further infection.

If you use SCAN.DOC, make sure that your copy of the "cleanall" macro is not one of the early releases which contained a typo! Look for the line

   Dlg.Pat$ = "*.doc;*.dot"

used to set up the ".Name" argument for FileFind. There should be NO space between the semicolon and the second asterisk. A space here (found in early releases) prevents looking for ".DOT" files.

Microsoft has also made software available to counter this virus <on MACs>, obtainable via the WWW from...

   <http://www.microsoft.com/kb/softlib/mslfiles/mw1222.hqx>

and via ftp from...

   <ftp://ftp.microsoft.com/softlib/mslfiles/mw1222.hqx>

This FIX from Microsoft only renames the virus rather than removing it. Also note that the file system scan function supplied ("Scan.doc") may not actually find every occurrence of infected files on a Macintosh. A few other vendors of major Macintosh anti-virus software are planning minor releases of their products to cope with this virus or help identify its presence.

If you need additional information, call Microsoft Product Support Services at...

   206-462-9673 for Word for Windows
   206-635-7200 for Word for the Macintosh

or send an Internet e-mail message to...

   wordinfo@microsoft.com

Further info on the CONCEPT virus <albeit with an emphasis on the DOS, OS/2 and Windows environments> is available from IBM's WWW server: <http://www.research.ibm.com/xw-D953-wconc>.

Note: A personal solution for this virus is possible. Simply make 2 dummy macros <they don't need to do anything>, one named PayLoad, the other FileSaveAs. This virus checks for the presence of these macros, and if it finds them, DOES NOT infect your system. <The virus checks for the presence of *either* of these macros, so using just one (either) of them is sufficient.> This is a CONCEPT-only solution, and will likely become useless with any future variants of Concept.

--------------------------------------------------------------

4.2: Nuclear :
==============

Known widely as Winword.Nuclear, Wordmacro-Nuclear and Wordmacro-Alert. This virus was the first WordMacro virus to infect <or at least to attempt to infect> both data/documents <Word documents, .DOT and .DOC> as well as executables <.COM/.EXE/NewEXE>. In truth, it is 2 viruses: a macro virus which alters the operating environment of WORD, and an executable file infector <as well as a system file deleter>. This makes NUCLEAR the first macro virus to also incorporate, or at least try to incorporate, a classic file infector virus.
This virus is actually quite ineffective in the destructive sense, as detailed later in this section. The infected documents contain the following nine macros...

   AutoExec
   AutoOpen
   FileSaveAs
   FilePrint
   FilePrintDefault
   InsertPayload *
   Payload *
   DropSuriv *
   FileExit

which get copied into the GLOBAL macro list. General detection of NUCLEAR is easy: simply view the macros listed under the Macros command of the Tools menu. If the macros "InsertPayload", "Payload", and "DropSuriv" are listed, then you likely have a NUCLEAR infection. <unless you named legitimate macros with the same names... :) > NUCLEAR hides itself from detection by disabling the "PROMPT FOR CHANGES TO NORMAL.DOT" option. Changes are made, and the user doesn't notice anything.

NOTE: Use of the TOOLS/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.

The "InsertPayload" macro will cause the following text to be added to the end of printouts when printing documents. Every 12th printout will have the following text added...

   And finally I would like to say:
   STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

which is appended to the file after the command to print is issued but prior to the actual printing. FAXes sent via a FAX print driver will also be affected, this much I know first hand. From testing, I came to the realization that some Vx putz will start messing with my outgoing faxes behind our backs.

Another included macro is "Payload", which tries to delete IO.SYS, MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic can't reset the attributes of a file which has the System attribute set. It has been noted that a variant that does work is being circulated.

The second part of the Nuclear virus is the executable infector. The DropSuriv macro checks the system time, and will attempt to drop the file infector between 17:00 and 18:00. However, the routine is flawed, and shouldn't work on any system. <It fails due to a syntax error, an unclosed IF statement, which means this payload is never executed.>

If DropSuriv DID work properly, it would search for the standard DOS utility DEBUG.EXE; if found, the macro drops PH33r.SCR and EXEC_PH.BAT. The BAT file is executed, the hex dump file PH33r.SCR is converted from a DEBUG script into an executable, and that executable is in turn executed. Later, the .SCR and .BAT files are deleted to cover its tracks. The file infector then hooks INT 21h and writes itself at the end of COM/EXE/NewEXE files. <However, the memory is released once this DOS task is completed, including the memory-resident virus Ph33r.> Unconfirmed reports state that a NUCLEAR-infected macro with a fully operational DropSuriv macro exists.

The following text strings are in the executable infector...

   =Ph33r=
   Qark/VLAD

SOPHOS SWEEP users can use a user-defined search string to find NUCLEAR, simply by executing the following command <the following 2 lines are actually ONE long one> using Sophos' SWEEP in full mode...

   SWEEP C: -F -ALL
   -PAT=63e6e5e5ee8fe6e3e48fefe3fd87b1c98aeaad8ca7918c93

Discovered on the internet, the infected file ironically was supposed to provide info on a previous macro virus, Concept.

Mac users will notice an infected document, since infected documents appear with the template icon, instead of the usual document icon.

--------------------------------------------------------------

4.3: Colors:
=============

Colors is the first WINWORD macro virus that could be called cute <IMHO>. This virus has the noticeable ability to alter the Windows colors settings. Mac Word is immune to the payload <the system colors attack> but is still susceptible to the infection mechanism, which will attack documents. Detection of infections is easy, as infected documents appear with the template icon, rather than the usual document icon.

Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted to usenet newsgroups on October 14th, 1995.
The Colors virus will infect the global template <usually NORMAL.DOT> upon opening of an infected document. An infected document contains the following macros:

   AutoOpen
   AutoClose
   AutoExec
   FileNew
   FileExit
   FileSave
   FileSaveAs
   ToolsMacro

and other macros. All macros included in COLORS are Execute-Only, and cannot be viewed or edited by Microsoft Word. If normal "clean" macros with the same names existed prior to infection, they will be overwritten by COLORS.

The AutoExec macro of COLORS is an EMPTY macro, possibly designed to defeat any ANTI-MACRO-VIRUS schemes developed by the AV community. It accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec macro with COLORS' empty one, effectively making the AV scanner/cleaner useless. The cleaner provided by Microsoft would fall victim to this attack, and subsequently be rendered useless.

COLORS will also enable AutoMacros in case you were smart and disabled them! It will also disable MS Word's prompt to save changes to NORMAL.DOT.

COLORS is crafty, as it can spread without the use of AUTO macros... thus defeating the DISABLE AUTOMACROS feature. It does so via the macros:

   File/New
   File/Save
   File/SaveAs
   File/Exit
   Tools/Macro

COLORS will infect NORMAL.DOT whenever a user chooses any of the above functions.

It also has limited stealth ability, earning it the title of the first WINWORD STEALTH MACRO VIRUS. It accomplishes its stealth by hiding itself from the active listing: attempting to view active macros runs the COLORS-infected Tools/Macro, which hides its own presence while simultaneously infecting your system. However, deleting these macros is easy: simply use File/Templates/Organizer/Macros to view the names of the virus' macros and delete them.

The COLORS virus keeps track of infections via a counter, named "countersu", which can be found under the [Windows] section of the WIN.INI file. Whenever an infected macro is executed, the counter is incremented by one.
It quickly adds up, when you consider how often you OPEN, CREATE, SAVE, EXIT, and CLOSE documents. When the counter reaches 299, and every 300th execution thereafter, COLORS is triggered. COLORS then makes changes to the system colors setup, including text, background, borders, buttons, etc., using randomly determined colors. The new color scheme becomes apparent to the user during the next Windows session.

NOTE: Microsoft Word for Macintosh is immune to this effect. In Macintosh Word, infected documents appear with the template icon, rather than the usual document icon, which alerts the user to this infection. Only copies of WORD running on a Windows OS or Windows operating environment will suffer these effects. PPC Macs running emulation software that allows Windows and Windows WORD 6.x to run could be hit by this payload. <Does the current PPC MAC allow Windows and Word to be run on it??? >

Colors' ability to spread without the use of AutoExecute macros, and its use of advanced stealth techniques, signals a new level of MACRO virus technology. <Hiding itself from view when you actively look for it defines STEALTH in my book, since it evades detection.> It also adds fuel to the VxD argument, as an on-access scanner could prevent infection by this type of stealthy virus.

NOTE: Check the SUGGESTED SOFTWARE section for AV developers with VxD scanners.

F-Prot users should note that F-PROT Professional 2.20 is not able to detect the Colors macro virus, but you can detect it manually by following the same method used in the CONCEPT section of this FAQ for scanning with F-PROT and its user-defined strings. In this case, use the following 2 lines, which are to be added to your USER.DEF file.
   CE WordMacro/Colors
   0100066D6163726F730100084175746F45786563

--------------------------------------------------------------

4.4: DMV:
=========

Commonly known as WordMacro.DMV, DMV is an unremarkable TEST virus, possibly the first to be created using the WordBasic language. Joel McNamara wrote it in the fall of 1994, as a real-time TEST of some MACRO virus theories. The virus was kept under wraps, and a detailed paper was published. This TEST virus was only released, as an educational aid, after the CONCEPT virus was discovered. DMV isn't a threat to anyone, as it announces itself upon infecting the system.

MAC Word users can visually detect DMV, since infected documents will appear with the template icon, instead of the usual document icon.

The writer of DMV is rumored to be playing with some EXCEL viruses, based on details he published about a virus that would infect Microsoft EXCEL spreadsheet files. <anyone get the feeling 6 months from now I'll be writing an EXCEL MACRO Virus FAQ ??? :) >

[ DOES ANYONE HAVE THE PUBLISHED PAPER? ]

--------------------------------------------------------------

4.5: HOT:
=========

Also known as WORDMACRO HOT, WinWord.Hot. Not the most ingenious of the macro virus family, its biggest kick is the ability to wait or sleep for a while <up to 14 days> and then delete a file. WordMacro/Hot appears to be the first Word macro virus written in Russia. It was found in the wild in Russia in January 1996.

Infected documents contain four execute-only macros:

   AutoOpen
   DrawBringInFrOut
   InsertPBreak
   ToolsRepaginat

Macintosh Word users will notice HOT by examining the icon of the file... infected documents appear with the template icon, normal documents appear with the normal document icon.

NOTE: WordMacro/Hot appears to be the first macro virus to use external functions, allowing Word macros to call any standard Windows API call.
This makes the spreading function Windows 3.x specific, preventing Word for MAC and Word 7 for Win '95 from spreading the virus. An error dialog will be displayed under Microsoft Word 7.0:

   Unable to load specified library

HOT activates automatically via its AutoOpen macro <assuming no attempt to disable AutoMacros has been made>, adding a line LIKE...

   QLHot=34512

to MS Word for Windows 6's WINWORD6.INI file, which acts as a counter/recorder system, setting a date 14 days in the future for payload activation.

HOT then copies the included macros to the global template, usually NORMAL.DOT, revising their names...

   AutoOpen         ==> StartOfDoc
   DrawBringInFrOut ==> AutoOpen
   InsertPBreak     ==> InsertPageBreak
   ToolsRepaginat   ==> FileSave

A listing of the currently loaded macros in this infected environment will reveal the names in the right-hand list. Loading another infected document <actually a template> will add the left-hand list to the macro list, in addition to the right-hand list.

NOTE: The macros have been saved with the 'execute-only' feature, which means that a user can't view or edit them.

A clean <AutoMacros disabled> WORD environment will produce the left-hand list when viewing an infected document.

HOT's FileSave macro causes the virus to randomly decide, within 1-6 days of the infection date, to activate whenever an effort to open files is made. Upon activation, a document will have its contents deleted: the virus opens it, selects the entire contents, deletes them, and closes the document, saving it in its now empty state.
Users with C:\DOS\EGA5.CPI should be protected from this macro, as the author included a check for this file as a protective measure, noted in the source code as follows:

   '---------------------------------------------------------------
   '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
   '- and if File C:DOSega5.cpi not exist (not for OUR friends) ---
   '---------------------------------------------------------------

HOT's InsertPBreak macro inserts a page break in the current document, which is used as a sign of a document already being infected by HOT.

NOTE: WordMacro/Hot relies on the existence of KERNEL.EXE.

To clean existing in-memory infected macros, use the TOOLS/MACROS/DELETE function to delete all infected macros. Do the same for any documents you find that are infected, by doing so from a session of Word with AutoMacros disabled, and using the Tools/Macros/Delete function.

NOTE: Use of the TOOLS/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.

SOPHOS SWEEP users can add detection NOW to their scanner with the line...

   Winword/Hot a186 9dad 889d 8ca7 86cd e58e 0369 ec8e ee69 ec8e e868 ecef

<the above is to be entered as one line> by adding the line to SWEEP.PAT, then scanning in FULL MODE <-f>.

--------------------------------------------------------------

4.6: MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN:
====================================================

This is a new MACRO trojan <that's been around for 2 years> that goes by the alias WinWord.Weideroffnen. It is technically a WinWord 2 infected document, that works equally well under MS WORD 6.x. It intercepts AutoClose, and attempts to play tricks with the boot-up file AUTOEXEC.BAT. It is rumored to exist in Germany, known locally as the "Weideroffen Macro Virus".

No other information is available at this time, other than the post by Graham Cluley, which states...

"Dr Solomon's FindVirus has been detecting this virus for a while (I think we call it WinWord.Weideroffnen). Our WinGuard VxD can also intercept documents infected with it, thus stopping an outbreak dead in its tracks."

Since it basically goes after AUTOEXEC.BAT, Mac users have nothing to fear from this trojan macro. PC users, on the other hand... :)

Please have mercy on us Graham <Graham.Cluley@uk.drsolomon.com>, and provide some more info... :)

--------------------------------------------------------------

4.7: AMI PRO 3.0 MACRO VIRUS GREEN STRIPE
=========================================

NOTE: THIS IS NOT AN MS WORD MACRO VIRUS! IT IS INCLUDED IN THIS FAQ FOR THE PURPOSE OF HELPING THE PUBLIC. THIS FAQ IS PRIMARILY WORD MACRO BASED, BUT MAY BE ALTERED IN THE FUTURE, IF MACRO VIRUSES APPEAR IN INCREASING NUMBERS FOR OTHER MAJOR PROGRAMS, LIKE EXCEL, AMIPRO, ETC.

Also known as AMIMACRO GREENSTRIPE. The name of this virus comes from its main macro procedure, called Green_Stripe_virus. Quite possibly the first macro virus to hit the AMI PRO 3.0 word processor, GREEN STRIPE was first reported to Computer Weekly by those who first detected it, Reflex Magnetics. <reported to A.C.V by David Phillips (D.Phillips@open.ac.uk) > Reflex Magnetics is reported to have a program able to detect this virus available on their WEB site by the time you read this.

Ami Pro macros are somewhat different from their WORD equivalents, as an AMI PRO MACRO is a totally separate file, whereas WORD macro viruses turn documents into combination files, part data, part macro. The Ami Pro macros are stored in a separate file, with the SMM extension. This makes it difficult to spread an AMI PRO virus, as the macro is likely not to get copied with the normal document, effectively disabling the virus.

Ami Pro's File/Save and File/Save As commands are intercepted by Green Stripe, and used to infect all documents it comes in contact with.
You could say that GREEN STRIPE is the first COMPANION MACRO VIRUS, as it doesn't even touch the original document.

NOTE: Using File/Save As and saving an infected document to a network drive or a floppy is the only likely way this virus will spread from one machine to another.

When an infected document is loaded, it has a link to an AMI PRO auto-macro file of the same name <as the document> but different extension. This macro is then executed, and attempts to open ALL other documents in the same directory <to infect them>. This is apparent to the user, as they can see it happening on the screen! It is reported to do a Search and Replace on SAVE, searching for and replacing all occurrences of "Its" with " It's". Reportedly, this fails to work properly.

GREEN STRIPE was first published in Mark Ludwig's virus writing newsletter. This virus makes itself obvious to the user, since it attempts to infect all files found in the AMI PRO 3.0 document directory during the initial infection process, which takes a long time, and the user is likely to notice that something is going on.

NOTE: Removal of AMI PRO 3.0 infected macros is simple: just delete the macro from the directory. To see if a macro has been attached to a document, simply open the Tools/Macros/Edit menu and check whether the document has a .SMM macro file assigned to be executed on open. If you find one, delete it <unless YOU created a legitimate macro>. Documents and macros in AMI PRO are ASCII files, making viewing and detection of infected macros easy using any program other than AMI PRO.

This virus is difficult to spread, as the path to the macro is hard-coded, preventing the macro from spreading if programs other than AMI PRO are used to move it about.

Thanks to Vesselin Bontchev <bontchev@complex.is> and Dr David Aubrey-Jones <davidj@reflexd.demon.co.uk> for detailing this virus.
--------------------------------------------------------------

4.8 WORDMACRO ATOM / ATOMIC
=============================

This is a new macro virus, found in February 1996, which works along the same general ideas as the original Concept virus. The WordMacro/Atom virus is not known to be in the wild. The differences, when compared to the Concept virus, are as follows:

- All the macros in this virus have been marked EXECUTE ONLY, making them encrypted.
- Replication occurs both during file openings and file saves.
- Atom comes with 2 destructive payloads.

On December 13th, its first point of activation occurs. It will attempt to delete all files in the current file directory. The second activation password-protects documents, restricting the user's access to their own documents. This happens when the system clock's seconds counter equals 13 and a File/Save As command is issued. The password assigned to the documents is ATOM#1.

If the user disables AUTOMACROS, Atom will be unable to execute and spread to other documents. Enabling the Prompt To Save NORMAL.DOT option will prevent Atom from attacking and infecting the NORMAL.DOT file.

--------------------------------------------------------------

4.9 FORMATC MACRO TROJAN
==========================

Also known as WORDMACRO.FORMATC, and FORMAT.C.Macro.Trojan.

The FORMATC macro virus isn't even a virus, as it DOES NOT SPREAD. This makes it another MACRO TROJAN. This trojan contains only one macro, AutoOpen, which will be executed automatically when a document is opened. The macro AutoOpen is READ ONLY, making it encrypted, and neither readable nor editable. It is visible in the macro list.

When FORMATC is executed, "triggered", it will run a DOS session, in a minimized DOS box. It will run an unconditional format of the C drive.

NOTE: Get your hands on some up-to-date scanners, and pre-screen all documents. Also acquire some AV VxDs, as they should prevent the trojan from wiping your drive clean.
Thanks to Symantec for providing the info on this trojan.

--------------------------------------------------------------

TOPIC 5: STRATEGY FOR CLEANING AND PREVENTING WORD MACRO INFECTIONS:
=====================================================================

The best strategy for dealing with this new VIRUS menace is to acquire at least one, maybe even a couple of decent anti-virus products. This is a good idea whether you are dealing with classic viruses or this new MS WORD MACRO family of viruses. If you have some of the popular virus scanners, you can add macro virus signature definitions to them from the previous sections of this FAQ, or acquire updated copies of your favorite AV programs, which should have them built in.

Some products are now including Windows-mode VxD virtual on-access scanners, that run co-operatively with Windows. <insert bad joke about windows reliability here :) > These VxDs tend to have the same capabilities as the classic scanners. Others that don't yet include VxDs are also worth acquiring, as the command-line scanners are some of the best in the industry.

Most of the virus scanners listed in the SUGGESTED SOFTWARE area of this FAQ will, in the worst case, detect known MACRO viruses, and at best clean existing infections and prevent future infections by MACRO viruses. The following AV products now include an option to scan for Word macro viruses: F-PROT, TBAV, AVP, AVTK, SOPHOS SWEEP, McAFEE, and others. Fans of ChekMate will be glad to hear about ChekMate.DOC, part of the ChekMate 2.00 generic anti-virus package, which will detect and prevent macro infections.

Learning to scan documents as well as program files will now be necessary to maintain a clean system environment. So, keeping these new viruses out of your system isn't really any harder than keeping standard viruses out. Most of these products are listed in the SUGGESTED SOFTWARE area of this FAQ.
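As an added example, not part of this FAQ or of any AV vendor's code, the following Python script re-implements the "user-defined search string" scanning that the F-PROT USER.DEF and Sophos SWEEP.PAT entries in the CONCEPT, COLORS and HOT sections describe, using only the patterns quoted there; the documents it scans are constructed in the script (the OLE2 header bytes and file names are assumptions, not real infected files).

```python
"""Scan *.DOC/*.DOT files for the user-defined macro virus search strings
quoted in this FAQ. Added example, not the FAQ's own code.

F-PROT USER.DEF and Sophos SWEEP.PAT entries are, once the "CE" keyword,
the virus name and the spacing between hex groups are stripped, plain byte
patterns the scanner looks for anywhere in the file. This script does the
same search so the strings can be tried offline on known samples.
"""
import os
import re
import tempfile

# Pattern lines copied verbatim from the FAQ (two file formats, same idea).
FAQ_PATTERNS = """
CE WordMacro/Concept 646F02690D6957573649496E7374616E63650C67
Concept 5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67
CE WordMacro/Colors 0100066D6163726F730100084175746F45786563
Winword/Hot a186 9dad 889d 8ca7 86cd e58e 0369 ec8e ee69 ec8e e868 ecef
"""

HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def parse_patterns(text):
    """Return [(name, pattern_bytes)] from USER.DEF / SWEEP.PAT style lines.

    F-PROT lines start with the "CE" keyword, SWEEP.PAT lines do not; both
    then give the name followed by hex, with or without spaces.
    """
    sigs = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "CE":          # F-PROT USER.DEF keyword
            parts = parts[1:]
        name, hexgroups = parts[0], parts[1:]
        hexstr = "".join(hexgroups)
        if not hexstr or len(hexstr) % 2 or not HEX_RE.fullmatch(hexstr):
            raise ValueError(f"bad hex pattern for {name!r}")
        sigs.append((name, bytes.fromhex(hexstr)))
    return sigs


def scan_bytes(data, sigs):
    """Return [(name, offset)] for every occurrence of every pattern."""
    hits = []
    for name, pat in sigs:
        off = data.find(pat)
        while off != -1:
            hits.append((name, off))
            off = data.find(pat, off + 1)
    return hits


def scan_tree(root, sigs, exts=(".doc", ".dot")):
    """Scan every *.DO? file under root, like the FAQ's '*.DO?' target.

    Returns {path: [(name, offset), ...]} for files with at least one hit.
    As the FAQ warns, a hit is a reason to confirm with a real scanner, not
    proof of infection: a clean document can contain the same bytes.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(exts):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), sigs)
            if hits:
                found[path] = hits
    return found


def demo():
    """Write constructed sample files to a temp dir, scan them, and return
    {basename: hits}. None of these are real documents."""
    sigs = parse_patterns(FAQ_PATTERNS)
    # Constructed sample: OLE2 magic (assumed), filler, then the Concept
    # string from the FAQ's F-PROT USER.DEF entry at offset 32.
    concept = bytes.fromhex("646F02690D6957573649496E7374616E63650C67")
    samples = {
        "LETTER.DOC": b"\xd0\xcf\x11\xe0" + b"\x00" * 28 + concept + b"\x00" * 16,
        "NOTES.DOC": b"\xd0\xcf\x11\xe0" + b"plain document text" + b"\x00" * 16,
        "README.TXT": concept,   # wrong extension: skipped, as with '*.DO?'
    }
    with tempfile.TemporaryDirectory() as d:
        for fn, data in samples.items():
            with open(os.path.join(d, fn), "wb") as fh:
                fh.write(data)
        found = scan_tree(d, sigs)
    return {os.path.basename(p): hits for p, hits in found.items()}


if __name__ == "__main__":
    for fn, hits in demo().items():
        for name, off in hits:
            print(f"{fn}: {name} at offset {off} (confirm with an AV scanner)")
```

Scanning only for these strings gives the same "flagged, not confirmed" result the FAQ describes for F-PROT's user-defined mode, so treat a hit as a reason to run WVFIX or an up-to-date scanner, not as a verdict.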
A file, SCAN831.ZIP, common on various AV FTP sites on the internet, can deal with the WORD.Concept <Prank> virus. Unzipping it into the Winword directory, and opening the included document SCAN831.DOC, will check your documents for the presence of Concept.

NOTE: This is only a solution for preventing/removing Concept infections. Also, Windows '95 users will need to dump the contents of their Start Menu Documents menu, and remove desktop shortcuts, before using this solution.

NOTE: This `fix' distributed by Microsoft isn't complete - there are ways to open documents (like from the recently used files list) that don't trigger the protection macros.

Fans of Symantec can download a free copy of REPAIR.ZIP, which contains virus definition files for the macro viruses. You can use REPAIR.ZIP with either NAV 95 or NAV 3.0.

NOTE: To detect the MS Word macro viruses, scan your hard drive from DOS only; neither version of NAV will detect them from within Windows.

Disinfectant for the MAC, although a great AV product, doesn't generally address macro viruses or HyperCard infectors. <At least it didn't the last time I played with a MAC :) > Disinfectant does not deal with non-machine-code viruses, so no update is needed. Mac users will want to contact some of the AV producers listed below, as many of them are now offering MAC AV solutions which DO deal with MS WORD MACRO VIRUSES. Some of the Word macro viruses will work at least in part on a MAC; Dr Solomon's Anti-Virus Toolkit for Macintosh will detect such infections, and will also detect PC boot sector viruses.

Mac users will have one advantage in fighting and finding WORD MACRO VIRUSES: since the MAC displays the icon of data files, users will notice that infected documents appear with the template icon, rather than the usual document icon.

A good back-up routine is also a sensible addition to any AV strategy.
No AV product is perfect, especially against new and unknown viruses <unless you are ZVI NETIZ, his AV products catch 100% of all viruses, including the cold viruses you've suffered with this winter! Unfortunately ZVI's product will delete all copies of your SOFIA files :) >

It is often preferable to replace infected files with clean, uninfected copies, regardless of format, than to execute a "cleansed" file that may be corrupt, or at least unstable. This is good advice for standard executables... but MS WORD docs can be cleaned most of the time simply by removing the infected macros, and saving the file as a NORMAL document!

Personal MACRO VIRUS PREVENTION...

For those of you who would rather deal with the MACRO problem yourself, without using one of the recommended products, there are a few things you can do to add an extra measure of security <although it is really a false sense of security...>.

Disabling of AutoOpen macros is possible by invoking the Word system macro DisableAutoMacros. An ounce of prevention equals a pound of cure. :)

NOTE: this can be disabled by some macro viruses. :(

The manual for WORD for Windows says you can also do this from the command line, by executing WORD with the following command...

   WINWORD.EXE /mDisableAutoMacros

However, due to a Flaw, Feature, or Bug <Gotta Love MS> this doesn't appear to work! Thanks MS! :(

The manual also states that holding <SHIFT> while opening documents will prevent any AutoExecute-type macros from running, but this suggestion also doesn't appear to work! Thanks Again MS! :(

Or better yet, you could create your own AutoExec macro. It isn't hard: simply select the TOOLS menu, hit the MACRO command, and create a new macro called "AutoExec". Alter line 3 as you see fit...

   Sub Main
   DisableAutoMacros
   MsgBox "MS WORD AutoMacros Disabled.", "Some Protection!", 64
   End Sub

or...

   Sub Main
   DisableAutoMacros
   MsgBox "MS WORD AutoMacros Disabled!", 0
   End Sub

The second macro should display the message in the status line. <I hope> :)

NOTE: Use of the TOOLS/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.

This method will effectively prevent the CONCEPT, HOT, DMV, and NUCLEAR word macro viruses from infecting the WORD environment, by fooling these viruses into thinking they've already infected your system. It also disables AutoMacros, which will help with some macro infectors. This is a temporary fix, as WORD gives priority to macros in documents over system macros. <MS will need to ship an update to WORD for all platforms that will give control back to the users. Can you all say WORD '99? >

All legitimate owners of copies of MS WORD should CALL MICROSOFT support staff, and let them know you want an updated copy of WORD. Let them know you want the BUGS FIXED. It's your right! Call Microsoft Product Support Services at 206-462-9673 for Word for Windows, or send an Internet e-mail message to wordinfo@microsoft.com <wonder if we could cause a class action suit....>

Another option is to check the TOOLS/OPTIONS menu and set it to prompt before saving NORMAL.DOT. Setting the file attributes of the file to read-only may help, but anyone going to the effort of writing a macro virus can easily disable that attribute. <and if you've read this FAQ, you also know that some macro viruses can enable AutoMacros even if you specifically disable them! :( >

AMI PRO 3.0 users who want to clean their system of infected AMI PRO 3.0 GREEN STRIPE macros need only look in their document directory, and delete any infected macros <which will have the same names as documents>.

Note: detection of a GREEN STRIPE infection is easy: view all macros with a NON-AMI PRO viewer, like DOS EDIT. Find infected macros, and delete them. That's it!
SOFTWARE ALTERNATIVES TO USING WINWORD.EXE...

At the time of this writing, it was mentioned to me that Microsoft had released a WORD document viewer, that does not execute macros, which could be used in place of WORD for the purpose of viewing documents while on-line. MSN or its affiliated BBS services should have the file available for download. Also, a number of shareware and freeware shells can directly view WORD documents, without executing macros.

Eric Phelps has noted that an updated version of the WordViewer is now available. The new WordView 7.1 free viewing utility from Microsoft now runs some Word macros!! If you want to view documents without the ability to run macros, then stick to versions of WordView prior to version 7.1.

Users of NETSCAPE 2 who fear infection by macro viruses while on the WWW can now acquire Inso's new Word Plug-In Viewer (Inso wrote the Quick View utility in Win95). Inso's URL is http://www.inso.com/ and there is a link to download the Word Plug-In Viewer on the opening page.

If you need additional information, call Microsoft Product Support Services at 206-462-9673 for Word for Windows, or 206-635-7200 for Word for the Macintosh, or send an Internet e-mail message to wordinfo@microsoft.com

--------------------------------------------------------------

TOPIC 6: SUGGESTED SOFTWARE:
============================

PRODUCTS THAT CAN DETECT/CLEAN WINWORD VIRUS INFECTIONS IN DOCUMENTS

MICROSOFT

Available on Microsoft Download Services...

   WD1215.EXE     51078  10-10-95  Macro Virus Protection Tool
   MW1222.HQX     83729  11-09-95  Macro Virus Protection Tool for Mac Word 6.0
   SCANPROT.EXE   29996  01-02-96  Word pour Windows, "Prank Macro" Protection Template (for French Word)

Available at WWW.MICROSOFT.COM or WWW.MSN.COM...

A self-extracting archive, MVTOOL10.EXE, is being distributed by Microsoft.
It is a way to protect yourself against the Concept virus, as well as to warn you about document files that contain macros without your knowledge. It will create these files:

README.DOC    36864  10-02-95  1:08p
SCANPROT.DOT  49152  10-02-95  3:44p

Enter Word and read the README.DOC to see if this package is suitable for your environment.

============================

DR SOLOMON'S ANTI-VIRUS TOOLKIT

-FindVirus can detect & clean macro viruses, scanning recursively inside compressed and archived files (ZIP, LZH, ARJ, ARC, etc.) without writing to the hard disk. The WinGuard VxD on-access scanner can prevent future infections. (available for DOS, Win 3.x, Win 95, Win NT, OS/2, Novell NetWare, Unix, and soon Apple Mac)

Web: http://www.drsolomon.com
USA Tel: +1 617-273-7400
CompuServe: GO DRSOLOMON
UK Support: support@uk.drsolomon.com
UK Tel: +44 (0)1296 318700
US Support: support@us.drsolomon.com
USA Tel: +1 617-273-7400

Canadian Representative:
SSS-Sensible Security Solutions Inc.
Tel. 613-623-6966
Fax. 613-623-3992
e-mail: secure-1@magi.com
* Editors of 'Virus News' and on-line Security Alerts

============================

AVP & AVPLITE

-Detects & cleans macro virus infections.

USA: Central Command Inc. <AVP>
P.O. Box 856
Brunswick, Ohio 44212
Phone: 216-273-2820
FAX : 216-273-2820
Support: support@command-hq.com
Sales: sales@command-hq.com
FTP: ftp.command-hq.com /pub/command/avp
WWW: http://www.command-hq.com/command [not operational yet]
Compuserve: GO AVPRO

============================

F-PROT

-Currently only detects known WINWORD macro viruses; cannot clean macro infections. Macro virus cleaning will be added shortly.

Frisk Software International
Postholf 7180
IS-127 Reykjavik
Iceland
Fax: +354-5617274
Email: sales@complex.is

[North America, South America, Australia and New Zealand]
Command Software Systems Inc.
Tel: +1-407-575 3200
Fax: +1-407-575 3026

[Canada]
DOLFIN Developments
Tel: +1-905-829-4344
Fax: +1-905-829-4380

[Most of Europe, Africa, Middle and Far East:]
Data Fellows Ltd
Paivantaite 8
FIN-02210 ESPOO
FINLAND
Tel: +358-0-478 444
Fax: +358-0-478 44 599
E-mail: F-PROT@DataFellows.com
WWW: http://www.DataFellows.com/

============================

VIRUSCAN

-Currently only detects macro viruses, but will soon add its own internal cleaners to the software. In the meantime, McAfee included MicroSoft's MVTOOL10.EXE WinWord.Concept cleaner with their product.

McAfee
2710 Walsh Avenue
Santa Clara, California 95051-0963
USA
For questions, orders and problems call (M-F, 6:00AM - 5:00PM PST): (408) 988-3832 Business
For Faxes (24 hour, Group III FAX): (408) 970-9727 FAX
Bulletin Board System (24 hour US Robotics HST DS): (408) 988-4004
Internet Email: support@mcafee.com
Internet FTP: ftp.mcafee.com
WWW: http://www.mcafee.com
America On-line: MCAFEE
CompuServe: GO MCAFEE
The Microsoft Network: GO MCAFEE

============================

THUNDERBYTE

-Detects currently existing Word macro viruses

ThunderBYTE International Affiliates

ESaSS B.V.-ThunderBYTE International
P.O. Box 1380
6501 BJ Nijmegen
The Netherlands
Phone: +31 (0)8894 - 22282
Fax: +31 (0)8894 - 50899

TCT-ThunderBYTE Corporation
49 Main St., Suite 300
Massena, N.Y. 13662
USA
Toll-Free: 1-800-667-8228
Phone: (315) 764 1616
Fax: (613) 936 8429

TCT-ThunderBYTE Inc.
3304 Second St. E., P.O. Box 672
Cornwall, Ont. K6H 5T5
Canada
Toll-Free: 1-800-667-TBAV
Phone: (613) - 930 4444
Fax: (613) - 936 8429

============================

INTEGRITY MASTER

-Detection of macro viruses + integrity checking in one package

Stiller Research
2625 Ridgeway St.
Tallahassee, FL. 32310-5169
U.S.A.
Email: 72571.3352@compuserve.com
PHSH44A on Prodigy.
Stiller on GEnie

============================

CHEKMATE (2.0)

-Generic virus detection utility + ChekResQ utility that can remove boot sector and partition table viruses both from memory and your hard disk. ChekMate, using generic techniques, avoids the major problem of false alarms. <MS or PC-DOS 3.3 or later, Windows 3.0, 3.1, 3.11, Workgroups, Windows '95, and Windows NT, as well as OS/2 2.0, 2.1 and Warp>
NOTE: Requires DEBUG.EXE.

Package includes CHEKWORD.DOC. Macros in the GLOBAL template (normally NORMAL.DOT) are checked and the user is informed of the number(s), name(s) and descriptions of macros in this template. For your protection, the AutoExec and AutoOpen macros are also disabled automatically. Chekword.Doc also scans documents you open.

Martin Overton (ChekWARE), 8 Owl Beech Place, Horsham, West Sussex, RH13 6PQ, ENGLAND.

FTP at:
ftp.coast.net/SimTel/msdos/virus/cm200.zip
ftp.demon.co.uk/pub/simtel/msdos/virus/cm200.zip
ftp.demon.co.uk/antivirus/ibmpc/av-progs/cm200.zip
ftp.gate.net/pub/users/ris1/cm200.zip

At the World-Wide Web site: http://www.valleynet.com/~joe/avdos.html
Email: chekmate@salig.demon.co.uk

============================

Simtel, the Software Depository, is a great source for anti-virus software! Many AV producers post updated versions of their software regularly to SIMTEL. SIMTEL is a free service, which you can access via the Internet. The following list will allow anyone with Internet access to freely obtain most AV shareware/freeware. For those of you who cannot FTP to a Simtel site, do a search for "SIMTEL" with a decent search engine like YAHOO or WEB CRAWLER, and you'll see SIMTEL listed.

SimTel's primary mirror site is ftp.Coast.NET (205.137.48.28), located in Detroit, Michigan, and there the programs may be found in the directory /SimTel/msdos/virus.
Secondary SimTel mirror sites in the US include:

Concord, CA          ftp.cdrom.com            192.216.191.11
Urbana, IL           uiarchive.cso.uiuc.edu   128.174.5.14
Rochester, MI        OAK.Oakland.Edu          141.210.10.117
St. Louis, MO        wuarchive.wustl.edu      128.252.135.4
Norman, OK           ftp.uoknor.edu           129.15.2.20
Corvallis, OR        ftp.orst.edu             128.193.4.2
Salt Lake City, UT   ftp.pht.com              198.60.59.5

Users outside the US should in general select the "closest" mirror site from the list below:

Australia            archie.au                139.130.23.2
Brazil               ftp.unicamp.br           143.106.10.54
China                ftp.pku.edu.cn           162.105.129.30
Czech Republic       pub.vse.cz               146.102.16.9
England              micros.hensa.ac.uk       194.80.32.51
                     src.doc.ic.ac.uk         155.198.1.40
                     ftp.demon.co.uk          158.152.1.44
France               ftp.ibp.fr               132.227.60.2
Germany              ftp.ruhr-uni-bochum.de   134.147.32.42
                     ftp.tu-chemnitz.de       134.109.2.13
                     ftp.uni-mainz.de         134.93.8.129
                     ftp.uni-paderborn.de     131.234.10.42
                     ftp.uni-tuebingen.de     134.2.2.60
Hong Kong            ftp.cs.cuhk.hk           137.189.4.110
                     hkstar.com               202.82.0.48
Israel               ftp.technion.ac.il       132.68.7.8
Italy                cnuce-arch.cnr.it        131.114.1.10
Japan                ftp.saitama-u.ac.jp      133.38.200.1
                     ftp.riken.go.jp          134.160.41.2
Korea                ftp.kornet.nm.kr         168.126.63.7
                     ftp.nuri.net             203.255.112.4
Netherlands          ftp.nic.surfnet.nl       192.87.46.3
New Zealand          ftp.vuw.ac.nz            130.195.2.193
Poland               ftp.cyf-kr.edu.pl        149.156.1.8
                     ftp.icm.edu.pl           148.81.209.3
Portugal             ftp.ua.pt                193.136.80.6
South Africa         ftp.sun.ac.za            146.232.212.21
Slovak Republic      ftp.uakom.sk             192.108.131.12
Slovenia             ftp.arnes.si             193.2.1.72
Sweden               ftp.sunet.se             130.238.127.3
Switzerland          ftp.switch.ch            130.59.1.40
Taiwan               nctuccca.edu.tw          140.111.1.10
Thailand             ftp.nectec.or.th         192.150.251.33
Turkey               ftp.metu.edu.tr          144.122.1.101

--------------------------------------------------------------

TOPIC 7: CREDITS & THANKS:
==========================

I would like to extend my appreciation and thanks to all those who provided info to me on this matter. Most of the anti-virus producers were extremely helpful in the production of this much needed FAQ for ALT.COMP.VIRUS.
Special thanks go to Bruce Burrell <bpb@us.itd.umich.edu> for reminding me to dot my "i"s and cross my "t"s.

ACKNOWLEDGMENTS

I would like to thank the following individuals who have helped and contributed to this document:

Graham Cluley <gcluley@uk.drsolomon.com>, Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit.
Dr Alan Solomon <drsolly@ibmpcug.co.uk, drsolly@chartridge.win-uk.net>, Chief Designer of Dr Solomon's Anti Virus Toolkit, S&S International.
Vesselin Vladimirov Bontchev <bontchev@complex.is>, FRISK Software International.
Wolfgang Stiller <72571.3352@compuserve.com>, Stiller Research
Keith A. Peer <keith@command-hq.com>, Central Command Inc. <AVP>
Sarah Gordon <sgordon@commandcom.com>, Command Software Systems' F-PROT Professional Support.
Paul Kerrigan <pkerrign@iol.ie>
Paul Ducklin <duck@sophos.com>, and SOPHOS <www@sophos.com> for providing early info and the detection string for this new macro virus.
David Harley <harley@icrf.icnet.uk>
David Phillips (D.Phillips@open.ac.uk)
Dr David Aubrey-Jones <davidj@reflexd.demon.co.uk> of REFLEX MAGNETICS
Martin Overton <chekmate@salig.demon.co.uk>
and Ed Fenton <ris@transit.nyser.net>

--------------------------------------------------------------

TOPIC 8: FAQ DISTRIBUTION INFORMATION:
======================================

Any distribution of this FAQ is subject to the following restrictions:

This FAQ may be posted to any USENET newsgroup, on-line service, or BBS as long as it is posted in its entirety and includes this copyright statement. This FAQ may not be distributed for financial gain.

This FAQ may be made freely available and posted on FTP, WWW, and BBS sites, newsgroups and networks, as well as included within software packages and AV products, and on CD-ROMs containing other FAQs/shareware/freeware programs, such as the SIMTEL and GARBO collection CD-ROMs, as long as this FAQ is always distributed complete and without modifications, and proper credits are given to the author.
Mass distribution of this FAQ in magazines, newspapers or books requires approval from the author, Richard John Martin. Email Bd326@Torfree.Net for FREE APPROVAL.

NOTE: I, the AUTHOR, will re-post copies of this FAQ to ALT.COMP.VIRUS every one-two weeks. <or more frequently when the need arises>

Anyone with additional info, critiques, suggestions, etc. to add to this FAQ, please send it to Bd326@Torfree.Net

Copyright (c) 1995-1996 by Richard John Martin, all rights reserved.

--------------------------------------------------------------

TOPIC 9: WHERE CAN I OBTAIN UPDATED COPIES OF THIS FAQ?
=======================================================

ChekMate <ChekWare Software> will usually have the most up-to-date copy of this FAQ on their Internet site. <Thanks Guys> You can find it at...

ftp.gate.net/pub/users/ris1/word.faq

or try our own HIGH SPEED DEMONZ WWW homepage. You will find updated copies of this FAQ at...

http://learn.senecac.on.ca/~jeashe/hsdemonz.htm

as well as many other popular AV sites. Keep an eye on the page, as new things will shortly be added, plus an HTML version of the FAQ is being prepared. With any luck, things will return to normal around here. Updated copies of the FAQ should resume its former schedule of updates once every 2 weeks.

An updated copy of this FAQ can also be obtained by sending email to Bd326@TorFree.Net with a SUBJECT header of "PLEASE SEND FAQ", which will result in a return email message that will include an updated copy of this FAQ.

To be added to an experimental MAILING LIST for updates of this FAQ, send EMAIL with the SUBJECT header "ADD TO MAIL LIST". The MAILING LIST may be cancelled at any time.
You can also remove yourself from the list by sending an email with the SUBJECT header: "REMOVE FROM FAQ MAIL LIST"

For those of you who live in Toronto, Ontario, Canada, or don't mind a call up here to the Great White North, set your modem to 8n1, and call:

VIRUS WATCH BBS (416)654-3814

Simply do a search on the BBS for MACRO and you'll see updated copies of the FAQ listed. The file will be an ASCII text file, with the name format of WORDMACR.xxx. The xxx will refer to the month. This particular edition is WORDMACR.MAR

I'm still looking for BBS's to ARCHIVE this FAQ, so if anyone would like to ARCHIVE it on their BBS, please let me know.

--------------------------------------------------------------

TOPIC 10: QUESTIONS THAT STILL NEED TO BE ANSWERED...
======================================================

Any help with the following questions would be appreciated.

1: [ HOW MANY DIFFERENT VERSIONS OF MS WORD HAVE BEEN RELEASED ON POPULAR PLATFORMS? ]
2: [ HOW MANY DIFFERENT NATIONALIZED VERSIONS OF MS WORD HAVE BEEN RELEASED? WHICH LANGUAGES? ]
2.1: [ HOW MANY DIFFERENT NATIONALIZED VERSIONS OF MS WORD FOR MAC HAVE BEEN RELEASED? WHICH LANGUAGES? ]
3: [ WHAT ARE THE NAMES OF MACROS EQUIVALENT TO AUTOOPEN, AUTOCLOSE, FILESAVEAS, etc. IN THE NATIONALIZED VERSIONS OF MS WORD? ]
4: [ DOES MS WORD FOR DOS EXIST? IF SO, WHICH VERSIONS HAVE BEEN RELEASED? ]
4.1: [ DOES IT HAVE A COMPATIBLE MACRO LANGUAGE? ]
5: [ GENERAL INFO ON MAC WORD INTERFACE, MENUS, MACRO, ETC.??? ]
6: [ ANY NEW INFO TO ADD? ]
7: [ LIST ANY PROGRAMS YOU KNOW THAT CAN VIEW WORD 6.x or 7.x DOCUMENTS??? ]
8: [ HOW TO DISABLE AUTOMACROS OR MACROS IN GENERAL UNDER WORD FOR MAC? ]
9: [ IS THE ATARI ST CAPABLE OF RUNNING DOS, WINDOWS, and WORD FOR WINDOWS? ]
10: [ DOES THE AMIGA HAVE A NATIVE MS WORD? ]
11: [ DOES WINDOWS OLE and DDE ALLOW FOR THE POSSIBILITIES OF INFECTING OTHER FILE FORMATS? ]
12: [ DOES ANYONE HAVE INFO ON THE "HOT" & "WEIDEROFFEN" VIRUSES? ]

Anyone with additional info, critiques, suggestions, etc. to add to this FAQ, please send it to Bd326@Torfree.Net

--------------------------------------------------------------

TOPIC 11: DISCLAIMER
====================

This article is provided as is without any express or implied warranties. While every effort has been taken to ensure the accuracy of the information contained in this article, the author assume(s) no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

--------------------------------------------------------------

This FAQ is Copyright (c) 1996 Richard John Martin, HIGH SPEED DEMONZ Anti-Virus Research Labs, Canada. All rights reserved.

MicroSoft (tm), MicroSoft Windows, MicroSoft Word, MicroSoft EXCEL are Copyright (c) 1995-96 MicroSoft Corp. All rights reserved.

--------------------------------------------------------------