Report on a New Computer Virus



A new virus report! This item is cross-posted from TidBITS. Let's be
careful out there.

Norm MacLeod



Cross-Platform Virus Strikes Word Users
---------------------------------------
  by Mark Anbinder, News Editor <mha@tidbits.com>

  Though the possibility of a cross-platform virus moving as
  interpreted commands in data documents has been considered by
  computer experts, none had been seen in the user community until
  this month's discovery that a new virus was spreading within
  document macros interpreted by Microsoft's WordBasic macro
  language. The virus, dubbed "Word-Macro-9508" by the Macintosh
  antivirus community, can spread on any computer system using a
  version of Microsoft Word 6.0.

  So far the virus has been seen mostly on DOS, Windows, and OS/2
  computers running Word 6, in various locations in North America
  and Europe. It has been referred to as "WinWord.Concept", "WW6",
  and "WW6Macro" in the Windows community, though it is by no means
  restricted to the Windows version of Word 6. Microsoft's name for
  the virus is "Prank Macro". The code can be spread merely by
  opening an infected Word document - even one that has been
  transferred from a different operating system - since Word's
  macros are stored as data and are automatically recognized by any
  current version of the application.

  The virus adds several new macros to Word's global macro pool,
  named "AAAZA0", "AAAZFS", "Payload", and "FileSaveAs". This last
  activates the virus in an infected file when the user chooses Save
  As from the File menu. The altered macros are then saved with the
  file. If the virus has infected your Word documents, you may see
  an alert window with the digit "1" in it when the virus is
  triggered, or you may notice that infected Word files are saved as
  templates rather than normal documents.

  IBM has gathered a fair amount of information on the virus and how
  to combat it, and published it at:

http://www.research.ibm.com/xw-D953-wconc/

  Microsoft has released tools to combat the virus, obtainable on
  the Internet. As of this writing, Microsoft's fix renames the
  virus rather than removing it, and there have been reports that a
  supplied file system scan function may not find all infected files
  on a Macintosh.

http://www.microsoft.com/kb/softlib/mslfiles/mw1222.hqx
ftp://ftp.microsoft.com/softlib/mslfiles/mw1222.hqx

  [Note that Microsoft still isn't posting BinHex files correctly
  and this file must be downloaded in binary mode. Try using
  Netscape, which downloads most everything in binary, or Fetch,
  which has a Binary button that forces a binary download.
  Otherwise, configure your FTP client to treat the file suffix
  ".hqx" as a binary file, and be sure to change the setting back
  when you're done. -Geoff]

  Datawatch Corporation has released an update (version 5.6.1) of
  its commercial Virex utility for Macintosh, available on
  commercial online services and at:

ftp://gateway.datawatch.com/pub/

  No updates are currently planned for the other Macintosh antiviral
  utilities; most do not attempt to address viruses that don't take
  a machine-code form.

  Since Mac versions of Microsoft Word prior to 6.0 don't
  incorporate WordBasic, and since even on newer versions these
  macros are easily spotted and removed, users need not panic about
  this virus.

  Information from:
    Gene Spafford
    IBM



----------------------------------------------------------------------------
Norman MacLeod
Senior Scientific Officer
N.MacLeod@nhm.ac.uk (Internet)
N.MacLeod@uk.ac.nhm (Janet)

Address: Dept. of Palaeontology, The Natural History Museum,
         Cromwell Road, London, SW7 5BD

Office Phone: 071-938-9006
Dept. FAX:  071-938-9277
----------------------------------------------------------------------------