VIRUS UPDATE
The power of the Word can be destructive
There is a new strain of viruses sweeping cyberspace. It's called the
Word Macro.
This strain of viruses is very different from earlier ones. Other
viruses have traveled most commonly via diskette from system to system.
They usually attack a system's memory or hard disk drive. But "Concept"
and the other Word Macro viruses exploit a new and even more insidious
means of attack. They are the first computer viruses to spread themselves
through the use of electronic documents such as word-processing files or
spreadsheets.
To understand how these viruses work, you need to understand what a
"macro" actually is. A macro is a group of instructions (like keystrokes)
stored in memory so that you can automate complex or repetitive sequences
of commands. Many applications like the Microsoft Word word processor and
the Microsoft Excel spreadsheet program allow users to create their own
macros to make formatting documents or building spreadsheets simpler.
The Word Macro viruses exploit this software feature. They attach
themselves to text or spreadsheet files as if they were macros and use
the application's macro functions to both proliferate and do damage.
The most prevalent strain of Word Macro is called "Concept" and has
skyrocketed to the top of the list of computer viruses found "in the
wild." Word Macro viruses have already cost many organizations a lot of
time, money and resources. And they are spreading faster than other,
older forms of computer virus.
If you are a user of Microsoft Windows 3.1, Word for Windows 3.11,
Windows 95, MS Word for the Macintosh or Windows NT, there are three
precautions you can take to help guard against infection by a Word Macro
virus.
1. Make sure that the anti-virus software you use has been updated to
   look for the various strains of Word Macro.
2. You should scan all Microsoft Word documents with anti-virus software
   before you open them.
3. You should look for any strange macros attached to files. For
   example, you can use the "Organizer" to do so without opening the
   document. If you've already opened a document, you can select the
   "Macro" feature from the "Tools" menu to look at whatever macros are
   attached to it.
UNDER THE MICROSCOPE
Concept (Prank) Macro Virus
Documents infected with the Concept virus contain the following macros:
AAAZAO
AAAZFS
AutoOpen
PayLoad
The first time the virus macros run, a dialog box containing the single
digit "1" is displayed.
When an infected document is opened, the AAAZAO macro copies the virus
file to the global macro file for MS Word and then changes its name to
FileSaveAs. In this way, the virus ensures that whenever any MS Word
document is saved, the virus files are copied into it.
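The macro names listed above can serve as a quick triage check on a file before it is opened. The Python below is an added example, not part of the original article or of any anti-virus product; it assumes macro names are stored in the file as readable ASCII or UTF-16LE strings, and the sample byte strings in it are constructed.

```python
# Added example: heuristic triage by macro name, not a Word format parser.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file header

# Macro names the article lists for Concept-infected documents.
CONCEPT_MACROS = ("AAAZAO", "AAAZFS", "AutoOpen", "PayLoad")


def find_names(data, names=CONCEPT_MACROS):
    """Names present in data as ASCII or UTF-16LE text, ignoring case."""
    haystack = data.lower()  # bytes.lower() folds ASCII letters only
    found = set()
    for name in names:
        needle = name.lower()
        if needle.encode("ascii") in haystack or needle.encode("utf-16-le") in haystack:
            found.add(name)
    return found


def triage(data):
    """Classify raw file bytes; assumes macro names are stored readably."""
    found = find_names(data)
    if found == set(CONCEPT_MACROS):
        verdict = "concept-suspect"      # all four listed names present
    elif "AutoOpen" in found:
        verdict = "auto-macro-review"    # runs on open; FormatC is AutoOpen alone
    elif found:
        verdict = "partial-match-review"
    else:
        verdict = "no-indicator"
    return {"ole2": data.startswith(OLE2_MAGIC), "found": sorted(found), "verdict": verdict}


# Constructed samples (not real documents): header plus length-prefixed names.
SAMPLE_CONCEPT = OLE2_MAGIC + b"\x00" * 8 + b"\x06AAAZAO\x06AAAZFS\x08AUTOOPEN\x07PAYLOAD"
SAMPLE_WIDE = OLE2_MAGIC + "AAAZAO AAAZFS AutoOpen PayLoad".encode("utf-16-le")
SAMPLE_AUTO_ONLY = OLE2_MAGIC + b"\x08AutoOpen\x00"
SAMPLE_CLEAN = OLE2_MAGIC + b"Minutes of the budget meeting"

if __name__ == "__main__":
    for label, blob in [("concept", SAMPLE_CONCEPT), ("wide", SAMPLE_WIDE),
                        ("auto-only", SAMPLE_AUTO_ONLY), ("clean", SAMPLE_CLEAN)]:
        print(label, triage(blob))
```

A match is a reason to hold the file for a full anti-virus scan, not a diagnosis: a clean document that merely mentions these names in its text will match too.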
Nuclear Macro Virus
Nuclear is similar to Concept, except that it contains nine macros. It
spreads the same way as Concept. But if an infected document is printed
during the last five seconds of any minute, the following message will
appear at the top of the printed page:
"And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN
THE PACIFIC."
Nuclear may seem harmless, but it was intended as more than a delivery
system for an anti-nuclear protest. After April 5th, it attempts to
delete your system files and infect the computer with another virus
(Suriv binary virus). Luckily, due to a bug in Nuclear's programming, it
doesn't succeed.
FormatC Macro Virus
FormatC is considerably nastier than the viruses mentioned above. It
consists of only one macro, AutoOpen. Like the others, it infects the
global macro file when an infected document is opened. But if the virus
payload is activated, you'll experience something much worse than a
political rant or a clashing screen display--the virus will attempt to
format your system's hard disk drive (which will eradicate all data on
the drive). It is quite possible that your data can be recovered, but it
is crucial that the procedure be undertaken by a computer security
professional.
Wordmacro/Hot
Hot is also destructive. It spreads, like the others, by attaching macros
to documents and to the global macro file. But after approximately 14
days, when the infected document is opened, the virus deletes the
contents of the file and then automatically saves it, so you can't simply
recover by choosing not to save the changes. If you discover that you
have been infected with Hot, don't open any back-up copies until you are
sure that you have cleared out the virus. Otherwise, it will do the same
to them. You may also want to turn on the Make Backup feature in your MS
Word application as a precautionary measure.