[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [New Search]
VIRUS UPDATE The power of the Word can be destructive There is a new strain of viruses sweeping cyber- space. It's called the Word Macro. This strain of viruses is very different from earlier ones. Other viruses have traveled most commonly via diskette from system to system. They usually attack a system's memory or hard disk drive. But "Concept" and the other Word Macro viruses exploit a new and even more insidious means of attack. They are the first computer viruses to spread themselves through the use of electronic documents such as word-processing files or spreadsheets. To understand how these viruses work, you need to understand what a "macro" actually is. A macro is a group of instructions (like keystrokes) stored in memory so that you can automate complex or repetitive sequences of commands. Many applications like the Microsoft Word word processor and the Microsoft Excel spreadsheet program allow users to create their own macros to make formatting documents or building spreadsheets simpler. The Word Macro viruses exploit this software feature. They attach themselves to text or spreadsheet files as if they were macros and use the application's macro functions to both proliferate and do damage. The most prevalent strain of Word Macro is called "Concept" and has skyrocketed to the top of the list of computer viruses found "in the wild." They have already cost many organizations a lot of time, money and resources. And they are spreading faster than other, older forms of computer virus. If you are a user of Microsoft Windows 3.1, Word for Windows 3.11, Windows 95, MS Word for the Macintosh or Windows NT, there are three precautions you can take to help guard against infection by a Word Macro virus. Make sure that the anti-virus software you use has been updated to look for the various strains of Word Macro. You should scan all Microsoft Word documents with anti-virus software before you open them. You should look for any strange macros attached to files. For example, you can use the "Organizer" to do so without opening the document. If you've already opened a document, you can select the "Macro" feature from the "Tools" menu to look at whatever macros are attached to it. UNDER THE MICROSCOPE Concept (Prank) Macro Virus Documents infected with the Concept virus contain the following macros: AAAZAO AAAZFS AutoOpen PayLoad The first time the virus macros run, a dialog box containing the single digit "1" is displayed. When an infected document is opened, the AAAZAO macro copies the virus file to the global marco file for MS Word and then changes its name to FileSaveAs. In this way, the virus ensures that whenever any MS Word document is saved, the virus files are copied into it. Nuclear Macro Virus Nuclear is similar to Concept, except that it contains nine macros. It spreads the same way as Concept. But if an infected document is printed during the last five seconds of any minute, the following message will appear at the top of the printed page: "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC." Nuclear may seem harmless, but it was intended as more than a delivery system for an anti-nuclear protest. After April 5th, it attempts to delete your system files and infect the computer with another virus (Suriv binary virus). Luckily, due to a bug in Nuclear's programming, it doesn't succeed. FormatC Macro Virus FormatC is considerably nastier than the viruses mentioned above. It consists of only one macro, AutoOpen. Like the others, it infects the global macro file when an infected document is opened. But if the virus payload is activated, you'll experience something much worse than a political rant or a clashing screen display--the virus will attempt to format your system's hard disk drive (which will eradicate all data on the drive). It is quite possible that your data can be recovered, but it is crucial that the procedure be undertaken by a computer security professional. Wordmacro/Hot Hot is also destructive. It spreads, like the others, by attaching macros to documents and to the global macro file. But after approximately 14 days, when the infected document is opened, the virus deletes the contents of the file and then automatically saves it, so you can't simply recover by choosing not to save the changes. If you discover that you have been infected with Hot, don't open any back-up copies until you are sure that you have cleared out the virus. Otherwise, it will do the same to them. You may also want to turn on the Make Backup feature in your MS Word application as a precautionary measure.