Virus Update -
Comments from a Guru

This valuable collection of comments, gleaned from various sources, was passed on
by Vesselin Vladimirov Bontchev, who works for F-PROT in Iceland.

>Winword-Nuclear
> ...infective macros into your Word environment. It also runs a macro
> called PayLoad, which wipes out your DOS system files (IO.SYS,
> MSDOS.SYS and COMMAND.COM) on the fifth of April.

Paul is mistaken here. Almost all payloads of the virus fail due to bugs. The only payload that works is the one which appends text to the documents that are being printed. Of the others:

1) The attempt to drop Ph33r fails due to a syntax error - an unclosed IF statement, which means this payload is never executed. Even if this error is corrected, the payload will still fail, but for other reasons. It drops the virus by SHELLing to DEBUG and passing it a debug script that decodes the virus into a file, then executing this file. However, when this task terminates (it is a DOS task), the memory is released, including the memory-resident virus.

2) The attempt to trash the system files fails too, because WordBasic can't reset the attributes of a file which has the System attribute set.

> Also, next time you start up Word, the virus looks at the clock. If
> it is between 17h00 and 17h59 (or, as a comment in the virus
> suggests, "5PM - approx time before work is finished"), the virus
> attempts to inject a DOS file virus named "Ph33r" into your system.

Right, it only attempts to. The attempt always fails - for the reasons mentioned above.

> There's absolutely no reason to believe it hasn't been spread to
> other files by now. There is at least one unconfirmed report that
> there is a web page with a hyperlink to an infected file. Click on
> the link and your browser will dutifully download the document and
> launch Word for you so you can read it.

Consider it confirmed. The link was http://www.io.org/~ronl - and then something like "Source codes galore" or "Source of the week" or something like that. I purposely set up my browser to launch WinWord to read the file and confirmed that you can get infected this way. After a whole month of flame wars with the sysadmin of that site, he finally forced the user (Ron Low) to remove the direct link to the infected file - but then that idiot put there the source of the virus in plain ASCII!

> You might wish to use one of Word's auto-execute macros to your
> advantage. Under Tools/Macro, create a macro called AutoExec that
> looks like this:
>
> Sub MAIN
> DisableAutoMacros
> MsgBox "AutoMacros off!", "Safety First!", 64
> End Sub

Ain't gonna help you. :-) Consider a virus which does not contain any auto macros, but which is contained in a macro called FileSave or FileClose, or FileExit, or something like that. As soon as you close the infected document, it will infect you; even if you have the auto macros disabled. Worse, there already is a virus like that.

Some more info:

1) In the Web page describing Concept, you say that Microsoft never distributed an infected document. You are wrong - they did, and even admitted it. It was an infected document on an infected CD-ROM - fortunately with a very low circulation; only about 200 copies were sent before they figured out that there's a virus on it.

2) There are at least two more WinWord viruses - DMV and Colors. The latter was posted on October 14 on alt.comp.virus. It is a really sophisticated sucker; it even intercepts ToolsMacro, so that if you attempt to view the macros in the template, you can't, and will activate the virus. Take a look at http://www.datafellows.com/macrovir.html or something like that - all four viruses are described there. There are a couple of macro Trojan horses as well, but they are not interesting.
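As an added illustration of the point made above about command-intercepting macros (this is example code, not from the page or its author), the following WordBasic macro shows why a DisableAutoMacros-based AutoExec gives no protection: a macro stored in a template under the name of a built-in command (here FileSave) is run by Word in place of that command, auto macros or not. The message text and the final call back to the built-in command are assumptions chosen for the demonstration; the macro does nothing beyond showing that it ran and then saving the file normally.

```basic
' Store this macro in NORMAL.DOT (or any attached template) under the
' name FileSave. Word then runs it instead of the built-in File > Save
' command. Assumed demo content; not taken from the page.
Sub MAIN
    ' Disabling auto macros does not matter here: this macro is invoked
    ' by the FileSave command, not by AutoOpen/AutoClose/AutoExec etc.
    DisableAutoMacros
    MsgBox "FileSave was intercepted by a template macro.", "Demo", 48
    ' Hand the work back to Word's built-in FileSave so the document is
    ' still saved and the user notices nothing unusual.
    FileSave
End Sub
```

The same trick works for FileClose, FileExit and ToolsMacro, which is why the page's author notes that a virus hooking ToolsMacro can prevent you from even viewing the template's macros. The practical check is therefore not "are auto macros disabled?" but "does the template carry macros named after built-in commands?", which you can only answer from a clean copy of Word or an external scanner, not from the possibly-hooked Tools > Macro dialog.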
