The Latest Trumors

by Beverly Rosenbaum

News From the Virus World

Macro Viruses = Mega Problem

Here are some staggering new numbers for you to consider:

There currently are about 210 documented macro viruses, up from 42 in April 1996, according to a spokesman from Symantec, maker of Norton Anti-Virus. Of those 210 macro viruses, 205 have been documented for Word and five for Excel.

Technical support personnel at McAfee and Associates, maker of ViruScan, list three Word macro viruses in the top ten reported worldwide, while Symantec ranks the original Concept virus as number one.

And yet, the National Computer Security Association (www.ncsa.com), an organization in Carlisle, Pa., that tests and certifies anti-virus software, estimates that only 40 percent of PC owners have installed programs to detect a virus before it does any damage. Unfortunately, the NCSA also found that many of these people installed the software only after being victimized.

Even though the first macro virus, Concept, was considered a harmless prank, the latest viruses can have a payload. This means that, once a system is infected, the virus can do something destructive based on a certain date or "trigger" event.

Here are a few of the latest reports:

MDMA is a macro virus which has been reported close to home, not only by a HAL-PC member, but also by a Houston-based software company. MDMA is destructive and has the potential to delete files. This virus infects across many platforms: Windows, Windows 95, Macintosh and Windows NT. MDMA infects NORMAL.DOT and files using the AutoClose macro. Upon closing a document, it will be saved as a template with a copy of AutoClose.

MDMA activates on the first day of the month, if the virus is executed. The payloads for MDMA are as follows (organized according to operating system):

On Macintosh: Kill MacID$("****") (deletes all files)

On Windows 3.x: Kill "c:\shmk."; "deltree /y c:" is added to autoexec.bat

On Windows NT: Kill "*.*"; Kill "c:\shmk."

Otherwise (on Windows 95): all Control Panel applets and help files are deleted:

Kill "c:\shmk."; Kill "c:\windows\*.hlp"; Kill "c:\windows\system\*.cpl"

and the following text is displayed in a message box: "You are infected with MDMA_DMV. Brought to you by MDMA (Many Delinquent Modern Anarchists)."

In the more destructive variant MDMA.C, the trigger date is altered. If the infected system is running Windows 3.1x, Windows NT or Windows 95, the trigger day is from the 21st to the 31st of the month. However, if an infected system is running under the Macintosh environment, the trigger day is any date greater than the 4th of the month. The payloads are the same.

This Is No Fun

The FUNYOUR or APPDER virus will delete your TrueType font files, among others. It is an encrypting, stealth macro virus, reported in December 1996, that infects .DOC and .DOT files. It is language independent and is triggered after 20 files have been opened. Its payload kills the following files:

c:\DOC\*.exe
c:\DOC\*.com
c:\windows\*.exe
c:\windows\system\*.ttf
c:\windows\system\*.fot

It also creates three macros: APPDER, AutoClose and AutoOpen.

Upon infection, the Winword6.ini file will contain the following string:

NTTHNTA=xx

[where xx is the payload counter]

Had LUNCH Yet?

The Lunch macro virus (variants Lunch.A and Lunch.B) infects Microsoft Word documents by copying itself to the Global Template NORMAL.DOT or the active template. Both variants contain system and auto macros. Once infected with Lunch.A, the Global Template will contain the macros FileSave, NEWFS and NEWAO, and the infected document will contain the macros AutoOpen, NEWAO and NEWFS.

When an infected document is opened, the virus becomes active and copies itself to the Global Template and changes the name of one of its macros to FileSave. A clean document becomes infected when it is saved (File/Save).

The differences between "Lunch.A" and "Lunch.B" are:

1. "Lunch.B" checks for FileSave macro before infecting the Global Template.

2. "Lunch.B" does not check for the existence of either FileOpen or AutoExit macros.

Once an infected file is saved, at 12:01 p.m. the macro displays the following message: "!Whatya doin' here? Take a lunch break!" in a message box titled "Lunch Time!"
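The three sections above each give concrete indicators (macro names, a WINWORD6.INI line, trigger dates). The following is an added triage example, not code from this column or from any antivirus vendor: it matches a list of macro names against the indicator sets given for MDMA, FUNYOUR/APPDER and Lunch.A/B, reads the NTTHNTA payload counter from WINWORD6.INI text, and evaluates the MDMA trigger-date rules stated above. It assumes the macro names have already been extracted from the .DOC/.DOT file by some other tool; the sample INI text is constructed.

```python
"""Triage helpers for the Word macro virus indicators this column describes.

Added example, not code from the column or from any antivirus vendor. The
macro-name extraction from a .DOC/.DOT file is assumed to happen elsewhere;
only the resulting names are taken here.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Macro-name indicators transcribed from the column. WordBasic macro names are
# compared case-insensitively. The second element says whether the set is
# specific enough to call on its own: AutoClose alone is also used by harmless
# templates, so an MDMA match on that name is only a weak signal.
INDICATORS = {
    "MDMA": (frozenset({"AUTOCLOSE"}), False),
    "FUNYOUR/APPDER": (frozenset({"APPDER", "AUTOCLOSE", "AUTOOPEN"}), True),
    "Lunch (global template)": (frozenset({"FILESAVE", "NEWFS", "NEWAO"}), True),
    "Lunch (infected document)": (frozenset({"AUTOOPEN", "NEWAO", "NEWFS"}), True),
}


def match_macro_families(macro_names: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (family, 'strong'|'weak') for every indicator set fully present
    in the given macro names, in the order listed in INDICATORS."""
    names = {n.strip().upper() for n in macro_names}
    hits = []
    for family, (required, specific) in INDICATORS.items():
        if required <= names:
            hits.append((family, "strong" if specific else "weak"))
    return hits


# The column says an APPDER infection leaves "NTTHNTA=xx" in WINWORD6.INI,
# xx being the payload counter (the payload fires after 20 files are opened).
_NTTHNTA = re.compile(r"^\s*NTTHNTA\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def appder_counter(ini_text: str) -> Optional[int]:
    """Return the APPDER payload counter found in WINWORD6.INI text, or None
    if the indicator line is absent."""
    m = _NTTHNTA.search(ini_text)
    return int(m.group(1)) if m else None


def mdma_trigger_day(day: int, platform: str, variant: str = "A") -> bool:
    """True when the trigger condition the column states for MDMA (variant A)
    or MDMA.C is met on this day of the month. platform is 'windows' (covers
    Windows 3.1x, Windows 95 and Windows NT) or 'mac'."""
    if not 1 <= day <= 31:
        raise ValueError("day of month must be 1..31")
    platform = platform.lower()
    if platform not in ("windows", "mac"):
        raise ValueError("platform must be 'windows' or 'mac'")
    if variant.upper() == "C":
        # MDMA.C: 21st-31st on Windows, any day after the 4th on Macintosh
        return day >= 21 if platform == "windows" else day > 4
    return day == 1  # original MDMA: first day of the month


# Constructed sample input (not a file taken from a real infected system).
SAMPLE_INI = """[Microsoft Word]
USER-DOT-PATH=C:\\WINWORD\\TEMPLATE
NTTHNTA=7
"""

if __name__ == "__main__":
    print(match_macro_families(["AutoOpen", "NEWAO", "NEWFS"]))
    print(appder_counter(SAMPLE_INI))
    print(mdma_trigger_day(21, "windows", "C"))
```

The "weak" grade on MDMA matters in practice: many legitimate templates define AutoClose, so that name alone should prompt a look at the macro body rather than a verdict, whereas APPDER, NEWFS and NEWAO have no legitimate reason to appear.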

Electronic Chain Letter?

There is now a Word macro virus, "ShareFun", that makes use of Microsoft Mail to distribute itself further. It is loosely based on the Word macro virus Wazzu and spreads by infecting Word documents in Microsoft Word versions 6.x and 7.x on Windows and Macintosh platforms.

ShareFun was reported in February by Microsoft as well as antivirus software makers McAfee, Symantec, Dr. Solomon, Datafellows, and EliaShim. It had been discovered at one site in the US and there was *no* indication that this virus had been seen at any other sites, but it clearly has the potential to spread quickly.

With ShareFun, every time an infected file is opened there is a 25% chance the virus will trigger. If Microsoft Mail is running, the virus retrieves the names of three random people from the local address book, and tries to send them e-mail.

The subject of the e-mail is: "You have GOT to see this!"

The message itself contains no text, but there is a file attached (DOC1.DOC), a copy of the document the user had open when the virus activated, including the virus infection. If a recipient of the e-mail double-clicks on the attachment he will also be infected by the virus, and the virus will consequently try to spread further via his own MSMail. Thus, ShareFun can be considered to be a mix between a macro virus and an automatic chain letter, with which the user can unknowingly send his own confidential documents to random recipients!

ShareFun also has code to protect itself. If a user tries to analyze a sample of the virus via the Tools/Macro or File/Templates menus, the virus will activate and infect the NORMAL.DOT template; once that has occurred, any new document opened will be infected. So if you receive a message with the subject or banner "You have GOT to read this!", do not execute its attachment. Delete the entire message, and do not attempt to look at the macros: both Tools/Macro and File/Templates will activate the virus, which copies the macro FileSave to the Global Template file NORMAL.DOT.
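The advice above is aimed at the recipient, but the same traits (the fixed subject line, an empty body and a DOC1.DOC attachment) can be checked before the message reaches anyone. The following is an added example, not code from this column or from any vendor: it parses an RFC 822 message with Python's standard email module and reports which ShareFun traits it shows. Because the column quotes the subject two ways ("see this!" and "read this!"), both are accepted. The sample messages are constructed, with dummy attachment bytes.

```python
"""Mail-gateway check for the ShareFun mail traits this column describes.

Added example, not code from the column or from any vendor. Only the standard
library is used; the sample messages below are constructed, not captures.
"""
import email
from email import policy
from typing import Dict

# Subject lines as quoted in the column (compared case-insensitively).
SHAREFUN_SUBJECTS = {"you have got to see this!", "you have got to read this!"}
SHAREFUN_ATTACHMENT = "DOC1.DOC"


def sharefun_indicators(raw_message: str) -> Dict[str, object]:
    """Return which ShareFun traits a message shows and a verdict.
    'quarantine' needs the subject plus the DOC1.DOC attachment; a subject or
    attachment hit alone is only 'review', since a person could type the same
    words or name a file DOC1.DOC by hand."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject = str(msg["subject"] or "").strip().casefold()
    subject_hit = subject in SHAREFUN_SUBJECTS

    attachment_hit = False
    body_empty = True
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            if filename.upper() == SHAREFUN_ATTACHMENT:
                attachment_hit = True
        elif part.get_content_type() == "text/plain":
            # The column says the ShareFun message carries no text at all.
            if part.get_content().strip():
                body_empty = False

    if subject_hit and attachment_hit:
        verdict = "quarantine"
    elif subject_hit or attachment_hit:
        verdict = "review"
    else:
        verdict = "pass"
    return {
        "subject_match": subject_hit,
        "attachment_match": attachment_hit,
        "body_empty": body_empty,
        "verdict": verdict,
    }


# Constructed sample: the shape the column describes (subject, empty text
# part, DOC1.DOC attached). The base64 payload is four dummy bytes.
SAMPLE_MESSAGE = """\
From: alice@example.test
To: bob@example.test
Subject: You have GOT to see this!
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

--BOUNDARY
Content-Type: application/msword; name="DOC1.DOC"
Content-Disposition: attachment; filename="DOC1.DOC"
Content-Transfer-Encoding: base64

AAAA
--BOUNDARY--
"""

# Constructed benign message for comparison.
BENIGN_MESSAGE = """\
From: alice@example.test
To: bob@example.test
Subject: Lunch on Friday?

See you at noon.
"""

if __name__ == "__main__":
    print(sharefun_indicators(SAMPLE_MESSAGE))
    print(sharefun_indicators(BENIGN_MESSAGE))
```

Requiring two traits before quarantining keeps the rule from eating ordinary mail whose author happens to use the same phrase, while still catching the virus's own output, whose subject and attachment name never vary.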

Virus Hoaxes

Because there are many viruses discovered every day, it is important to know which ones are hoaxes. Following is a list of viruses that DO NOT EXIST, despite any rumors.

You should ignore any messages regarding these hoaxes and should not forward such messages to anybody. Passing on messages about non-existent viruses only helps to further propagate them and cause alarm. These are the known hoaxes to date: Irina, Deeyenda, Free Money, Good Times, Ghost, and Penpal.

Regardless of which antivirus software you choose, your protection is only as good as your most recent update. The producers of these software programs offer frequent and free updated virus signature files, as soon as new strains are found. You owe it to yourself to preserve your data by keeping your antivirus software current.

Beverly Rosenbaum is a HAL-PC member.
