Autor: Michał Jaskólski (jj_at_gdansk.sprint.pl)
Data: Mon 31 Mar 1997 - 14:04:07 MET DST
New Office 97 Viruses
Received: March 28, 1997 06:23am EST From: PC Computing
>From PC Computing for May 1, 1997
Word 97 Virus Alert
Q: I've heard that there are now Word macro viruses that infect Office
97. Rumor?
A: Fact. A few of the old Word 6/95 viruses can infect Word 97 systems.
Word 97's macro language, VBA/Word, is quite different from WordBasic,
the macro language in older versions of Word. Word 97 includes an
automatic macro converter that translates WordBasic macros into
VBA/Word. This translator contains a rudimentary "brick wall" that keeps
most old WordBasic macro viruses from being converted into VBA/Word
macro viruses--so most old Word 6/95 viruses can't run on Word 97. The
brick wall intercepts nearly all strains of the common macro viruses,
including Concept and Wazzu. But there are some exceptions.
Of the Word 6/95 macro viruses reported "in the wild" by virus watcher
Joe Wells (www.virusbtn.com/WildLists), only a few obscure ones
successfully translate into Word 97.
You should be more concerned, however, about a new Word 97- specific
macro virus called W97M/Wazzu.A. The virus attacks only Word 97 and
infects only Word 97 files. W97M/Wazzu.A works much like the old,
widespread Word 6/95 Wazzu.A virus: In infected documents, the virus
randomly moves an arbitrarily chosen word from one place to another.
Independently, also at random intervals, the virus may insert the string
wazzu into the document.
How Word 97 Wazzu Got Started
Q: Where did this new virus come from?
A: It was created when an Office 97 beta tester, using an early version
of Word 97 that didn't yet have a fully functioning brick wall, opened a
Word 95 document infected with the old Wazzu.A virus. The Word 95
document was automatically translated into Word 97 format. And, since
the brick wall wasn't working, the Word 95 (WordBasic) version of the
Wazzu.A virus was automatically converted into a new, Word 97 (VBA/Word)
version of the macro virus.
Microsoft posted a W97M/Wazzu.A-infected document on its Web page in
early February. It was in a self-extracting compressed file called
REVCODES.EXE. That file, when run, produced a Word 97 document called
WORD97~1.DOC. The W97M/Wazzu.A virus was first identified inside the
WORD97~1.DOC. (The REVCODES.EXE file has since been cleaned and, in
fact, contains a highly useful document that helps WordPerfect converts
adapt to Word 97. For details, see "Resource Guide," page A34.)
Protect Yourself from Wazzu
Q: What can I do to protect my data?
A: First, search your hard drive, company LANs, and favorite Web sites
for the file REVCODES.EXE. If you find the file, run it and see if it
produces a single file called WORD97~1.DOC. If it does, delete
REVCODES.EXE and WORD97~1.DOC immediately. Report the incident to a LAN
and/or Web site administrator. It's also a good idea to file an incident
report with your antivirus software company to help them track the
spread of W97M/Wazzu.A.
Second, if you were part of the Office 97 beta test (tens of thousands
of "Beta 2" CDs were distributed around the world), throw away the old
beta CDs and delete the beta test version of Office 97 from any hard
disks. By doing so, you will reduce the possibility of accidentally
creating another renegade mutation. This step is vitally important. If
you know anyone who participated in the Office 97 beta test, please have
them destroy their beta CDs as well.
Third, install and use antivirus software that specifically recognizes
and destroys W97M/ Wazzu.A and other Word 97-specific macro viruses.
Traditional antivirus software companies may not be reacting to this new
threat as quickly as you might expect.
Among those antivirus software companies with a good handle on the
situation, McAfee pioneered detection of the W97M/Wazzu.A strain. The
company posted a test version of VirusScan on its site (www.mcafee.com)
that handled it within 24 hours of receiving notice of the virus's
existence. In addition, try Macro Button, a feature of the freeware
Padgett's Word Macro Antivirus 1.10 at
www.netmind.com/~padget/index.html.
Finally, realize that just because something's from Microsoft doesn't
guarantee that it's virus-free. In addition to having W97M/Wazzu.A on
its U.S. Web site, the company has also distributed several Word 6/95-
infected documents in the United States and Europe. When Word 97 asks if
you want to enable macros, consider the distinct possibility that
Microsoft is not necessarily a trusted source.
[...]
--- I co wy na to? Kup naszego wirusa (Win95) i weź udział w testach Office97 - drugiego wirusa dostaniesz zupełnie gratis ! Czy to, że wirus był umieszczony w dokumencie poświęconym przejściu z WordPerfecta na Worda 97 coś znaczy ? Wesołego Alleluja. Michał Jaskólski [ jj_at_gdansk.sprint.pl ] http://www.gdansk.sprint.pl/~jj/ [ homepage ] http://www.gdansk.sprint.pl/~jj/jw23/ [ JWww23 ] -- Nie rób nic na siłę; weź większy młotek --
To archiwum zostało wygenerowane przez hypermail 2.1.7 : Tue 18 May 2004 - 15:59:30 MET DST