Macro Virus Update

Anthony R. Brach (brach@oeb.harvard.edu)
Mon, 26 Jan 1998 06:21:13 -0500

fyi,

Anthony

>Return-Path: <wgabree>
>Date: Sat, 24 Jan 1998 23:43:38 -0500
>From: "Wayne S. Gabree" <wgabree@oeb.harvard.edu>
>To: everyone@oeb.harvard.edu
>Subject: [ciac@tholia.llnl.gov: CIAC Bulletin I-023: Macro Virus Update]
>Reply-to: help@oeb.harvard.edu
>X-Status:
>
>Everyone:
>
>Important info about the Word Macro viruses. Anyone using Microsoft
>Word 6.0 or greater, on any platform, needs to read and follow the
>recommendations from this bulletin.
>
>Queries to:
>help@oeb.harvard.edu
>
>-Wayne
>
>------- Start of forwarded message -------
>Return-Path: <owner-ciac-bulletin@tholia.llnl.gov>
>Date: Thu, 22 Jan 1998 10:40:57 -0800 (PST)
>From: CIAC Mail User <ciac@tholia.llnl.gov>
>To: ciac-bulletin@tholia.llnl.gov
>Subject: CIAC Bulletin I-023: Macro Virus Update
>Sender: owner-ciac-bulletin@tholia.llnl.gov
>Precedence: bulk
>
>[ For Public Release ]
>- -----BEGIN PGP SIGNED MESSAGE-----
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Macro Virus Update
> (WM.CAP, XM.Laroux, WM.Concept, WM.Wazzu, WM.NPAD)
>
>January 22, 1997 18:00 GMT Number I-023
>_____________________________________________________________________________
>
>PROBLEM: Macro viruses are a significant problem on the Internet with now
> well over 1000 different types and variants. This problem is
> caused by the ease with which a macro virus can be written
> and the speed with which infected documents can be spread.
>PLATFORM: Any platform that can run Microsoft Word 6.0 or later:
> Windows 3.1, WFW 3.11, Windows 95, Windows NT, and Macintosh.
>DAMAGE: Files can be modified or deleted and may not be recoverable.
>SOLUTION: Scan all Word 6 or later documents before opening them or obtain
> a scanning tool that performs a "scan on launch" function.
> Install the SCANPROT.DOT macro detector in Word 6.0 through 7.0
> or turn on macro virus detection in Word 7.0a and later.
>_____________________________________________________________________________
>
>VULNERABILITY The vulnerability of systems to this type of virus is high for
>ASSESSMENT: two reasons. First, documents are much more mobile than
> executable files. Second, because macro viruses are easy to
> write or modify, the growth rate of macro viruses is very high
> making it likely that you will encounter a new virus
> that your scanner will not detect.
>_____________________________________________________________________________
>
> CRITICAL Information Concerning Word Macro Viruses
>
>In September of 1995, we reported (CIAC Notes 95-12) on the creation of a new
>computer virus, the WinWord Macro Virus, which infects documents from
>Microsoft Word 6.0 or later. At the time, the only known macro viruses were
>Concept and DMV, both of which were not damaging. In February of 1996, we
>reported (CIAC Bulletin G-10) on the detection of five new macro viruses, of
>which two could actually do damage to a system, such as formatting a disk or
>deleting the contents of files. Since that time, macro viruses have become
>the most reported virus incident type around the world. According to the
>September 1997 issue of the "Virus Bulletin" (Virus Bulletin Ltd., England),
>macro viruses occupy the top five positions in a table of virus prevalence.
>The number of incidents of the top macro virus is more than five times that
>of the top program virus. This report parallels our observations within the
>DOE. There are currently over 1000 macro virus types and variants; the most
>prevalent are listed below in order of descending prevalence.
>
>o WM.CAP - The WM.CAP virus is currently the number one reported virus in
> the world with more than five times the number of incidents reported than
> the highest reported program virus (AntiCMOS). The WM.CAP family of viruses
> does not contain a destructive payload.
>o XM.Laroux - The XM.Laroux macro virus is the second highest reported
> virus. This is actually an Excel macro virus, which infects the macros in
> Excel spreadsheets instead of Word documents. The virus adds a macrosheet
> named Laroux to any infected Excel notebook. The virus infects only
> Windows versions of Excel 5 and 7. The virus does not have a destructive
> payload.
>o WM.Concept - The WM.Concept virus is the original demonstration of a macro
> virus that was distributed in the document describing it. While not
> damaging, it spreads easily.
>o WM.Wazzu - The Wazzu macro virus currently has at least 100 variants and
> has spread throughout the world. In the original Wazzu virus, when a
> document is opened the virus macro runs and with a probability of 0.2
> randomly moves 3 words in the document and then with a probability of 0.25
> inserts the text "Wazzu " at some random location in the text. The
> original Wazzu virus consists of a single page of relatively simple code
> and was not encrypted. Because of this, everyone who caught the virus had
> a working copy of the virus source code to play with which accounts for
> the large number of variants of this virus.
>o WM.NPAD - The NPAD macro virus also spreads rapidly. Most variants display
> text on the screen after some number of infections. They do no damage
> other than spread.
>
>
>How Macro Viruses Work
>======================
>
>Macro viruses use the built-in Word.Basic macro language available in
>Microsoft Word 6.0 and later. A variant of this language existed in Word 2.0
>for Windows, but these macro viruses only run on the version of Word.Basic in
>Word 6.0 and later. Macintosh versions of Word earlier than 6.0 do not have a
>macro language though converters are available to allow Word 5 to read Word 6
>files. Any Word 6 files converted to Word 5 will have all their macros
>removed during the conversion process and cannot be infected with a virus.
>
>A virus needs two things to infect a system: it needs to get on the system
>and it needs to get executed. Macro viruses get on a system by being
>attached to template files in Word versions 6 and 7 or any document in Word
>version 8. Template files can contain text just like a normal document, but
>they can also hold macros. To get executed on your system, macro viruses take
>advantage of the fact that if a macro is named AutoOpen or AutoClose the
>macro is run automatically when a document is opened or closed. They also
>take advantage of the fact that if a macro has a name like FileOpen or
>FileSaveAs the macro replaces the menu command with the same name and runs
>when the menu command is selected. These two methods allow a macro to be run
>without the user explicitly running the macro or even realizing that he has
>done so.
>
>When a macro virus has gotten onto a system and is run, the first thing it
>does is to see if it is in the normal.dot template file or in a document. If
>the virus is running on the normal.dot template, it looks for a document to
>infect. When it has infected a document, it saves that document as a Word
>template file but changes the file name to end in .DOC instead of .DOT, to
>make the file appear to be a document instead of a template. If it is running
>on a document, it copies itself onto the normal.dot template.
>
>When the virus is finished infecting a document file, it runs its payload
>procedure which can do nothing or can do something nasty such as format your
>hard drive. Word.Basic is a full programming language and a Word.Basic macro
>can do anything any other program can do including read or write files, send
>e-mail, change system settings, and so forth. What it does depends on the
>whim or malicious intent of the virus writer.
>
>Virus Scanners
>==============
>
>Most commercial and shareware scanners can detect macro viruses but not all
>of them can repair a damaged document. Also, some scanners repair an infected
>document by flipping the bit that identifies the document as a template and
>not actually removing the macro. While the virus is deactivated in those
>documents, other virus scanners may still identify them as infected.
>
>A feature of most new scanners is a scan-on-launch capability that scans a
>document when you double click it. This capability is important for detecting
>macro viruses because most users will not run a scanner every time they
>download a new document. Also, because documents enter a system in so many
>different ways today (e-mail, floppy, CD, download, network disk), even users
>that scan often may miss an infected file. By scanning every document as it
>is launched you ensure that the document is checked at least once.
>
>Another useful feature of new scanners is the "Safe Folder." Whenever a file
>is placed in the designated "Safe Folder" that file is automatically scanned.
>By designating the "Safe Folder" as the download folder and directing all
>downloads to that folder no matter what the source, you ensure that all new
>files are scanned.
>
>A major problem with the current scanners is their inability to reliably
>detect new viruses. While some scanners are trying to heuristically detect
>new viruses, they are not wholly successful yet. This problem is especially
>acute for macro viruses, because of the large number of new macro viruses
>appearing every day. To manage all these new macro viruses, most antivirus
>companies who previously had quarterly updates now have monthly updates of
>their scanners. A few companies are even offering daily updates.
>
>Using Microsoft's Macro Detector (mvtool) SCANPROT.DOT
>======================================================
>
>An anti-virus scanner is not sufficient to protect a system from new macro
>viruses. To handle all the new macro viruses, you need to use a macro
>detector in addition to a virus scanner. A macro detector detects the
>presence of macros in a Word document as you open it. In general, macros
>belong in templates, not documents. In fact, macros can only be in templates
>in Word 6 and 7 (Word 95), though they can exist in documents in Word 8 (Word
>97). Detecting the presence of a macro in what you believe to be a document
>is a good indication that something is wrong with your document.
>
>To that end, Microsoft has made two options available for Microsoft Word. For
>Word versions 6.0 through 7.0, you can load Microsoft's macro detecting
>macro, SCANPROT.DOT (mvtool). This macro program checks each document as you
>open it using the File, Open command and warns you if the document contains a
>macro. At that point, you can continue opening the document, open it without
>macros or cancel opening the document. Any document the scanner detects as
>containing a macro should be immediately suspect.
>
>*****WARNING: You must use the File, Open command to open new documents in
>order for the scanner to work. It does not work if you open a document by
>double clicking or by selecting the document from the list of previously
>opened documents. *****
>
>The second option is available in Word version 7.0a (Word 95a) and later.
>Essentially, Microsoft built the capabilities of SCANPROT.DOT into Word so
>you do not need to install the SCANPROT.DOT macro.
>
>When either SCANPROT or the Macro Virus Protection detects a macro, it
>displays a dialog box giving you the option of opening the document anyway,
>opening it without macros, or canceling the open. One thing to remember about
>SCANPROT and Macro Virus Protection, they do not detect viruses; they only
>detect macros. Many templates in use today have macros attached that are not
>viruses but are extensions to the Word program. If SCANPROT detects a macro
>on a document, you must decide if it is a virus or if it is a legitimate
>macro.
>
>The SCANPROT program and instructions for installing it are available from
>the Microsoft web site at:
>http://www.microsoft.com/word/freestuff/mvtool/mvtool2.htm
>
>Testing for Macro Protection
>============================
>
>To see if your version of Word has the built-in scanner, choose the Tools,
>Options command, General tab, and see if there is an "Enable Macro Virus
>Protection" or "Macro Virus Protection" check box. If one is present, make
>sure it is checked. To see if you have the SCANPROT.DOT macro installed,
>choose the Tools, Macro command and select Normal.dot in the list at the
>bottom of the dialog box. If you have SCANPROT.DOT installed, you will see
>the AutoExit, FileOpen, InstVer, and ShellOpen macros listed in the Macros
>dialog box. Click on any of these macros and the Description box at the
>bottom of the dialog box identifies it as part of the ScanProt package.
>
>Protecting NORMAL.DOT in Word 8 (Word 97)
>=========================================
>
>Word version 8 (Word 97) has the ability to protect the NORMAL.DOT global
>template file. As most macro viruses infect this file, protecting it from
>changes defeats those viruses. To protect NORMAL.DOT,
>
> 1. Start Word 8.
> 2. Choose the Tools, Macro, Visual Basic Editor command.
> 3. In the Project Explorer window, right click on the Normal item and
> choose Normal Properties from the drop down menu.
> 4. In the Normal-Project Properties dialog box that appears, choose the
> Protection tab.
> 5. Check the "Lock project for viewing" check box and type and confirm a
> password.
> 6. Click OK and close the Visual Basic Editor.
>
>Your NORMAL.DOT template is now password protected. In order to make changes
>to the NORMAL.DOT template, such as adding or changing styles, you will have
>to type the password.
>
>More detailed instructions are available on the Microsoft Web site at:
>http://www.microsoft.com/word/freestuff/mvtool/virusinfo.htm
>
>Checking For A Macro Without Opening A Document
>================================================
>
>To see what macros are in a document without opening the document and risking
>infection, open the document in the Organizer window. To do this:
> 1. Start Word.
> 2. Choose the File, Templates or Tools, Macros or the Tools, Templates and
> Add-Ins command depending on the version of Word you have.
> 3. Click the Organizer button.
>
>A dialog box like that shown below appears.
>
>================================= Organizer =================================
>| ________________ _________________ __________________ _________________ |
>| | Styles | AutoText | Toolbars | Macros | |
>| |-----------------------------------------------------------------------| |
>| | To CONCEPT.DOC. In Normal: | |
>| | __________________________ _________ _____________________________ | |
>| | |AAAZA0 | (<< Copy ) |_AutoExit__________________| | |
>| | |AAAZFS | _________ |FileOpen | | |
>| | |AutoOpen | ( Delete ) |InsertVer | | |
>| | |Payload | _________ | | | |
>| | | | ( Rename ) | | | |
>| | | | | | | |
>| | |_________________________| |___________________________| | |
>| | Macros Available In: Macros Available In: | |
>| | ___________________________ _____________________________ | |
>| | |Concept.doc (Template) ^| |Normal (Global Template) ^| | |
>| | |_________________________| |___________________________| | |
>| | ____________ ____________ | |
>| | ( Close File ) ( Close File ) | |
>| | | |
>| | Description ------------------------------------------ _______ | |
>| | |ScanProt macro to protect and disinfect your Normal | ( Close ) | |
>| | |(Global) template. | _______ | |
>| | | | ( Help ) | |
>| | |____________________________________________________| | |
>| |_______________________________________________________________________| |
>|___________________________________________________________________________|
>
> 4. Choose either of the two list boxes
> 5. Click the Close File button below the chosen list box if the button is
> showing. The button changes to an Open File button.
> 6. Use one of the following two methods to open the suspect document.
> The method you use depends on the type of file the system thinks you
> are examining. Normally, documents have a .DOC extension and templates
> have a .DOT extension.
>
> a. To open a document, click the Styles tab and click the
> Open File button.
> b. To open a template, click the Macros tab and click the
> Open File button.
>
> 7. Select the file you want to examine in the File Open dialog box that
> appears and click Open.
> 8. Click the Macros tab and the list of macros attached to the file appears
> in the window above the button you pressed to open the file.
>
>In the figure above, the right window displays the contents of the normal
>template and the left one displays the contents of the Concept.doc document.
>The Normal template contains the macros installed by the SCANPROT.DOT macro
>detector. The macros listed for Concept.doc are (in case you didn't guess)
>those for the Concept macro virus. At this point, you could select and delete
>each of the macros in Concept.doc and then close and save it by clicking the
>Close File button. This renders the document safe to open normally and use.
>Note that opening a file in this manner does not expose your system to
>infection with a macro virus because macros do not run when files are opened
>in the organizer.
>
>When you have finished examining or cleaning the files, click the Close
>button to close the dialog box.
>
>Most macro viruses can be detected by viewing an infected document in this
>way. CIAC has seen only one macro virus that hides the macros in such a way
>that they cannot be seen in the Organizer dialog box. Luckily, this method of
>hiding the macros also renders them less likely to spread. Also, the hidden
>macros are still detected when a file is opened by the SCANPROT.DOT macro
>detector (Word 6 and 7) or by Macro Virus Protection (Word 7.0a and later).
>
>Suspicious Macro Names
>======================
>
>When you examine the macros in a document, you should watch for the Auto
>macros such as AutoOpen, AutoExec, and AutoClose. Macros of this type run
>automatically when the event indicated in the file name occurs. For example,
>most macro viruses have an AutoOpen macro that runs when the document
>containing the macro is opened. This does not mean that all Auto macros are
>malicious, just that they should be examined a little closer to see what they
>are for.
>
>Next, watch for macros with names like Payload or odd names like AAAZAO.
>These should all be considered suspicious. It is unlikely that a legitimate
>macro would use such a name.
>
>Finally, watch for macros with names like FileOpen or FileSaveAs. Macros with
>these names replace the menu command indicated by their name. For example,
>the FileOpen macro replaces the Open command on the File menu. Again, these
>may be legitimate macros but they should be examined to be sure you know
>where they came from.
>
>Testing Macro Detectors
>=======================
>
>To test a macro detector to see if it detects macros and to see when the
>different macros run, create a macro like the following in a Word document.
>To create a macro, choose the Tools, Macros command, type AutoOpen in the
>Macro Name box and click the Create button. Type the following text for the
>macro in the editor and save the document.
>
>- - --------------------------------
>Sub AutoOpen()
>'
>' AutoOpen Macro
>' Macro created
>'
>MsgBox "The AutoOpen macro ran."
>End Sub
>- - --------------------------------
>
>This macro runs automatically whenever a document is opened. Whenever the
>macro runs it displays the text "The AutoOpen macro ran." in a dialog box.
>You can test any of the auto macros using this macro. To do so, simply change
>the name of the macro from AutoOpen to one of the other auto macro names
>(AutoClose, AutoExec). You can also change the name to FileOpen and see how it
>replaces the File, Open command.
>
>______________________________________________________________________________
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac@llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
> World Wide Web: http://www.ciac.org/
> (or http://ciac.llnl.gov -- they're the same machine)
> Anonymous FTP: ftp.ciac.org
> (or ciac.llnl.gov -- they're the same machine)
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
>2. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
>3. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called Majordomo, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>ciac-bulletin, spi-announce OR spi-notes for list-name:
>
>E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
> subscribe list-name
> e.g., subscribe ciac-bulletin
>
>You will receive an acknowledgment email immediately with a confirmation
>that you will need to mail back to the addresses above, as per the
>instructions in the email. This is a partial protection to make sure
>you are really the one who asked to be signed up for the list in question.
>
>If you include the word 'help' in the body of an email to the above address,
>it will also send back an information file on how to subscribe/unsubscribe,
>get past issues of CIAC bulletins via email, etc.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins. If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained via WWW at http://www.first.org/.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>I-013: Count.cgi Buffer Overrun Vulnerability
>I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
>I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
>I-016: SCO /usr/bin/X11/scoterm Vulnerability
>I-017: statd Buffer Overrun Vulnerability
>I-018: FTP Bounce Vulnerability
>I-019: Tools Generating IP Denial-of-Service Attacks
>I-020: Cisco 7xx password buffer overflow - DOS
>I-021: "smurf" IP Denial-of-Service Attacks
>I-022: IBM AIX "routed" daemon Vulnerability
>
>
>
>- -----BEGIN PGP SIGNATURE-----
>Version: 4.0 Business Edition
>
>iQCVAwUBNMZombnzJzdsy3QZAQGNygQA55EYUGUqONTmB2UjC0gR/rZM7WcILOAV
>Kb+wrFNyJBSrOiqftQgQUvwQSZfsKSCgxTyOUW2hLV2rBV8wUceK4TpyEHc+c9Q4
>pnACkr3oZB229rMgr4zbmdPuqYC453M0llkebKSP5joX7DbrAohsRPgYqrpkkCjy
>fHZvvjzvRXY=
>=HsAf
>- -----END PGP SIGNATURE-----
>------- End of forwarded message -------
>
>
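Added example, not part of the CIAC bulletin or of either forwarding message: a small Python triage of the macro names the Organizer lists for a file, applying the bulletin's "Suspicious Macro Names" rules (auto macros, command-replacing names, Payload, random-looking names like AAAZAO). It assumes the names have already been read off the Organizer's Macros tab; the Concept and ScanProt name lists used as samples come from the bulletin, while AutoNew, FileSave, FileClose and ToolsMacro and the all-capitals pattern for "random-looking" are this example's own assumptions.

```python
import re

# Names Word runs on its own: the bulletin's Auto macros (AutoNew added as an
# assumption; it fires when a new document is created from an infected template).
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autoexit", "autonew"}
# Names that replace a built-in command; the bulletin cites FileOpen and FileSaveAs,
# the rest are other commands a macro can shadow the same way (assumption).
COMMAND_HOOKS = {"fileopen", "filesaveas", "filesave", "fileclose", "toolsmacro"}
# The bulletin's example of an obviously suspect name.
KNOWN_BAD = {"payload"}
# Heuristic for "odd names like AAAZAO": five or more characters, all capitals or
# digits, no lower case. Hand-written macros are usually CamelCase words.
RANDOM_LOOKING = re.compile(r"^[A-Z0-9]{5,}$")

LOW, MEDIUM, HIGH = 0, 1, 2


def classify(name):
    """Rate one macro name: (severity, reason)."""
    key = name.lower()
    if key in KNOWN_BAD:
        return HIGH, "name used by a known macro virus (Concept's Payload)"
    if key in AUTO_MACROS:
        return MEDIUM, "auto macro: runs without the user invoking it"
    if key in COMMAND_HOOKS:
        return MEDIUM, "shadows the built-in command of the same name"
    if RANDOM_LOOKING.match(name):
        return MEDIUM, "random-looking name; unlikely for a legitimate macro"
    return LOW, "no name-based indicator"


def triage(macro_names):
    """Rate every macro listed for a file."""
    return {name: classify(name) for name in macro_names}


def verdict(macro_names):
    """Roll the findings up. A virus needs a trigger (auto macro or command hook)
    plus its working parts, so trigger + random-looking or known-bad names is the
    pattern to act on; a trigger alone (ScanProt, a document-automation template)
    is something to look at, not something to delete."""
    if not macro_names:
        return "clean"
    ratings = triage(macro_names)
    if any(sev == HIGH for sev, _ in ratings.values()):
        return "likely-virus"
    keys = {n.lower() for n in macro_names}
    has_trigger = bool(keys & (AUTO_MACROS | COMMAND_HOOKS))
    has_random = any(RANDOM_LOOKING.match(n) for n in macro_names)
    if has_trigger and has_random:
        return "likely-virus"
    return "review"


if __name__ == "__main__":
    # Sample name lists: what the Organizer shows for Concept.doc and for a
    # Normal.dot carrying the ScanProt macros (both taken from the bulletin).
    for label, names in [("CONCEPT.DOC", ["AAAZAO", "AAAZFS", "AutoOpen", "Payload"]),
                         ("Normal.dot (ScanProt)", ["AutoExit", "FileOpen", "InstVer", "ShellOpen"]),
                         ("letter.doc", [])]:
        print(label, "->", verdict(names))
        for name, (sev, why) in triage(names).items():
            print("   %-10s %s %s" % (name, ("low", "medium", "high")[sev], why))
```

The rollup deliberately stops at "review" for a file whose only finding is an auto macro or a command hook: as the bulletin says, ScanProt itself installs AutoExit and FileOpen into Normal.dot, so a trigger name by itself is a reason to read the macro, not proof of infection.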
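A second added example, also not from the bulletin: a Python check of the "template bit" that the bulletin says some scanners flip to disinfect a document, and of the renamed-template trick the virus uses when it infects a file. It reads the FibBase header at the start of the WordDocument stream (layout per Microsoft's MS-DOC specification: wIdent, nFib, two unused bytes, lid, pnNext, then a 16-bit flag word whose bit 0, fDot, means "this file is a template"). It assumes the caller has already extracted the WordDocument stream from the OLE compound file (for instance with the olefile package); the sample header bytes are constructed inline and are not from any real file.

```python
import struct

# wIdent values from the MS-DOC FibBase: 0xA5DC = Word 6/95 (WordBasic macros),
# 0xA5EC = Word 97 and later (VBA macros).
WORD_IDENT = {0xA5DC: "Word 6/95", 0xA5EC: "Word 97+"}
FLAGS_OFFSET = 10      # the flag word follows wIdent, nFib, unused, lid, pnNext (2 bytes each)
FDOT = 0x0001          # bit 0: file is a template, whatever its extension says
FENCRYPTED = 0x0100    # bit 8: body is encrypted (a scanner cannot see the macros)


def parse_fib_base(stream):
    """Decode the first 12 bytes of a WordDocument stream.
    Raises ValueError if the stream is not a Word binary file."""
    if len(stream) < FLAGS_OFFSET + 2:
        raise ValueError("stream too short to hold a FibBase")
    w_ident, n_fib, _unused, lid, _pn_next, flags = struct.unpack_from("<6H", stream, 0)
    if w_ident not in WORD_IDENT:
        raise ValueError("wIdent 0x%04X is not a Word binary document" % w_ident)
    return {
        "family": WORD_IDENT[w_ident],
        "nFib": n_fib,
        "lid": lid,
        "is_template": bool(flags & FDOT),
        "is_encrypted": bool(flags & FENCRYPTED),
    }


def is_word_binary(stream):
    try:
        parse_fib_base(stream)
        return True
    except ValueError:
        return False


def looks_renamed_template(filename, stream):
    """The infection signature the bulletin describes: a file presented as a .DOC
    whose header says it is a template (the virus saved the document as a template
    and renamed it to end in .DOC)."""
    return filename.lower().endswith(".doc") and parse_fib_base(stream)["is_template"]


def clear_template_flag(stream):
    """The "bit flip" disinfection: return a copy with fDot cleared so Word 6/7 treats
    the file as a plain document and ignores its macros. The macros are still in the
    file, other scanners will still flag it, and since Word 8 allows macros in
    documents the flag means nothing there; this is containment, not cleaning."""
    out = bytearray(stream)
    (flags,) = struct.unpack_from("<H", out, FLAGS_OFFSET)
    struct.pack_into("<H", out, FLAGS_OFFSET, flags & ~FDOT & 0xFFFF)
    return bytes(out)


# Constructed sample (not a real file): a Word 6 FibBase with fDot set, i.e. what an
# infected "document" looks like after the virus saved it as a template. nFib 101 is
# the Word 6 value; lid 0x0409 is US English; the trailing zeros stand in for the
# rest of the FIB, which this check does not need.
SAMPLE_INFECTED_DOC = struct.pack("<6H", 0xA5DC, 101, 0, 0x0409, 0, FDOT) + bytes(20)

if __name__ == "__main__":
    info = parse_fib_base(SAMPLE_INFECTED_DOC)
    print("family=%s nFib=%d template=%s" % (info["family"], info["nFib"], info["is_template"]))
    print("CONCEPT.DOC is a renamed template:",
          looks_renamed_template("CONCEPT.DOC", SAMPLE_INFECTED_DOC))
    print("template flag after flip:",
          parse_fib_base(clear_template_flag(SAMPLE_INFECTED_DOC))["is_template"])
```

The is_encrypted flag is reported for the reason the bulletin gives in its scanner section: a scanner that only neutralizes the template bit, or one that cannot see inside an encrypted body, leaves the macros in place, so a file cleaned this way should still be treated as the bulletin treats Concept.doc in the Organizer, with the macros deleted by hand.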