Boot sector type viruses are the most prevalent of the reported PC viruses in 1993. Of these, the top two are Form and Stoned. Hence, CIAC urges users to have NO DISKETTES in the A drive during the boot up process. CIAC also encourages use of the capability some clone computers have to disable bootup from the A drive. Check the hardware manual to see if your computer has this capability and how to set it. Beware! Even if a diskette is not bootable, it can transfer a boot sector virus to the hard drive during the boot up process [unless bootup from the floppy drive(s) is disabled].
The Satan Bug Virus represents a new generation of polymorphic, self-encrypting viruses. This virus is described in CIAC Bulletin D-22. CIAC has reports of it at three sites in the U.S., one site within and two others outside of the DOE. The virus infects programs (.COM, .EXE, and .OVL files) and drivers (.SYS files) on MS-DOS/PC-DOS computers. When an infected program is executed, the virus runs first, loads itself into memory and then runs the infected program. The only thing you might notice is that an infected program seems to load a little slower than normal. The virus then watches the operating system for file open requests (Open or Execute) and infects each opened file, if it is not already infected. It keeps track of which files are infected by adding 100 years to the file's modification date. This isn't obvious when listing a directory by using the DIR command because only the last two digits of the year are displayed.
Because the virus also attacks drivers, and drivers are often located in limited sized holes in high memory, an infected driver will often no longer fit into its hole. When that happens, the system will fail. Since drivers control access to networked file servers, a machine with the Satan Bug Virus may be unable to connect to a file server. This is a primary symptom of a Satan Bug Virus infection.
Satan Bug is not widespread, is not intentionally damaging, but does result in a loss of time and a loss of access to facilities especially while it is being removed. At the moment, most current versions of anti-viral programs detect and remove the virus. Be careful when scanning disks for viruses. If your scanner is infected or if the virus is in memory and the scanner didn't detect it (or it did detect it and you told it to scan your disk anyway) the act of opening each file to scan for viruses may infect every file on your hard disk. If your scanner indicates that a virus is in memory, or that the scanner has been infected, DO NOT COMPLETE THE SCAN. Reboot your system from a clean, locked floppy disk, then run a clean version of the scanner on another locked floppy disk.
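The 100-year date marker described above is invisible in a DIR listing because only two digits of the year are printed, but it is plain in the raw directory entry. The following added example (not part of the CIAC note) decodes the packed DOS date word and flags entries whose year is far in the future; the directory entries are constructed samples.

```python
"""Detect the Satan Bug infection marker (file date pushed 100 years ahead).

Added example, not from the CIAC note. DOS stores a file's modification date
as a packed 16-bit word: bits 15-9 hold the year since 1980, bits 8-5 the
month, bits 4-0 the day. DIR prints only the last two digits of the year, so a
file stamped 2093 and one stamped 1993 both show "93"; decoding the raw word
exposes the marker. The directory entries below are constructed samples.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Tuple


@dataclass
class DirEntry:
    name: str
    dos_date: int  # packed 16-bit FAT date word


def encode_dos_date(year: int, month: int, day: int) -> int:
    """Pack a calendar date into the 16-bit FAT date format."""
    if not 1980 <= year <= 2107:
        raise ValueError("FAT dates cover 1980..2107 only")
    return ((year - 1980) << 9) | (month << 5) | day


def decode_dos_date(word: int) -> Tuple[int, int, int]:
    """Unpack a 16-bit FAT date word into (year, month, day)."""
    year = 1980 + ((word >> 9) & 0x7F)
    month = (word >> 5) & 0x0F
    day = word & 0x1F
    return year, month, day


def dir_listing_year(word: int) -> str:
    """The two-digit year DIR would print for this date word."""
    return f"{decode_dos_date(word)[0] % 100:02d}"


def looks_marked(entry: DirEntry, today: date, skew_years: int = 50) -> bool:
    """A modification year far in the future is the Satan Bug marker.

    The virus adds exactly 100 years; a 50-year threshold still tolerates
    clocks that are merely wrong by a few years.
    """
    year, _, _ = decode_dos_date(entry.dos_date)
    return year - today.year >= skew_years


def scan_directory(entries: List[DirEntry], today: date) -> List[str]:
    """Return the names of entries carrying the future-date marker."""
    return [e.name for e in entries if looks_marked(e, today)]


# Constructed sample directory: one clean file, one carrying the marker.
SAMPLE_TODAY = date(1993, 10, 1)
SAMPLE_ENTRIES = [
    DirEntry("COMMAND.COM", encode_dos_date(1993, 3, 10)),
    DirEntry("WP.EXE", encode_dos_date(1993 + 100, 3, 10)),
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f"{e.name:12} DIR shows year '{dir_listing_year(e.dos_date)}', "
              f"actual {decode_dos_date(e.dos_date)[0]}")
    print("marked:", scan_directory(SAMPLE_ENTRIES, SAMPLE_TODAY))
```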
For further information, contact William J. Orvis, CIAC at 510-422-8193, or send e-mail to ciac@llnl.gov.
Two new Macintosh viruses have recently been discovered, CODE-1 and MBDF-B. Neither appears intent on doing damage, but both can cause system failures due to poor programming. New versions of Macintosh anti-virus software now detect and eradicate these viruses.
CODE-1's only explicit action is to rename the hard disk to "Trent Saburo" if the system is restarted on October 31 of any year. On any other day, the virus simply spreads. The MBDF-B virus is a simple variant of the MBDF-A virus. It has some of the same symptoms: Claris applications indicate that they have been altered; BeHierarchic shareware ceases to work properly; and some programs crash if a menu bar item is selected with the mouse. The MBDF-B virus is so similar to MBDF-A that some antivirus packages actually report MBDF-B as the MBDF-A virus.
The Merry Xmas Virus, discovered at the end of 1992, infects Hypercard stacks on the Macintosh. The virus is written in Hypercard's scripting language and resides in the Stack script. Whenever a card is opened or closed, the virus checks to see if the current stack and the Home stack are infected. If either is not, the virus infects it. A symptom of the virus is many short disk accesses when you are not doing anything, as the virus continually tests the current stack for the infection. The virus is not intentionally damaging and does little more than copy itself from stack to stack. It can only infect the currently open stack and the Home stack. It does not infect stacks that are not open.
Some anti-virus utilities detect the virus in stacks that had the virus previously but have had it removed. They find remnants of the virus on a disk in unused portions of the disk file. These remnants cannot infect but are sufficient to set off some virus detection programs.
If you have a Hypercard Stack that has been reported as having the virus, you can check that stack by examining the Stack script. If at the end of the Stack script you find script comments of the form "-- merryxmas" at the ends of many of the lines, the stack is infected. Probably your Home stack is infected as well. To get rid of the virus, select the lines of virus code (about the last 54 lines of the script), delete them and save the script. Quickly switch to your Home stack's stack script and check it as well. Continue checking both the Home's and the stack's stack script until they both no longer have the virus, because as you are switching from one stack to the next, the virus may be reinfecting the stack you have just disinfected. Running Hypercard and the Home stack from a locked disk will prevent reinfection.
For further information, contact William J. Orvis, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
Version 2.04C of PKZIP, the popular file compression utility, is known to cause false positive detections of the Maltese Amoeba virus by several well-known anti-virus scanners. The current versions of anti-virus scanners have been updated to correct for this problem, and PKZIP has been updated to version 2.04D, which does not cause a positive detection with the old versions of the scanners. If you have a detection of the Maltese Amoeba in PKUNZIP.EXE, and it came from the version 2.04C package (PKZ204C.EXE), and you are using an old version of an anti-virus scanner, then you probably don't have a virus infection. However, you should still treat it as a virus infection until you can scan the program with a newer version of your virus scanner.
To obtain further information, contact William J. Orvis, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
The discovery of a new Macintosh virus was announced March 3rd, 1994. This virus, the INIT-9403 virus, is a malicious virus which will erase disk information on all connected hard drives, as well as erase the boot volume after a preset number of files have been infected.
The virus initially infects by altering the Finder file, then may insert copies of itself in various compaction, compression, and archive programs (programs most likely to be shared with other Macintoshes). This virus has only been seen on Italian systems so far. If you detect this virus on a non-Italian system, please contact CIAC immediately.
New releases of anti-virus software for the Macintosh have been released to detect and eradicate this virus. At least one vendor has decided to call the INIT-9403 virus the "SysX" virus, although they will list INIT-9403 as an alias. There is no common naming scheme for new Mac viruses. The majority of anti-virus vendors and researchers have decided to use the name INIT-9403 as the primary name in an attempt to reduce user confusion. Other vendors may therefore list "SysX" as an alias.
An unexpected system conflict sometimes results in Disinfectant 3.4 giving "unexpected error -192" messages when running on Macs with enabler versions 003 (the LC III) and 040 (the Centris/Quadra 610, 650, and 800), and with the 32 bit system enabler. You can safely ignore this error message as it does not signify a real problem.
Disinfectant 3.4 and the Disinfectant INIT can both be safely used on all Macintosh systems to protect against all known Macintosh viruses. John Norstad, the author of Disinfectant, released version 3.4.1. It is announced and available in all the usual places where Disinfectant is available: ftp.acns.nwu.edu, sumex-aim.stanford.edu, rascal.ics.utexas.edu, AppleLink, America Online, CompuServe, Genie, Calvacom, MacNet, Delphi, comp.binaries.mac. CIAC would like to thank Gene Spafford of Purdue University for releasing the information about this virus.
To obtain further information, contact Karyn Pichnarczyk, CIAC, 510-422-8193 or send E-mail to ciac@llnl.gov.
In the early part of December, CIAC started to receive information requests about a supposed "virus" which could be contracted via America OnLine, simply by reading a message. The following is the message that CIAC received:
Here is some important information. Beware of a file called Goodtimes.
Happy Chanukah everyone, and be careful out there. There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.
THIS IS A HOAX. Upon investigation, CIAC has determined that this message originated from both a user of America Online and a student at a university at approximately the same time, and it was meant to be a hoax.
CIAC has also seen other variations of this hoax, the main one being that any electronic mail message with the subject line of "xxx-1" will infect your computer.
This rumor has been spreading very widely. This spread is due mainly to the fact that many people have seen a message with "Good Times" in the header. They delete the message without reading it, thus believing that they have saved themselves from being attacked. These first-hand reports give a false sense of credibility to the alert message.
There has been one confirmation of a person who received a message with "xxx-1" in the header, but an empty message body. Then, (in a panic, because he had heard the alert), he checked his PC for viruses (the first time he checked his machine in months) and found a pre-existing virus on his machine. He incorrectly came to the conclusion that the E-mail message gave him the virus (this particular virus could NOT POSSIBLY have spread via an E-mail message). This person then spread his alert.
As of this date, there are no known viruses which can infect merely through reading a mail message. For a virus to spread some program must be executed. Reading a mail message does not execute the mail message. Yes, Trojans have been found as executable attachments to mail messages, the most notorious being the IBM VM Christmas Card Trojan of 1987, also the TERM MODULE Worm (reference CIAC Bulletin B-7) and the GAME2 MODULE Worm (CIAC Bulletin B-12). But this is not the case for this particular "virus" alert.
If you encounter this message being distributed on any mailing lists, simply ignore it or send a follow-up message stating that this is a false rumor.
Karyn Pichnarczyk
CIAC Team
ciac@llnl.gov
CIAC recently sent out a Notes 94-04 telling its clients that the "good times" virus message circulating around the Internet was a bogus virus alert. Having malicious code (malware) buried in the body of an E-mail message that would "infect" your computer is not a very likely possibility because characters in an E-mail message are displayed, not executed.
CIAC still affirms that reading E-mail, using typical mail agents, will not activate malware delivered in or with the message. However, the amount of E-mail CIAC received in response to issue 4 was extraordinary. To summarize what we received: lots of thank you's for exposing the "good times" and "xxx-1" viruses as urban legends (hoaxes); no E-mail viruses have been captured (and brought to us for examination); the FCC warning concerning "good times" was retracted; the warning message and its denunciation are seen to behave like viruses (memetic lifeforms) with a human serving as the replicating mechanism (just like chain letters); many people believe "in theory" that malware can be delivered and activated by some mail agents that have automated services. The best example of such malware was mail delivered to a PC that has embedded, seemingly invisible escape sequences which affect screen display or program the keyboard to do some nastiness when some key is "accidentally" pressed. This case is described more fully below.
CIAC did not claim that E-mail could not be a delivery agent for malware. A real threat comes from attached files which could contain viruses or Trojan programs. You should scan any executable attachment before executing it in the same way that you scan all new software before using it. It is possible to create a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed, and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not affected by ANSI.SYS, though a DOS program running in Windows would be.
PowerMAC and Macintosh users who also use PC emulator programs such as SoftPC or SoftWindows need to remember that they need to have both DOS and Mac virus checkers. Currently CIAC knows of no single product that scans both the Mac and DOS sides of a Macintosh. The hard disk drive for a PC emulator running on a Macintosh is a Macintosh file. While a Macintosh anti-virus scanner can read the file, it only recognizes Macintosh viruses, and won't recognize any PC viruses contained in the file. To scan the file for PC viruses, you must run the PC emulator program and then run a DOS anti-virus product within the emulator to scan for PC viruses. Neither SoftPC (which can run on a 68K Macintosh) nor SoftWindows uses a disk partition for the PC side; both use a Mac file.
This edition of CIAC NOTES describes the recent rebirth of "Good Times", and reiterates CIAC's previous position that "Good Times" is a hoax. Please send your comments and feedback to ciac@llnl.gov.
There is a rebirth of the "Good Times" urban legend. CIAC and other response teams, along with the Federal Communications Commission and America Online, have received numerous queries regarding the validity of the "Good Times" virus. The current "Good Times" message appears to be a repeat of the hoax perpetuated last December.
CIAC first released CIAC NOTES 94-04 in December 1994 which is titled "The 'Good Times' Virus is an Urban Legend." The original "Good Times" message that was posted and circulated contained the following:
Here is some important information. Beware of a file called Goodtimes.
Happy Chanukah everyone, and be careful out there. There is a virus on America Online being sent by E-Mail. If you get anything called "Good Times", DON'T read it or download it. It is a virus that will erase your hard drive. Forward this to all your friends. It may help them a lot.
Soon after the release of CIAC NOTES 04, another "Good Times" message was circulated. This is the same message that is being circulated during this recent "Good Times" rebirth. This message includes a claim that the Federal Communications Commission (FCC) released a warning about the danger of the "Good Times" virus. This "Good Times" hoax message contains the following:
The FCC released a warning last Wednesday concerning a matter of major importance to any regular user of the InterNet. Apparently, a new computer virus has been engineered by a user of America Online that is unparalleled in its destructive capability. Other, more well-known viruses such as Stoned, Airwolf, and Michaelangelo pale in comparison to the prospects of this newest creation by a warped mentality.
What makes this virus so terrifying, said the FCC, is the fact that no program needs to be exchanged for a new computer to be infected.
... { stuff deleted } ...
CIAC contacted the FCC to confirm that this reference was fabricated and that the "Good Times" is truly a hoax.
Many people believe "in theory" that malware can be delivered and activated by some mail agents that have automated services. An example of such malware is mail delivered to a PC that has embedded, seemingly invisible escape sequences which affect screen display or program the keyboard to do some nastiness when some key is "accidentally" pressed. The following is an excerpt from CIAC Notes 05, which included an update to the "Good Times" urban legend.
CIAC did not claim that E-mail could not be a delivery agent for malware. A real threat comes from attached files which could contain viruses or Trojan programs. You should scan any executable attachment before executing it in the same way that you scan all new software before using it. It is possible to create a file that remaps keys when displayed on a PC/MS-DOS machine with the ANSI.SYS driver loaded. However, this only works on PC/MS-DOS machines with the text displayed on the screen in text mode. It would not work in Windows or in most text editors or mailers. A key could be remapped to produce any command sequence when pressed, for example DEL or FORMAT. However, the command is not issued until the remapped key is pressed, and the command issued by the remapped key would be visible on the screen. You could protect yourself by removing ANSI.SYS from the CONFIG.SYS file, but many DOS programs use the functionality of ANSI.SYS to control screen functions and colors. Windows programs are not affected by ANSI.SYS, though a DOS program running in Windows would be.
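The ANSI.SYS key-remapping risk described in the Notes 05 paragraph and in the excerpt just above comes down to one detail of the escape-sequence format: the final byte of an ESC [ sequence selects what the driver does. This added example (not from the CIAC note) is a small mail-filter check that separates colour sequences from keyboard reassignments; the mail body is a constructed sample and the remapped string is a harmless placeholder.

```python
"""Flag ANSI.SYS keyboard-reassignment sequences hidden in a mail body.

Added example, not from the CIAC note. ANSI.SYS treats ESC [ ... <final byte>
as a control sequence and the final byte selects the function: 'm' only sets
colours, while 'p' is keyboard key reassignment, the mechanism the note
describes. A mail filter that knows the difference can flag or strip the
dangerous ones before the text reaches a DOS screen. The mail body below is a
constructed sample; the remapped string is a harmless placeholder.
"""
import re
from typing import Dict, List, Tuple

# ESC '[' , parameters (numbers, quoted strings, separators), one final byte.
CSI = re.compile(r'\x1b\[((?:\d+|"[^"]*"|\'[^\']*\'|;)*)([@-~])')

KEY_REASSIGN_FINAL = "p"


def find_csi(text: str) -> List[Tuple[int, str, str]]:
    """Return (offset, parameters, final byte) for every control sequence."""
    return [(m.start(), m.group(1), m.group(2)) for m in CSI.finditer(text)]


def audit(text: str) -> List[Dict[str, object]]:
    """List every key-reassignment sequence found in the text."""
    return [
        {"offset": off, "params": params}
        for off, params, final in find_csi(text)
        if final == KEY_REASSIGN_FINAL
    ]


def strip_csi(text: str) -> str:
    """Neutralise a message by removing all control sequences."""
    return CSI.sub("", text)


# Constructed sample: two harmless colour sequences and one key reassignment
# that would bind key code 65 ('A') to the string "echo hi" plus Enter (13).
SAMPLE_MAIL = (
    "Subject: greetings\r\n\r\n"
    "Normal text with \x1b[1;31mred words\x1b[0m in it.\r\n"
    "Nothing to see here.\x1b[65;\"echo hi\";13p\r\n"
)

if __name__ == "__main__":
    for hit in audit(SAMPLE_MAIL):
        print(f"key reassignment at offset {hit['offset']}: {hit['params']!r}")
    print(repr(strip_csi(SAMPLE_MAIL)))
```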
A Trojaned version of the popular DOS file compression utility PKZIP is circulating on the networks and on dial-up BBS systems. The Trojaned files are PKZ300B.EXE and PKZ300B.ZIP. CIAC verified the following warning from PKWARE:
Some joker out there is distributing a file called PKZ300B.EXE and PKZ300B.ZIP. This is NOT a version of PKZIP and will try to erase your harddrive if you use it. The most recent version is 2.04G. Please tell all your friends and favorite BBS stops about this hack.
Thank You.
Patrick Weeks
Product Support
PKWARE, Inc.
PKZ300B.EXE appears to be a self-extracting archive, but actually attempts to format your hard drive. PKZ300B.ZIP is an archive, but the extracted executable also attempts to format your hard drive. While PKWARE indicated the Trojan is real, we have not talked to anyone who has actually touched it. We have no reports of it being seen anywhere in the DOE.
According to PKWARE, the only released versions of PKZIP are: 1.10, 1.93, 2.04c, 2.04e and 2.04g. All other versions currently circulating on BBS's are hacks or fakes. The current version of PKZIP and PKUNZIP is 2.04g.
The current version of PKZIP is available in the CIAC Archive, or directly from PKWARE.
From CIAC:
The following note circulated around the networks last month warning of a new and potentially deadly computer virus. However, after chasing down the sources of the note, CIAC has found that this is another hoax, similar to the Good Times Hoax.
Start of HOAX
** Important! VIRUS ALERT **
A message has just been received from DataTech Development in Westhills, Texas. It reads as follows:
"A very *Dangerous* virus has just been released, Primarily Affecting Unix users who have FTP'd files from a Major server in the last few days. This virus patches itself onto the source code of FTP, and automatically piggybacks on files FTP'd to another site or user where it again patches itself onto FTP. When an infected User runs ELM or PINE, the virus secretly sends one of several pre-written disgusting letters to the user's SysAdmin, addressed from the unlucky victim. The letters contain graphic appeals for sexual favors of a deviant nature, or explicitly describe Diane Sawyer bondage fantasies. As a result of this, many have had their access revoked, causing both users and sysadmins alike much grief, and creating an administrative backlog for the reinstatement of accounts. As yet, we have not been able to properly trace the distribution of the EBOLA Virus, so you are best advised to Disinfect any files recently FTP'd from a Unix based-server. Standby for Updates, |>ataTech |>evelopment."
End of HOAX
As of this date, we have not been able to locate a DataTech Development of Westhills, Texas, in fact, we have not even been able to locate a town of Westhills, Texas. Also, we have not been able to locate the person who uploaded this message to several newsgroups, or anyone who has actually seen it.
Pending any evidence to the contrary, we believe that this message is a hoax.
The initial warnings about the outrageous behavior of the Caibua virus (alias: Butthead, BUA-2263) made us suspect that it was another hoax, but this one is real.
The Caibua virus was originally distributed in the package BESTSSVR.ZIP which contained the program COOLSAVR.COM. This is supposed to be an interesting screen saver, and does contain some interesting graphics. While you are watching the graphics, it is infecting two of your .COM files with the Caibua virus.
The Caibua is a relatively unsophisticated virus, of a kind that doesn't normally spread very well in the wild. It is a non-resident infector of *.COM files in the current directory and on the PATH. Each time an infected program is executed, two .COM files are infected with the virus. Because of this slow multiplication factor, the virus does not spread very rapidly.
If the date is May 5, 1995 or after, and the time is between 3pm and 7pm, it displays a phallic symbol marching across the screen. The damage routines are executed after the virus has been run about 20 times. Damage consists of creating directories named "Caibua", "FUCK YOU", "EAT SHIT" and "BITE ME!", the erasing of the first file in the current directory on the default drive, and overwriting the system and boot areas of the C: drive, rendering it unreadable.
Most current anti-virus scanners do not detect the Caibua virus. A free virus scanner is available from the makers of InVircible, in: XCAIBUA.ZIP. XCAIBUA.ZIP is available on the CIAC archive, or directly from InVircible. Note that XCAIBUA does not detect the infection in the original file, COOLSAVR.COM.
From CIAC:
The July 1995 issue of Virus Bulletin contains a listing of the most commonly reported viruses. According to them, the Form, Parity_Boot, and AntiCMOS viruses make up 42% of all reported viruses. Here is a quick description of each, all of which have been seen in the DOE:
Form (18.3%) - A boot sector virus that randomly destroys files.
Parity_Boot (12.0%) - A memory resident boot virus that infects floppy disk boot records and hard disk partition tables.
AntiCMOS (11.4%) - A primitive floppy disk boot sector and hard disk partition sector infector. It is buggy and causes unintentional hangs as well as leaving its intended payload.
AntiEXE.A (8.6%) - This virus hides in the boot sector of a floppy disk. It is not known to be destructive, but it does have an ominous name. Some anti-virus programs refer to it as the Generic Boot virus.
Because of the high rate of virus rumors on the Internet, CIAC has avoided making official bulletins on them. But, many were concerned about rumors of a "BUPT" virus on AOL's installation diskettes. Here is the official response from AOL regarding this rumor:
========================Begin AOL Response======
AOL Statement regarding BUPT virus
Dear Member:
We have received several inquiries over the last couple of days regarding a rumored "BUPT virus" on new AOL registration diskettes that are being distributed.
We have never had an occurrence of a virus through the installation of AOL's registration diskettes. AOL uses a very careful and quality ensured process to duplicate its registration diskettes. While there has been quite a bit of rumor regarding this "BUPT virus", AOL has not been able to confirm a single incident of a member getting this virus when installing AOL software and registering as a member.
We recommend that our members safeguard their computers against any viruses that could potentially be received from using software applications. We suggest that you visit the Virus Center on AOL, keyword: Virus. This area is where you'll find information about the latest virus or trojan horse, along with updates to all the popular commercial, shareware, and freeware anti-virus tools.
Warm Regards,
America Online
=======================End AOL Response=====
The Die_Hard or DH2 virus has been seen at a DOE site, so users sharing PC software with other DOE sites should watch for it. The virus only infects executable files (.COM and .EXE) so data disks, that contain no executables, will not carry the infection.
*** Note that VirHunt 4.0E does not detect it! ***
As far as we know, the virus does not intentionally damage a machine, it only replicates itself by infecting other executable files. We have seen it lock up a machine while infecting COMMAND.COM. It is a memory resident virus that reduces the memory available by 9232 bytes. Die Hard infects all executed or opened .COM and .EXE files. Infected files grow by exactly 4000 bytes.
Because the DOE site licensed scanner (VirHunt) does not detect this virus and a new site license for a PC virus scanner is currently being negotiated, users will have to use other products to scan and remove this virus.
The shareware programs F-PROT v. 2.18e, ThunderByte Antivirus v. 635, and SCAN v. 224e detect and remove it, as should most other up-to-date commercial and shareware products. These three scanners are available at most shareware sites and on the CIAC Archive. The virus was discovered in 1994, so scanners older than a year will not detect it.
Another way to remove the virus is to use its own stealth capabilities against it. When an infected file is opened by another program, the memory resident virus removes the virus from the file as it is being read to make it appear uninfected, even though the file on disk is infected. To remove the virus, boot with a clean locked floppy, then run and quit an infected program to put the virus in memory. The virus is in memory, but can not infect any files on the locked boot floppy. The virus will infect any executable file on the hard drive if you try to run the file. Copy any infected .COM or .EXE files, changing the file name extensions to something non-executable, such as .COV or .EXV. The memory resident virus will remove the infection from the infected files as they are being copied, but will not infect the copies because they are not executable files. Reboot the computer with the clean, locked floppy to remove the virus from memory, delete the infected files, and then change the extensions on the copies back to their original names.
by William J. Orvis
Macro viruses, that's right, it's plural now. Currently at least two macro viruses in the wild infect Microsoft Word documents: the WinWord.Concept (Word Prank) and WordMacro.Nuclear viruses. Both of these viruses infect document files for Microsoft Word version 6 or later on any platform. The viruses don't overwrite a document, but attach a macro program to the document that is loaded and run when the document is loaded. These first two viruses are not particularly damaging, but could easily have been so.
Microsoft Word version 6 and later have a macro capability known as WordBasic (for more information, choose the Programming with Microsoft Word section in the Word Help Contents). WordBasic is essentially the Basic programming language with extensions to make it easy to access the contents of open documents. WordBasic was intended to be used to perform special editing and formatting tasks that were not part of Word's built-in command set. A publisher I know uses WordBasic to initialize a writer's document, insert standard headers and footers, and set the default formatting. Most Word users don't even know they have it, but it is available in all the current versions. If you are using a version of Word that does not have WordBasic, you are not at risk. To see if you have WordBasic, see if a Macro command exists on the Tools menu. If so, then you have WordBasic.
Like most macro capabilities, WordBasic has the capability of creating auto execute (AutoExec), auto open (AutoOpen), and auto close (AutoClose) macros, which are the mechanisms the viruses use to take control of a computer and install themselves. An auto execute macro is one that automatically runs every time you start Word. The auto open and auto close macros run whenever you open or close the document they are attached to. When you open an infected document, its auto open macro runs and installs an auto execute macro in your global macro file (normal.dot). Once that is done, the virus code is executed every time you start up Word. The virus code then writes copies of itself onto every document you save with Word.
WordBasic is an interpreted language, that is, the programs are written in text form, which are read and executed whenever the program is run. This facility makes the code and the virus independent of the platform they are running on. The virus does not have to be written in machine language, but runs on any machine with a WordBasic interpreter. Thus, the viruses run equally well on a Macintosh, or any machine running Windows or Windows NT.
WW6I=1 is the marker line the virus adds to WIN.INI to record that a system is infected.
Microsoft has made a disinfector available to detect and remove this virus from a system and from infected documents. The disinfector is a document named scan831.doc. It is available directly from Microsoft at:
You can detect the virus by listing the macros installed in Word, using the Tools Macros command. In the Macro dialog box that appears, make sure that the Macros Available In: box is set to: All Active Templates. If all the macros in the following list are listed in the Macro Name list, you probably have the virus. If only some are there, you probably don't.
AutoExec
AutoOpen
DropSuriv
FileExit
FilePrint
FilePrintDefault
FileSaveAs
InsertPayload
Payload
You can also detect the virus when printing a document during the last 5 seconds of any minute. If you do, the following text appears at the top of the printed page.
"And finally I would like to say:"
"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"
It is not known at this time if scan831.doc will protect or remove this virus.
To install some protection by hand, create an AutoExec macro in your normal.dot file. It does not have to do anything, it just has to be there. If the virus finds this macro already in the normal.dot file it does not infect a machine.
To clean documents and normal.dot by hand, you must delete all the macros in the above list from the document's and from normal.dot's macro list. Note again that all of the macros in the above list must be present for the virus to work. If only some are present, they likely came from some other source; for example, scan831.doc installs a Payload and an AutoClose macro in your normal.dot template, which you don't want to delete. To delete a macro from a file, open the file and select the Tools Macro command. On the Macro dialog box, click the Organizer button. On the Organizer dialog box, click the Macros tab and you will see two lists. One is usually set to the normal.dot file and the other is available. Click on a macro name and click Delete to remove it. To open another file to clean it, click Open File to select and open the file, then delete any macros.
In Word for Windows, holding Shift when starting the program or opening a file disables any auto-execute macros that would have been started by that action. To permanently disable auto-execute macros, add /mDisableAutoMacros to the winword startup line. Select the Word icon in the Program Manager, select File Properties, and in the Program Item Properties dialog box, add the flag /mDisableAutoMacros to the right of the text in the Command Line box, so it reads something like the following (note that the path to winword.exe may be different on your machine):
C:\MSOFFICE\WINWORD\WINWORD.EXE /MDISABLEAUTOMACROS
The next time you start Word, all auto-execute macros will be disabled, including those in the scan831.doc file. To use auto-execute macros again, you must remove the flag you just added.
By Bill Orvis
Here is the latest news on the Microsoft Word Macro Virus:
CIAC is located at Lawrence Livermore National Laboratory in Livermore, California, and is a part of its Computer Security Technology Center. Further information can be found at CIAC. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. See FIRST for more details.
Previous CIAC notices, anti-virus software, pgp public key, and other information are available from the CIAC Computer Security Archive: