Guest guest
Posted March 27, 1999

Here is some info about a new Word Macro Virus that is beginning to spread. Read the articles and click on the links to find out how to identify and inoculate yourself against these new Macro Viruses. Be especially careful of e-mails that start with "Important Message From...." It is always better to just delete a suspect message and have someone ask you later on if you received their e-mail (if the message was legit).

Email virus spreading rapidly
By Shankland
Staff Writer, CNET News.com
March 26, 1999, 5:20 p.m. PT

A new virus is actively spreading itself across the Internet, taking advantage of users' email address books to replicate "extremely quickly," according to one expert.

The virus, W97M_, uses a combination of Microsoft Word macros and Microsoft Outlook to send a list of 80 pornographic Web sites. It works with either Word 97 or Word 2000, according to antivirus companies TrendMicro, McAfee, and Network Associates.

The program is somewhat devious in that it sends itself from the email addresses of people who are likely to be familiar contacts, arriving as email with the subject line "Important message from..." followed by the sender's name. The body says "Here is that document you asked for ... don't show anyone else ;-)." The email includes an attached Word file "list.doc," which includes the porn sites' addresses.

The virus doesn't appear to cause any damage to infected computers except in rare cases when the minutes of the current time match the date--for example at 4:26 p.m. on March 26. In this instance, the virus will insert the Bart Simpson quotation, "Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here," into a user's active document.

Because the virus sends itself to potentially thousands of contacts contained in a user's address distribution list, however, there's a possibility that the virus could overwhelm mail servers.

"We've been swamped all day with customers calling in with this," said Dan Schrader, director of product marketing at TrendMicro. "It's spreading extremely quickly. Twenty major corporate sites have called us."

additional info:

W97M/ is a Word 97 Class Module Macro virus that can also be upconverted to a Word 2000 Macro Virus. It was first discovered by NAI's Dr 's VirusPatrol today on the alt.sex newsgroup. The virus has spread rapidly around the world, and has infected thousands

Symptom

The virus can infect a system by being received from another infected user via Outlook. This appears to be the most common method of infection. Users will not know they have been infected, nor will the sender know the document has been sent. A user may become alerted to the infected document if the Macro Security settings are enabled. This warning will be displayed to the user when the document is opened.

Pathology

When the infected document is opened, the virus checks for a setting in the registry to test if the system has already been infected. If the system hasn't been infected, the virus creates an entry in the registry:

HKEY_CURRENT_USER\Software\Microsoft\Office\"?" = "... by Kwyjibo"

(If this key exists the email process will not execute, the virus will still infect. AVERT advises that it not be removed.)

(As a preventive message you can create this registry key to prevent the virus from launching)

This virus also creates an Outlook object using Visual Basic instructions and reads the list of members from Outlook Global Address Book. An email message is created and sent to the first 50 recipients programmatically all the address books, one at a time.

The message is created with the subject "Important Message From – <User Name>". The message body of text reads "Here is that document you asked for ... don’t show anyone else ;-)". The active infected document is attached and the email is sent. The most prevalent document being seen is one called List.DOC, however this is NOT the only document that can be sent or received.

Once the system is infected all documents that are opened are infected. As any document can be sent, a user that receives the infected document, who hasn’t been infected, can become infected with this document, and the process will continue.

The virus does have a payload. If the day equals the minute value, and the infected document is opened, this text is inserted at the current cursor position:

"Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."

This virus checks for low security in Office2000 by checking the value from the registry; if the value HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\"Level" is not null, the virus will disable the "MACRO/SECURITY" menu option. Otherwise the Word97 menu option "TOOLS/MACRO" is disabled.

Comments inside the macro virus include:

'WORD/ written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!

Cure

For detection and cleaning, use the following combinations ONLY!

VirusScan 3 requires engine 3.2.2 + hourly .DAT
ftp://ftp.nai.com/pub/antivirus/engine/eng322sp.zip
http://www.avertlabs.com/public/datafiles/3xupdates.asp

VirusScan 4.0.x + EXTRA.DAT
http://www.avertlabs.com/public/datafiles/extra_drivers.asp

Toolkit 7 requires engine Special Edition 7.93 + extra.drv (below)
http://www.avertlabs.com/public/datafiles/7xupdates.asp
http://www.avertlabs.com/public/datafiles/extra_drivers.asp

--
Ira
MSN Shopping Community Manager
http://communities.msn.com/shopping/
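
The message indicators quoted in the advisory above (subject prefix, body text, attached Word document under any file name) can be checked at a mail gateway. The following is an added example, not part of the original post or of any vendor's product; the extension list, the verdict names and the sample-message helper are assumptions made for illustration.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory text quoted in the post above.
SUBJECT_RE = re.compile(r"^\s*important message from\b", re.I)
# "don.t" accepts both the straight and the typographic apostrophe.
BODY_RE = re.compile(r"here is that document you asked for.*don.t show anyone else", re.I)
WORD_EXT = (".doc", ".dot")  # assumption: Word document and template extensions


def indicators(raw: bytes) -> set:
    """Return which advisory indicators appear in one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    if SUBJECT_RE.search(str(msg.get("Subject", ""))):
        hits.add("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        if name.endswith(WORD_EXT):
            # Any Word attachment counts: List.DOC is not the only name in use.
            hits.add("word_attachment")
        elif part.get_content_type() == "text/plain":
            text = " ".join(part.get_content().split())  # undo line wrapping
            if BODY_RE.search(text):
                hits.add("body")
    return hits


def verdict(raw: bytes) -> str:
    """quarantine: lure text plus Word attachment; review: lure text only."""
    hits = indicators(raw)
    lure = hits & {"subject", "body"}
    if lure and "word_attachment" in hits:
        return "quarantine"
    return "review" if lure else "pass"


def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; addresses and attachment bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="msword", filename=attachment)
    return m.as_bytes()
```

A Word attachment on its own is not flagged, since ordinary business mail carries them constantly; the match depends on the lure text, which a variant could change.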