Virus Trek: The Next Generation

By Eriq Neale, ACS General Access Lab Manager (neale@unt.edu)

OK, I'll be the first to admit complacency. I've let my guard down, I've been less than paranoid. Though I've not been burned yet, I had a definite slap in the face recently. It seems that one of our old friends has come back to haunt us again, this time in a completely different way.

Just when you thought it was safe to use your computer again, the old microcomputer virus rears its ugly heads. Yes, heads, because the latest threats are coming at us in a completely different way. Instead of the same boot sector or file infector viruses, these new evils reside in your Microsoft Word documents as a malignant macro. Dubbed the WordMacro viruses, they have sent our notions of virus protection out the window, even though the concept is something that was investigated several years ago.

What has happened so far?

The first of these ugly beasties is called the WordMacro.Concept virus. Essentially, it was a macro that would run when an infected document was opened and would rewrite several default system macros so that it would be written into other Word documents. (This is a very superficial description of this virus, but David Chess at IBM has posted a much more detailed (and very accurate) description of the operation of this virus on the Web. [http://www.research.ibm.com/xw-D953-wconc] If you would like to know more detail about the virus, please look there.) Fortunately, the virus did no damage as part of its actions; it merely replicated. But this replication proved what some had only theorized. As this was a fairly simple virus, it was easily located and easily dealt with. In fact, a fix for it can be found via ftp. [ftp://ftp.commandcom.com/pub/fix/wvfix.zip]

The second known instance of this strain, the WordMacro.Nuclear virus, was not as nice. Unlike the WordMacro.Concept virus, WordMacro.Nuclear added text regarding nuclear testing in France to the open document. The macro is also set as execute-only, so the macro commands cannot easily be viewed, making a fix like that for the WordMacro.Concept virus not easily available. But this virus also dropped a payload on the unsuspecting user: it created a small executable on the hard disk that contained a virus, and then executed that DOS executable, infecting the computer in another way. The question of why someone would even open an infected Word document comes to mind. The WordMacro.Nuclear virus was first distributed in a Word document describing the fix for the WordMacro.Concept virus. Clever, huh?

Probably the scariest aspect of this new thread of virus is that it is cross-platform and not necessarily application-specific. The Word macro language functions the same for both Word for Windows and Word for Macintosh. Other word processing programs on the market today are macro-compatible with Word, and would therefore inflict the same damage. In the case of the WordMacro.Nuclear virus, the creation and execution of the DOS virus program would have no effect on a Macintosh user, but other ugly things could happen.

What happens next?

The anti-virus community is still responding to the situation. Even though the WordMacro.Nuclear virus is set execute-only and not text-readable, it still has an identifiable binary signature. Some anti-virus products have published extra search strings to use with their scanners to detect this virus. And, for the most part, we should be able to expect that anti-virus vendors will be able to identify these viruses and incorporate search strings for them into the existing packages. Disinfection like we have come to know, however, will probably not be possible.
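How a scanner applies a published search string, as an added example that is not from the original article or from any anti-virus product: the patterns below are constructed placeholders, not real WordMacro signatures, and the function names are hypothetical. It matches raw bytes inside the document file, which is why a macro that cannot be read as text can still be found.

```python
import re

# Header of an OLE2 compound file, the container format of Word 6+ .doc files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Constructed placeholder patterns, NOT real signatures for any WordMacro virus.
# "??" matches any single byte, as in many scanners' user-defined search strings.
EXAMPLE_SIGNATURES = {
    "Example.MacroA": "A1 B2 ?? C4 D5",
    "Example.MacroB": "10 20 30 ?? ?? 60",
}

def compile_search_string(hex_pattern):
    """Compile a hex search string with ?? wildcards into a bytes regex."""
    parts = []
    for tok in hex_pattern.split():
        if tok == "??":
            parts.append(b".")
        elif re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            parts.append(re.escape(bytes.fromhex(tok)))
        else:
            raise ValueError(f"bad token in search string: {tok!r}")
    if not any(p != b"." for p in parts):
        raise ValueError("search string needs at least one fixed byte")
    # DOTALL so that a wildcard also matches the newline byte 0x0A.
    return re.compile(b"".join(parts), re.DOTALL)

def scan_document(data, signatures=EXAMPLE_SIGNATURES):
    """Return sorted (offset, name) hits; only OLE2 containers are scanned."""
    if not data.startswith(OLE2_MAGIC):
        return []
    hits = []
    for name, pattern in signatures.items():
        for m in compile_search_string(pattern).finditer(data):
            hits.append((m.start(), name))
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample: OLE2 header, padding, then bytes matching Example.MacroA.
    sample = OLE2_MAGIC + b"\x00" * 24 + bytes.fromhex("A1B27FC4D5") + b"\x00" * 8
    for offset, name in scan_document(sample):
        print(f"{name} at offset {offset:#x}")
```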

Though several suggestions on avoiding getting infected with these viruses have been made, the best one is still to open a suspect document with an application that does not execute Word macros. At UNT, the WordPerfect products will import Word documents and retain their formatting while ignoring the macro content of the documents. Other programs with Word file translators may work the same way.

You can practice the same protection techniques for WordMacro viruses as you do with other viruses with very similar results. One, do not open Word documents from questionable sources. Two, check the files before using them to see if they're infected. This is a little more difficult with the WordMacro viruses as there are not many ways to check them, but opening a Word document in another program, such as WordPerfect in this brief example, saving the document as a WordPerfect file, then opening that file in Word would eradicate the malignant macros from the file. Of course, it would also remove ALL macros from the document, so that may not be the best solution. And it doesn't help if your Word global macros are infected anyway.

What is down the road?

As I mentioned in the last issue of Benchmarks, I've created a Web page dealing with the virus issue. It is a collection of reliable information about viruses, though it is not comprehensive. I will be keeping the page up to date with the latest virus information, especially new WordMacro viruses that creep into the wild. You can access the page at http://lipsmac.acs.unt.edu/Virus/virinfo.html. The page also has pointers to the latest anti-virus tools for you to download.

The world of viruses is constantly changing. I'm reminded of the first Michelangelo scare back in 1991. There was such a media blitz surrounding that outbreak of that virus that it incurred limited damage. The public, however, sensing an overreaction to the virus, let down its guard the following year, and Michelangelo caught many people by surprise. These WordMacro viruses pose the same sort of threat. I sincerely hope the world at large takes this particular threat more seriously than it did the Michelangelo virus. Last I heard, Michelangelo still hits in March.

