Re: book

Tony Jones (LHL0047@UABDPO.DPO.UAB.EDU)
Tue, 29 Aug 1995 07:11:42 CDT

Message-ID: <"1618*/I=GA/S=Hoose/OU=ste0418/O=icl/PRMD=icl/ADMD=gold 400/C=GB/"@MHS>
Date: Tue, 29 Aug 1995 12:52:00 +0100
Reply-To: Future Culture <FUTUREC@UAFSYSB.UARK.EDU>
Sender: Future Culture <FUTUREC@UAFSYSB.UARK.EDU>
From: "Graeme Hoose \"Grazoid\"" <G.A.Hoose@STE0418.WINS.ICL.CO.UK>
Subject: *****WARNING WORD FOR WINDOWS V.6 VIRUS*******
To: Multiple recipients of list FUTUREC <FUTUREC@UAFSYSB.UARK.EDU>
In-Reply-To: <MAILQUEUE-101.950829095826.416@saxifraga.ifim.sintef.no>


Warning to all WP FSers. This memo is currently being
circulated in the company I work for - it warns of a rogue
macro, currently infecting several PCs in the network.
I hope it is useful to anyone who uses this behemoth of an app,
and will make all of us who still use Word 4 a lot happier!
Graz feelingsmugwithlotec


For: I.T. Managers
Date: 25th August 1995
Message From: John Elmore
Re: Security Alert

Microsoft Word 6 Malicious Macro Attack

This alert contains information regarding a malicious Word 6 Macro
and the mandatory action that must be taken by all Word 6 users in
the company.

A Microsoft Word 6 macro has been found to be circulating in the
company that attaches itself to Word 6 documents. The macro is
automatically run whenever an infected document is opened and the
host Word 6 environment is then infected. Any document
subsequently saved by an infected host will contain the macro and
pass on the infection if used on another system.

All users of Word 6 must check to see whether their system has
been infected and if so take the actions detailed below. All
users of Word 6 are advised to take the preventative actions
recommended later whether their system has been infected or not.

Any documents that may have been passed on to ICL customers from
infected systems must be identified and the customers contacted.

All instances of infected systems should be reported to the
I.T.Security unit at STE04 who can also provide any additional
assistance or advice required.

In many countries the writing or intentional distribution of this
type of program is a criminal offence punishable by a fine,
imprisonment or both.

J.A. Elmore

Microsoft Word 6 Malicious Macro

Names

This macro has been named as PRANK and also WW6MACRO, both of
which are misleading as the names of the macros that actually
cause the infection are neither of the above.

Description

When opening an infected document the AUTOOPEN macro is run which
first of all checks to see if the system has been previously
infected and if it hasn't then proceeds to copy four macros to the
open Word 6 template. When Word is closed down the master
template (NORMAL.DOT) is updated on the system with the four extra
macros. During the infection process a message box is displayed
that contains the number "1". The WINWORD.INI file is also updated
with an entry containing "WW6I".

Once infected, whenever the Word 6 "SAVE AS" command is used from
the file menu, one of the four extra macros is run instead of the
genuine FileSaveAs command. The substituted macro changes the
format of the document to a template, copies the four macros to
the document and sets one of the macros to become the AUTOOPEN
macro.

Identification and Detection

The presence of this particular macro can be detected in a number
of ways:

1) The most obvious manifestation of its presence is when an
infected document is first opened. As part of the infection
process it displays a message box with the value "1" in it
and an "OK" button.

2) If the system has been infected then the following macros
will be present in the Global template: AAAZA0, AAAZFS,
PayLoad, FileSaveAs. This can be checked in one of the
following ways:

i) With a document open go to the "Tools" menu and then
"Macros". A dialog box will then appear showing all of
the global macros. These can then be checked for the
names mentioned above.

ii) With no document open go to the "File" menu and then
"Macros". The same dialog box will then appear.

3) If the system has been infected then there will be an
entry in the WINWORD.INI file which contains the characters
"WW6I". This can be checked using MS-Notepad.

4) There is a document issued by Microsoft called "SCAN.DOC"
which when opened automatically runs a macro to check for the
presence of the macros and will automatically take action to
clean up the system. This tool is described later under
clean up actions.

5) S&S International, the developers of Dr Solomon's
Anti-Virus Toolkit, have issued an extra driver file which will
detect the presence of the macros if run in conjunction with
the /DOALLFILES switch in FINDVIRUS.
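As an added example (not the Microsoft SCAN.DOC tool or the S&S driver the alert refers to), a small Python triage scanner for the indicators listed above. It assumes the macro names survive as plain ASCII bytes inside an infected .DOC/.DOT file and that WINWORD.INI is an ordinary text file; the sample inputs at the bottom are constructed for the demonstration, not real infected files.

```python
import os
import re

# Macro names listed in the alert; the AAAZ pair is specific to this infection,
# while FileSaveAs and AutoOpen are also legitimate names a user might define.
MACRO_NAMES = ("AAAZFS", "AAAZA0", "PayLoad", "FileSaveAs", "AutoOpen")
INFECTION_SPECIFIC = {"AAAZFS", "AAAZA0"}
INI_MARKER = b"WW6I"  # entry the alert says the macro writes to WINWORD.INI


def find_macro_names(data: bytes) -> set:
    """Return the alert's macro names found as ASCII bytes (any case) in data."""
    return {n for n in MACRO_NAMES
            if re.search(re.escape(n.encode("ascii")), data, re.IGNORECASE)}


def is_suspect_document(data: bytes) -> bool:
    """Flag only on the AAAZ names, for the same reason SCAN.DOC renames rather
    than deletes: FileSaveAs/AutoOpen alone may be a genuine user macro."""
    return bool(find_macro_names(data) & INFECTION_SPECIFIC)


def ini_has_marker(data: bytes) -> bool:
    """True if WINWORD.INI contains the WW6I entry the alert describes."""
    return INI_MARKER in data


def scan_tree(root: str) -> dict:
    """Walk root and map each suspicious .DOC/.DOT or WINWORD.INI to its hits."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.lower().endswith((".doc", ".dot")) and is_suspect_document(data):
                hits[path] = sorted(find_macro_names(data))
            elif name.lower() == "winword.ini" and ini_has_marker(data):
                hits[path] = ["WW6I"]
    return hits


# Constructed samples (not real files): an OLE2 magic prefix, padding, then the
# macro-name strings embedded the way this scanner assumes they appear on disk.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
SAMPLE_INFECTED = OLE2_MAGIC + b"AAAZFS\x00AAAZA0\x00Payload\x00FileSaveAs\x00AutoOpen"
SAMPLE_CLEAN = OLE2_MAGIC + b"FileSaveAs\x00AutoOpen\x00MyMacro"
SAMPLE_INI = b"[Microsoft Word]\nWW6I=1\n"
```

Run `scan_tree` over a user's Word directory to list files to hand to the Cleanup macro; a string match is a triage signal, so confirm a hit via the Tools/Macros dialog before acting.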

User Action Required

All users of Word 6 must check their systems to see whether they
have been infected, using one or more of the methods detailed above.

If a system is found to be infected then the following actions
should be taken:

1) If possible, identify the source from which the original
infection came.

2) Identify who may have been sent infected documents from
the infected systems.

3) Contact any recipients of possibly infected documents to
alert them to the fact that they need to check their own
systems. Any documents sent to contacts outside of the
company need to be dealt with by the appropriate level of ICL
management.

4) Clean up the host system using one of the methods detailed
in the section "Clean up" below.

5) Clean up any infected documents using the method detailed
in the section "Clean up" below.

6) Report the infection, the extent and the actions taken to
the I.T.Security unit at STE04 (Email address I.T.Security @
ste0411).

NOTE: Under no circumstances should a copy of these macros be
retained.

All users should implement one or more of the preventative
measures detailed in the section "Preventative Measures".

Clean up

Cleaning up from these macros requires two distinct activities,
cleaning up the host system and then cleaning any infected
documents:

1) Host system

There are two methods of cleaning up a host system:

i) Microsoft have issued a document SCAN.DOC which will
look for the four macros AAAZFS, AAAZA0, FileSaveAs and
PayLoad. If it finds these macros then it renames the
first three by adding a "1" to the end of the name and
it leaves the Payload macro unchanged. It renames
rather than deletes the macros as it can't be sure that
there isn't a genuine macro with these names being used
by the user. It leaves the PayLoad macro in place as
this is one of the checks the infection mechanism uses
to decide whether to infect a system or not. If the
system is found to be clean as a result of the scan it
gives the option of creating a "PayLoad" macro as a
preventative action.

ii) The other method of cleaning up a system is to carry
out the above process by using the Word menu and
commands.

2) Infected documents

In order to clean up infected documents two objectives have
to be achieved. First, the removal of the macros AAAZFS,
AAAZA0, FileSaveAs, PayLoad and AutoOpen. Secondly, the
reformatting of the document from template format to document
format. Microsoft have issued a macro called "Cleanup"
contained in the document SCAN.DOC. This macro will check
and clean up documents re-formatting them as document files.

The likely volume and complexity make it impractical to
carry out this operation manually.

Preventative Measures

There are a number of preventative measures that can be taken.
Some of these measures will protect users from all malicious
macros of this type and some will only provide protection from
this specific one:

1) When opening a Word document hold down the "shift" key;
this will prevent any AutoOpen macro from running (All
types).

2) Set up a dummy macro called "PayLoad" in your global
template (Specific).

3) Write protect your NORMAL.DOT file (Specific). NOTE: This
will make creating new macros or changing templates difficult
and not very user friendly.

4) Set the option under the Tools/Option/Save tab for "Prompt
to save Normal.Dot" (Specific). NOTE: If a new macro were
written and released it might reset this option during the
infection stage.

Tools

A file containing the SCAN.DOC document, the Microsoft Application
note and the S&S FINDVIRUS extra driver has been placed on the ICL
information server and copies of this file can be obtained by
sending a mail item to "cwnservice" with the following in the
subject field "request:ext:ww6macro".

The file is an external file which should first be extracted and
then downloaded onto a PC into an empty directory. The downloaded
file should be called MACRO.EXE. The program MACRO should then be
executed from this directory and it will extract and expand the
files. Check the README file for details of what is in the files.

Further Assistance

Further assistance can be obtained from the I.T.Security unit at
STE04. They can be contacted by dialling 7973 from any ICL site
or externally +44 1438 786024.

Group IT Security, IPE
STE04
24.08.95
