Re: *****WARNING WORD FOR WINDOWS V.6 VIRUS*******

fran sendbuehler (katiemur@ATLAS.ODYSSEE.NET)
Tue, 29 Aug 1995 15:50:56 -0500

Further information from TidBITS is provided below... Mac users need only
be concerned if you're using Word 6.0! The virus isn't restricted to IBM
platforms.

Speaking of "*****WARNING WORD FOR WINDOWS V.6 VIRUS*******", Graeme Hoose
"Grazoid" hath scrawled:

|> Clean up
|>
|> 1) Host system
|>
|> There are two methods of cleaning up a host system:
|>
|> i) Microsoft have issued a document SCAN.DOC which will
|> look for the four macros AAAZFS, AAAZA0, FileSaveAs and
|> PayLoad. If it finds these macros then it renames the
|> first three by adding a "1" to the end of the name and
|> it leaves the Payload macro unchanged. It renames
|> rather than deletes the macros as it can't be sure that
|> there isn't a genuine macro with these names being used
|> by the user. It leaves the PayLoad macro in place as
|> this is one of the checks the infection mechanism uses
|> to decide whether to infect a system or not. If the
|> system is found to be clean as a result of the scan it
|> gives the option of creating a "PayLoad" macro as a
|> preventative action.
|>

from TidBITS#292/28-Aug-95:

|> Cross-Platform Virus Strikes Word Users
|> ---------------------------------------
|> by Mark Anbinder, News Editor <mha@tidbits.com>
|>
|> Though the possibility of a cross-platform virus moving as
|> interpreted commands in data documents has been considered by
|> computer experts, none had been seen in the user community until
|> this month's discovery that a new virus was spreading within
|> document macros interpreted by Microsoft's WordBasic macro
|> language. The virus, dubbed "Word-Macro-9508" by the Macintosh
|> antivirus community, can spread on any computer system using a
|> version of Microsoft Word 6.0.
|>
|> So far the virus has been seen mostly on DOS, Windows, and OS/2
|> computers running Word 6, in various locations in North America
|> and Europe. It has been referred to as "WinWord.Concept", "WW6",
|> and "WW6Macro" in the Windows community, though it is by no means
|> restricted to the Windows version of Word 6. Microsoft's name for
|> the virus is "Prank Macro". The code can be spread merely by
|> opening an infected Word document - even one that has been
|> transferred from a different operating system - since Word's
|> macros are stored as data and are automatically recognized by any
|> current version of the application.
|>
|> The virus adds several new macros to Word's global macro pool,
|> named "AAAZA0", "AAAZFS", "Payload", and "FileSaveAs". This last
|> activates the virus in an infected file when the user chooses Save
|> As from the File menu. The altered macros are then saved with the
|> file. If the virus has infected your Word documents, you may see
|> an alert window with the digit "1" in it when the virus is
|> triggered, or you may notice that infected Word files are saved as
|> templates rather than normal documents.
|>
|> IBM has gathered a fair amount of information on the virus and how
|> to combat it, and published it at:
|>
|> http://www.research.ibm.com/xw-D953-wconc/
|>
|> Microsoft has released tools to combat the virus, obtainable on
|> the Internet. As of this writing, Microsoft's fix renames the
|> virus rather than removing it, and there have been reports that a
|> supplied file system scan function may not find all infected files
|> on a Macintosh.
|>
|> http://www.microsoft.com/kb/softlib/mslfiles/mw1222.hqx
|> ftp://ftp.microsoft.com/softlib/mslfiles/mw1222.hqx
|>
|> [Note that Microsoft still isn't posting BinHex files correctly
|> and this file must be downloaded in binary mode. Try using
|> Netscape, which downloads most everything in binary, or Fetch,
|> which has a Binary button that forces a binary download.
|> Otherwise, configure your FTP client to treat the file suffix
|> ".hqx" as a binary file, and be sure to change the setting back
|> when you're done. -Geoff]
|>
|> Datawatch Corporation has released an update (version 5.6.1) of
|> its commercial Virex utility for Macintosh, available on
|> commercial online services and at:
|>
|> ftp://gateway.datawatch.com/pub/
|>
|> No updates are currently planned for the other Macintosh antiviral
|> utilities; most do not attempt to address viruses that don't take
|> a machine-code form.
|>
|> Since Mac versions of Microsoft Word prior to 6.0 don't
|> incorporate WordBasic, and since even on newer versions these
|> macros are easily spotted and removed, users need not panic about
|> this virus.
|>
|> Information from:
|> Gene Spafford
|> IBM
|>