From ciac@tholia.llnl.gov Fri Jan 23 19:09:07 1998
From: CIAC Mail User
To: ciac-bulletin@tholia.llnl.gov
Date: Thu, 22 Jan 1998 10:40:57 -0800 (PST)
Subject: CIAC Bulletin I-023: Macro Virus Update

[ For Public Release ]

-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                              Macro Virus Update
              (WM.CAP, XM.Laroux, WM.Concept, WM.Wazzu, WM.NPAD)

January 22, 1998 18:00 GMT                                        Number I-023
_____________________________________________________________________________
PROBLEM:       Macro viruses are a significant problem on the Internet, with
               well over 1000 different types and variants now known. The
               problem is caused by the ease with which a macro virus can be
               written and the speed with which infected documents spread.

PLATFORM:      Any platform that can run Microsoft Word 6.0 or later:
               Windows 3.1, WFW 3.11, Windows 95, Windows NT, and Macintosh.

DAMAGE:        Files can be modified or deleted and may not be recoverable.

SOLUTION:      Scan all Word 6 or later documents before opening them, or
               obtain a scanning tool that performs a "scan on launch"
               function. Install the SCANPROT.DOT macro detector in Word 6.0
               through 7.0, or turn on macro virus detection in Word 7.0a and
               later.
_____________________________________________________________________________
VULNERABILITY  The vulnerability of systems to this type of virus is high for
ASSESSMENT:    two reasons. First, documents are much more mobile than
               executable files. Second, because macro viruses are easy to
               write or modify, the growth rate of macro viruses is very
               high, making it likely that you will encounter a new virus
               that your scanner does not detect.
_____________________________________________________________________________

CRITICAL Information Concerning Word Macro Viruses

In September of 1995, we reported (CIAC Notes 95-12) on the creation of a new
computer virus, the WinWord Macro Virus, which infects documents from
Microsoft Word 6.0 or later. At the time, the only known macro viruses were
Concept and DMV, neither of which was damaging. In February of 1996, we
reported (CIAC Bulletin G-10) on the detection of five new macro viruses, two
of which could actually do damage to a system, such as formatting a disk or
deleting the contents of files.

Since that time, macro viruses have become the most reported virus incident
type around the world. According to the September 1997 issue of the "Virus
Bulletin" (Virus Bulletin Ltd., England), macro viruses occupy the top five
positions in a table of virus prevalence. The number of incidents of the top
macro virus is more than five times that of the top program virus. This
report parallels our observations within the DOE.

There are currently over 1000 macro virus types and variants; the most
prevalent are listed below in order of descending prevalence.

o WM.CAP - The WM.CAP virus is currently the number one reported virus in
  the world, with more than five times the number of incidents reported for
  the highest reported program virus (AntiCMOS). The WM.CAP family of
  viruses does not contain a destructive payload.

o XM.Laroux - The XM.Laroux macro virus is the second highest reported
  virus. It is actually an Excel macro virus: it infects the macros in Excel
  spreadsheets instead of Word documents, adding a macro sheet named Laroux
  to any infected Excel workbook. The virus infects only Windows versions of
  Excel 5 and 7. The virus does not have a destructive payload.

o WM.Concept - The WM.Concept virus is the original demonstration of a macro
  virus; it was distributed in the document describing it. While not
  damaging, it spreads easily.
o WM.Wazzu - The Wazzu macro virus currently has at least 100 variants and
  has spread throughout the world. In the original Wazzu virus, when a
  document is opened the virus macro runs and, with a probability of 0.2,
  randomly moves 3 words in the document, then, with a probability of 0.25,
  inserts the text "Wazzu " at some random location in the text. The
  original Wazzu virus consists of a single page of relatively simple code
  and was not encrypted. Because of this, everyone who caught the virus had
  a working copy of the virus source code to play with, which accounts for
  the large number of variants of this virus.

o WM.NPAD - The NPAD macro virus also spreads rapidly. Most variants display
  text on the screen after some number of infections. They do no damage
  other than spread.

How Macro Viruses Work
======================

Macro viruses use the built-in WordBasic macro language available in
Microsoft Word 6.0 and later. A variant of this language existed in Word 2.0
for Windows, but these macro viruses only run on the version of WordBasic in
Word 6.0 and later. Macintosh versions of Word earlier than 6.0 do not have a
macro language, though converters are available to allow Word 5 to read Word
6 files. Any Word 6 file converted to Word 5 has all of its macros removed
during the conversion and cannot be infected with a virus.

A virus needs two things to infect a system: it needs to get onto the system
and it needs to be executed. Macro viruses get onto a system by being
attached to template files in Word versions 6 and 7, or to any document in
Word version 8. Template files can contain text just like a normal document,
but they can also hold macros. To get executed on your system, macro viruses
take advantage of the fact that a macro named AutoOpen or AutoClose is run
automatically when a document is opened or closed.
They also take advantage of the fact that a macro with a name like FileOpen
or FileSaveAs replaces the menu command of the same name and runs when that
menu command is selected. These two methods allow a macro to be run without
the user explicitly running the macro, or even realizing that he has done
so.

When a macro virus has gotten onto a system and is run, the first thing it
does is check whether it is in the NORMAL.DOT template file or in a
document. If the virus is running from the NORMAL.DOT template, it looks for
a document to infect. When it has infected a document, it saves that
document as a Word template file but changes the file name to end in .DOC
instead of .DOT, to make the file appear to be a document instead of a
template. If it is running from a document, it copies itself into the
NORMAL.DOT template. When the virus is finished infecting a file, it runs
its payload procedure, which can do nothing or can do something nasty such
as format your hard drive. WordBasic is a full programming language, and a
WordBasic macro can do anything any other program can do, including read or
write files, send e-mail, change system settings, and so forth. What it does
depends on the whim or malicious intent of the virus writer.

Virus Scanners
==============

Most commercial and shareware scanners can detect macro viruses, but not all
of them can repair a damaged document. Also, some scanners repair an
infected document by flipping the bit that identifies the document as a
template rather than actually removing the macros. While the virus is
deactivated in those documents, other virus scanners may still identify them
as infected.

A feature of most new scanners is a scan-on-launch capability that scans a
document when you double click it. This capability is important for
detecting macro viruses because most users will not run a scanner every time
they download a new document.
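The template bit that those scanners flip is a documented field of the Word
binary format, so the check a scan-on-launch hook makes can be shown in a few
lines. The following Python is an added example; it is not part of this
bulletin and not Microsoft or SCANPROT code. It reads the 32-byte FIB base at
the start of a Word file's WordDocument stream (offsets as in Microsoft's
published [MS-DOC] layout) and reports the fDot flag, which is what makes Word
treat a file as a template and, in Word 6 and 7, what a file must be to carry
macros. A .DOC file with that flag set is exactly the infection pattern
described above. The sample header is constructed inline; the olefile module
used for real files, the function names and the finding texts are this
example's own assumptions. Note that in Word 8 (Word 97) macros live in a VBA
project that a plain document can hold, so this flag alone says nothing about
a Word 97 file.

```python
"""Report the template flag in the FIB base of a Word 6/7/97 binary file.

Added example, not part of the CIAC bulletin and not Microsoft/SCANPROT code.
Field offsets follow Microsoft's published [MS-DOC] FibBase layout; the
olefile module, function names and message texts are assumptions.
"""
import struct

WORD_IDENT = 0xA5EC        # wIdent: first two bytes of every Word 6+ WordDocument stream
FIB_FLAGS_OFFSET = 0x0A    # the 16-bit flag word inside the 32-byte FIB base
FLAG_DOT = 0x0001          # fDot: the file is a template (.DOT)
FLAG_COMPLEX = 0x0004      # fComplex: last save was a fast (incremental) save
FLAG_ENCRYPTED = 0x0100    # fEncrypted: body is password protected
NFIB_NAMES = {0x65: "Word 6.0", 0x68: "Word 7.0 (Word 95)", 0xC1: "Word 8.0 (Word 97)"}


def parse_fib_base(stream):
    """Return the FIB base fields that matter for macro triage."""
    if len(stream) < 32:
        raise ValueError("WordDocument stream is shorter than a FIB base")
    w_ident, n_fib = struct.unpack_from("<HH", stream, 0)
    if w_ident != WORD_IDENT:
        raise ValueError("not a Word binary document: wIdent is 0x%04X" % w_ident)
    (flags,) = struct.unpack_from("<H", stream, FIB_FLAGS_OFFSET)
    return {
        "version": NFIB_NAMES.get(n_fib, "unknown nFib 0x%02X" % n_fib),
        "is_template": bool(flags & FLAG_DOT),
        "fast_saved": bool(flags & FLAG_COMPLEX),
        "encrypted": bool(flags & FLAG_ENCRYPTED),
    }


def triage(filename, stream):
    """Findings a scan-on-launch hook would raise before Word opens the file."""
    fib = parse_fib_base(stream)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if fib["is_template"] and ext != "dot":
        findings.append("template flag set on a .%s file: the Word 6/7 infection pattern "
                        "(template saved under a document name)" % (ext or "???"))
    if fib["is_template"]:
        findings.append("file can carry WordBasic macros; list them with Organizer before opening")
    if fib["encrypted"]:
        findings.append("body is encrypted; a scanner cannot inspect the macros")
    return fib, findings


def clear_template_flag(stream):
    """The 'bit flip' repair some scanners perform: the macro bytes stay in the
    file, Word just stops treating it as a template, so another scanner may
    still report the file as infected."""
    (flags,) = struct.unpack_from("<H", stream, FIB_FLAGS_OFFSET)
    patched = bytearray(stream)
    struct.pack_into("<H", patched, FIB_FLAGS_OFFSET, flags & ~FLAG_DOT & 0xFFFF)
    return bytes(patched)


def read_word_stream(path):
    """For real files: pull the WordDocument stream out of the OLE2 container
    with the third-party olefile module (assumption: it is installed)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return ole.openstream("WordDocument").read()
    finally:
        ole.close()


def make_fib_base(n_fib, flags):
    """Constructed sample: a 32-byte FIB base with the given nFib and flag word."""
    return struct.pack("<HHHHHH", WORD_IDENT, n_fib, 0, 0x0409, 0, flags) + bytes(20)


if __name__ == "__main__":
    # Constructed sample: a Word 6.0 template saved as README.DOC, the trace a
    # macro virus leaves behind (no real file is read here).
    sample = make_fib_base(0x65, FLAG_DOT)
    fib, findings = triage("README.DOC", sample)
    print(fib["version"], fib)
    for finding in findings:
        print(" -", finding)
    print("template flag after bit flip:",
          parse_fib_base(clear_template_flag(sample))["is_template"])
```

The clear_template_flag function is the bit-flip repair mentioned above: it
leaves the macro code in place, which is why a second scanner may still flag
the file. Deleting the macros in the Organizer, as described later in this
bulletin, is the real clean-up.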
Also, because documents enter a system in so many different ways today
(e-mail, floppy, CD, download, network disk), even users that scan often may
miss an infected file. By scanning every document as it is launched, you
ensure that the document is checked at least once.

Another useful feature of new scanners is the "Safe Folder." Whenever a file
is placed in the designated "Safe Folder", that file is automatically
scanned. By designating the "Safe Folder" as the download folder and
directing all downloads to that folder, no matter what the source, you ensure
that all new files are scanned.

A major problem with current scanners is their inability to reliably detect
new viruses. While some scanners try to detect new viruses heuristically,
they are not wholly successful yet. This problem is especially acute for
macro viruses because of the large number of new macro viruses appearing
every day. To keep up with all these new macro viruses, most antivirus
companies that previously had quarterly updates now have monthly updates of
their scanners. A few companies are even offering daily updates.

Using Microsoft's Macro Detector (mvtool) SCANPROT.DOT
======================================================

An anti-virus scanner is not sufficient to protect a system from new macro
viruses. To handle all the new macro viruses, you need to use a macro
detector in addition to a virus scanner. A macro detector detects the
presence of macros in a Word document as you open it. In general, macros
belong in templates, not documents. In fact, macros can only be in templates
in Word 6 and 7 (Word 95), though they can exist in documents in Word 8
(Word 97). Detecting the presence of a macro in what you believe to be a
document is a good indication that something is wrong with your document.

To that end, Microsoft has made two options available for Microsoft Word.
For Word versions 6.0 through 7.0, you can load Microsoft's macro detecting
macro, SCANPROT.DOT (mvtool).
This macro package checks each document as you open it with the File, Open
command and warns you if the document contains a macro. At that point you
can continue opening the document, open it without macros, or cancel
opening the document. Any document the scanner reports as containing a macro
should be immediately suspect.

*****WARNING: You must use the File, Open command to open new documents in
order for the scanner to work. It does not work if you open a document by
double clicking it or by selecting the document from the list of previously
opened documents. *****

The second option is available in Word version 7.0a (Word 95a) and later.
Essentially, Microsoft built the capabilities of SCANPROT.DOT into Word, so
you do not need to install the SCANPROT.DOT macro. When either SCANPROT or
the built-in Macro Virus Protection detects a macro, it displays a dialog box
giving you the option of opening the document anyway, opening it without
macros, or canceling the open.

One thing to remember about SCANPROT and Macro Virus Protection: they do not
detect viruses; they only detect macros. Many templates in use today have
macros attached that are not viruses but are extensions to the Word program.
If SCANPROT detects a macro in a document, you must decide whether it is a
virus or a legitimate macro.

The SCANPROT program and instructions for installing it are available from
the Microsoft web site at:

   http://www.microsoft.com/word/freestuff/mvtool/mvtool2.htm

Testing for Macro Protection
============================

To see if your version of Word has the built-in scanner, choose the Tools,
Options command, General tab, and see if there is an "Enable Macro Virus
Protection" or "Macro Virus Protection" check box. If one is present, make
sure it is checked.

To see if you have the SCANPROT.DOT macro installed, choose the Tools, Macro
command and select Normal.dot in the list at the bottom of the dialog box.
If you have SCANPROT.DOT installed, you will see the AutoExit, FileOpen,
InstVer, and ShellOpen macros listed in the Macros dialog box. Click on any
of these macros, and the Description box at the bottom of the dialog box
identifies it as part of the ScanProt package.

Protecting NORMAL.DOT in Word 8 (Word 97)
=========================================

Word version 8 (Word 97) has the ability to protect the NORMAL.DOT global
template file. As most macro viruses infect this file, protecting it from
changes defeats those viruses. To protect NORMAL.DOT:

1. Start Word 8.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project Explorer window, right click on the Normal item and choose
   Normal Properties from the drop down menu.
4. In the Normal - Project Properties dialog box that appears, choose the
   Protection tab.
5. Check the "Lock project for viewing" check box and type and confirm a
   password.
6. Click OK and close the Visual Basic Editor.

Your NORMAL.DOT template is now password protected. In order to make changes
to the NORMAL.DOT template, such as adding or changing styles, you will have
to type the password.

More detailed instructions are available on the Microsoft Web site at:

   http://www.microsoft.com/word/freestuff/mvtool/virusinfo.htm

Checking For A Macro Without Opening A Document
===============================================

To see what macros are in a document without opening the document and
risking infection, open the document in the Organizer window. To do this:

1. Start Word.
2. Choose the File, Templates or Tools, Macro or the Tools, Templates and
   Add-Ins command, depending on the version of Word you have.
3. Click the Organizer button. A dialog box like that shown below appears.
   ================================ Organizer ================================
   | Styles | AutoText | Toolbars | Macros |
   |-------------------------------------------------------------------------|
   |  To CONCEPT.DOC:                           In Normal:                   |
   |  +-------------------------+              +---------------------------+ |
   |  | AAAZAO                  |  << Copy     | AutoExit                  | |
   |  | AAAZFS                  |              | FileOpen                  | |
   |  | AutoOpen                |    Delete    | InstVer                   | |
   |  | Payload                 |              |                           | |
   |  |                         |    Rename    |                           | |
   |  +-------------------------+              +---------------------------+ |
   |  Macros Available In:                      Macros Available In:         |
   |  [Concept.doc (Template)   v]             [Normal (Global Template) v] |
   |  ( Close File )                           ( Close File )                |
   |                                                                         |
   |  Description --------------------------------------------   ( Close )   |
   |  | ScanProt macro to protect and disinfect your Normal |   ( Help )    |
   |  | (Global) template.                                  |               |
   |  +-----------------------------------------------------+               |
   ===========================================================================

4. Choose either of the two list boxes.
5. Click the Close File button below the chosen list box if the button is
   showing. The button changes to an Open File button.
6. Use one of the following two methods to open the suspect document. The
   method you use depends on the type of file the system thinks you are
   examining. Normally, documents have a .DOC extension and templates have a
   .DOT extension.
   a. To open a document, click the Styles tab and click the Open File
      button.
   b. To open a template, click the Macros tab and click the Open File
      button.
7. Select the file you want to examine in the File Open dialog box that
   appears and click Open.
8. Click the Macros tab, and the list of macros attached to the file appears
   in the window above the button you pressed to open the file.

In the figure above, the right window displays the contents of the Normal
template and the left one displays the contents of the Concept.doc document.
The Normal template contains the macros installed by the SCANPROT.DOT macro
detector. The macros listed for Concept.doc are (in case you didn't guess)
those of the Concept macro virus. At this point, you could select and delete
each of the macros in Concept.doc and then close and save it by clicking the
Close File button. This renders the document safe to open normally and use.
Note that opening a file in this manner does not expose your system to
infection with a macro virus, because macros do not run when files are
opened in the Organizer. When you have finished examining or cleaning the
files, click the Close button to close the dialog box.

Most macro viruses can be detected by viewing an infected document in this
way. CIAC has seen only one macro virus that hides its macros in such a way
that they cannot be seen in the Organizer dialog box. Luckily, this method of
hiding the macros also renders them less likely to spread. Also, the hidden
macros are still detected when a file is opened by the SCANPROT.DOT macro
detector (Word 6 and 7) or by Macro Virus Protection (Word 7.0a and later).

Suspicious Macro Names
======================

When you examine the macros in a document, you should watch for the Auto
macros such as AutoOpen, AutoExec, and AutoClose. Macros of this type run
automatically when the event indicated in the macro name occurs. For
example, most macro viruses have an AutoOpen macro that runs when the
document containing the macro is opened. This does not mean that all Auto
macros are malicious, just that they should be examined a little more
closely to see what they are for.
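As an added example (not part of this bulletin), the following Python applies
this section's name rules to the macro lists shown in the Organizer figure
above: the Auto macros just described, and also the odd-name and menu-command
rules that follow in the next two paragraphs. The menu-name prefixes used to
recognise a command override and the "meaningless name" heuristic are this
example's own assumptions, not rules stated by the bulletin.

```python
"""Triage macro names read off the Organizer dialog.

Added example, not part of the CIAC bulletin. The macro lists are the ones
shown in the Organizer figure; the menu-name prefixes and the meaningless-
name heuristic are assumptions of this example.
"""
import re

# Rule 1: Word runs these on the named event without the user asking.
AUTO_MACROS = {"autoexec", "autoopen", "autoclose", "autonew", "autoexit"}
# Rule 3: a macro named after a built-in command replaces that command.
# Assumption: built-in command names start with one of Word's menu names.
MENU_PREFIXES = ("File", "Edit", "View", "Insert", "Format", "Tools", "Table", "Window", "Help")
# Rule 2: names no legitimate macro would use.
KNOWN_BAD = {"payload"}


def looks_meaningless(name):
    """Heuristic for junk names such as AAAZAO: a letter tripled, no vowel/consonant
    mix, or digits mixed into a short name (an assumption, not a rule from the page)."""
    letters = re.sub(r"[^A-Za-z]", "", name)
    if not letters:
        return True
    vowels = sum(c in "aeiouAEIOU" for c in letters)
    if vowels == 0 or vowels == len(letters):
        return True
    if re.search(r"(.)\1\1", name):
        return True
    return bool(re.search(r"\d", name)) and len(letters) < 6


def triage_macro(name):
    """Return (category, reason) for one macro name."""
    lower = name.lower()
    if lower in AUTO_MACROS:
        return "auto", "runs automatically on the %s event" % lower[4:]
    if lower in KNOWN_BAD:
        return "suspicious", "name no legitimate macro would use"
    for prefix in MENU_PREFIXES:
        rest = name[len(prefix):]
        if name.startswith(prefix) and rest[:1].isupper():
            return "command-override", "replaces the %s, %s menu command" % (prefix, rest)
    if looks_meaningless(name):
        return "suspicious", "meaningless name"
    return "ordinary", "examine only if the rest of the file is suspect"


def triage_document(names):
    """Triage every macro in a file; verdict 'inspect' if any name needs a closer look."""
    report = [(n,) + triage_macro(n) for n in names]
    verdict = "inspect" if any(cat != "ordinary" for _, cat, _ in report) else "no names of concern"
    return verdict, report


if __name__ == "__main__":
    # Macro lists as shown in the Organizer figure (typed in from the figure,
    # not read from a file).
    for label, names in (("Concept.doc", ["AAAZAO", "AAAZFS", "AutoOpen", "Payload"]),
                         ("Normal with SCANPROT", ["AutoExit", "FileOpen", "InstVer", "ShellOpen"])):
        verdict, report = triage_document(names)
        print(label, "->", verdict)
        for name, cat, reason in report:
            print("  %-10s %-17s %s" % (name, cat, reason))
```

Run on the figure's lists, every Concept.doc macro is flagged, but the Normal
template carrying SCANPROT also comes out "inspect", because SCANPROT itself
uses an AutoExit and a FileOpen macro. That is the point of this section:
names tell you what to examine, not whether the macro is a virus.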
Next, watch for macros with names like Payload, or odd names like AAAZAO.
These should all be considered suspicious; it is unlikely that a legitimate
macro would use such a name.

Finally, watch for macros with names like FileOpen or FileSaveAs. Macros with
these names replace the menu command indicated by their name. For example,
the FileOpen macro replaces the Open command on the File menu. Again, these
may be legitimate macros, but they should be examined to be sure you know
where they came from.

Testing Macro Detectors
=======================

To test a macro detector, to see if it detects macros and to see when the
different macros run, create a macro like the following in a Word document.
To create a macro, choose the Tools, Macro command, type AutoOpen in the
Macro Name box and click the Create button. Type the following text for the
macro in the editor and save the document.

--------------------------------
Sub AutoOpen()
'
' AutoOpen Macro
' Macro created
'
    MsgBox "The AutoOpen macro ran."
End Sub
--------------------------------

This macro runs automatically whenever the document is opened. Whenever the
macro runs, it displays the text "The AutoOpen macro ran." in a dialog box.
You can test any of the auto macros using this macro: simply change the name
of the macro from AutoOpen to one of the other auto macro names (AutoClose,
AutoExec). You can also change the name to FileOpen and see how it replaces
the File, Open command.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.
CIAC is also a founding member of FIRST, the Forum of Incident Response and
Security Teams, a global organization established to foster cooperation and
coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:

    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call
the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243
(800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers: the
primary PIN number, 8550070, is for the CIAC duty person, and the secondary
PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
                    (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:   ftp.ciac.org
                    (or ciac.llnl.gov -- they're the same machine)
   Modem access:    +1 (510) 423-4753 (28.8K baud)
                    +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information, and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use of
   SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting ciac-bulletin, spi-announce OR spi-notes
for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure you are
really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-013: Count.cgi Buffer Overrun Vulnerability
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO /usr/bin/X11/scoterm Vulnerability
I-017: statd Buffer Overrun Vulnerability
I-018: FTP Bounce Vulnerability
I-019: Tools Generating IP Denial-of-Service Attacks
I-020: Cisco 7xx password buffer overflow - DOS
I-021: "smurf" IP Denial-of-Service Attacks
I-022: IBM AIX "routed" daemon Vulnerability

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNMZombnzJzdsy3QZAQGNygQA55EYUGUqONTmB2UjC0gR/rZM7WcILOAV
Kb+wrFNyJBSrOiqftQgQUvwQSZfsKSCgxTyOUW2hLV2rBV8wUceK4TpyEHc+c9Q4
pnACkr3oZB229rMgr4zbmdPuqYC453M0llkebKSP5joX7DbrAohsRPgYqrpkkCjy
fHZvvjzvRXY=
=HsAf
-----END PGP SIGNATURE-----