Before heading off for a break Alison asked me to post some detailed
info about the concept virus because many readers did not have access to
the world wide web.
Some basic points
- opening an email message will not activate a virus. Opening an
attachment might.
- the hoax virus message pollute more than virus' themselves. Do not
pass them on unless you are certain it is genuine.
Those with web access who are interested in learning more about viruses
or getting virus scanning software are directed to:
http://www.antivirus.com/
http://www.mcafee.com
The article that Shelley Banks found follows:
"PC Magazine -- February 6, 1996
The Winword.concept Virus
M. David Stone
As you may have already heard, there's a virus floating around that
attaches itself to Microsoft Word for Windows documents and will infect
every document you save with the Save As command. This Winword.concept
virus--called the Word prank macro by Microsoft--represents a newly
prevalent class of virus. And although this particular virus happens to
be aimed at Word for Windows, it's something that even non-Word users
should know about. Any program with a sufficiently sophisticated macro
language is open to attack by similar viruses.
While viruses have traditionally attached themselves to program files or
boot records, this type of virus attaches itself to data files created
by applications that associate macros with data files. That's what makes
it so pernicious. The virus can infect any Word-format file saved by
Word 6, Word 95, Mac Word 6, and Word NT.
You can protect yourself from traditional viruses by simply not booting
from floppy disks and not running new programs until you check them for
viruses. But if you often exchange document files with others,
particularly in a busy workgroup where documents regularly travel among
many people, contamination may be difficult to avoid.
An infected document is actually a template masquerading as a document.
The virus can manage this trick because although Word uses a .DOT
extension by default for templates, it doesn't require that .DOT
extension. And a template, by any name, can store macros. The key to the
Winword.concept virus is an AutoOpen macro, which runs each time you
open the document. When you open an infected document, the virus
modifies the Normal template, Normal.dot, which Word keeps loaded at all
times--even when you're using another template. Once infected,
Normal.dot will infect any file you save with the Save As command. And
since WinWord calls on the Save As command every time you save a new
document, that means every new document you create will be infected.
The good news about the Winword.concept virus is that, in its original
form at least, it's only annoying, not harmful. (The virus contains the
comment "That's enough to prove my point." Obviously the anonymous
author wanted to show that a virus could be transmitted via a macro, but
didn't feel the need to be destructive about it.) The bad news is that
the virus was unleashed on the world in unencrypted form. That means
anyone who gets ahold of it and understands just a little Word Basic can
modify it to do serious harm--like erasing files from your hard disk. (I
won't get more specific for obvious reasons.)
Fortunately, the virus is easy to spot. And it's easy to prevent, too,
once you know to look out for it. The first thing to do is to make sure
you're not infected yet. Load WinWord, choose Tools | Macro, and set the
Macros Available In box to Normal.dot (Global Template). Then browse
through the list of macros, looking for the names AAAZAO or AAAZFS.
These are the virus's macros. If you see them, don't create any new
files or use your Save As command until you've decontaminated your
system.
Microsoft has developed a set of tools for eliminating the
Winword.concept virus and inoculating your copy of WinWord against it.
You can find the tools on Microsoft's World-Wide Web site at
http://www.microsoft .com/msoffice, on the Microsoft Network using the
go word "wordprankfix," and on the Word forums on America Online and
CompuServe. You can also call Microsoft product support at 206-462-9673.
You'll find the tools--three macros--in a WinWord file generically
called SCAN.DOC. (The file is actually named SCAN831.DOC as of this
writing; 831 is a version number.) One macro, CleanAll, runs when you
open SCAN .DOC, scanning a specific directory and all subdirectories.
CleanAll looks for all documents and templates saved since January 1,
1995; it opens them and checks for the virus macros, then cleans these
out if it finds any.
SCAN.DOC installs the other two macros in your Normal template.
AutoClose scans all documents when you save them, cleaning out any virus
macros it finds. Payload prevents the virus from installing in your
Normal template in the first place. (The virus needs to create a macro
called Payload when it installs. If there's already a Payload macro
there, the infection fails.)
If you aren't infected, you can create your own Payload macro to guard
against the virus. Simply choose Tools | Macro to open the Macro dialog
box and set the Macros Available In box to Normal.dot. Then enter
Payload as the name of the macro and choose Create. WinWord will open a
macro-editing window, with Sub Main and End Sub statements already in
place. Add a space on the blank line between the two statements or
perhaps a comment like "Protection against Winword.Concept virus; do not
delete." (If you don't add something, WinWord will close the window
without saving the macro.) Select File | Close and answer Yes when
WinWord asks whether to save the macro, then choose File | Save All to
save the new macro to disk.
Once you've installed the Payload macro in your Normal template, you're
safe from the Winword.concept virus, but don't get overconfident. You're
not protected from viruses that work on the same principle but change
the details. A more general defense is to prevent an AutoOpen macro from
running on a document unless you're absolutely sure it is virus-free.
The easy way to do this is to hold down the Shift key when you open the
document (that is, hold down the Shift key as you click OK in the File |
Open dialog box). Lotus Notes users should also hold the Shift key down
when using the Launch command to open a WinWord document attached to a
Notes message.
If you use Word 95 with Windows 95 and you've set up Word to act as your
Exchange mail program using WordMail, be assured that you can't get
infected by reading a message. But you can get infected by
double-clicking on an attached Word file to open it and read it. Here
again, hold the Shift key down when you double-click on the icon.
Alas, these precautions will guard only against viruses that depend on
an AutoOpen macro to spread. They still leave you vulnerable to a virus
that waits until after you've opened the infected file and waits for,
say, your first keystroke. The only way around that problem is to avoid
opening any files that are supposed to be documents but are actually
templates with macros.
By the time you read this, Microsoft should have released a new Macro
Virus Protection Tool to accompany SCAN.DOC. The tool--a macro--will
warn you when a document you're about to load is actually a template
with macros and will let you choose whether to load it. While this can
protect you from accidentally loading a file that may contain macro
viruses, you can't actually open the file to see the text inside.
Luckily, there's a quick, easy workaround that uses the Organizer.
To see a list of macros in a file, choose File | Template, then
Organizer. Click the Close File button on either the left or right side
of the Organizer dialog box and the button will become an Open File
button. Click that button and use the Open dialog box to find and open
the file you want to inspect.
Now choose the Macros tab to see a list of the macros in the file. If
the file purports to be a simple data file--rather than a template--it
shouldn't contain any macros. If you see any, you can delete them and
then safely open the file.
One note of caution: Some third-party packages use templates to ease
installation of their macros. So the fact that a file masquerades as a
document when it's really a template doesn't necessarily mean it has a
virus. Before you start deleting macros, make sure they really shouldn't
be there.
"
|
