From ciac@tholia.llnl.gov Fri Jan 23 19:09:07 1998
From: CIAC Mail User <ciac@tholia.llnl.gov>
To: ciac-bulletin@tholia.llnl.gov
Date: Thu, 22 Jan 1998 10:40:57 -0800 (PST)
Subject: CIAC Bulletin I-023: Macro Virus Update

[  For Public Release  ]
-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                               Macro Virus Update
               (WM.CAP, XM.Laroux, WM.Concept, WM.Wazzu, WM.NPAD)

January 22, 1997 18:00 GMT                                       Number I-023
_____________________________________________________________________________

PROBLEM:     Macro viruses are a significant problem on the Internet with now
             well over 1000 different types and variants. This problem is
             caused by the ease with which a macro virus can be written 
             and the speed with which infected documents can be spread.
PLATFORM:    Any platform that can run Microsoft Word 6.0 or later:
             Windows 3.1, WFW 3.11, Windows 95, Windows NT, and Macintosh.
DAMAGE:      Files can be modified or deleted and may not be recoverable.
SOLUTION:    Scan all Word 6 or later documents before opening them or obtain
             a scanning tool that performs a "scan on launch" function.
             Install the SCANPROT.DOT macro detector in Word 6.0 through 7.0
             or turn on macro virus detection in Word 7.0a and later.
_____________________________________________________________________________

VULNERABILITY  The vulnerability of systems to this type of virus is high for
ASSESSMENT:    two reasons. First, documents are much more mobile than
               executable files. Second, because macro viruses are easy to
               write or modify, the growth rate of macro viruses is very high
               making it likely that you will encounter a new virus
               that your scanner will not detect.
_____________________________________________________________________________

       CRITICAL Information Concerning Word Macro Viruses

In September of 1995, we reported (CIAC Notes 95-12) on the creation of a new
computer virus, the WinWord Macro Virus, which infects documents from
Microsoft Word 6.0 or later. At the time, the only known macro viruses were
Concept and DMV, both of which were not damaging. In February of 1996, we
reported (CIAC Bulletin G-10) on the detection of five new macro viruses, of
which two could actually do damage to a system, such as formatting a disk or
deleting the contents of files. Since that time, macro viruses have become
the most reported virus incident type around the world. According to the
September 1997 issue of the "Virus Bulletin" (Virus Bulletin Ltd., England),
macro viruses occupy the top five positions in a table of virus prevalence.
The number of incidents of the top macro virus is more than five times that
of the top program virus. This report parallels our observations within the
DOE. There are currently over 1000 macro virus types and variants; the most
prevalent are listed below in order of descending prevalence.

o  WM.CAP - The WM.CAP virus is currently the number one reported virus in
   the world with more than five times the number of incidents reported than
   the highest reported program virus (AntiCMOS). The WM.CAP family of
   viruses
   do not contain a destructive payload.
o  XM.Laroux - The XM.Laroux macro virus is the second highest reported
   virus. This is actually an Excel macro virus, which infects the macros in
   Excel spreadsheets instead of Word documents. The virus adds a macrosheet
   named Laroux to any infected Excel notebook. The virus infects only
   Windows versions of Excel 5 and 7. The virus does not have a destructive
   payload.
o  WM.Concept - The WM.Concept virus is the original demonstration of a macro
   virus that was distributed in the document describing it. While not
   damaging, it spreads easily.
o  WM.Wazzu - The Wazzu macro virus currently has at least 100 variants and
   has spread throughout the world. In the original Wazzu virus, when a
   document is opened the virus macro runs and with a probability of 0.2
   randomly moves 3 words in the document and then with a probability of 0.25
   inserts the text "Wazzu " at some random location in the text. The
   original Wazzu virus consists of a single page of relatively simple code
   and was not encrypted. Because of this, everyone who caught the virus had
   a working copy of the virus source code to play with which accounts for
   the large number of variants of this virus.
o  WM.NPAD - The NPAD macro virus also spreads rapidly. Most variants display
   text on the screen after some number of infections. They do no damage
   other than spread.


How Macro Viruses Work
======================

Macro viruses use the built-in Word.Basic macro language available in
Microsoft Word 6.0 and later. A variant of this language existed in Word 2.0
for Windows, but these macro viruses only run on the version of Word.Basic in
Word 6.0 and later. Macintosh versions of Word earlier than 6.0 do not have a
macro language though converters are available to allow Word 5 to read Word 6
files. Any Word 6 files converted to Word 5 will have all their macros
removed during the conversion process and cannot be infected with a virus.

A virus needs two things to infect a system: they need to get on the system
and they need to get executed. Macro viruses get on a system by being
attached to template files in Word versions 6 and 7 or any document in Word
version 8. Template files can contain text just like a normal document, but
they can also hold macros. To get executed on your system, macro viruses take
advantage of the fact that if a macro is named AutoOpen or AutoClose the
macro is run automatically when a document is opened or closed. They also
take advantage of the fact that if a macro has a name like FileOpen or
FileSaveAs the macro replaces the menu command with the same name and runs
when the menu command is selected. These two methods allow a macro to be run
without the user explicitly running the macro or even realizing that he has
done so.

When a macro virus has gotten onto a system and is run, the first thing it
does is to see if it is in the normal.dot template file or in a document. If
the virus is running on the normal.dot template, it looks for a document to
infect. When it has infected a document, it saves that document as a Word
template file but changes the file name to end in .DOC instead of .DOT, to
make the file appear to be a document instead of a template. If it is running
on a document, it copies itself onto the normal.dot template.

When the virus is finished infecting a document file, it runs its payload
procedure which can do nothing or can do something nasty such as format your
hard drive. Word.Basic is a full programming language and a Word.Basic macro
can do anything any other program can do including read or write files, send
e-mail, change system settings, and so forth. What it does depends on the
whim or malicious intent of the virus writer.

Virus Scanners
==============

Most commercial and shareware scanners can detect macro viruses but not all
of them can repair a damaged document. Also, some scanners repair an infected
document by flipping the bit that identifies the document as a template and
not actually removing the macro. While the virus is deactivated in those
documents, other virus scanners may still identify them as infected.

A feature of most new scanners is a scan-on-launch capability that scans a
document when you double click it. This capability is important for detecting
macro viruses because most users will not run a scanner every time they
download a new document. Also, because documents enter a system in so many
different ways today (e-mail, floppy, CD, download, network disk), even users
that scan often may miss an infected file. By scanning every document as it
is launched you insure that the document is checked at least once.

Another useful feature of new scanners is the "Safe Folder." Whenever a file
is placed in the designated "Safe Folder" that file is automatically scanned.
By designating the "Safe Folder" as the download folder and directing all
downloads to that folder no matter what the source, you insure that all new
files are scanned.

A major problem with the current scanners is their inability to reliably
detect new viruses. While some scanners are trying to heuristically detect
new viruses, they are not wholly successful yet. This problem is especially
acute for macro viruses, because of the large number of new macro viruses
appearing every day. To manage all these new macro viruses, most antivirus
companies who previously had quarterly updates now have monthly updates of
their scanners. A few companies are even offering daily updates.

Using Microsoft's Macro Detector (mvtool) SCANPROT.DOT
======================================================

An anti-virus scanner is not sufficient to protect a system from new macro
viruses. To handle all the new macro viruses, you need to use a macro
detector in addition to a virus scanner. A macro detector detects the
presence of macros in a Word document as you open it. In general, macros
belong in templates, not documents. In fact, macros can only be in templates
in Word 6 and 7 (Word 95), though they can exist in documents in Word 8 (Word
97). Detecting the presence of a macro in what you believe to be a document
is a good indication that something is wrong with your document.

To that end, Microsoft has made two options available for Microsoft Word. For
Word versions 6.0 through 7.0, you can load Microsoft's macro detecting
macro, SCANPROT.DOT (mvtool). This macro program checks each document as you
open it using the File, Open command and warns you if the document contains a
macro. At that point, you can continue opening the document, open it without
macros or cancel opening the document. Any document the scanner detects as
containing a macro should be immediately suspect.

*****WARNING: You must use the File, Open command to open new documents in
order for the scanner to work. It does not work if you open a document by
double clicking or by selecting the document from the list of previously
opened documents. *****

The second option is available in Word version 7.0a (Word 95a) and later.
Essentially, Microsoft built the capabilities of SCANPROT.DOT into Word so
you do not need to install the SCANPROT.DOT macro.

When either SCANPROT or the Macro Virus Protection detects a macro, it
displays a dialog box giving you the option of opening the document anyway,
opening it without macros, or canceling the open. One thing to remember about
SCANPROT and Macro Virus Protection, they do not detect viruses; they only
detect macros. Many templates in use today have macros attached that are not
viruses but are extensions to the Word program. If SCANPROT detects a macro
on a document, you must decide if it is a virus or if it is a legitimate
macro.

The SCANPROT program and instructions for installing it are available from
the Microsoft web site at:
http://www.microsoft.com/word/freestuff/mvtool/mvtool2.htm

Testing for Macro Protection
============================

To see if your version of Word has the built-in scanner, choose the Tools,
Options command, General tab, and see if there is an "Enable Macro Virus
Protection" or "Macro Virus Protection" check box. If one is present, make
sure it is checked. To see if you have the SCANPROT.DOT macro installed,
choose the Tools, Macro command and select Normal.dot in the list at the
bottom of the dialog box. If you have SCANPROT.DOT installed, you will see
the AutoExit, FileOpen, InstVer, and ShellOpen macros listed in the Macros
dialog box. Click on any of these macros and the Description box at the
bottom of the dialog box identifies it as part of the ScanProt package.

Protecting NORMAL.DOT in Word 8 (Word 97)
=========================================

Word version 8 (Word 97) has the ability to protect the NORMAL.DOT global
template file. As most macro viruses infect this file, protecting it from
changes defeats those viruses. To protect NORMAL.DOT,

  1. Start Word 8.
  2. Choose the Tools, Macro, Visual Basic Editor command.
  3. In the Project Explorer window, right click on the Normal item and
     choose Normal Properties from the drop down menu.
  4. In the Normal-Project Properties dialog box that appears, choose the
     Protection tab.
  5. Check the "Lock project for viewing" check box and type and confirm a
     password.
  6. Click OK and close the Visual Basic Editor.

Your NORMAL.DOT template is now password protected. In order to make changes
to the NORMAL.DOT template, such as adding or changing styles, you will have
to type the password.

More detailed instructions are available on the Microsoft Web site at:
http://www.microsoft.com/word/freestuff/mvtool/virusinfo.htm

Checking For A Macro Without Opening A Document
================================================

To see what macros are in a document without opening the document and risking
infection, open the document in the Organizer window. To do this:
  1. Start Word.
  2. Choose the File, Templates or Tools, Macros or the Tools, Templates and
     Add-Ins command depending on the version of Word you have.
  3. Click the Organizer button.

A dialog box like that shown below appears.

================================= Organizer =================================
|  ________________ _________________ __________________ _________________  |
| |     Styles     |     AutoText    |     Toolbars     |     Macros      | |
| |-----------------------------------------------------------------------| |
| | To CONCEPT.DOC.                         In Normal:                    | |
| | __________________________   _________  _____________________________ | |
| | |AAAZA0                   | (<< Copy  ) |_AutoExit__________________| | |
| | |AAAZFS                   |  _________  |FileOpen                   | | |
| | |AutoOpen                 | (  Delete ) |InsertVer                  | | |
| | |Payload                  |  _________  |                           | | |
| | |                         | (  Rename ) |                           | | |
| | |                         |             |                           | | |
| | |_________________________|             |___________________________| | |
| |  Macros Available In:                    Macros Available In:         | |
| | ___________________________             _____________________________ | |
| | |Concept.doc (Template)  ^|             |Normal (Global Template)  ^| | |
| | |_________________________|             |___________________________| | |
| |        ____________                             ____________          | |
| |       ( Close File )                           ( Close File )         | |
| |                                                                       | |
| |   Description ------------------------------------------   _______    | |
| |   |ScanProt macro to protect and disinfect your Normal |  ( Close )   | |
| |   |(Global) template.                                  |   _______    | |
| |   |                                                    |  ( Help  )   | |
| |   |____________________________________________________|              | |
| |_______________________________________________________________________| |
|___________________________________________________________________________|

  4. Choose either of the two list boxes
  5. Click the Close File button below the chosen list box if the button is
     showing. The button changes to an Open File button.
  6. Use one of the following two methods to open the suspect document.
     The method you use depends on the type of file the system thinks you
     are examining. Normally, documents have a .DOC extension and templates
     have a .DOT extension.

     a. To open a document, click the Styles tab and click the
        Open File button.
     b. To open a template, click the Macros tab and click the
        Open File button.

  7. Select the file you want to examine in the File Open dialog box that
     appears and click Open.
  8. Click the Macros tab and the list of macros attached to the file appears
     in the window above the button you pressed to open the file.

In the figure above, the right window displays the contents of the normal
template and the left one displays the contents of the Concept.doc document.
The Normal template contains the macros installed by the SCANPROT.DOT macro
detector. The macros listed for Concept.doc are (in case you didn't guess)
those for the Concept macro virus. At this point, you could select and delete
each of the macros in Concept.doc and then close and save it by clicking the
Close File button. This renders the document safe to open normally and use.
Note that opening a file in this manner does not expose your system to
infection with a macro virus because macros do not run when files are opened
in the organizer.

When you have finished examining or cleaning the files, click the Close
button to close the dialog box.

Most macro viruses can be detected by viewing an infected document in this
way. CIAC has seen only one macro virus that hides the macros in such a way
that they cannot be seen in the Organizer dialog box. Luckily, this method of
hiding the macros also renders them less likely to spread. Also, the hidden
macros are still detected when a file is opened by the SCANPROT.DOT macro
detector (Word 6 and 7) or by Macro Virus Protection (Word 7.0a and later).

Suspicious Macro Names
======================

When you examine the macros in a document, you should watch for the Auto
macros such as AutoOpen, AutoExec, and AutoClose. Macros of this type run
automatically when the event indicated in the file name occurs. For example,
most macro viruses have an AutoOpen macro that runs when the document
containing the macro is opened. This does not mean that all Auto macros are
malicious, just that they should be examined a little closer to see what they
are for.

Next, watch for macros with names like Payload or odd names like AAAZAO.
These should all be considered suspicious. It is unlikely that a legitimate
macro would use such a name.

Finally, watch for macros with names like FileOpen or FileSaveAs. Macros with
these names replace the menu command indicated by their name. For example,
the FileOpen macro replaces the Open command on the File menu. Again, these
may be legitimate macros but they should be examined to be sure you know
where they came from.

Testing Macro Detectors
=======================

To test a macro detector to see if it detects macros and to see when the
different macros run, create a macro like the following in a Word document.
To create a macro, choose the Tools, Macros command, type AutoOpen in the
Macro Name box and click the Create button. Type the following text for the
macro in the editor and save the document.

- --------------------------------
Sub AutoOpen()
'
' AutoOpen Macro
' Macro created
'
MsgBox "The AutoOpen macro ran."
End Sub
- --------------------------------

This macro runs automatically whenever a document is opened. Whenever the
macro runs it displays the text "The AutoOpen macro ran." in a dialog box.
You can test any of the auto macros using this macro. To do so, simply change
the name of the macro from AutoOpen to one of the other auto macro names
(AutoClose, AutoExe). You can also change the name to FileOpen and see how it
replaces the File, Open command.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@tholia.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

I-013: Count.cgi Buffer Overrun Vulnerabiliity
I-014: Vulnerability in GlimpseHTTP and WebGlimpse cgi-bin Packages
I-015: SGI IRIX Vulnerabilities (syserr and permissions programs)
I-016: SCO  /usr/bin/X11/scoterm Vulnerability
I-017: statd Buffer Overrun Vulnerability
I-018: FTP Bounce Vulnerability
I-019: Tools Generating IP Denial-of-Service Attacks
I-020: Cisco 7xx password buffer overflow - DOS
I-021: "smurf" IP Denial-of-Service Attacks
I-022: IBM AIX "routed" daemon Vulnerability



-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNMZombnzJzdsy3QZAQGNygQA55EYUGUqONTmB2UjC0gR/rZM7WcILOAV
Kb+wrFNyJBSrOiqftQgQUvwQSZfsKSCgxTyOUW2hLV2rBV8wUceK4TpyEHc+c9Q4
pnACkr3oZB229rMgr4zbmdPuqYC453M0llkebKSP5joX7DbrAohsRPgYqrpkkCjy
fHZvvjzvRXY=
=HsAf
-----END PGP SIGNATURE-----