Taming Viruses in the Wild
01 Jan 1999
The last time NetWare Connection took an in-depth look at the types of viruses infecting networks was in 1993 when Dr. David J. Stang wrote "Virus Dangers to NetWare LANs: Fact Versus Fiction." (See Jan./Feb. 1993, pp. 10-21. You can download this article from http://www.nwconnection.com/nwc/mar-apr.96/virus13.) As you might suspect, computer viruses have changed since then. For example, the number of viruses "in the wild" has increased. Viruses are said to be in the wild if they are at large in the community of computer users. If a virus exists only in a computer laboratory, on the other hand, the virus is "in the zoo."
Obviously, you must protect your company's computers from viruses in the wild. WildList, a compilation of the in-the-wild viruses reported by virus researchers worldwide, reported 104 viruses in the wild in July 1993. By August 1998, that number had grown to 255. (You can view or download past and current WildLists at http://www.virusbtn.com/WildLists.)
The number of virus infections has also grown. In 1997, the three hundred organizations that responded to the International Computer Security Association (ICSA) Computer Virus Prevalence Survey reported 62.5 encounters with viruses for every 1,000 computers. In 1998, the three hundred organizations that responded to the ICSA Computer Virus Prevalence Survey reported 86.53 virus encounters for the same number of computers. (You can download the ICSA Computer Virus Prevalence Survey for 1997 and 1998 at http://www.icsa.net/services/consortia/anti-virus/educational_material.shtml.)
In addition, users are likely to encounter different types of viruses today than they encountered in 1993. Although the once-popular file viruses and boot sector viruses have not disappeared, they have given way to macro viruses--a species of virus that existed only in theory prior to December 1994. Users may also encounter other new viruses such as multipartite and polymorphic viruses. (For information on the most commonly reported viruses for 1998, see "The ICSA's Ten Most Gotten (1998)." This list highlights the ten most frequently reported viruses according to the ICSA Computer Virus Prevalence Survey for 1998. You can view a more extensive list on the NetWare Connection World-Wide Web site at http://www.nwconnection.com.)
Some of these new viruses have made the virus fiction of 1993 the virus fact of today. For example, in 1993 viruses could affect only the data and program files--not the computer itself. Today, however, at least one virus in the wild (the Win95/CIH virus) can affect certain kinds of computer firmware.
In addition, file viruses and boot sector viruses were once written to infect particular types of operating systems. As a result, these viruses behaved differently in different network environments. However, today's most prevalent viruses were written to infect particular applications and thrive on servers and workstations, regardless of what operating system is running on the server.
Despite everything that has changed since Dr. Stang wrote his article, his observation that computer viruses should be a cause for concern rather than panic is as true today as it was in 1993. It is also still true that to effectively address these concerns, you need to separate virus fact from virus fiction.
This article presents the most recent information available on the new types of viruses. This article also explains how viruses can infect an unprotected network and what you can do to prevent viruses from infecting your company's network.
THE NATURE OF THE BUG
Of course, not all of today's viruses are new. Many file viruses and boot sector viruses in the wild still infect computer systems in familiar, avoidable ways. File viruses are still programs that attach themselves to executable files. The effect a file virus can have depends on what type of operating system the file virus encounters, what the writer of that particular file virus intended to do, and whether or not the writer successfully achieved his or her goal. (Even a file virus that does no intentional damage can damage files that run on operating systems other than the operating system for which the virus was intended.)
Likewise, boot sector viruses are still programs that attach themselves to the boot sector of floppy diskettes and to the boot sector and/or master boot record of a computer's hard drive. The only way to be infected by a boot sector virus is the old-fashioned way: by attempting to boot from an infected diskette. The effect a boot sector virus can have depends on what type of operating system the boot sector virus encounters, what the writer of the boot sector virus intended to do, and whether or not the writer achieved his or her goal.
When you boot your computer from an infected floppy diskette, a boot sector virus will infect the master boot record of your computer's hard drive. (The boot does not necessarily have to be successful in order to infect the hard drive.) Depending on the type of virus you encounter, the boot sector virus either becomes memory resident when you boot from the infected floppy diskette, or it becomes memory resident the next time you boot your computer from the infected hard drive. In either case, once the virus becomes memory resident, it goes on to infect the boot sectors of any floppy diskettes to which the virus has access.
For example, because boot sector viruses take over your computer's read/write interrupt, the virus will have access to any floppy diskette you write files to. Likewise, the virus will have access to unprotected floppy diskettes you read (such as with a DIR command).
However, some file viruses and boot sector viruses have changed in a few significant ways. For example, file viruses were once written almost exclusively to infect DOS-based COM and EXE files. Although no viruses are known to target NetWare operating systems, some file viruses target executable files in Windows and Macintosh operating systems, such as the W.95.Marburg virus that infects Windows 95 portable executable (PE) files.
In the past, boot sector viruses were boot sector viruses, and file viruses were file viruses. However, today's viruses can be both. For example, a multipartite virus is composed of two different types of viruses--more often than not, a combination of a file virus and a boot sector virus.
Other new viruses include polymorphic viruses and macro viruses: Polymorphic viruses avoid detection by changing their code each time they are executed. Today's file, boot sector, and multipartite viruses can also be polymorphic.
As the name suggests, macro viruses infect macros in applications and in the data and document files users create with these applications. Macro viruses can also be polymorphic and multipartite, although multipartite macro viruses are rare.
Macro viruses cause more infections than boot sector viruses do. Although boot sector viruses are still quite successful in terms of the number of computers they infect, the reported number of macro virus infections far exceeds the reported number of boot sector virus infections. In fact, according to both the ICSA Computer Virus Prevalence Survey for 1998 and a poll conducted by Secure Computing magazine, macro viruses currently account for more than 80 percent of the virus infections in the computing community. (See Figure 1.) To find out more about the Secure Computing poll, see "Anti-Virus Review 1998" at http://www.westcoast.com/securecomputing/1998_01/buyers/buyers.html.
Figure 1: According to the ICSA Computer Virus Prevalence Survey for 1998, macro virus infections occur more frequently than any other virus infection.
THE MACRO MITE
Macros operate within some of the most popular applications, such as Microsoft Word and Lotus Ami Pro. Some macros, called auto macros, are actually embedded in the data and document files you create while using these applications. When you make a request to perform certain functions, auto macros run automatically, completing the functions you request. For example, when you open, save, or close a file, auto macros, such as Microsoft Excel's AutoOpen, run automatically.
Auto macros are embedded in Object Linking and Embedding (OLE) files. Microsoft and a growing number of other application vendors use OLE technology to store unrelated types of data, called streams, within one file. For example, a file could contain the following streams:
A data stream, which contains the document text or the spreadsheet data
A graphics stream, which contains the file's graphics (bar charts, for example)
A macro stream, which contains document formatting information and auto macros
A macro virus typically uses auto macros in an OLE file's macro stream to infect applications and/or OLE files. If an auto macro were carrying a macro virus, the macro virus would become active, or run, when you triggered the infected auto macro (by requesting to open, close, or save a file, for example).
When a macro virus becomes active, one of two things can happen:
The virus can look for other OLE files to infect directly.
The virus can copy itself to an application file.
If a macro virus looks for other OLE files to infect directly, the macro virus might choose to infect any files it finds in the application's Most Recently Used list. (You can access the Most Recently Used list from the File pull-down menu in many applications.) If the macro virus wanted to infect documents later, it would copy itself to a file that is loaded automatically each time the application is run. For example, the macro virus could copy itself to the PERSONAL.XLS file in Excel's XLSTART or the NORMAL.DOT file in Word. (To find out how a typical macro virus could infect all of the OLE files and applications on a network, see "The Life and Times of A. Macro.")
Like any other virus, the main goal of the macro virus is to propagate. The effect a macro virus can have on your company's network varies widely, depending on the macro virus you encounter. A macro virus can have a relatively benign effect, such as a message from the virus writer to the application user, or a macro virus can wreak havoc by corrupting data or executable files. (To find out more about specific viruses and how they can affect your computer, see "The ICSA's Ten Most Gotten (1998).")
Although computer professionals recognized the potential existence of macro viruses as early as 1989, Concept, the first macro virus, was not reported in the wild until September 1995. In its original form, Concept is a nondestructive virus that propagates through Word applications and OLE files. One of Concept's virus macros (Payload) contains the statement "That's enough to prove my point" in its comment line.
In spite of Concept's late-comer status, by March 1996, Concept was already the most frequently reported virus in the wild. Microsoft's scanner/disinfector for Concept is available as a free download from the U.S. Department of Energy's (DOE's) Computer Incident Advisory Capability (CIAC). (To download this software, go to http://ciac.llnl.gov and click Tools. Scroll down until you see Public Tools, click Anti-Virus Packages under MS-DOS, and then click Microsoft Macro Virus Tool.)
Applications that give users the ability to write their own macros, the ability to change default macros, and the ability to copy these new and modified macros from one file to another are most vulnerable to macro viruses. Word and Excel are two such applications.
Another factor that makes an application a likely target for computer viruses is the ease with which the virus writer is able to learn the application's macro language. For example, Microsoft's macro languages are WordBasic (in Word 6 and 7), VisualBasic 4 (in Excel 5 and 7), and VisualBasic 5 (in Word 97 and Excel 97). WordBasic is based on BASIC, a language many programmers are familiar with. VisualBasic is even easier to use and more powerful than WordBasic. Not surprisingly, most macro viruses are written to infect either Word or Excel, although a few macro viruses are written to infect other applications, such as Lotus Ami Pro.
Igor Grebert, a senior virus researcher for Trend Micro Inc., thinks that the use of VisualBasic as the macro language in Word and Excel may account for the growing number of macro viruses in the wild. Writing a program in VisualBasic is so simple that, as Grebert implies, virtually any novice programmer could write virus code. "A piece of code that a macro virus might have," Grebert explains, could be as simple as "something like this: 'Open NORMAL.DOT. Copy virus code to NORMAL.DOT.' "
Greg McClanahan, an antivirus technician for Network Associates Inc., also believes that using VisualBasic as a macro language is one of the main reasons macro viruses in the wild are rapidly increasing. McClanahan asserts that VisualBasic is so easy to use that a would-be virus writer doesn't even have to be a programmer to write malicious code. In fact, with any number of do-it-yourself virus tool kits available over the Internet and with VisualBasic as a macro language, McClanahan says anyone who "can bake a cake can make a virus."
Because Microsoft uses VisualBasic 5 for Word 97, Excel 97, and Access 97, cross-application macro viruses are possible. To date, only a few cross-application macro viruses exist in the wild: Shiver, Cross, and Teocatal.
Of the three, only Shiver is able to do what it was written to do--that is, successfully cross-infect Word 97 and Excel 97 applications and OLE files. Shiver is a nondestructive virus that displays multiple dialog boxes containing the words Shiver (DDE) by ALT-F-11.
Cross, which is also nondestructive, attempts to cross-infect Word 97 and Access 97 applications and OLE files. If Cross first infects Word, then Cross can successfully spread to Access. If Cross first infects Access, however, then Cross cannot infect Word.
Teocatal attempts to infect both Word 97 and Excel 97 applications and OLE files. Although a bug in Teocatal prevents it from successfully cross-infecting, Teocatal exists as both a Word 97 and an Excel 97 macro virus. If the Word version of Teocatal is active on the 26th day of any month, Teocatal first displays a dialog box containing lyrics from the Doors' song "Strange Days" and then deletes all files in the current directory.
Although cross-application viruses are uncommon now, they may become the most prevalent viruses in the future. However, the future of macro viruses is not limited to cross-application viruses. Macro viruses are also capable of virtual evolution.
For example, each new version of Word and Excel has the capability to convert older version OLE files to the current version. When an OLE file is converted, the macros in that file's macro stream are also converted--even if the macro is a virus.
This conversion process often changes the virus code so that the macro virus can run in the new version of the application. In other words, the macro virus evolves to survive in its current environment, ensuring a sort of virtual survival of the species.
IT'S TWO! TWO! TWO VIRUSES IN ONE!
As mentioned earlier, macro viruses can be one part of a multipartite virus--a type of virus that is composed of two separate viruses. For example, Anarchy.6093 is a combination of a macro virus and a file virus. However, this virus is unusual because multipartite viruses are rarely part macro virus. In fact, multipartite viruses themselves are relatively rare in the world of computer viruses, accounting for less than one percent of the viruses reported. (See Figure 1.)
The vast majority of the few multipartite viruses that exist are a combination of a file virus and a boot sector virus. Because multipartite viruses are a combination of two types of viruses, they can typically infect computers and networks in two ways.
For example, suppose you booted a computer from a floppy diskette infected with a multipartite virus that was composed of a file virus and a boot sector virus. Depending on the type of operating system running on the computer, the computer's master boot record would probably become infected. The results of this infection would depend upon the type of multipartite virus you had encountered. If the computer's master boot record became infected, the multipartite virus would infect any floppy diskette you accessed (assuming the diskette was not write-protected), just as an ordinary boot sector virus would do. For example, the multipartite virus would infect any unprotected diskette you accessed with a DIR command.
Unlike a typical boot sector virus, however, the multipartite virus contains a file virus, which would also try to infect executable files, such as COM, EXE, or PE files. The multipartite virus could then spread throughout your network via these executable files, regardless of whether or not any of the other computers on the network were booted from an infected floppy diskette.
In fact, whether or not the boot sector code of the multipartite virus succeeded in infecting the computer, under certain circumstances, the file virus code could load itself into the computer's memory. The multipartite virus could then begin to infect executable files as well as watch for unprotected floppy diskettes.
Despite the small number of multipartite viruses, some of them have been remarkably successful at propagating in the wild. For example, Ripper, a multipartite virus composed of a file virus and a boot sector virus, is listed among the most prevalent viruses in the ICSA Computer Virus Prevalence Survey for 1998. According to the CIAC's virus database, Ripper will reformat a computer's hard drive the 16th time you reboot from an infected master boot record. However, other virus databases report a one in 1,024 probability that Ripper will corrupt any file you write to. (For a more in-depth description of Ripper, see "The ICSA's Most Gotten (1998)" on the NetWare Connection web site at http://www.nwconnection.com.)
To make matters worse, the creators of multipartite viruses can add code that allows these two-headed viruses to morph into slightly different multipartite viruses each time they run. For example, one line of meaningless code might be added each time a particular multipartite virus infected a new file. The resulting multipartite virus would behave as the original virus did but would look different: This multipartite virus would also be a polymorphic virus.
SHAPE-SHIFTERS OF THE VIRUS WORLD
Any type of virus can be a polymorphic virus--a type of virus that changes its signature each time it is executed. Like your own signature, a virus signature has a shape that is defined by the number, kind, and arrangement of the characters (or code) it contains. Antivirus vendors typically design their scanning engines to recognize virus signatures.
By shape-shifting, polymorphic viruses try to avoid being detected by a scanning engine. For example, suppose a Word macro virus had a virus signature that consisted of the following VisualBasic code: "Copy virus to NORMAL.DOT." Antivirus vendors might design their scanning engine to recognize this code as the virus signature.
If the macro virus was a polymorphic virus, however, the second generation of the virus would have an altered signature, such as "Set font to Times Roman. Copy virus code to NORMAL.DOT." Then the third generation of the virus signature might consist of the following: "Set font size to 12. Set font to Times Roman. Copy virus code to NORMAL.DOT." The virus code could continue to morph with each generation of the virus.
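The generations described above, run through a checksum-style signature scanner, as an added example that is not code from the article: a whole-body checksum keyed on the first generation misses the later ones, while normalising the macro (dropping the inserted formatting statements) before hashing recovers the match. The three macro texts are the article's own pseudo-code embedded as constructed samples; the statement syntax and the "noise" rule are assumptions for the illustration, not Word's real macro format.

```python
"""Added example (not code from the article): whole-body checksum signature
versus a normalised checksum against the article's hypothetical morphing macro."""
import hashlib
import re

# Constructed samples: the article's generations of the hypothetical macro virus.
GENERATIONS = {
    1: "Copy virus code to NORMAL.DOT.",
    2: "Set font to Times Roman. Copy virus code to NORMAL.DOT.",
    3: "Set font size to 12. Set font to Times Roman. Copy virus code to NORMAL.DOT.",
}

# Assumed rule: statements that only change presentation and do not alter what
# the macro does; the article's morphing inserts exactly these.
NOISE = re.compile(r"^set font\b", re.IGNORECASE)


def split_statements(macro_text: str) -> list:
    """Split the pseudo-code body into its '.'-terminated statements.

    A '.' only ends a statement when followed by whitespace or end of text,
    so the dot inside NORMAL.DOT is left alone."""
    return [s.strip() for s in re.split(r"\.(?:\s+|$)", macro_text) if s.strip()]


def normalise(macro_text: str) -> str:
    """Drop presentation-only statements and canonicalise case and spacing."""
    kept = [s.lower() for s in split_statements(macro_text) if not NOISE.search(s)]
    return ". ".join(kept) + "."


def body_checksum(macro_text: str) -> str:
    """Checksum of a macro body: one way a scanner can identify a known macro."""
    return hashlib.sha256(macro_text.encode()).hexdigest()


def exact_scan(macro_text: str, known: set) -> bool:
    """Match on the checksum of the macro exactly as stored in the file."""
    return body_checksum(macro_text) in known


def normalised_scan(macro_text: str, known: set) -> bool:
    """Match on the checksum of the normalised macro body."""
    return body_checksum(normalise(macro_text)) in known


def build_signatures(sample: str) -> tuple:
    """Derive both signature kinds from the first generation seen in the wild."""
    return {body_checksum(sample)}, {body_checksum(normalise(sample))}


def scan_report(generations: dict = GENERATIONS) -> dict:
    """For each generation, report (exact hit, normalised hit)."""
    exact_db, norm_db = build_signatures(generations[1])
    return {g: (exact_scan(t, exact_db), normalised_scan(t, norm_db))
            for g, t in generations.items()}


if __name__ == "__main__":
    for gen, (exact, norm) in scan_report().items():
        print(f"generation {gen}: exact={exact} normalised={norm}")
```

Only generation 1 hits the exact signature; all three hit the normalised one, which is the gap a heuristic or normalising scanner is meant to close.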
Polymorphic viruses have other ways to change their signature to avoid detection. For example, polymorphic viruses, such as the W.95.Marburg virus, change their signatures by encrypting random sections of their virus code. (The W.95.Marburg virus infects Windows portable executable files and then deletes certain antivirus system files.) Each time such polymorphic viruses are run, different sections of their code are encrypted using a different encryption key.
THE VIRUS WORLD ACCORDING TO NETWARE
Viruses are not the only thing that has changed in the last six years; NetWare has also changed. The recent release of NetWare 5, for example, included a number of enhancements such as NetWare support for a pure IP environment. You may be wondering if NetWare 5 is still resistant to boot sector viruses.
NetWare Nature
Fortunately, the NetWare 5 architecture is as resistant to boot sector viruses as previous versions of NetWare are. According to Stan Field, a senior support technician for the antivirus software company Command Software Systems Inc., if a NetWare server were booted from an infected floppy diskette, the boot sector virus would affect the server in one of the following ways:
The boot sector would be damaged enough that NetWare could not load. In this case, you would know a problem existed and would take care of it.
The system would boot, the virus would load, and then NetWare would take over. In this scenario, NetWare would effectively quarantine the virus. Boot sector viruses are designed to replicate or function in a DOS-like environment. In NetWare, DOS and the boot sector reside in a separate partition. Once NetWare is booted, it forgets about the DOS partition. Because the boot sector virus would be "locked" away in the DOS partition, this virus could not infect floppy drives. Since you will, of course, be running antivirus software, that software should then detect the virus in the DOS partition.
Since boot sector viruses account for about 17 percent of viral infections in the wild, NetWare's resistance to these viruses increases your chances of warding off a virus attack. (See Figure 1.)
The success of file viruses in an unprotected NetWare network depends on both the virus and the means by which it is introduced to the NetWare server. Of course, this is true of file viruses that infect other operating systems as well.
Since NetWare servers are typically the repositories for shared applications as well as data files and other services, file viruses that are specific to other operating systems can spread to workstations on the network via an infected NetWare server. For example, the much-publicized Win95/CIH virus affects Windows 95 portable executable files. However, if a server were the repository for shared applications that contained these portable executable files (as Word does), the files on this server could become infected.
Although the Win95/CIH virus affects a fairly small number of computers, this virus has received attention recently because it can cause serious damage. Under certain circumstances, the Win95/CIH virus can not only overwrite a megabyte of the hard drive on an infected Windows 95 workstation but can also successfully attack the workstation's BIOS. If the portable executable files on a server became infected with the Win95/CIH virus, each workstation that shared these infected files through a server application would also become infected. If any of these infected workstations were running Windows 95, the Win95/CIH virus could overwrite the workstation's hard drive or even attack its BIOS.
Even if a file virus that attacks a specific operating system could not damage the NetWare server itself, the file virus could, via shared applications, infect all the workstations on the network that run that operating system. And because most multipartite viruses are partly file viruses, multipartite viruses that attack a specific operating system could also infect workstations via shared applications.
Macro viruses can infect applications and files regardless of the type of network or desktop operating system they encounter. Although NetWare is "actually a good platform for avoiding viruses" in general, affirms Narender Mangalam, an antivirus researcher for Computer Associates Intl. Inc., NetWare is not immune to macro viruses--no operating system is.
A macro virus can spread through an entire network regardless of whether or not shared applications are stored on servers. How? Macro viruses sneak onto a server via an infected file. For example, if a user copied a data file that had been infected with a macro virus onto a NetWare server and other users opened that shared file, the macro virus would spread from workstation to workstation, infecting application files and OLE files until the entire network was affected.
Mangalam points out the obvious dangers: "People use NetWare servers to store files, and files are very susceptible to macro viruses." If users copy data files onto a NetWare server and share these files through that server, a macro virus can spread throughout an unprotected network. (See "The Life and Times of A. Macro.")
NetWare Nurture
You can improve NetWare's native resistance to viruses by flagging executable files as Read-Only. (If you are running NetWare 3.11, you will also need to revoke users' Modify right to these files.) You can also flag DOS-executable files as Execute-Only. (If you flag Windows NT, Windows 98, or Windows 95 executable files as Execute-Only, Windows will be unable to run the files.) Either of these actions prevents file and multipartite viruses from writing their code to executable files, effectively disabling these viruses. (See "File Attribute Protection in NetWare.")
You can also set attributes on Word's NORMAL.DOT file to help prevent the spread of macro viruses that target Word. If users are accessing Word via a shared application running on your NetWare server, you can use the NetWare Administrator (NWADMIN) utility to flag NORMAL.DOT as Read-Only, just as you could flag any other file. If Word is running on a user's Windows 95 workstation, that user can set NORMAL.DOT's attributes to Read-Only by clicking Properties on the pull-down menu under File. Likewise, you can set file attributes on Excel's PERSONAL.XLS in XLSTART to Read-Only in order to help prevent the spread of macro viruses that target Excel.
Unfortunately, not all macro viruses use these files to propagate. For example, some macro viruses infect OLE files directly, such as those that target the files in an application's Most Recently Used list. In addition, setting attributes on Word and Excel files might prohibit users from writing macros (or customizing existing macros) that could help them do their jobs more easily and more efficiently.
Even if you set file attributes for the NORMAL.DOT and PERSONAL.XLS files, users could still copy infected files onto the server and other users could retrieve these files. So how can you protect your company's network against macro viruses?
AN OUNCE OF PREVENTION
Taking the following steps can help protect your company's network from computer viruses:
Virus Education
An Antivirus Policy
Antivirus Software
Your first line of defense against any type of virus is education. Both you and your company's users should know which viruses are in the wild and how these viruses can infect a network. You should then use this information to create or update your company's antivirus policy. The ICSA Computer Virus Prevalence Survey for 1998 cited several reasons for an increase in macro viruses, including a company's failure to update antivirus policies to include macro viruses.
The procedures you outline in your company's antivirus policy must be simple to remember and follow. Otherwise, users will probably not follow these procedures.
You should ensure that your company's antivirus policy requires users to notify you immediately if they suspect they have encountered a computer virus. If the current antivirus policy requires users to check all incoming floppy diskettes for viruses, you might amend that rule to include all incoming files. If this rule were too cumbersome, you could require Word 97 users to check for viruses on all files that cause this application's pop-up warning box to appear.
Assuming that you have installed virus-scanning software on your network, your next line of defense should be to make sure that your virus-scanning software can find and clean the viruses that are most likely to infect a network today. If your company's virus-scanning software is outdated, you will obviously have difficulty detecting new viruses. (For more information about protecting your network with antivirus software, see "Protecting the Network From Virus Attacks," NetWare Connection, Oct. 1998, pp. 38-41. You can download this article from http://www.nwconnection.com/oct.98/techsp08.)
Many antivirus software vendors now provide product suites, which can identify viruses in more than one way and can work at several network levels. For example, one product in a suite might be an on-access scanner, which stays resident in a computer's memory and automatically scans all documents that come in to that computer. You could set up the on-access scanner to run on an Internet gateway and scan all incoming packets from the Internet, including e-mail attachments.
Another product in a suite might be a heuristic scanner which scans all of the files on a NetWare server at scheduled intervals. A heuristic scanner is a program that is designed to find polymorphic viruses by looking for virus activity (such as file growth or changes to file structure) rather than for virus signatures.
Another product in the suite might be an on-demand scanner. Users can load this scanner on their workstations to check incoming diskettes and files. (As the name implies, an on-demand scanner runs only when the user loads it.)
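The scheduled server scan described above, as an added example that is not code from the article or from any vendor's product: a baseline of file sizes and hashes is taken, the share is rescanned, and executables that grew are reported separately from ordinary modified files, since growth of a shared executable is the classic sign of a file virus that no signature would catch. The share, its file names and the appended bytes are all constructed in a temporary directory; the executable suffixes are an assumption for the illustration.

```python
"""Added example (not from the article): baseline-and-rescan integrity check of
the kind a scheduled heuristic scanner performs on a file server."""
import hashlib
import os
import tempfile

# Assumed: suffixes treated as executables for the growth check.
EXECUTABLE_SUFFIXES = (".exe", ".com", ".dll")


def snapshot(root: str) -> dict:
    """Record (size, SHA-256) of every file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            baseline[rel] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def compare(baseline: dict, current: dict) -> list:
    """Return sorted (path, finding) pairs for anything that differs from the baseline."""
    findings = []
    for rel, (size, digest) in current.items():
        if rel not in baseline:
            findings.append((rel, "new file"))
            continue
        old_size, old_digest = baseline[rel]
        if digest == old_digest:
            continue
        is_exec = rel.lower().endswith(EXECUTABLE_SUFFIXES)
        if is_exec and size > old_size:
            # A shared executable that grew is the file-virus pattern the
            # article's heuristic scanner looks for.
            findings.append((rel, f"executable grew by {size - old_size} bytes"))
        elif is_exec:
            findings.append((rel, "executable modified"))
        else:
            findings.append((rel, "modified"))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, "missing"))
    return sorted(findings)


def demo() -> list:
    """Build a constructed share, take a baseline, alter two files, rescan."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "APPS"))
        files = {  # constructed stubs; the "MZ" header only mimics an executable
            ("APPS", "WINWORD.EXE"): b"MZ" + b"\x00" * 64,
            ("APPS", "EXCEL.EXE"): b"MZ" + b"\x00" * 64,
            ("REPORT.DOC",): b"quarterly numbers",
        }
        for parts, data in files.items():
            with open(os.path.join(root, *parts), "wb") as fh:
                fh.write(data)
        baseline = snapshot(root)
        # Constructed change 1: 32 bytes appended to a shared executable,
        # the growth a file infector causes.
        with open(os.path.join(root, "APPS", "WINWORD.EXE"), "ab") as fh:
            fh.write(b"\x90" * 32)
        # Constructed change 2: a legitimate edit to a document.
        with open(os.path.join(root, "REPORT.DOC"), "wb") as fh:
            fh.write(b"quarterly numbers, revised")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{path}: {finding}")
```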
In addition to providing generic antivirus suites that run on a variety of operating systems, several vendors provide products that are designed to work specifically in NetWare environments. (For more information about antivirus software, see "Flu Shots for Your Network" and "Product Focus." You can also see Secure Computing's "Anti-Virus Review 1998" at www.westcoast.com/securecomputing/1998_01/buyers/buyers.html.)
AAACHOO! WHAT TO DO
Just as getting a yearly flu shot decreases your chances of getting the flu but doesn't guarantee you won't get it, the best antivirus policies and antivirus software cannot guarantee you won't get a computer virus. If you think you've encountered a virus that your antivirus software failed to catch and clean, call the technical help staff for your antivirus software vendor. Many vendors update their software hourly, and a technician can help you download the latest scanning software. The technician can even help you clean one workstation, log in to the server from that disinfected workstation, clean the server, and then clean the remaining workstations on your network.
If the technician can't help you find and clean the suspected virus, he or she will ask you to send the virus to your vendor. To send the virus, you should double-zip the file that you think is infected and attach that file to an e-mail message addressed to the vendor's antivirus laboratory. If you have a virus that the scanning software failed to recognize and clean, many vendors can analyze the virus and develop software within 48 hours to help you clean that particular virus. (For more information about cleaning viruses, visit the U.S. Department of Energy's CIAC web site at http://ciac.llnl.gov/ciac/CIACVirusDatabase.html.)
CONCLUSION
Given that there are more viruses in the wild than ever before, and (perhaps consequently) that there are more encounters with viruses than ever before, you could easily become a virtual hypochondriac. However, becoming a virtual hypochondriac would be as costly and potentially destructive as becoming an actual hypochondriac.
On the other hand, the costs of a potential virus infection are too great to ignore. The ICSA Computer Virus Prevalence Survey for 1998 reported that companies affected by virus encounters suffered loss of data, loss of server uptime, loss of worker productivity and morale, and loss of money. The average cost per virus encounter was reported to be U.S. $2,454.
How much protection is enough? What Dr. Stang had to say on the subject in 1993 is unfortunately still true today: "The nature and magnitude of virus risk to NetWare networks are something on which opinions seem to differ, as is the best means of defending a network." In other words, no one has an easy answer to the how-much-is-enough question. Only you can decide for your company.
Cheryl Walton works for Niche Associates, an agency that specializes in editing and writing technical documents.
The ICSA's Ten Most Gotten (1998)
NAME | CONCEPT | BEHAVIOR
WM/Concept (AKA Concept, WM.Concept.A, WinWord.Concept, and Word Prank) | Macro | WM/Concept was the first known virus to infect a data file. Infection occurs when a user opens an infected Microsoft Word file in Word '97, 7.x, or 6.x. When an infected file is opened, the virus attaches to the AutoOpen macro and looks for either a FILESAVEAS or a PAYLOAD macro. If either of these macros is present, the virus does not continue with the infection process. If neither the FILESAVEAS nor the PAYLOAD macro is present, the virus displays a box containing the number one and an OK button. When the user clicks the OK button, the virus gains control. WM/Concept replaces the SaveAs command in the pull-down box under File with a command that saves data files as templates, allowing the virus to save its code to every file the virus accesses thereafter. The virus also replaces the AutoOpen macro with its own macro (AAAZAO) and writes macros AAAZFS, AAAZAO, and PAYLOAD to a new macro file. The PAYLOAD macro contains the words: "That's enough to prove my point."
WM/Wazzu (AKA Wazzu and WM.Wazzu.1) | Macro | WM/Wazzu is a Word 7.x and 6.x virus that corrupts data files. Infection occurs when a file is opened. Once the file is infected, there is a 20 percent chance that three randomly selected words within the file will be moved from their original location and inserted elsewhere. There is a 20 percent chance that the word wazzu will be inserted into the file in a random position. This virus propagates by first copying its macro code (AutoOpen) in an unencrypted form into the NORMAL.DOT file and, thereafter, by infecting uninfected files when they are opened.
WM/CAP (AKA WM.CAP.A) | Macro | WM/CAP is a Word 7.x and 6.x virus that interferes with the application's ability to run normally. The virus code runs when an infected file is opened. The virus first deletes all of the macros in the NORMAL.DOT file and then replaces these macros with its own macros: AutoClose, AutoOpen, AutoExec, CAP, FileClose, FileOpen, FileSave, FileSaveAs, FileTemplates, and ToolsMacro. All of these macros are encrypted using the Word execute-only feature except ToolsMacro. ToolsMacro is a procedural shell and is not encrypted. Using the ToolsMacro command executes the virus code.
XM/Laroux (AKA LAROUX) | Macro | XM/Laroux infects Microsoft Excel 7 and 5 spreadsheets and the PERSONAL.XLS file in the XLSTART directory of Excel. XM/Laroux is a nondestructive virus and has no payload. If the PERSONAL.XLS file does not exist, XM/Laroux will create one. The virus then installs the following macros in order to propagate: Auto_Open and Check_Files. This virus also creates a hidden worksheet named laroux. XM/Laroux runs successfully on Windows NT, 95, and 3.1x platforms. On Macintosh platforms, the virus displays the "Path not found" error.
Stealth B or C (AKA: STB, AMSES, and Stelboo) | Boot Sector | Stealth infects a computer's master boot record when the computer is booted from an infected floppy diskette. The next time the infected computer is booted, the virus becomes memory resident and infects accessed floppy diskettes. The virus is six sectors in length and uses 4 KB of memory. Stealth infects 360 KB and 1.2 MB floppy diskettes by formatting an extra track and writing its code in the first five sectors, followed by the misplaced original boot sector. Stealth infects 720 KB and 1.44 MB floppy diskettes by marking the last cluster, head 1, as bad and writing its code there. On the computer's hard drive, Stealth writes itself to track 0, head 0, sectors 2 through 7. True to its name, Stealth hides its code by returning an image of the original boot sector and, on the hard drive only, returning nulls on the other six sectors. This virus does no intended damage but inadvertently causes problems with some memory managers and interferes with the operation of Windows. If you start Windows with Stealth resident, you will be returned to the DOS prompt.
NYB (AKA B1, Stoned.I, and New York Boot) | Boot Sector | NYB first infects the master boot record when a computer is booted from an infected floppy diskette. The next time the infected computer is booted, the virus becomes memory resident and infects accessed floppy diskettes. On hard drives, NYB copies the original boot sector to track 0, head 0, sector 17. On floppy diskettes, NYB copies the original boot sector to the last sector of the root directory. This virus allocates 1 KB of DOS-based memory and returns an image of the original boot sector to conceal itself. Each time a floppy diskette is accessed, there is a 1 in 512 chance that NYB will send the floppy head from track 0, sector 0 to track 255, sector 62. Under the right circumstances, this action could damage the floppy diskette drive. If a user writes to an infected hard drive just after midnight, the virus crashes the computer.
Form (AKA Form Boot, FORM Virus, and Forms) | Boot Sector | Form infects floppy diskettes and hard drive boot sectors but not the master boot record. Since Form overwrites the boot record on the first logical drive (C:), this virus occasionally makes booting difficult. Form can also randomly destroy files and corrupt data on floppy diskettes. Either Form marks a cluster of sectors as bad and overwrites that cluster with the part of the virus code that would not fit in the boot sector, or Form finds leftover sectors at the end of the drive that are not part of a cluster and hides there. In memory, Form terminates and stays resident (TSR) above the top sector of the computer's memory, moving down the top of memory by 2 KB. The most common symptom of Form is the clicking noise speakers emit on the 18th or 24th day of any month and the following message (written in the boot sector): "The FORM-Virus sends greetings to everyone who's read this text."
AntiCMOS (AKA AntiCMOS.B, Lenart, Anti CMOS, xibin, AntCMos, LiXi, and Anticmos) | Boot Sector | AntiCMOS infects floppy diskettes and the partition table of the master boot record on the computer's hard drive. The virus becomes resident at the top sector of the computer's memory when the computer is booted from an infected hard drive. The virus then infects accessed floppy diskettes. AntiCMOS's intent is to erase the Complementary Metal Oxide Semiconductor (CMOS) or setup information. This virus also unintentionally "hangs" the computer because of the changes the virus makes to the master boot record. This virus moves the top of memory down by 2,048 bytes.
WM/Npad (AKA WM.Npad.A, Npad, and Jakarta) | Boot Sector | WM/Npad is a Word virus that adds one macro, AutoOpen, to data files and the NORMAL.DOT file. This virus adds a variable, Npad328, to the Windows WIN.INI file. The variable is a counter that produces the following message, which bounces from side to side on the status bar at the bottom of the Word screen the 23rd time the virus is activated: "DOEUNPAD94, v. 2.21, (c)Maret 1996, Bandung, Indonesia."
AntiEXE (AKA Anti EXE, AntiEXE.A, D3, NewBug, CMOS4, Antiexe.d, and Antiexe.c) | Boot Sector | When the computer is booted from an infected floppy diskette, AntiEXE infects floppy diskettes and the partition table of the master boot record on the computer's hard drive. Upon infection, the virus becomes memory resident, decreasing available memory by 1,024 bytes. The virus then infects any accessed floppy diskettes. When infecting the partition table on the hard disk, the virus moves the original partition table to cylinder 1:0, side 0, sector 15. The virus conceals itself by returning an image of the original partition table. There is a 3 in 256 chance that this virus will activate its payload each time a read call is made. The payload targets EXE files that are 200,768 bytes long (the length of a specific Russian antivirus program), and corrupts these files. This virus infects diskettes on both A and B drives, potentially corrupting files.
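The boot sector rows above all describe the same trick: the virus overwrites the master boot record, parks the original sector somewhere else on the disk (track 0, head 0, sector 17 for NYB; sectors 2 through 7 for Stealth), and hands back an image of the original whenever something reads sector 0 through the infected system. A copy of the MBR recorded while the machine was known clean, compared against a read taken from a clean boot diskette or from a raw disk image, defeats that concealment. The following Python checker is an added example, not code from the article or from any vendor's product: it parses the 512-byte MBR, reports structural oddities, diffs the live sector against a baseline, and searches a raw image for the relocated original. The MBR bytes, partition table values and the 32-sector disk image are all constructed for the example.

```python
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446        # 446 bytes of boot code, then four 16-byte partition entries
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = 0xAA55   # stored little-endian, so the last two bytes read 55 AA


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte master boot record into boot code, partition entries and signature."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _, ptype, _, lba_start, count = struct.unpack_from(
            "<B3sB3sII", sector, TABLE_OFFSET + 16 * i)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    signature = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)[0]
    return {"code": sector[:TABLE_OFFSET], "partitions": partitions, "signature": signature}


def sanity_findings(sector: bytes) -> list:
    """Structural problems that an intact MBR never shows."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0xAA55")
    if sum(p["status"] == 0x80 for p in mbr["partitions"]) > 1:
        findings.append("more than one partition is marked active")
    for i, p in enumerate(mbr["partitions"]):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02X}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {i}: has a type but zero length")
    return findings


def mbr_digest(sector: bytes) -> str:
    """SHA-256 of the whole sector: the value worth recording while the machine is known clean."""
    return hashlib.sha256(sector).hexdigest()


def baseline_findings(sector: bytes, baseline: bytes) -> list:
    """Compare the live MBR with the copy recorded while the machine was known clean."""
    findings = []
    if sector[:TABLE_OFFSET] != baseline[:TABLE_OFFSET]:
        findings.append("boot code differs from baseline")
    if sector[TABLE_OFFSET:SIGNATURE_OFFSET] != baseline[TABLE_OFFSET:SIGNATURE_OFFSET]:
        findings.append("partition table differs from baseline")
    return findings


def find_relocated_copies(image: bytes, baseline: bytes) -> list:
    """0-based sector indexes at which the baseline MBR appears in a raw disk image.
    A virus that parks the original boot sector elsewhere leaves an exact copy behind."""
    return [off // SECTOR for off in range(0, len(image), SECTOR)
            if image[off:off + SECTOR] == baseline]


def make_sample_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Constructed sample MBR for this example; not taken from any real disk."""
    table = b"".join(struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba, n)
                     for status, ptype, lba, n in partitions)
    return (boot_code.ljust(TABLE_OFFSET, b"\x00") + table.ljust(64, b"\x00")
            + struct.pack("<H", BOOT_SIGNATURE))


# One active 100 MB FAT16 partition starting at sector 63 (constructed values).
PARTITIONS = [(0x80, 0x06, 63, 204800)]
CLEAN_MBR = make_sample_mbr(b"\xEB\xFE", PARTITIONS)
# Same partition table, different boot code: what the baseline comparison is meant to catch.
ALTERED_MBR = make_sample_mbr(b"\x90" * 64, PARTITIONS)
# Raw 32-sector image: altered MBR in sector 0, original parked in sector 16
# (track 0, head 0, sector 17 in the 1-based CHS numbering the table above uses).
DISK_IMAGE = ALTERED_MBR + bytes(SECTOR * 15) + CLEAN_MBR + bytes(SECTOR * 15)

if __name__ == "__main__":
    print("baseline digest:", mbr_digest(CLEAN_MBR))
    print("sanity:", sanity_findings(ALTERED_MBR))
    print("baseline:", baseline_findings(ALTERED_MBR, CLEAN_MBR))
    print("relocated copies at sectors:", find_relocated_copies(DISK_IMAGE, CLEAN_MBR))
```

The sanity checks alone are weak evidence, because a virus that keeps the partition table intact (as the rows above describe) passes them; the baseline comparison and the search for a relocated copy are what actually expose the substitution, which is why the digest of a clean MBR belongs in the build record of every machine.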
The Life and Times of A. Macro
Most--but not all--macro viruses that target Microsoft Word use similar methods to propagate themselves in the wild. The following example explains one common method of infection. Although not every macro virus uses this method of infecting files, this example will help you understand macro viruses in general and help you prevent infection by these viruses.
A typical macro virus infection starts when you receive a Word file as an e-mail attachment from a coworker. You save this attached file on your workstation's hard drive. For example, the file might be called TARGET.RTF. When you run Word and open the TARGET.RTF file, you see exactly what you expect to see: a typical Word document.
What you don't see is that the text is really a data stream embedded in an Object Linking and Embedding (OLE) file. This OLE file contains many streams, among them a stream composed of WordBasic command sequences called macros. One of these macros, called A. Macro, contains a series of commands that someone has written to propagate A. Macro, which is a macro virus.
Furthermore, when you clicked the TARGET.RTF file to open it, you activated a Word macro in the TARGET.RTF file's OLE macro stream called AutoOpen. However, the version of AutoOpen embedded in the TARGET.RTF file's macro stream is not Word's version. The AutoOpen macro in the TARGET.RTF file has been altered to include A. Macro's virus code, and A. Macro is now alive and running.
A. Macro first checks the NORMAL.DOT file, Word's global template. Since the NORMAL.DOT file loads automatically each time you run Word, this file is prime real estate for A. Macro's progeny--unless one of A. Macro's family members has already taken up residence in the NORMAL.DOT file. To make sure the NORMAL.DOT file is not yet infected, A. Macro looks for a macro called FILESAVEAS. When infecting Word, A. Macro creates FILESAVEAS in the NORMAL.DOT file.
If A. Macro finds FILESAVEAS in the NORMAL.DOT file, A. Macro does nothing. In such a case, A. Macro remains where it is until you finish working and close the TARGET.RTF file. A. Macro then snuggles back into its home, which is the OLE file in your document, and waits for you to send the TARGET.RTF file to another coworker whose computer is not yet infected.
However, in this specific instance, A. Macro does not find FILESAVEAS. Fortunately, A. Macro is a well-behaved, nondestructive virus. If it does not find FILESAVEAS, A. Macro displays a little greeting, a box with an oblique message that may appear to be a slight glitch in Word. The box then disappears, never to be seen again, and you go on modifying the TARGET.RTF file.
In the meantime, A. Macro makes a clone of itself, called A.' Macro, which takes up residence in the NORMAL.DOT file as FILESAVEAS. When you finish modifying the TARGET.RTF file and close it, A. Macro returns to the macro stream of the OLE file. You then save the TARGET.RTF file to your company's server, where A. Macro waits until another user opens the TARGET.RTF file.
If another user opens the TARGET.RTF file, he or she will release A. Macro again, and A. Macro will look for another opportunity to procreate. Whether or not A. Macro propagates, A. Macro returns to the OLE file whenever the TARGET.RTF file is saved.
Meanwhile you open another file, and since A.' Macro never sleeps when Word is running, A.' Macro watches each file you open, checks for any relatives in these files, and deposits a clone in the macro stream of every uninfected file. A.' Macro is vigilant even when most of the files you open are already infected.
If your files have been infected, you will notice that each time you attempt to save a document using the pull-down menu under File, Word displays the "Microsoft Office--Save As" box. Eventually, of course, you recognize that Word is not behaving correctly and decide to run antivirus software on your workstation. This antivirus software spots A.' Macro and deletes it from the NORMAL.DOT file.
That's life if you're a virus. But since A.' Macro, like A. Macro, has progeny who have probably gone on to far-off networks, A.' Macro lives on.
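The story above turns on two structural facts: a Word file is an OLE compound file made up of named streams, and the macros sit in one of them. An administrator can check for that structure without opening the file in Word. The following Python example is added here and is not code from the article; using only the standard library, it walks the directory of a compound file, lists every storage and stream by name, and flags the names an Office 97-style VBA project uses ("Macros", "VBA", "_VBA_PROJECT"). That indicator list is an assumption of the example (it covers VBA projects, not the WordBasic storage used by Word 6 and 7), the sample documents are constructed inline, and the reader consults only the 109 FAT pointers in the file header, so very large files are out of scope.

```python
import struct

# Constants from the compound file binary format (MS-CFB) that Word .doc files use.
CFB_SIGNATURE = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
FREESECT, ENDOFCHAIN, FATSECT, NOSTREAM = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF
STORAGE, STREAM, ROOT = 1, 2, 5
# Storage and stream names of an Office 97-style VBA project (assumed indicator list).
MACRO_MARKERS = {"Macros", "VBA", "_VBA_PROJECT"}


def list_entries(data: bytes) -> list:
    """Walk the directory chain and return (name, type, size) for every allocated entry.
    Only the 109 FAT pointers in the header are used, so files that need DIFAT sectors
    (roughly 7 MB and up at 512-byte sectors) are out of scope."""
    if data[:8] != CFB_SIGNATURE:
        raise ValueError("not an OLE compound file")
    sector_shift = struct.unpack_from("<H", data, 30)[0]
    sector_size = 1 << sector_shift
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    fat = []
    for fat_sector in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack_from(f"<{sector_size // 4}I", data, (fat_sector + 1) << sector_shift))
    entries, sector, seen = [], first_dir, set()
    while sector <= 0xFFFFFFFA:                     # ENDOFCHAIN and the other sentinels end the walk
        if sector in seen or sector >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sector)
        base = (sector + 1) << sector_shift         # sector n starts at (n + 1) * sector_size
        for i in range(sector_size // 128):
            entry = data[base + 128 * i: base + 128 * (i + 1)]
            name_len, obj_type = struct.unpack_from("<HB", entry, 64)
            if obj_type == 0:                       # unused slot
                continue
            name = entry[:max(name_len - 2, 0)].decode("utf-16-le")   # drop the NUL terminator
            entries.append((name, obj_type, struct.unpack_from("<Q", entry, 120)[0]))
        sector = fat[sector]
    return entries


def macro_indicators(data: bytes) -> list:
    """Sorted names of storages and streams that show the document carries a VBA project."""
    return sorted(name for name, _, _ in list_entries(data) if name in MACRO_MARKERS)


def _dir_entry(name, obj_type, child, right, start, size) -> bytes:
    """One 128-byte directory entry (used only to build the constructed samples)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    entry = bytearray(128)
    entry[:len(raw)] = raw
    struct.pack_into("<HBBIII", entry, 64, len(raw), obj_type, 1, NOSTREAM, right, child)
    struct.pack_into("<IQ", entry, 116, start, size)
    return bytes(entry)


def build_sample_doc(entries: list) -> bytes:
    """Constructed sample: a minimal v3 compound file holding the given (name, type) entries.
    Each stream gets a 4096-byte filler body, the mini-stream cutoff, so it legitimately
    lives in regular sectors and no mini FAT is needed."""
    n_dir = -(-(len(entries) + 1) * 128 // 512)                    # directory sectors (ceil)
    fat = [FATSECT] + list(range(2, n_dir + 1)) + [ENDOFCHAIN]     # sector 0 = FAT, 1..n_dir = directory
    bodies, dir_entries = [], []
    for i, (name, obj_type) in enumerate(entries):
        start, size = ENDOFCHAIN, 0
        if obj_type == STREAM:
            body = f"filler for {name}".encode().ljust(4096, b"\x00")
            start, size = len(fat), len(body)
            fat += list(range(start + 1, start + 8)) + [ENDOFCHAIN]   # eight chained sectors
            bodies.append(body)
        right = i + 2 if i + 1 < len(entries) else NOSTREAM
        dir_entries.append(_dir_entry(name, obj_type, NOSTREAM, right, start, size))
    root = _dir_entry("Root Entry", ROOT, 1 if entries else NOSTREAM, NOSTREAM, ENDOFCHAIN, 0)
    directory = b"".join([root] + dir_entries).ljust(n_dir * 512, b"\x00")
    fat_sector = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    header = bytearray(512)
    header[:8] = CFB_SIGNATURE
    struct.pack_into("<5H", header, 24, 0x3E, 3, 0xFFFE, 9, 6)      # versions, byte order, sector shifts
    struct.pack_into("<6I", header, 40, 0, 1, 1, 0, 4096, ENDOFCHAIN)  # 1 FAT sector, directory at sector 1
    struct.pack_into("<3I", header, 64, 0, ENDOFCHAIN, 0)           # no mini FAT, no DIFAT sectors
    struct.pack_into("<109I", header, 76, 0, *[FREESECT] * 108)    # header DIFAT: FAT lives in sector 0
    return bytes(header) + fat_sector + directory + b"".join(bodies)


# Constructed samples: the entries a macro-carrying Word 97 file shows, and a clean document.
MACRO_DOC = build_sample_doc([("WordDocument", STREAM), ("Macros", STORAGE), ("VBA", STORAGE),
                              ("_VBA_PROJECT", STREAM), ("dir", STREAM)])
CLEAN_DOC = build_sample_doc([("WordDocument", STREAM), ("1Table", STREAM)])

if __name__ == "__main__":
    for label, doc in (("macro", MACRO_DOC), ("clean", CLEAN_DOC)):
        print(label, [name for name, _, _ in list_entries(doc)], macro_indicators(doc))
```

The enumerator returns a flat list rather than paths because it ignores the sibling and child links that form the directory tree; that is enough to answer "does this file carry a macro project at all", which is the question the narrative raises, and it is a structural check rather than a virus scanner, since a document can hold a VBA project for entirely legitimate reasons.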
File Attribute Protection in NetWare
The following information from "Virus Dangers to NetWare LANs" (NetWare Connection, Jan./Feb. 1993, p. 20) shows how effective flagging executable files as Execute-Only or Read-Only can be. Note: The test was conducted on a NetWare 3.11 network. In the test on the Read-Only attribute, the user was given the Modify right to the test directory in which the viruses resided. However, if you are running NetWare 4.11 or above, flagging a file as Read-Only automatically prevents a file from being modified.
Virus Name | Execute-Only | Read-Only
Cascade.1701 | No infection | Infection
Cascade.1704 | No infection | Infection
Jerusalem.Standard | No infection | Infection
Yankee Doodle 2885 | No infection | Infection
Flu Shots for Your Network
Vendor Name | Product | Features
Command Software Systems Inc. 1-800-423-9147 1-561-575-3200 http://www.commandcom.com | Command AntiVirus with F-PROT Professional 4.52 for NetWare | Heuristic analysis; on-access, on-demand, scheduled, and compressed file scanners; repair of infected files
Computer Associates Intl. Inc. 1-800-225-5224 1-516-342-5224 http://www.cai.com | Inoculan AntiVirus 5.0 | Heuristic analysis; on-access, on-demand, scheduled, and compressed file scanners; repair of infected files
Cybec Pty. Ltd. 1-612-937-1107 1-800-872-2599 http://www.vet.com.au | Vet NetWare Server 9.91 | Heuristic analysis; on-access, on-demand, and scheduled scanners; repair of infected files
Network Associates Inc. 1-888-377-6566 1-408-988-3832 http://www.networkassociates.com | Dr. Solomon's Anti-Virus Toolkit for Server 7.76 | Heuristic analysis; on-access, on-demand, scheduled, and compressed file scanners; repair of infected files
Network Associates Inc. (as above) | McAfee VirusScan 3.1.2 | Heuristic analysis; on-access, on-demand, scheduled, and compressed file scanners; repair of infected files
Trend Micro Inc. 1-800-228-5651 1-408-257-1500 http://www.trend.com | PC-cillin 2.21 | Heuristic analysis; on-access, on-demand, scheduled, and compressed file scanners; repair of infected files
* Originally published in Novell Connection Magazine
Disclaimer
The origin of this information may be internal or external to Novell. While Novell makes all reasonable efforts to verify this information, Novell does not make explicit or implied claims to its validity.