From ciac@rumpole.llnl.gov Thu Feb  4 03:49:46 1999
From: CIAC Mail User
To: ciac-bulletin@rumpole.llnl.gov
Date: Wed, 3 Feb 1999 10:35:13 -0800 (PST)
Subject: CIAC Bulletin J-025: W97M.Footprint Macro Virus Detected

[ For Public Release ]

-----BEGIN PGP SIGNED MESSAGE-----

             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                     W97M.Footprint Macro Virus Detected

February 2, 1999 19:00 GMT                                        Number J-025
______________________________________________________________________________
PROBLEM:       A new Word 97 macro virus has been detected at a DOE site
               and is known to have been in documents sent to other
               sites.  It is not yet detected by most antivirus tools.
PLATFORM:      Windows 95, or Windows NT running Microsoft Word 97
               (version 8).  Word 98 on the Macintosh is probably not
               susceptible as the virus explicitly writes to the C:
               hard drive, which does not exist on the Macintosh.
DAMAGE:        Overwrites the footers on all open documents.  It also
               overwrites all macros in open documents and in open and
               attached templates with the macro virus code.
SOLUTION:      Use an updated antivirus product when one is available.
               Until then, password the normal.dot file, turn on macro
               virus detection in Word, and take care when opening files
               containing macros.
______________________________________________________________________________
VULNERABILITY  Risk of infection is high because this virus has been seen in
ASSESSMENT:    the wild within the DOE complex.  The risk of damage is low,
               because most users do not have macros in files and would be
               alerted by Word's macro detector.  Also, fixing damaged footers
               in Word documents is a relatively easy task.
______________________________________________________________________________

The W97M.Footprint Word macro virus has been seen within the DOE complex.
This macro virus attaches to Word objects in Word 97 in much the same way as
W97M.Class.  Because of this method of infection, this virus will not infect
older versions of Microsoft Word.

When an infected document is opened, the virus writes the body of the virus
code into two files:

     C:\footprint.$$$
     C:\footprint.$$1

Finding these two files on a system indicates the system has been infected.
The virus then tests the currently open documents for a custom property:

     Property Name      Value
     -----------------------
     FootNote1          True

If the property exists, the virus knows the file has already been infected.
If the property does not exist, the virus creates the custom property,
overwrites the document footer with the document path, deletes any existing
macros attached as Word objects, and copies the virus macro into the file.
The virus then deletes all the macros attached as Word objects in all
attached document templates and copies itself into the templates as well.

Detecting The Virus
===================

Finding the two footprint files in the root directory of the C: drive is
strong evidence that the virus has infected a system.

If you open a document and the Word macro virus protection detects a macro
in the document being opened, disable the macro and then use the File,
Properties command to see the document properties.  Check the Custom tab,
and if a custom property named:

     FootNote1

exists, the document has been infected.

We expect that most antivirus scanners will be updated to detect this virus
in the near future.

Protecting A System
===================

To protect a system from this and other Word macro viruses, the normal.dot
file should be password protected and macro virus protection should be
turned on.

Password Protecting The Normal.dot File
- ---------------------------------------

To password protect the Normal.dot file in Word 97, perform these steps:

1. Start Word.
2. Choose the Tools, Macro, Visual Basic Editor command.
3. In the Project window of the Visual Basic Editor, click on Normal.
4. Choose the Tools, Normal Properties command, Protection tab.
5. Check the Lock Project for Viewing check box and type in a password
   twice.
6. Close the dialog box, then close the Visual Basic Editor.
7. Quit Word.

The next time you start Word, the normal.dot template will be protected.

WARNING: If you ever have to type in the password to make changes to the
normal.dot file, be aware that the file remains unprotected until you quit
Word and restart it.

Turning On Macro Virus Protection
- ---------------------------------

Some simple macro virus protection is built into Word 97.  It does not
detect specific macro viruses but only informs you if macros exist in a
document you are trying to open.  Macros detected by Macro Virus Protection
are not necessarily a virus.  However, if you are alerted to a macro
attached to a document you should be extremely wary, because most people do
not have macros attached to their documents.

To turn on macro virus protection, perform these steps:

1. Start Word.
2. Choose the Tools, Options command, General tab.
3. Check the Macro Virus Protection check box.
4. Close the dialog box.

Whenever you open a document that contains macros, the macro virus
protection opens a dialog box telling you that there are macros in the
document and giving you the option to open the document with the macros
enabled, open the document without the macros, or cancel the open
operation.  You should only open a document with macros enabled if you are
expecting there to be macros in that document and you know what they are
supposed to do.

Manual Cleaning of a System
===========================

Until the commercial antivirus scanners are able to detect and clean this
virus, it can be cleaned by hand using the following procedures.  The
procedure assumes that your copy of Word is not infected with the virus.
If your copy of Word is infected, it must be cleaned first.
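Before starting the cleaning procedures below, and again after finishing
them, it helps to have a repeatable check for the two indicators given under
Detecting The Virus: the two footprint files in the root of the C: drive and
the FootNote1 custom document property.  The following Python script is an
added example; it is not part of this bulletin and not a CIAC tool.  It
assumes the drive root is passed in as a path (so a mounted copy of a
suspect drive can be checked, not only C:\) and that a document's custom
properties have already been extracted by some other tool into a
name-to-value mapping, since the script does not read Word's own property
streams.  The marker files and document properties it runs against are
constructed for the example.

```python
"""Repeatable check for the W97M.Footprint indicators named in this bulletin.

Added example; it is not part of CIAC Bulletin J-025 and not a CIAC tool.
Assumptions not taken from the bulletin: the drive root is a parameter (so a
mounted image can be checked), and a document's custom properties arrive as a
name -> value mapping extracted beforehand by some other tool.
"""
from pathlib import Path
import tempfile

# Files the virus writes in the root of the C: drive when an infected
# document is opened (from the bulletin).  Compared case-insensitively
# because Windows file names are not case sensitive.
MARKER_FILES = ("footprint.$$$", "footprint.$$1")

# Custom document property the virus sets to mark a file as already
# infected (from the bulletin).
MARKER_PROPERTY = "FootNote1"


def footprint_marker_files(drive_root):
    """Return the marker file names found directly under drive_root.

    Only the root directory is examined, which is where the bulletin says
    the files appear.  A missing root simply yields an empty list.
    """
    root = Path(drive_root)
    if not root.is_dir():
        return []
    present = {p.name.lower() for p in root.iterdir() if p.is_file()}
    return [name for name in MARKER_FILES if name.lower() in present]


def is_footprint_marked(custom_properties):
    """Return True if the FootNote1 custom property is present and True.

    custom_properties maps property name -> value as shown on the File,
    Properties, Custom tab.  The name is matched case-insensitively; the
    value may be a real boolean or the text "True".
    """
    for name, value in custom_properties.items():
        if name.strip().lower() != MARKER_PROPERTY.lower():
            continue
        if isinstance(value, bool):
            return value
        return str(value).strip().lower() == "true"
    return False


def triage(drive_root, documents):
    """Combine both indicators into one report.

    documents maps a document label (e.g. its path) to that document's
    custom properties.  The system is reported as suspect if either the
    marker files or a marked document is found.  Run again after the manual
    cleaning: the bulletin says reappearing marker files mean an infected
    file, most likely a startup template, was missed.
    """
    markers = footprint_marker_files(drive_root)
    marked = sorted(label for label, props in documents.items()
                    if is_footprint_marked(props))
    return {
        "marker_files": markers,
        "marked_documents": marked,
        "suspect": bool(markers or marked),
    }


def demo():
    """Run the triage on a constructed scenario and return the report.

    A temporary directory stands in for the root of the C: drive; the
    marker files and the document properties are constructed here for the
    example and do not come from a real infection.
    """
    with tempfile.TemporaryDirectory() as root:
        for name in MARKER_FILES:
            (Path(root) / name).write_text("constructed marker file\n")
        documents = {
            "report.doc": {"FootNote1": "True", "Author": "constructed"},
            "memo.doc": {"Author": "constructed"},       # no marker at all
            "notes.doc": {"footnote1": False},           # marker name, value False
        }
        return triage(root, documents)


if __name__ == "__main__":
    report = demo()
    print("Marker files found:", report["marker_files"] or "none")
    print("Marked documents:  ", report["marked_documents"] or "none")
    print("System is suspect: ", report["suspect"])
```

Running the script as written reports the constructed scenario: both marker
files present and one marked document (report.doc), so the system is
suspect.  Against a real system, pass the drive root to triage() and
re-run it after step 9 of the cleaning procedure; the check is intentionally
limited to the root directory and to a property named FootNote1 with the
value True, exactly the two indicators this bulletin gives, so a clean
result from it does not replace an updated antivirus scan.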
The Word program is not actually infected with a macro virus; it is the
normal.dot file that Word loads at startup that is infected.  To clean a
copy of Microsoft Word that has been infected with a macro virus, perform
these steps:

1. Start Word.
2. Choose the Tools, Templates and Add-Ins command.
3. Make a note of all templates that load at startup (normal.dot plus
   those checked in the dialog box).
4. Quit Word.
5. Find the normal.dot file that Word loads at startup and delete it.  It
   is normally in /Program Files/Microsoft Office/Templates.
6. Delete any other templates that you noted in step 3.
7. Start Word, then quit Word to create a new normal.dot file.
8. Password protect normal.dot as indicated above.
9. Delete the files: C:\footprint.$$$ and C:\footprint.$$1.

To clean a document infected with a macro virus, perform these steps:

1. Make sure the Normal.dot template is locked.
2. Make sure macro virus protection is turned on.
3. Open the file and disable the macros with the macro virus protection
   dialog box.
4. Choose the File, Properties command, Custom tab.
5. Select the FootNote1 property and press the Delete button.
6. Close the File Properties dialog box.
7. Save the document with a new name as a Word 6/95 document.  If you save
   it as a Word 97 document, the virus will be deleted, but the macro
   detector will still alert every time the document is opened.
8. Open the document again and save it as a Word 97 document if you want
   to change it back to the current format.

If after cleaning Word and your documents the files

     C:\footprint.$$$
     C:\footprint.$$1

reappear, then you have missed an infected file somewhere and your system
is still infected.  You must go back and clean Word and the documents
again.  Most likely you missed an attached template that was set to load
when Word starts.

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California.  CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.  CIAC can
be contacted at:

    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the
NIH may contact CIAC 24 hours a day.  During off hours (5PM - 8AM PST), call
the CIAC voice number 925-422-8193 and leave a message, or call
800-759-7243 (800-SKY-PAGE) to send a Sky Page.  CIAC has two Sky Page PIN
numbers: the primary PIN number, 8550070, is for the CIAC duty person, and
the secondary PIN number, 8550074, is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information, and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
   software updates, new features, distribution and availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the use
   of SPI products.

Our mailing lists are managed by a public domain software package called
Majordomo, which ignores E-mail header subject lines.
To subscribe (add yourself) to one of our mailing lists, send the following
request as the E-mail message body, substituting ciac-bulletin,
spi-announce OR spi-notes for list-name:

E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
        subscribe list-name
  e.g., subscribe ciac-bulletin

You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email.  This is a partial protection to make sure you
are really the one who asked to be signed up for the list in question.

If you include the word 'help' in the body of an email to the above
address, it will also send back an information file on how to
subscribe/unsubscribe, get past issues of CIAC bulletins via email, etc.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights.  Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses
J-019: Intelligent Peripherals Create Security Risk
J-020: SGI IRIX fcagent daemon Vulnerability
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
J-023: Cisco IOS Syslog Denial-of-Service Vulnerability
J-024: Windows NT Remote Explorer

-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition

iQCVAwUBNriHCLnzJzdsy3QZAQFLYwP/fbz1To/p8x2SMYJe+5cZgm9yLhcfmUWi
OmIXbV8UfEIbFYX9UdSlxBOChyxqsjCssRPmfqg0ZpZhFnkvyFAHN8A5l76JUVeK
Upj6Hr4Q/WMLx+D+hGs7ADb9/qMGmAlyDb99q2Il6MtLw23oZ5V9ZvnWVE1v6VS/
3c2Kvi5KMJU=
=0LiG
-----END PGP SIGNATURE-----