---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                    EMERGENCY RESPONSE SERVICE
                 OUTSIDE ADVISORY REDISTRIBUTION

05 August 1996 12:00 GMT                        Number: ERS-OAR-E01-1996:014.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security. IBM makes no representations and
assumes no responsibility for the contents or accuracy of the advisories
themselves.

IBM-ERS is forwarding the following information from NASIRC. Contact
information for NASIRC is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================
********************** FORWARDED INFORMATION STARTS HERE **********************

NASIRC BULLETIN B-96-34                                        August 02, 1996

                          MDMA Word Macro Virus
===========================================================
        NASA Automated Systems Incident Response Capability
     Serving NASA and the International Aerospace Communities
===========================================================

This bulletin reports a recently announced security vulnerability. It may
contain a workaround or software patch.
Bulletins should be considered urgent as vulnerability information is likely
to be widely known by the time a patch is issued or other solutions are
developed.
===========================================================

SYSTEMS AFFECTED

Systems running Microsoft Word 6.x and 7.x running on Windows, Win95, WinNT,
or Macintosh are affected.

PROBLEM DESCRIPTION

MDMA (also called Stickykeys) is a macro virus which spreads via Microsoft
Word documents. This virus is able to infect any language version of
Microsoft Word 6.x and 7.x running Windows 3.x, Win95, WinNT or Macintosh.
It is destructive and may potentially delete files. This Word macro virus
was discovered to be in the wild in the USA in July, 1996.

WordMacro/Stickykeys contains only one macro: AutoClose. The virus will
replicate in the system macro "NORMAL.DOT" when an infected file is closed.
After infection, it will spread to other Microsoft Word documents when they
are saved, placing a copy of AutoClose in the global template. The AutoClose
macro is encrypted.

Indications of Infection:

If an infected document is closed on the first day of any month, the virus
will try to destroy data and display a message box stating:

    You are infected with MDMA_DMV.
    Brought to you by MDMA (Many Delinquent Modern Anarchists)

The destructive routines are unique within each operating system:

   1. Macintosh: All files on the system will be deleted.

   2. Windows 3.x: The virus will modify the AUTOEXEC.BAT by adding the
      line "deltree /y c:" to the end. This line will delete all files on
      the C: drive when the machine is rebooted.

   3. Windows NT: All files in the current directory will be deleted
      (provided that the user has sufficient rights).

   4. Windows 95: The virus will delete all Control Panel applets and help
      files (*.cpl, *.hlp) from the Windows directory.
      In addition, the virus will modify the user registry as follows:

      A) Turn off logon prompting during Windows startup, and

      B) Turn on two system settings designed for handicapped users:
         "Sticky Keys" and "High Contrast". These will cause all shift
         keys to stay 'pressed down' when they are used and change the
         screen colors to be "easily readable", respectively.

According to Symantec Corporation:

   On the first day of any month this virus checks the platform it is
   running on, and attempts to delete files on the user's system. Because
   of a bug in the code, the virus always assumes it is running on a
   Windows 95 system. If the day is correct, it will attempt to delete
   files in the following directories:

      C:\SHMK              (all files)
      C:\WINDOWS           (all help files)
      C:\WINDOWS\SYSTEM    (all Control Panel files)

   These commands will be unsuccessful on Macintosh platforms, but have a
   high probability of deleting at least some files on PCs running DOS,
   Windows 3.x, Windows 95 or Windows NT.

Full descriptions can be found at:
   http://www.symantec.com/avcenter/wmacro.html

RECOMMENDED ACTIONS

Removal

   Run anti-virus software known to detect and eradicate the MDMA Macro
   virus.

Prevention

   1. Set NORMAL.DOT as read-only. This prevents NORMAL.DOT from infection.

   2. Continue to vigilantly scan with anti-virus software.

   3. Windows 95 users are recommended to use Office 95A from Microsoft.

   4. Install MVTools from Microsoft or download from NASIRC's archives at:

      Windows: ftp://nasirc.nasa.gov/ftp/toolkits/DOS/macro_virus/mvtool10.exe
      Mac:     ftp://nasirc.nasa.gov/ftp/toolkits/Mac/macro_virus/scanprot.dot

Vendor Information

   The following list is not a NASIRC recommendation for any product. This
   list is not exhaustive and is only provided as a convenience.

   Vendors        Product           Detects        Eradicates
   -----------    --------------    -----------    -----------
   DataFellows    Fprot             yes            Manually
   Microsoft      in development    yes            yes
   Symantec       SAM/NAM           yes            yes
   McAfee         McAfee            Unspecified    Unspecified

Special Note: Users of VirusScan are encouraged to run VirusScan from a
clean, virus-free environment.
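Two of the bulletin's points lend themselves to a small triage script: the "deltree /y c:" line the Windows 3.x payload appends to AUTOEXEC.BAT, and prevention step 1 (make NORMAL.DOT read-only). The Python below is an added example, not part of the NASIRC bulletin or any vendor tool; the sample AUTOEXEC.BAT content and the stand-in NORMAL.DOT file it creates are constructed for illustration, and the matcher is written to also accept the "c:\" spelling and DOS CRLF line endings.

```python
"""Triage helpers for two MDMA/Stickykeys indicators from the NASIRC bulletin.
Added example; file contents below are constructed, not captured from a system."""
import os
import re
import stat
import tempfile

# The line the bulletin says the Windows 3.x payload appends to AUTOEXEC.BAT.
# Anchored so a "REM ..." comment mentioning it does not count as a hit;
# case-insensitive, tolerant of spacing and of an optional trailing backslash.
DELTREE_RE = re.compile(r"^\s*deltree\s+/y\s+c:\\?\s*$", re.IGNORECASE)


def find_deltree_lines(autoexec_text):
    """Return 1-based line numbers of the destructive line; [] when clean.
    splitlines() handles DOS CRLF endings, so no CR survives into the match."""
    return [n for n, line in enumerate(autoexec_text.splitlines(), start=1)
            if DELTREE_RE.match(line)]


def strip_deltree_lines(autoexec_text):
    """Return the AUTOEXEC.BAT text with the payload line removed, CRLF kept."""
    kept = [line for line in autoexec_text.splitlines()
            if not DELTREE_RE.match(line)]
    return "\r\n".join(kept) + "\r\n"


def make_read_only(path):
    """Prevention step 1: clear every write bit on the template file.
    On Windows, os.chmod without the write bit sets the read-only attribute."""
    mode = os.stat(path).st_mode
    os.chmod(path, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))
    return (os.stat(path).st_mode & stat.S_IWUSR) == 0


def demo_harden_normal_dot():
    """Create a stand-in NORMAL.DOT in a temp dir, harden it, report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "NORMAL.DOT")
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder, not a real Word template")
        protected = make_read_only(path)
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)  # restore so cleanup works on Windows
    return protected


# Constructed sample AUTOEXEC.BAT with the payload line appended at the end.
SAMPLE_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\DOS;C:\\WINDOWS\r\nDELTREE /Y C:\r\n"

if __name__ == "__main__":
    print("deltree lines:", find_deltree_lines(SAMPLE_AUTOEXEC))  # [3]
    print("NORMAL.DOT hardened:", demo_harden_normal_dot())        # True
```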
Please follow these steps:

   1. Turn off your computer. Do not reset or reboot. Some viruses may
      remain intact in the computer's memory.

   2. Ensure your clean start-up diskette is write-protected and insert it
      in drive A:

   3. Turn on your computer and wait for the system prompt ( A: ).

   4. Remove the clean start-up diskette from drive A:

   5. Insert the original VirusScan diskette into drive A: (If running
      VirusScan for Windows, you may need to use diskette #2 of 2 or,
      depending on your version of VirusScan, you may have a diskette
      labeled "Emergency Disk".)

   6. Eliminate the virus(es) on your hard drive(s) by typing the following
      command at the A: prompt:

         scan c: /clean /all

   7. After the virus has been removed, restart your computer.

   8. If VirusScan was not previously installed, install it now.

   9. If VirusScan still reports a virus in memory, in most cases the boot
      diskette was not clean.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ACKNOWLEDGMENTS: ASSIST, AT&T, Data Fellows, Microsoft, Symantec, and
McAfee, for bringing this situation to NASIRC's attention.

BULLETIN AUTHOR: Tom Baxter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory may be forwarded without restriction. Persons within the
NASA community or operating in support of a NASA contract may contact
NASIRC with any questions about this advisory.

   Telephone:                1-800-7-NASIRC (1-800-762-7472)
   FAX:                      1-301-441-1853
   International:            +1-301-441-4398
   STU III:                  1-301-982-5480
   Internet E-Mail:          nasirc@nasa.gov
   24-Hour/Emergency Pager:  1-800-759-7243/Pin:2023056
   WWW:                      http://nasirc.nasa.gov/NASIRC_home.html
   FTP:                      nasirc.nasa.gov, login "anonymous"

Anyone requiring assistance or wishing to report a security incident but
not operating in support of NASA may contact the Forum of Incident Response
and Security Teams (FIRST), an international organization of incident
response teams, to determine the appropriate team.
A list of FIRST member organizations and their constituencies may be
obtained by sending E-mail to "docserver@first.org" with an empty "subject"
line and a message body containing the line "send first-contacts", or via
WWW at http://www.first.org/ .

*********************** FORWARDED INFORMATION ENDS HERE ***********************
===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment. By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services. From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.

To find out more about the IBM Internet Emergency Response Service, send an
electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493
(Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security
alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
for security vulnerability alerts and other distributed information. The
IBM-ERS PGP* public key is available from
http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and
"PGP" are trademarks of Philip Zimmerman.
IBM-ERS is a Member Team of the Forum of Incident Response and Security
Teams (FIRST), a global organization established to foster cooperation and
response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service. Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries. The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not
be used for advertising or product endorsement purposes.