SDSC Security Bulletin 97.01.sharefun Original Issue Date: 1997/03/10 Updated: Version: $Id: 97.01.sharefun,v 1.4 1997/03/10 19:41:17 tep Exp $ Topic: ShareFun Virus ________________________________________________________________________________ This advisory is furnished by SDSC Security Technologies as a service to the SDSC user community. It summarizes information from other sources. Note that SDSC does not use or support Microsoft Mail (MS-Mail), but if a MS-Mail user sends you an infected message, and you open it it in Microsoft Word, you will be infected, whether or not you use MS-Mail. In other words, Eudora users could receive this virus. This virus can infect any computer that uses Microsoft Word, including Macintoshes and PCs running Windows 95 or Windows NT. I. Description There is a new virus making the rounds of the Internet. It is spread by email combined with Microsoft Word documents. Infected messages will come from someone you know, with a Subject line of "You have GOT to read this!", and a Microsoft Word attachment. According to McAfee, once activated, this virus searches through a user's email Microsoft Mail (MS-Mail) user directory and automatically generates and transmits email messages with virus-infected attachments to random addresses selected from the directory. You can get all the details at: http://www.mcafee.com/corp/press/022497.html A full technical description of this virus can be found at: http://www.mcafee.com/support/techdocs/vinfo/v3333.html There were also numerous sensational news stories written in February 1997, which included a few mis-conceptions and flat-out incorrect information. For additional explanation of this virus, you should check out: http://www.kumite.com/myths/myths/myth029.htm II. Impact It appears that this virus has no effects beyond spreading to other users and infecting Microsoft Word documents. Once activated, there is a 1-in-4 chance the virus will launch MS Mail and attach infected documents to messages sent to three people. The virus selects the three recipients randomly from the user's address book. Since SDSC does not support or supply MS-Mail, you should not be able to spread the virus to other users. The subject line of the infected email will read, "You have GOT to read this!" echoing previous hoax viruses such as Good Times. This virus requires the use of Microsoft MS-Mail *to spread*, but does infect Microsoft Word version 6 or 7 documents, so even if you don't use MS-Mail, you could be sent a copy of this virus in a Word Attachment and have some of your documents infected. III. Solution Do not forward the message to anyone else. Send *this* information to the person who sent the message to you. They probably don't know that they have this virus. McAfee is making a special update of its anti-virus software (VirusScan) available for free download. This version appears to be for PC only at this time. McAfee has also released a new version of VirusScan which will find and remove this virus. However, VirusScan does not run properly under Windows NT at this time. The stand-alone program will be available from NT support on the main NT server by the time you read this. You can also find pointers to it from the McAfee press release, and pointers to other (non-McAfee) anti-viral software from the "kumite" page. There is no known Macintosh anti-viral software that handles this virus at this time. This is not expected to remain the case for very long. Prevention of infection is the key here. IV. Detecting an attack Read your email. If there is a message that says "You have GOT to read this!", do not open the message via Microsoft Word. V. Acknowledgments Information in this bulletin was produced by Tom Perrine, from various information sources on the Internet (listed above). San Diego Supercomputer Center: http://www.sdsc.edu VI. Disclaimers Copyright 1997 San Diego Supercomputer Center. The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to SDSC. This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community.