McAfee > Theat Center > Virus Detail Page

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

This virus propagates by infecting Word Documents in Microsoft WORD Versions 97 on Windows and Macintosh platforms. The virus consists of the following macros:

CODE MODULE ANTIMARC -> ANTIMARC, AUTOCLOSE, AUTOEXEC, AUTOOPEN, FILECLOSE, FILEEXIT, FILESAVE, FILESAVEAS, TOOLSMACRO, FILETEMPLATES, VIEWVBCODE, FORMATSTYLE

in an infected document. The virus becomes active by using Auto- and SystemMacros.

Symptoms

The virus will disable the macro warning protection and export its code to microsof.386 in the windows SYSTEM directory. This file is not infected. Tools/Macro, Tools/Macro/VisualBasicEditor and File/Template are disabled.

When the main macro ANTIMARC is executed by any of the system or auto macros, there is a [1]-in-[1024] chance that it will run a mIRC routine and modify the MIRC.INI file with "WARNING=OFF" in the section FSERVE and FILESERVER. Also this routine will create a SCRIPT.INI file which is coded to send infected documents to the joined mIRC group.

There is also a [1]-in-[1024] chance that it attempt to use Outlook Express to email infected documents to users listed in the address book (WAB.EXE).

The virus may save itself as c:\windows\xxxpasswords.doc.

Method of Infection

General Information about Macros

Macro Viruses can potentially spread across different platforms such as PC to Mac, etc. Macro Viruses exist and spread within the application environment, which for macros is common among the different platform versions. Some Macro Viruses that try to do damage to a part of the user's system outside of Word will not be able to do that damage on a different machine platform. For example, a Macro Virus that tries to edit the user's Config.sys file on a PC is going to have a hard time doing the same thing on a Mac, which has no Config.sys file. So a Macro Virus that spreads and does damage on one machine could spread to another type of machine and replicate but do no damage. It is possible for a Macro Virus to figure out what kind of system its running on, and change its behavior accordingly, but this is not common.  

Removal

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants

N/A

All Information

Overview -

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Characteristics

Characteristics -

This virus propagates by infecting Word Documents in Microsoft WORD Versions 97 on Windows and Macintosh platforms. The virus consists of the following macros:

CODE MODULE ANTIMARC -> ANTIMARC, AUTOCLOSE, AUTOEXEC, AUTOOPEN, FILECLOSE, FILEEXIT, FILESAVE, FILESAVEAS, TOOLSMACRO, FILETEMPLATES, VIEWVBCODE, FORMATSTYLE

in an infected document. The virus becomes active by using Auto- and SystemMacros.

Symptoms

Symptoms -

The virus will disable the macro warning protection and export its code to microsof.386 in the windows SYSTEM directory. This file is not infected. Tools/Macro, Tools/Macro/VisualBasicEditor and File/Template are disabled.

When the main macro ANTIMARC is executed by any of the system or auto macros, there is a [1]-in-[1024] chance that it will run a mIRC routine and modify the MIRC.INI file with "WARNING=OFF" in the section FSERVE and FILESERVER. Also this routine will create a SCRIPT.INI file which is coded to send infected documents to the joined mIRC group.

There is also a [1]-in-[1024] chance that it attempt to use Outlook Express to email infected documents to users listed in the address book (WAB.EXE).

The virus may save itself as c:\windows\xxxpasswords.doc.

Method of Infection

Method of Infection -

General Information about Macros

Macro Viruses can potentially spread across different platforms such as PC to Mac, etc. Macro Viruses exist and spread within the application environment, which for macros is common among the different platform versions. Some Macro Viruses that try to do damage to a part of the user's system outside of Word will not be able to do that damage on a different machine platform. For example, a Macro Virus that tries to edit the user's Config.sys file on a PC is going to have a hard time doing the same thing on a Mac, which has no Config.sys file. So a Macro Virus that spreads and does damage on one machine could spread to another type of machine and replicate but do no damage. It is possible for a Macro Virus to figure out what kind of system its running on, and change its behavior accordingly, but this is not common.  

Removal -

Removal -

Use current engine and DAT files for detection and removal.

It is very common for macro viruses to disable options within Office applications for example in Word, the macro protection warning commonly is disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.

AVERT Recommended Updates:

* Office 2000 updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

Variants

Variants -

N/A