Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80. October, 2013



Chapter 5: Macro Viruses

version 2.26b/rev.19 (02/11/97)

Frequently asked questions
about the WAZZU macro virus

Contents

Q: What documents other than this one should I read to learn how to get rid of the WAZZU virus?

Q: Why was this virus named WAZZU?

Q: How did WAZZU achieve such a wide distribution?

Q: What are the dangers from this virus?

Q: What is the list of macros WAZZU consists of?

Q: How many versions of WAZZU were found?

Q: How can I know that an attachment is infected by WAZZU?

Q: Will all infected documents be detected automatically by a disk scanner?

Q: Will the SCANPROT set of protective macros detect WAZZU?

Q: How can it be disinfected automatically on the local hard drive and network home directory?

Q: How can the user detect this virus himself?

Q: I have a new strain of WAZZU that the current version of F-macro could not disinfect automatically. How can I disinfect documents?


Q: What documents other than this one should I read to learn how to get rid of the WAZZU virus?

A: Please read the documents MACROVIR and DOC2RTF. It is very easy to get rid of the WAZZU virus, as this is one macro virus that does not hide itself.

Q: Why was this virus named WAZZU?

A: WAZZU is the second macro virus that has received wide distribution (the first was the Concept virus). The name of the virus is a nickname for Washington State University, so the virus was probably written there.

Q: How did WAZZU achieve such a wide distribution?

A: Like the Concept macro virus before it, the WAZZU virus was also distributed on CD-ROM. The September edition of Microsoft’s SPCD [Solution Provider CD] contained a file \SIA\MKTOOLS\CASE\ED3905A.DOC, which is an MS Word document infected with the WAZZU macro virus.

The Microsoft SPCD, which includes Microsoft Internet Explorer, links to worldwide web sites, product demos, Solution Provider logos and other items, has been distributed to approximately 10,000 sites. The static web-site CD-ROM, distributed by Microsoft at the recent Orbit trade show in Basle, Switzerland, also contained a document infected with WAZZU. In yet another case, an infected document was available on Microsoft’s Swiss web site for several days or maybe weeks. Microsoft is aware of these virus incidents, and the infected document has been removed from the Swiss web site.

Q: What are the dangers from this virus?

A: Basically it is only lost time. The virus is not harmful per se, and I never saw a strain that changes a random word to WAZZU. Like any macro virus, WAZZU spreads only when an infected document is sent as an e-mail attachment in native MS Word format (.DOC format). So users need to be especially careful when sending MS Word documents to a substantial number of users and should use .RTF format instead of .DOC whenever possible. Let me reiterate this point: it is strongly recommended to use .RTF format whenever possible for documents that are sent to several destinations. MS Word documents are more mobile than executable files or floppy disks, so macro viruses are now the main source of new infections.

After disinfecting any file on your hard drive, one needs to analyze attachments in recent e-mail and (probably) disinfect some of them manually by opening them and deleting the autoOpen macro.

Q: What is the list of macros WAZZU consists of?

A: WAZZU is an MS Word macro virus that consists of only one macro, autoOpen. As MS Word macro names are not case sensitive and the name "AutoOpen" is used in all international versions of MS Word, WAZZU will replicate equally effectively in all international versions of Word for Windows, including the German version of MS Word. That also means that it is very easy to disinfect a document from the WAZZU virus by just deleting this macro and saving the document.

This method works for infected e-mail attachments too.

Q: How many versions of WAZZU were found?

A: It seems that the virus exists in more than 30 versions, but the differences between them are mostly minor, and the total number is probably inflated by AV researchers counting really insignificant modifications ;-).

Only 3 of them (WAZZU.S, WAZZU.X, WAZZU.AF) were found in NJ. None of these 3 viruses has a payload, so these strains just spread without causing any additional harm.

There were reports about strains of WAZZU that have a payload: when the infected document is opened, the virus calls a routine three times; each time there is a 20% probability that the virus will move one word to a random place in the document. There is then a 25% probability that the virus will also insert the word ‘WAZZU’ at a random point in the document. I never saw such a strain.

Q: How can I know if an attachment is infected by WAZZU?

A: The virus is not completely debugged, so the appearance of the message "WordBasic Err 124" (Unknown Command, Subroutine, or Function) in most cases means that the opened document contains the WAZZU macro virus. If SCANPROT 4.0 is installed, then a warning message should appear (SCANPROT is moderately useful in MS Word 6.0, moderately harmful in Word 95 (one should use Word 95b or Word 97 instead) and useless in Word 97). In Word 95b and 97 a warning message should appear, as they have warning features similar to SCANPROT built in.

Q: Will all infected documents be detected automatically by a disk scanner?

A: Not exactly. Infected attachments are not scanned in most e-mail programs used in corporate environments (Lotus Mail, MS Mail, etc.) because the mailbox is encrypted. The autodetection feature of MS Word 95b or MS Word 97 should be used.

Q: Will the SCANPROT set of protective macros detect WAZZU?

A: Yes, in most cases it will. Again, SCANPROT makes sense only in Word 6.0. When a user opens an infected attachment, he or she will receive a warning screen that gives the possibility not to load the virus macros, i.e. to stay clean of the virus.

Q: How can it be disinfected automatically on the local hard drive and network home directory?

A: If one is using F-macro, then only known strains will be disinfected. Disinfection was bad in early versions of F-macro (early versions used a really stupid idea of a checksum for the macro ;-) and is somewhat improved in the latest ones. But there is no guarantee that all strains will be detected. Manual disinfection is in this sense more reliable.

Q: How can the user detect this virus himself?

A: By checking the names of macros in the Tools/Macro box. If the autoOpen macro is present, then most probably NORMAL.DOT and all loaded documents are infected with the WAZZU virus.
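
The two checks discussed in the answers above (a checksum signature for known strains, and a look for the autoOpen macro name in any letter case) can be sketched as a small attachment triage script. This is an added Python example, not part of the original FAQ or of any scanner it mentions; it goes slightly beyond the text by classifying files by their leading bytes rather than their extension. The verdict strings, the whole-file SHA-256 standing in for a macro checksum, and the sample byte strings are constructed assumptions.

```python
import hashlib
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of native .DOC (OLE2) files
RTF_MAGIC = b"{\\rtf"                            # header of RTF files
AUTO_MACRO = "AutoOpen"                          # the one macro the FAQ attributes to WAZZU

# Match the macro name in any letter case, stored as ASCII or UTF-16LE.
# Assumption: the name is present as plain text somewhere in the file.
NAME_RE = re.compile(
    b"|".join(re.escape(AUTO_MACRO.encode(enc)) for enc in ("ascii", "utf-16-le")),
    re.IGNORECASE,
)

def container(data: bytes) -> str:
    """Classify by content, not by file extension."""
    if data.startswith(OLE2_MAGIC):
        return "doc"
    if data.lstrip().startswith(RTF_MAGIC):
        return "rtf"
    return "other"

def triage(data: bytes, known_checksums: frozenset = frozenset()) -> str:
    """Return a verdict for one attachment (hypothetical verdict strings)."""
    kind = container(data)
    if kind != "doc":
        return kind + ": not a native Word (OLE2) file"
    # Exact signature: only catches byte-identical copies of a known strain.
    if hashlib.sha256(data).hexdigest() in known_checksums:
        return "doc: known strain (checksum match)"
    # Generic check: survives minor modifications, but needs manual review.
    if NAME_RE.search(data):
        return "doc: AutoOpen present, inspect in Tools/Macro"
    return "doc: no AutoOpen name found"

# Constructed sample inputs (not real documents and not real virus code).
STRAIN_A = OLE2_MAGIC + b"\x00" * 16 + b"autoOpen" + b"\x00macro body v1"
STRAIN_B = OLE2_MAGIC + b"\x00" * 16 + b"AUTOOPEN" + b"\x00macro body v1 + minor edit"
CLEAN_DOC = OLE2_MAGIC + b"\x00" * 16 + b"Quarterly report text"
RTF_FILE = b"{\\rtf1\\ansi Text that mentions AutoOpen in prose}"
KNOWN = frozenset({hashlib.sha256(STRAIN_A).hexdigest()})

if __name__ == "__main__":
    for name, blob in [("A", STRAIN_A), ("B", STRAIN_B),
                       ("clean", CLEAN_DOC), ("rtf", RTF_FILE)]:
        print(name, "->", triage(blob, KNOWN))
```

The modified sample B slips past the checksum and is caught only by the name check, which is why the name check reports "inspect" rather than "infected": a legitimate document can also carry an AutoOpen macro.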

Q: I have a new strain of WAZZU that the current version of the AV scanner from vendor XXX could not disinfect automatically. How can I disinfect documents?

A: That's not a big problem. The virus consists of only one macro, and you can use one of the generic disinfection methods instead. The simplest generic approach, which can be used for most macro viruses, is to use MS Word itself for disinfection. In this case the user needs to remove the autoOpen macro manually.

To remove the autoOpen macro, go to the Tools menu, select the Macro option, and highlight the name autoOpen in the list of available macros. Then press the Delete button. After that you need to save the file.


Copyright 1998, Nikolai Bezroukov. Standard disclaimer applies. As long as this copyright notice is preserved, and any changes are clearly marked as such, the author gives his consent to republish and mirror this text.




Last modified: May, 08, 2017