
version 2.26b/rev.19 (02/11/97)

Frequently asked questions
about the WAZZU macro virus

Contents

Q: What documents other than this one should I read to learn how to get rid of the WAZZU virus?

Q: Why was this virus named WAZZU?

Q: How did WAZZU achieve such a wide distribution?

Q: What are the dangers of this virus?

Q: What is the list of macros WAZZU consists of?

Q: How many versions of WAZZU were found?

Q: How can I know that an attachment is infected by WAZZU?

Q: Will all infected documents be detected automatically by a disk scanner?

Q: Will the SCANPROT set of protective macros detect WAZZU?

Q: How can it be disinfected automatically on the local hard drive and network home directory?

Q: How can the user detect this virus himself?

Q: I have a new strain of WAZZU that the current version of F-macro could not disinfect automatically. How can I disinfect documents?


Q: What documents other than this one should I read to learn how to get rid of the WAZZU virus?

A: Please read the documents MACROVIR and DOC2RTF. It is very easy to get rid of the WAZZU virus, as this is one macro virus that does not hide itself.

Q: Why was this virus named WAZZU?

A: WAZZU is the second macro virus to have received wide distribution (the first was the Concept virus). The name of the virus is a nickname for Washington State University, so the virus was probably written there.

Q: How did WAZZU achieve such a wide distribution?

A: Like the Concept macro virus before it, the WAZZU virus was also distributed on CD-ROM. The September edition of the Microsoft SPCD [Solution Provider CD] contained a file \SIA\MKTOOLS\CASE\ED3905A.DOC, which is an MS Word document infected with the WAZZU macro virus.

The Microsoft SPCD, which includes Microsoft Internet Explorer, links to worldwide web sites, product demos, Solution Provider logos and other items, has been distributed to approximately 10,000 sites. The static web-site CD-ROM, distributed by Microsoft at the recent Orbit trade show in Basle, Switzerland, also contained a document infected with WAZZU. In yet another case, an infected document was available on Microsoft’s Swiss web site for several days or maybe weeks. Microsoft is aware of these virus incidents, and the infected document has been removed from the Swiss web site.

Q: What are the dangers of this virus?

A: Basically it is only time lost. The virus is not harmful per se, and I never saw a strain that changes a random word to WAZZU. Like any macro virus, WAZZU spreads only when an infected document is sent as an e-mail attachment in native MS Word format (.DOC format). So users need to be especially careful when sending MS Word documents to a substantial number of users and should use .RTF format instead of .DOC whenever possible. Let me reiterate this point: it is strongly recommended to use .RTF format whenever possible for documents that are sent to several destinations. MS Word documents are more mobile than executable files or floppy disks, so macro viruses are now the main source of new infections.

After disinfecting any file on your hard drive, one needs to analyze attachments in recent e-mail and (probably) disinfect some of them manually by opening them and deleting the autoOpen macro.

Q: What is the list of macros WAZZU consists of?

A: WAZZU is an MS Word macro virus that consists of only one macro, autoOpen. As MS Word macro names are not case sensitive and the name "AutoOpen" is used in all international versions of MS Word, WAZZU will replicate equally effectively in all international versions of Word for Windows, including the German version of MS Word. That also means that it is very easy to disinfect a document from the WAZZU virus by just deleting this macro and saving the document.

This method works for infected e-mail attachments too.

Q: How many versions of WAZZU were found?

A: It seems that the virus exists in more than 30 versions, but the differences between them are mostly minor, and the total is probably inflated by AV researchers counting really insignificant modifications ;-).

Only 3 of them (WAZZU.S, WAZZU.X, WAZZU.AF) were found in NJ. None of these 3 viruses has a payload, so these strains just spread without causing any additional harm.

There were reports about strains of WAZZU that have a payload: when the infected document is opened, the virus calls a routine three times; each time there is a 20% probability that the virus will move one word to a random place in the document. There is then a 25% probability that the virus will also insert the word ‘WAZZU’ at a random point in the document. I never saw such a strain.

Q: How can I know if an attachment is infected by WAZZU?

A: The virus is not completely debugged, so the appearance of the message "WordBasic Err 124" (Unknown Command, Subroutine, or Function) in most cases means that the opened document contains the WAZZU macro virus. If SCANPROT 4.0 is installed, then a warning message should flash. (SCANPROT is moderately useful in MS Word 6.0, moderately harmful in Word 95, where one should use Word 95b or Word 97 instead, and useless in Word 97.) In Word 95b and 97 a warning message should also be flashed, as they have warning features similar to SCANPROT built in.

Q: Will all infected documents be detected automatically by a disk scanner?

A: Not exactly. Infected attachments are not scanned in most e-mail programs used in corporate environments (Lotus Mail, MS Mail, etc.) because the mailbox is encrypted. The autodetection feature of MS Word 95b or MS Word 97 should be used.

Q: Will the SCANPROT set of protective macros detect WAZZU?

A: Yes, in most cases it will. Again, SCANPROT makes sense only in Word 6.0. When a user opens an infected attachment, he or she will receive a warning screen that gives the option not to load the virus macros, i.e. to stay clean of the virus.

Q: How can it be disinfected automatically on the local hard drive and network home directory?

A: If one is using F-macro, then only known strains will be disinfected. Disinfection was bad in early versions of F-macro (early versions had used a really stupid idea of a checksum for the macro ;-) and is somewhat improved in the latest ones. But there is no guarantee that all strains will be detected. Manual disinfection is in this sense more reliable.

Q: How can the user detect this virus himself?

A: By checking the names of macros in the Tools/Macro box. If the autoOpen macro is present, then most probably NORMAL.DOT and all loaded documents are infected with the WAZZU virus.
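The two detection approaches contrasted in the answers above (matching a stored checksum of a known macro versus checking for the autoOpen macro name), shown side by side as an added example that is not part of the original FAQ or of F-macro. SHA-256 stands in for the unspecified checksum, and the macro bodies, document names and function names are constructed for illustration.

```python
import hashlib

# Constructed, inert stand-ins for macro source text; not real virus code.
KNOWN_BODY = "Sub MAIN\n  REM placeholder body of a catalogued strain\nEnd Sub\n"
# A "minor modification" of the kind the FAQ mentions: one extra space.
VARIANT_BODY = KNOWN_BODY.replace("REM placeholder", "REM  placeholder")


def digest(body):
    """Checksum stand-in (assumption: the real scanner's algorithm is unknown)."""
    return hashlib.sha256(body.encode()).hexdigest()


# Signature database of the kind an exact-checksum scanner relies on.
KNOWN_CHECKSUMS = {digest(KNOWN_BODY)}

# Auto-executing macro name the FAQ tells users to look for in Tools/Macro.
SUSPECT_NAMES = {"autoopen"}


def checksum_scan(macros):
    """Return names of macros whose body checksum matches a known strain."""
    return [name for name, body in macros.items() if digest(body) in KNOWN_CHECKSUMS]


def name_scan(macros):
    """Return macro names matching a suspect name, ignoring case as Word does."""
    return [name for name in macros if name.lower() in SUSPECT_NAMES]


def triage(documents):
    """Map each document to (checksum hits, name hits) for side-by-side review."""
    return {doc: (checksum_scan(m), name_scan(m)) for doc, m in documents.items()}


# Constructed sample: document name -> {macro name: macro source}.
SAMPLE_DOCS = {
    "known.doc": {"autoOpen": KNOWN_BODY},
    "variant.doc": {"AUTOOPEN": VARIANT_BODY},
    "clean.doc": {},
    "template.dot": {"FormatReport": "Sub MAIN\n  REM benign helper\nEnd Sub\n"},
}

if __name__ == "__main__":
    for doc, (by_sum, by_name) in triage(SAMPLE_DOCS).items():
        print(f"{doc:13} checksum={by_sum} name={by_name}")
```

A name hit is only a prompt to inspect the macro, since AutoOpen is also a legitimate Word auto-macro name.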

Q: I have a new strain of WAZZU that the current version of the AV scanner from vendor XXX could not disinfect automatically. How can I disinfect documents?

A: That's not a big problem. The virus consists of only one macro, and you can use one of the generic disinfection methods instead. The simplest generic approach, which can be used for most macro viruses, is to use MS Word itself for disinfection. In this case the user needs to remove the autoOpen macro manually.

To remove the autoOpen macro, one needs to go to the Tools menu, select the Macro option, and highlight the name autoOpen in the list of available macros. Then press the Delete button. After that you need to save the file.


Copyright 1998, Nikolai Bezroukov. Standard disclaimer applies. As long as this copyright notice is preserved, and any changes are clearly marked as such, the author gives his consent to republish and mirror this text.


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Copyright of original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008