Computer security officials from 30th Communication Squadron and local contractors are scurrying to cope with an onslaught of the Microsoft Word Macro computer virus. Because it operates in a new way, anti-virus software written before last winter is completely ineffective against it.
Several calls a week have been received since November 1995, most involving multiple systems. A technician responding to one such call discovered that 47 computers had been compromised by that one outbreak alone! In each case, the technician must install anti-virus software and repair all of the affected systems.
The virus is not showing any partiality. Computers being used by active duty military, government civilians, and contractor employees are all being struck. The activities involved include space launch, base support, and research and development. One official estimated that as many as 60% of Vandenberg’s computers which are connected to networks may have been attacked, and that all are at risk. A quick check at other locations, including Los Angeles AFB, CA, disclosed that the virus is widespread there also.
Unlike previous viruses, this new type infects data and document files, not just “executables” like “.EXE,” “.COM” and “.BAT”. It does this by using the WordBasic macro language to infect and replicate in Microsoft Word documents and templates. Unlike older viruses which were usually confined to a single computer platform, the new virus attacks documents and templates on DOS, Mac, Windows 3.x, Windows 95, and Windows NT operating systems. Variations of the virus, called DMV, Concept, and Nuclear, appeared shortly after the initial virus.
Once an infected document is opened, the virus launches itself. Generally it will infect the user’s NORMAL.DOT template. Because this template is the basis for most other documents, the virus quickly spreads to all other documents and templates as they are opened. It forces the users’ computers to save documents as templates instead of documents, since only templates can contain the macro language which contains the virus.
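As an added example (not part of the original article): the behavior described above, documents silently saved as templates, leaves a checkable trace, because the Word binary header (the FIB) carries a template flag, fDot. This sketch assumes the WordDocument stream has already been extracted from the file's OLE container by another tool; the function names and sample inputs are constructed for illustration.

```python
import struct

# FIB magic numbers: 0xA5DC = Word 6/95, 0xA5EC = Word 97 and later.
WORD_MAGICS = {0xA5DC: "Word 6/95", 0xA5EC: "Word 97+"}
F_DOT = 0x0001  # bit 0 of the flags word at FIB offset 0x0A: stored as a template


def is_template(word_stream: bytes) -> bool:
    """Return True if the FIB at the start of a WordDocument stream has fDot set."""
    if len(word_stream) < 12:
        raise ValueError("stream too short to hold a FIB header")
    # Layout: wIdent, nFib, product/unused, lid, pnNext, flags (all little-endian u16)
    w_ident, _n_fib, _unused, _lid, _pn_next, flags = struct.unpack_from("<6H", word_stream, 0)
    if w_ident not in WORD_MAGICS:
        raise ValueError(f"not a Word binary stream (wIdent=0x{w_ident:04X})")
    return bool(flags & F_DOT)


def triage(files):
    """files: iterable of (filename, WordDocument stream bytes).
    Returns names that are stored as templates but do not carry a .DOT extension."""
    suspicious = []
    for name, stream in files:
        try:
            template = is_template(stream)
        except ValueError:
            continue  # not parseable as Word; out of scope for this check
        if template and not name.upper().endswith(".DOT"):
            suspicious.append(name)
    return suspicious


def _fib(w_ident, flags):
    # Constructed 12-byte FIB prefix for the demo; nFib 101 is a sample value.
    return struct.pack("<6H", w_ident, 101, 0, 0x0409, 0, flags)


SAMPLES = [  # constructed sample inputs, not real files
    ("MEMO.DOC", _fib(0xA5DC, 0x0000)),      # ordinary document
    ("REPORT.DOC", _fib(0xA5DC, 0x0001)),    # template saved under a .DOC name
    ("NORMAL.DOT", _fib(0xA5DC, 0x0001)),    # legitimate template
    ("NOTES.DOC", b"plain text, not Word"),  # wrong magic, skipped
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A hit is a symptom to investigate, not proof of infection: a legitimate template renamed to .DOC trips the same check, so follow up with a macro-aware scanner.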
The virus has spread so quickly because many sophisticated users employ e-mail to share documents, instead of printing them and sending the resulting paperwork via “snail mail.” Several of the original infections came in documents titled “FURLOUGH.DOC” (about the furlough of government civilians) and “CONNESTOGA.DOC” (about the failure of the Connestoga commercial space vehicle launched last year at Wallops Island, VA).
The Microsoft Word Macro Virus, unlike most others, will warn you immediately when it infects your computer. It will bring up a dialog box with the title “Microsoft Word,” the numeral “1,” and an “OK” button. If you see the dialog box right after you open a document, stop what you are doing, and notify your help desk IMMEDIATELY.
The Nuclear strain of the virus is the only macro virus currently known to cause damage to your printouts and DOS system files. If you open the document between 55 seconds and the next minute, any print job will have the text STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC! appended to it. If you open the document between 5 and 6 PM, it will attempt to infect your machine with the ph33r virus. This part is not damaging, however, because it installs a Terminate and Stay Resident (TSR) program in a DOS session that ceases to exist when the macro finishes. On April 5 of any year, IO.SYS and MSDOS.SYS are zeroed out, and COMMAND.COM is deleted from your root directory. DOS can no longer boot, and presumably, by zeroing out the crucial files, won't notify you that DOS is gone at boot time.
In October 1995, Microsoft released its Macro Virus Protection Tool, SCANPROT.DOT. If you already have it loaded, exiting Word will automatically clean up the document and your Microsoft Word program templates. The macro virus protection tool alerts users anytime a document containing macros is opened. Since the virus is spread through macros, users will be alerted when they try to open a document containing the virus. Users can protect themselves from the virus by choosing to open the file without macros.
Computer security and help desk people, including 30th Communications Squadron and B D Systems, Inc., have the new anti-virus software available. If you think your system may have been affected, call them immediately.