------- Forwarded Message Follows -------
Date:          Wed, 26 Jun 1996 14:37:58 -0400
From:          NASIRC 
To:            (NASIRC General Distribution)
Subject:       NASIRC BULLETIN - B-96-27: ( ) Wazzu Macro Virus - NASA Center Confirms Infection
Priority:      Urgent
Organization:  NASA Automated Systems Incident Response Capability
Reply-to:      NASIRC 

-----BEGIN PGP SIGNED MESSAGE-----



        NASIRC BULLETIN B-96-27         June 26, 1996

               Wazzu Macro Virus - NASA Center Confirms Infection
         ===========================================================
            NASA Automated Systems Incident Response Capability
               __    __      __      ___   ___  ____     ____
              /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
          Serving NASA and the International Aerospace Communities
         ===========================================================

         This bulletin reports a recently announced security vulnerability.
         It may contain a workaround or software patch.  Bulletins should be
         considered urgent as vulnerability information is likely to be widely
         known by the time a patch is issued or other solutions are developed.

         ===========================================================

        The MS-Word Macro viruses continue to thrive.  The latest version
        to propagate appears to be the "Wazzu" variant.  This is a small
        virus using the AutoOpen macro to infect and spread.



SYSTEMS AFFECTED


        Any system able to run MS-Word can be affected.



PROBLEM DESCRIPTION


        The Wazzu Macro virus is propagating via MS-Word documents.
        Infected documents can be delivered using any available transport
        method including floppy disk, network transfer, and E-mail.  The
        virus has been seen in the wild and is now confirmed to be in the
        US.  The payload is currently known to be a possible modification
        of document contents.

        Macro viruses spread easily through E-mail packages. The ability
        of these packages to send and quickly launch documents can infect
        hundreds of users at a time.



ATTACK SUMMARY


        This virus uses the AutoOpen macro file and is therefore
        operating system independent.   When the Wazzu virus is active
        and a document is opened using MS-Word, the AutoOpen macro
        proceeds to infect the newly opened document.

        Infected documents may exhibit minor modifications.  The word
        "Wazzu" may appear in the document or as many as three words may
        be rearranged.  All infected documents insist on being saved in
        the template directory.



RECOMMENDED ACTION


        NASIRC recommends installing the scanprot.dot utility created by
        Microsoft.  This utility will provide the user an option to not
        execute macros.  The system must not be infected with the Wazzu
        virus for scanprot.dot to work. Scanprot.dot will not eradicate
        the Wazzu virus.

        Prior to installing the scanprot.dot utility the system must not
        be infected with the Wazzu virus. If the system contains a macro
        file called AutoOpen, then the system must be checked for the
        Wazzu virus.

        To check macros, users can do the following:

                Invoke Microsoft Word:
                Open new file:                  FILE, NEW (normal)
                Look at macros:                 TOOLS, MACRO

        All macros associated with the Normal.dot template will be listed.
        If AutoOpen is not found, the user is finished and Wazzu is
        not present.  If the AutoOpen macro does exist, the user should
        check the contents and look for the word WAZZU, which may be
        mixed case, all capitals, or all lower case.

        If users find the word WAZZU in the AutoOpen macro, they should
        delete the macro.  This is accomplished as follows:

                Highlight the "AutoOpen" macro
                Click Delete
                Confirm with "Yes"

        Users can clear the most recently used file list as follows:

                FILE, NEW
                TOOLS, OPTIONS, GENERAL
                Deselect the "Recently Used File List"
                "OKAY"

        Then users can install the scanprot.dot utility from Microsoft.
        They should be aware that scanprot.dot can be bypassed if files
        are accessed using the following techniques:

                Using the "Recently Used File List" to select
                a file

                Dragging a document and dropping it in the
                Word program window.

                Opening a file using the Find File utility.

                In MS-Word for Macintosh, clicking a file on
                the Finder's Recent files menu

        The scanprot utility is available from NASIRC under the heading
        of "Macro Virus" at


                http://nasirc.nasa.gov/nasa/toolkits.html


        NASIRC also recommends acquiring a reputable anti-virus software
        package that meets the following minimal criteria:

                Using a well-known and established anti-virus vendor.

                Frequent virus updates issued (at intervals of no longer than 30 days).

                Software works for macro viruses.

                Software that is able to detect and eradicate viruses.

                Easy to use.

        Most of the major anti-virus software vendors whose products
        support detection and eradication of macro viruses appear to have
        incorporated the signature for the Wazzu strain.



        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                ACKNOWLEDGMENTS: Charlie Petty for alerting NASIRC of
                        the Wazzu propagation. Datafellows, Inc. and
                        McAfee Associates for publishing virus
                        information on the WWW.  Rocketdyne for providing
                        technical insight into scanprot.dot weaknesses.

                BULLETIN AUTHOR: Jordan Gottlieb
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


        This advisory may be forwarded without restriction.  Persons
        within the NASA community or operating in support of a NASA
        contract may contact NASIRC with any questions about this
        advisory.

            Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
            International: +1-301-441-4398         STU III: 1-301-982-5480
            Internet E-Mail: nasirc@nasa.gov
            24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
            WWW: http://nasirc.nasa.gov/NASIRC_home.html
            FTP: nasirc.nasa.gov, login "anonymous"

        Anyone requiring assistance or wishing to report a security
        incident but not operating in support of NASA may contact the
        Forum of Incident Response and Security Teams (FIRST), an
        international organization of incident response teams, to
        determine the appropriate team.  A list of FIRST member
        organizations and their constituencies may be obtained by
        sending E-mail to "docserver@first.org" with an empty "subject"
        line and a message body containing the line "send first-contacts"
        or via WWW at  http://www.first.org/  .

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

-----END PGP SIGNATURE-----
-+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+
This message was posted through the FIRST mailing list server.  If you
wish to unsubscribe from this mailing list, send the message body of
"unsubscribe first-teams" to majordomo@FIRST.ORG
-+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+==--+

Message courtesy of Michael Hines, Purdue University

* * * * * * * * *

John Broughton
Audit Manager
Audit and Management Services
University of California, San Francisco     Ph:  (415) 476-9544
1855 Folsom Street, Room 107                Fax: (415) 476-3326
San Francisco, CA  94143-0818               E-mail:  auditjb@itsa.ucsf.edu
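
The macro check described in the bulletin above (look for an AutoOpen macro, then search it for the word WAZZU in any letter case), applied to several templates at once. This is an added example, not part of the original bulletin or any NASIRC tool. It assumes macro names and source text have already been exported to plain text; the REVIEW verdict and all sample listings are constructed for illustration.

```python
"""Triage exported Word macro listings using the bulletin's manual check.

Assumption: macro names and source text were exported to plain text by
other means; this script does not parse .doc or .dot files.
"""
import re
from enum import Enum


class Verdict(Enum):
    NO_AUTOOPEN = "no AutoOpen macro: Wazzu not present"
    WAZZU = "AutoOpen contains 'wazzu': delete the macro"
    # Assumption: the bulletin does not say what to do with an AutoOpen macro
    # that lacks the word, so it is flagged for manual inspection here.
    REVIEW = "AutoOpen present without 'wazzu': inspect manually"


# The bulletin notes the word may be mixed case, all capitals or all lower case.
WAZZU_RE = re.compile(r"wazzu", re.IGNORECASE)


def triage(macros):
    """macros: dict mapping macro name -> macro source text."""
    autoopen = [src for name, src in macros.items()
                if name.strip().lower() == "autoopen"]
    if not autoopen:
        return Verdict.NO_AUTOOPEN
    if any(WAZZU_RE.search(src) for src in autoopen):
        return Verdict.WAZZU
    return Verdict.REVIEW


def triage_fleet(listings):
    """listings: dict mapping template label -> macros dict."""
    return {label: triage(macros) for label, macros in listings.items()}


# Constructed sample listings (not macro code from any real infected file).
SAMPLES = {
    "host-a/Normal.dot": {"FileSaveAs": "Sub MAIN\nEnd Sub"},
    "host-b/Normal.dot": {"AUTOOPEN": "Sub MAIN\nREM constructed: WaZzU marker\nEnd Sub"},
    "host-c/Normal.dot": {"AutoOpen": "Sub MAIN\nREM constructed: letterhead setup\nEnd Sub"},
}

if __name__ == "__main__":
    for label, verdict in triage_fleet(SAMPLES).items():
        print(f"{label}: {verdict.value}")
```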