MCI Telecommunications
internetMCI Security Group

Report Name:           iMCI MIIGS Security Alert
Report Number:         iMCISE:IMCINASA:080296:01:P1R1
Report Date:           08/06/96
Report Format:         Formal Report
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security, MCI Internal Internet Gateway Security
                       (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file)

-------------------------------------------------------------------------------

----- Begin Included Message -----

NASIRC BULLETIN B-96-34                                   August 02, 1996

                         MDMA Word Macro Virus

===========================================================
       NASA Automated Systems Incident Response Capability
               [NASIRC ASCII-art logo not reproduced]
     Serving NASA and the International Aerospace Communities
===========================================================

This bulletin reports a recently announced security vulnerability. It
may contain a workaround or software patch. Bulletins should be
considered urgent as vulnerability information is likely to be widely
known by the time a patch is issued or other solutions are developed.

===========================================================

SYSTEMS AFFECTED

Systems running Microsoft Word 6.x and 7.x on Windows, Win95, WinNT, or
Macintosh are affected.

PROBLEM DESCRIPTION

MDMA (also called Stickykeys) is a macro virus which spreads via
Microsoft Word documents. This virus is able to infect any language
version of Microsoft Word 6.x and 7.x running on Windows 3.x, Win95,
WinNT or Macintosh. It is destructive and may potentially delete files.
This Word macro virus was discovered to be in the wild in the USA in
July, 1996.

WordMacro/Stickykeys contains only one macro: AutoClose.
The virus will replicate into the global template NORMAL.DOT when an
infected file is closed. After infection, it will spread to other
Microsoft Word documents when they are saved, placing a copy of
AutoClose from the global template into each of them. The AutoClose
macro is encrypted.

Indications of Infection:

If an infected document is closed on the first day of any month, the
virus will try to destroy data and display a message box stating:

    You are infected with MDMA_DMV.
    Brought to you by MDMA (Many Delinquent Modern Anarchists)

The destructive routines are unique to each operating system:

1. Macintosh: All files on the system will be deleted.

2. Windows 3.x: The virus will modify AUTOEXEC.BAT by adding the line
   "deltree /y c:" to the end. This line will delete all files on the
   C: drive when the machine is rebooted.

3. Windows NT: All files in the current directory will be deleted
   (provided that the user has sufficient rights).

4. Windows 95: The virus will delete all Control Panel applets and help
   files (*.cpl, *.hlp) from the Windows directory. In addition, the
   virus will modify the user registry as follows:

   A) Turn off logon prompting during Windows startup, and
   B) Turn on two system settings designed for handicapped users:
      "Sticky Keys" and "High Contrast". These will cause all shift
      keys to stay 'pressed down' when they are used and change the
      screen colors to be "easily readable", respectively.

According to Symantec Corporation:

On the first day of any month this virus checks the platform it is
running on, and attempts to delete files on the user's system. Because
of a bug in the code, the virus always assumes it is running on a
Windows 95 system.
If the day is correct, it will attempt to delete files in the following
directories:

    C:\SHMK             (all files)
    C:\WINDOWS          (all help files)
    C:\WINDOWS\SYSTEM   (all Control Panel files)

These commands will be unsuccessful on Macintosh platforms, but have a
high probability of deleting at least some files on PCs running DOS,
Windows 3.x, Windows 95 or Windows NT.

Full descriptions can be found at:

    http://www.symantec.com/avcenter/wmacro.html

RECOMMENDED ACTIONS

Removal

Run anti-virus software known to detect and eradicate the MDMA macro
virus.

Prevention

1. Set NORMAL.DOT as read-only. This prevents NORMAL.DOT from being
   infected.

2. Continue to vigilantly scan with anti-virus software.

3. Windows 95 users are recommended to use Office 95A from Microsoft.

4. Install MVTools from Microsoft or download from NASIRC's archives at:

   Windows - ftp://nasirc.nasa.gov/ftp/toolkits/DOS/macro_virus/mvtool10.exe
   Mac     - ftp://nasirc.nasa.gov/ftp/toolkits/Mac/macro_virus/scanprot.dot

Vendor Information

The following list is not a NASIRC recommendation for any product. This
list is not exhaustive and is only provided as a convenience.

    Vendor         Product          Detects        Eradicates
    -----------    --------------   -----------    -----------
    DataFellows    Fprot            yes            Manually
    Microsoft      in development   yes            yes
    Symantec       SAM/NAM          yes            yes
    McAfee         McAfee           Unspecified    Unspecified

Special Note: Users of VirusScan are encouraged to run VirusScan from a
clean, virus-free environment. Please follow these steps:

1. Turn off your computer. Do not reset or reboot. Some viruses may
   remain intact in the computer's memory.

2. Ensure your clean start-up diskette is write-protected and insert it
   in drive A:.

3. Turn on your computer and wait for the system prompt (A:).

4. Remove the clean start-up diskette from drive A:.

5. Insert the original VirusScan diskette into drive A:. (If running
   VirusScan for Windows, you may need to use diskette #2 of 2 or,
   depending on your version of VirusScan, you may have a diskette
   labeled "Emergency Disk".)

6.
   Eliminate the virus(es) on your hard drive(s) by typing the following
   command at the A: prompt:

       scan c: /clean /all

7. After the virus has been removed, restart your computer.

8. If VirusScan was not previously installed, install it now.

9. If VirusScan still reports a virus in memory, in most cases the boot
   diskette was not clean.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

ACKNOWLEDGMENTS: ASSIST, AT&T, Data Fellows, Microsoft, Symantec, and
McAfee, for bringing this situation to NASIRC's attention.

BULLETIN AUTHOR: Tom Baxter

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This advisory may be forwarded without restriction. Persons within the
NASA community or operating in support of a NASA contract may contact
NASIRC with any questions about this advisory.

    Telephone:                1-800-7-NASIRC (1-800-762-7472)
    FAX:                      1-301-441-1853
    International:            +1-301-441-4398
    STU III:                  1-301-982-5480
    Internet E-Mail:          nasirc@nasa.gov
    24-Hour/Emergency Pager:  1-800-759-7243/Pin:2023056
    WWW:                      http://nasirc.nasa.gov/NASIRC_home.html
    FTP:                      nasirc.nasa.gov, login "anonymous"

Anyone requiring assistance or wishing to report a security incident but
not operating in support of NASA may contact the Forum of Incident
Response and Security Teams (FIRST), an international organization of
incident response teams, to determine the appropriate team. A list of
FIRST member organizations and their constituencies may be obtained by
sending E-mail to "docserver@first.org" with an empty "subject" line and
a message body containing the line "send first-contacts" or via WWW at
http://www.first.org/ .
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMgIguWOrrK//NbM5AQH5KgP/Qt+l50efpdd0hWjvTHJQff0fIF6ILSjQ
NZn6M6xmGv6wPQbf3cRP3/q6+Ick35yKHuxBxS2QPH6aAdeBRLYS/3nONsjnC8lQ
o4i4janA4bFNAxURJ4cVnclib+9TH9d4wSZgV2PCH+Gm8McXtT0xAuGykZIzNmn7
urMK14z3Ljo=
=Ktzx
-----END PGP SIGNATURE-----

----- End Included Message -----

===============================================================
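The indicators of infection listed in the bulletin (the "deltree /y c:" line appended to AUTOEXEC.BAT, the AutoClose macro name, the MDMA_DMV message text) and prevention step 1 (a read-only NORMAL.DOT) can be checked offline with a short script. The following is an added example written for this page; it is not part of the MCI report, the NASIRC bulletin, or any vendor's tool. It assumes that the macro name and message text appear as plain ASCII byte strings inside a Word 6/7 file (the bulletin says the macro body is encrypted, so only the name is relied on as the primary indicator) and that AUTOEXEC.BAT is plain text. All sample files and AUTOEXEC.BAT contents below are constructed for the demonstration, not real infected documents.

```python
"""Offline checks for the MDMA / Stickykeys indicators named in the bulletin.

Added example, not bulletin or vendor code.  Assumptions:
  * the AutoClose macro name and the MDMA_DMV message text are stored as
    readable ASCII byte strings in a Word 6/7 .doc/.dot file;
  * AUTOEXEC.BAT is plain text.
A hit is a reason to run an anti-virus product that knows the virus,
not proof of infection by itself.
"""
import os
import re
import stat
import tempfile

# Indicators taken directly from the bulletin text.
DELTREE_LINE = re.compile(r"^\s*deltree\s+/y\s+c:\s*$", re.IGNORECASE | re.MULTILINE)
MACRO_NAME = b"AutoClose"          # the virus's single macro
PAYLOAD_TEXT = b"MDMA_DMV"         # from the message box it displays

# Constructed AUTOEXEC.BAT samples (not from a real machine).
CLEAN_AUTOEXEC = "@ECHO OFF\r\nPATH C:\\DOS;C:\\WINDOWS\r\nSET TEMP=C:\\TEMP\r\n"
INFECTED_AUTOEXEC = CLEAN_AUTOEXEC + "deltree /y c:\r\n"


def autoexec_has_deltree(text: str) -> bool:
    """True if AUTOEXEC.BAT carries the 'deltree /y c:' line the virus appends
    (Windows 3.x payload).  A commented-out or quoted copy does not match."""
    return DELTREE_LINE.search(text) is not None


def word_file_indicators(path: str) -> list:
    """Return the names of indicators found in one Word file; [] means none."""
    with open(path, "rb") as fh:
        data = fh.read()
    found = []
    if MACRO_NAME in data:
        found.append("AutoClose macro name")
    if PAYLOAD_TEXT in data:
        found.append("MDMA_DMV message text")
    return found


def scan_directory(root: str) -> dict:
    """Map each .doc/.dot under root (relative path) to its indicator list.
    Only files with at least one indicator are included."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".doc", ".dot")):
                full = os.path.join(dirpath, name)
                indicators = word_file_indicators(full)
                if indicators:
                    hits[os.path.relpath(full, root)] = indicators
    return hits


def normal_dot_is_read_only(path: str) -> bool:
    """Prevention step 1 check: no write permission bit is set on the template
    (on DOS/Windows this corresponds to the read-only attribute, 'attrib +r')."""
    mode = os.stat(path).st_mode
    return not (mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def make_read_only(path: str) -> None:
    """Apply prevention step 1: strip every write bit from the template."""
    os.chmod(path, stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)


def build_sample_tree() -> str:
    """Create a temporary directory with constructed sample files for a demo run.
    The 'suspect' file only embeds the indicator strings; it is not a real document."""
    root = tempfile.mkdtemp(prefix="mdma_demo_")
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE compound file signature
    with open(os.path.join(root, "NORMAL.DOT"), "wb") as fh:   # clean template
        fh.write(ole_magic + b"\x00" * 64 + b"Normal")
    with open(os.path.join(root, "report.doc"), "wb") as fh:   # constructed suspect
        fh.write(ole_magic + b"\x00" * 32 + b"AutoClose" + b"\x00" * 8
                 + b"You are infected with MDMA_DMV.")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:    # not a Word file, skipped
        fh.write(b"AutoClose mentioned in prose only")
    return root


if __name__ == "__main__":
    print("AUTOEXEC.BAT (constructed infected sample) has deltree line:",
          autoexec_has_deltree(INFECTED_AUTOEXEC))
    demo_root = build_sample_tree()
    for rel, inds in sorted(scan_directory(demo_root).items()):
        print(rel, "->", ", ".join(inds))
    template = os.path.join(demo_root, "NORMAL.DOT")
    make_read_only(template)
    print("NORMAL.DOT read-only:", normal_dot_is_read_only(template))
```

Point `scan_directory` at a directory of Word files and `autoexec_has_deltree` at the contents of a machine's AUTOEXEC.BAT; the string match is deliberately narrow to the indicators the bulletin names, so it will not recognise other macro viruses, and any hit should be followed by a scan with a product from the vendor table.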