HIT: Non-hoax e-mail transmitted virus

Dianne L Parham DZP at library.sannet.gov
Tue May 27 11:39:10 EDT 1997


http://www.mcafee.com/support/techdocs/vinfo/v3333.html

Virus Characteristics

This virus propagates by infecting Word Documents in 
Microsoft WORD Versions 6.x / 7.x on Windows and Macintosh platforms. 
The virus consists of these macros:

                 AUTOOPEN, FILECLOSE, AUTOEXEC, FILEEXIT, FILESAVE,
                 FILEOPEN, FILETEMPLATES, TOOLSMACRO, SHARETHEFUN

in an infected document. The virus becomes active by 
using Auto- and SystemMacros. All macros are encrypted using the 
standard Word execute-only feature. Meaning that the user is unable to 
edit or view the macro code. 

Indications of Infection

On an infected system the virus hides the FILE|TEMPLATE and
TOOLS|MACRO functionality. Warning: It is important not 
to use this command, as you will execute the viral code. 

When opening a document there is a 1-in-4 chance that 
the virus tries to invoke a running version of Microsoft Mail. If 
successfully, it randomly picks up 3 addresses from the address book and 
starts sending 3 emails:

                 Subject: 'You have GOT to read this!'

                 Attachment: 'C:\doc1.doc' 

, which is a copy of the current infected document. 
Afterwards Microsoft Mail will be closed. 

                 Otherwise it will force Windows to exit. 

                   Method of Infection

                 General Macro Virus Information 

                   Removal

                 How To Clean Your System With VirusScan

                   Additional Information

                 How to Repair Macro Virus Damages 

                   Prevention

                 How to Prevent Macro Virus Infection 

                   Virus Information


                       Discovery Date
                                     Feb 1997
                       Origin
                                     US
                       Length
                                     Not Applicable
                       Type
                                     General Macro Virus Information 
                       Prevalence
                                     Common

Copied from McAfee website.

Dianne Parham
San Diego Public Library
dzp at library.sannet.gov
                    

---------- Forwarded message ----------
Date: Tue, 27 MAY 1997 15:05:43 -0700
From: Bill Crosbie <crosbie at AESOP.RUTGERS.EDU>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Subject: Re: A non-hoax e-mail transmitted virus

At 02:57 PM 5/25/97 -0500, you wrote:
>If you can provide authentication for this, please do so. I checked both
>the DOE's CIAC site and McAfee's site, and could find no mention of a
>virus called Sharefun.
>

Dorothy,

First of all, thank you for the excellent reminder that you shouldn't post
such messages without verifying them.  Of course, looking at the URL posted
in my message, you will see such verification.  My only error may be that
the actual virus name is SHAREFUN.A

I am not some net newbie taken in by the Good Times hoax.  I am a network
administrator and know my way around the on-line world.  This threat is
_real_ according to McAfee.

>> 8<x-----------SNIPPITY SNIP----------------x
>> For an in depth look at ShareFun visit McAfee:
>> http://www.mcafee.com/support/techdocs/vinfo/v3333.html
>>
>>
>> MCAFEE DISCOVERS SHAREFUN VIRUS; FIRST MACRO VIRUS TO AUTOMATICALLY EMAIL
>> ITSELF TO UNSUSPECTING VICTIMS
>>

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Always dream and shoot higher         |      Bill Crosbie
 than you know you can do.             |      Microcomputer Analyst
 Don't bother just to be better than   |      Chang Science Library
 your contemporaries or predecessors.  |      Rutgers University
 Try to be better than yourself.       |      New Brunswick, NJ USA
                                       |      crosbie at aesop.rutgers.edu
      ~~William Faulkner~~             |      908-932-0305 x114




More information about the Web4lib mailing list