HIT: Non-hoax e-mail transmitted virus
Dianne L Parham
DZP at library.sannet.gov
Tue May 27 11:39:10 EDT 1997
http://www.mcafee.com/support/techdocs/vinfo/v3333.html
Virus Characteristics
This virus propagates by infecting Word Documents in
Microsoft WORD Versions 6.x / 7.x on Windows and Macintosh platforms.
The virus consists of these macros:
AUTOOPEN, FILECLOSE, AUTOEXEC, FILEEXIT, FILESAVE,
FILEOPEN, FILETEMPLATES, TOOLSMACRO, SHARETHEFUN
in an infected document. The virus becomes active by
using Auto- and SystemMacros. All macros are encrypted using the
standard Word execute-only feature. Meaning that the user is unable to
edit or view the macro code.
Indications of Infection
On an infected system the virus hides the FILE|TEMPLATE and
TOOLS|MACRO functionality. Warning: It is important not
to use this command, as you will execute the viral code.
When opening a document there is a 1-in-4 chance that
the virus tries to invoke a running version of Microsoft Mail. If
successfully, it randomly picks up 3 addresses from the address book and
starts sending 3 emails:
Subject: 'You have GOT to read this!'
Attachment: 'C:\doc1.doc'
, which is a copy of the current infected document.
Afterwards Microsoft Mail will be closed.
Otherwise it will force Windows to exit.
Method of Infection
General Macro Virus Information
Removal
How To Clean Your System With VirusScan
Additional Information
How to Repair Macro Virus Damages
Prevention
How to Prevent Macro Virus Infection
Virus Information
Discovery Date
Feb 1997
Origin
US
Length
Not Applicable
Type
General Macro Virus Information
Prevalence
Common
Copied from McAfee website.
Dianne Parham
San Diego Public Library
dzp at library.sannet.gov
---------- Forwarded message ----------
Date: Tue, 27 MAY 1997 15:05:43 -0700
From: Bill Crosbie <crosbie at AESOP.RUTGERS.EDU>
To: Multiple recipients of list <web4lib at library.berkeley.edu>
Subject: Re: A non-hoax e-mail transmitted virus
At 02:57 PM 5/25/97 -0500, you wrote:
>If you can provide authentication for this, please do so. I checked both
>the DOE's CIAC site and McAfee's site, and could find no mention of a
>virus called Sharefun.
>
Dorothy,
First of all, thank you for the excellent reminder that you shouldn't post
such messages without verifying them. Of course, looking at the URL posted
in my message, you will see such verification. My only error may be that
the actual virus name is SHAREFUN.A
I am not some net newbie taken in by the Good Times hoax. I am a network
administrator and know my way around the on-line world. This threat is
_real_ according to McAfee.
>> 8<x-----------SNIPPITY SNIP----------------x
>> For an in depth look at ShareFun visit McAfee:
>> http://www.mcafee.com/support/techdocs/vinfo/v3333.html
>>
>>
>> MCAFEE DISCOVERS SHAREFUN VIRUS; FIRST MACRO VIRUS TO AUTOMATICALLY EMAIL
>> ITSELF TO UNSUSPECTING VICTIMS
>>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Always dream and shoot higher | Bill Crosbie
than you know you can do. | Microcomputer Analyst
Don't bother just to be better than | Chang Science Library
your contemporaries or predecessors. | Rutgers University
Try to be better than yourself. | New Brunswick, NJ USA
| crosbie at aesop.rutgers.edu
~~William Faulkner~~ | 908-932-0305 x114
More information about the Web4lib
mailing list