ftp://ftp.symantec.com/public/english_us_canada/antivirus_definitions/norton_antivirus/wizsetup.exe
Some people might not be able to use the SARC Virus Submission Wizard. In
that case, please see the info below on submitting a Sample:
A Potential Virus submission consists of two parts, the Customer System
information form (SARC.TXT), and the actual virus sample. This document
includes the SARC.TXT form, instructions for creating a virus sample and
instructions on where and how to send the Potential Virus sample.
PART 1 - Customer and System Information
Please fill out the form below as completely as possible. There is space
provided at the bottom for additional comments or instructions. When you
have completed the form, please save it as SARC.TXT.
-----------------------------SARC.TXT-------------------------
NAME:
COMPANY NAME (if applicable):
PLATINUM SUPPORT NUMBER (if applicable):
GOLD CONTRACT NUMBER (if applicable):
CASE NUMBER (if applicable):
ADDRESS (line 1):
ADDRESS (line 2):
CITY:
STATE:
ZIP/COUNTRY CODE:
PROVINCE:
COUNTRY:
PHONE NUMBER:
FAX NUMBER:
E-MAIL ADDRESS:
LOCATION OF SAMPLE(S)
(State or Country, if different than above):
OPERATING SYSTEM(s)
(place an "X" in the space provided for all that apply):
[ ]DOS WHAT VERSION: [ ]v3.3x [ ]v5.00 [ ]v6.X
[ ]WINDOWS 3.1x
[ ]WINDOWS 95/98/NT
[ ]NLM WHAT VERSION: [ ]v2.x [ ]v3.0
DATE OF YOUR VIRSCAN.DAT FILE (MM/DD/YY):
WHAT TYPE OF VIRUS DO YOU BELIEVE THAT YOU HAVE?
(place an "X" in the space provided for all that apply):
[ ]FILE INFECTOR
[ ]BOOT INFECTOR
[ ]WORD MACRO WHAT VERSION: [ ]6.0 [ ]7.0 [ ]8.0
[ ]EXCEL MACRO WHAT VERSION: [ ]5.0 [ ]7.0 [ ]8.0
Please describe the symptoms that you have observed. Also include any
other relevant information (e.g. other scanners that may have detected
a virus, etc.).
----------------------END OF FORM-------------------------------
PART 2 - Creating a Virus Sample
You will need the following before starting:
1. A copy of PKZIP, Version 2.04g. Copies of PKZIP 2.04g are available
from:
PKWARE Inc. (http://www.pkware.com/download.html)
Symantec Corporation (http://www.symantec.com/avcenter/download.html)
Symantec Norton Navigator (http://www.symantec.com/nn)
Niko Mak Computing WinZip (http://www.winzip.com)
2. A blank floppy disk if submitting a Boot Sector virus
3. A temporary directory on the hard drive in which to gather files, for
example:
mkdir C:\SAMPLE
4. A completed SARC.TXT form
If the operating system is Windows 3.x/MS-DOS, please refer to SECTION 1
If the operating system is Windows 95, please refer to SECTION 2
If the operating system is Windows NT, please refer to SECTION 3
SECTION 1 MS-DOS
FILE VIRUSES
If you have a Word or Excel macro virus, you may skip steps 2 - 6.
1. Start the potentially infected system from its own hard drive.
In MS-DOS, return to the DOS prompt
In Windows 3.x, exit Windows to the DOS prompt
2. Copy the following files from the DOS directory to the temporary
directory:
MEM.EXE
MODE.COM
PRINT.COM
TREE.COM
3. Run the programs that were copied to the temporary directory, ignoring
any screen messages. For example, type MEM and press Enter.
4. Copy any files whose inoculation data has changed without reason to the
temporary directory.
5. Copy any other programs that you suspect are infected to the temporary
directory.
6. Copy COMMAND.COM from the root directory of C: to the temporary
directory.
WORD MACRO VIRUS
Copy any documents that you believe are infected along with NORMAL.DOT from
the TEMPLATE directory.
EXCEL MACRO VIRUS
Copy any worksheets that you believe are infected along with any files in
the XLSTART directory.
7. Compress the infected file(s) into a password-encrypted file called
VIRUS.ZIP. The password is INFECTED. For example if PKZIP is in the
C:\PKZIP directory, and the temporary directory containing the infected
files is C:\SAMPLE, type
CD C:\SAMPLE
C:\PKZIP\PKZIP.EXE -SINFECTED VIRUS.ZIP
BOOT SECTOR VIRUS
1. Format a floppy disk from the infected computer
From the DOS prompt, enter
FORMAT A: /S
2. Copy the following executables from the DOS directory to the floppy:
MEM.EXE
MODE.COM
PRINT.COM
TREE.COM
3. Change to the A: drive
4. Type PATH; and press Enter.
(Don't forget the semicolon. This command temporarily disables your path
statement.)
5. Run the programs, ignoring any screen messages. For example, type MEM
and press Enter.
SECTION 2 Windows 95
FILE VIRUSES
If you have a Word or Excel macro virus, you may skip steps 2 - 6.
1. Start the potentially infected system from its own hard drive and boot
into SAFE MODE, COMMAND PROMPT ONLY. To boot into SAFE MODE, COMMAND PROMPT
ONLY, restart the system and press the F8 key when you see the line
"Starting Windows 95.....". Choose SAFE MODE, COMMAND PROMPT ONLY from the
menu.
2. Copy the following files from the WINDOWS\COMMAND folder to the
temporary directory:
MEM.EXE
MODE.COM
KEYB.COM
XCOPY.EXE
3. Run the programs that were copied to the temporary directory, ignoring
any screen messages. For example, type MEM and press Enter.
4. Copy any files whose inoculation data has changed without reason to the
temporary directory.
5. Copy any other programs that you suspect are infected to the temporary
directory.
6. Copy COMMAND.COM from the root directory of C: to the temporary
directory.
WORD MACRO VIRUS
Copy any documents that you believe are infected along with NORMAL.DOT from
the TEMPLATE directory.
EXCEL MACRO VIRUS
Copy any worksheets that you believe are infected along with any files in
the XLSTART directory.
7. Compress the infected file(s) into a password-encrypted file called
VIRUS.ZIP. The password is INFECTED. For example if PKZIP is in the
C:\PKZIP directory, and the temporary directory containing the infected
files is C:\SAMPLE, type
CD C:\SAMPLE
C:\PKZIP\PKZIP.EXE -SINFECTED VIRUS.ZIP
BOOT SECTOR VIRUS
1. Format a floppy disk from the infected computer
From the DOS prompt, enter:
FORMAT A: /S
2. Copy the following executables from the WINDOWS\COMMAND folder to the
floppy:
MEM.EXE
MODE.COM
KEYB.COM
XCOPY.EXE
3. Change to the A: drive
4. Enter PATH;
(Don't forget the semicolon. This command temporarily disables your path
statement.)
5. Run the programs, ignoring any screen messages. For example, type MEM
and press Enter.
SECTION 3 WINDOWS NT
FILE VIRUSES
If you have a Word or Excel macro virus, you may skip steps 2 - 6.
1. Start the potentially infected system from its own hard drive and open a
DOS Window.
2. Copy the following files from %systemroot%\system32 to the temporary
directory:
COMMAND.COM
CMD.EXE
MODE.COM
MEM.EXE
MORE.COM
3. Run the programs that were copied to the temporary directory, ignoring
any screen messages. For example, type MEM and press Enter.
4. Copy any files whose inoculation data has changed without reason to the
temporary directory.
5. Copy any other programs that you suspect are infected to the temporary
directory.
6. Copy COMMAND.COM from the root directory of C: to the temporary
directory.
WORD MACRO VIRUS
Copy any documents that you believe are infected along with NORMAL.DOT from
the TEMPLATE directory.
EXCEL MACRO VIRUS
Copy any worksheets that you believe are infected along with any files in
the XLSTART directory.
7. Compress the infected file(s) into a password-encrypted file called
VIRUS.ZIP. The password is INFECTED. For example if PKZIP is in the
C:\PKZIP directory, and the temporary directory containing the infected
files is C:\SAMPLE, type
CD C:\SAMPLE
C:\PKZIP\PKZIP.EXE -SINFECTED VIRUS.ZIP
BOOT SECTOR VIRUS
1. Format a floppy disk from the infected computer
From the DOS prompt, enter
FORMAT A: /S
2. Copy the following executables from %systemroot%\system32 to the floppy:
COMMAND.COM
CMD.EXE
EXPLORER.EXE
SERVICES.EXE
3. Load a DOS prompt window, run the files in the DOS window. NT will most
likely display "Illegal instructions - the applications xxx attempted to
write directly to the file system", etc. Click the "Ignore" button.
4. Enter PATH;
(Don't forget the semicolon. This command temporarily disables your path
statement.)
5. Run the programs, ignoring any screen messages. For example, type MEM
and press Enter.
Sending the Submission to SARC
1. If sending in file infectors, copy SARC.TXT to the temporary directory
and then compress the infected file(s) and SARC.TXT into a file called
SUBMIT.ZIP. Make sure that this file is not password protected.
For example, if PKZIP is installed in a PKZIP directory, you would enter:
C:\PKZIP\PKZIP.EXE SUBMIT.ZIP SARC.TXT VIRUS.ZIP
2. Attach the file to an email message and send it to
submi...@sarc.symantec.com with the words "Virus Submission" as the
Subject line. This is the preferred method.
3. If you do not have access to Internet email, or if you are sending in a
possible Boot Sector virus, copy the SARC.TXT file to the sample floppy and
send via preferred courier (FedEx, UPS, Postal Service, etc.) to:
SYMANTEC ANTIVIRUS RESEARCH CENTER
2500 BROADWAY, SUITE 200
SANTA MONICA, CA 90404
Regards,
--
Steve Topilnycky
Symantec Norton AntiVirus Support Volunteer
================================================================
Please continue to post your messages to the public discussion group as
Symantec does not provide support via private e-mail. Thank you.
If you have difficulty getting a response, please read the following
article:
http://service1.symantec.com/SUPPORT/sharedtech.nsf/docid/1998527114414
Home Brewed Computing Solutions (My Home Page):
http://ourworld.compuserve.com/homepages/steve_topilnycky/
=================================================================
Jose Puno wrote in message <980828123833.0217156710@servicenews>...
>Configuration Information:
> Version: 2.0
>
>I just recently noticed that I had a Word Macro virus made by the
>Narkotic Network. I've already gotten the latest updates for my
>product, but when I scanned, the virus wasn't detected and repaired.
>
>What do I do?
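
A pre-send check of the layout the reply above describes (an unprotected SUBMIT.ZIP holding SARC.TXT and a password-encrypted VIRUS.ZIP), as an added Python example that is not part of the original post or Symantec's tooling. `check_submission` and `build_zip` are hypothetical names, and the sample archives are constructed from placeholder text with only the encryption flag set.

```python
import io
import zipfile

ENCRYPTED = 0x1  # general-purpose flag bit 0: entry is password-encrypted

def check_submission(submit_bytes):
    """Return a list of problems found in a SUBMIT.ZIP image (empty = OK)."""
    try:
        outer = zipfile.ZipFile(io.BytesIO(submit_bytes))
    except zipfile.BadZipFile:
        return ["SUBMIT.ZIP is not a readable ZIP archive"]
    entries = {i.filename.upper(): i for i in outer.infolist()}
    # The outer archive must open without a password.
    problems = [f"{n} in SUBMIT.ZIP is password protected"
                for n, i in entries.items() if i.flag_bits & ENCRYPTED]
    problems += [f"{n} missing from SUBMIT.ZIP"
                 for n in ("SARC.TXT", "VIRUS.ZIP") if n not in entries]
    inner_info = entries.get("VIRUS.ZIP")
    if inner_info is None or inner_info.flag_bits & ENCRYPTED:
        return problems
    try:
        inner = zipfile.ZipFile(io.BytesIO(outer.read(inner_info)))
    except zipfile.BadZipFile:
        return problems + ["VIRUS.ZIP is not a readable ZIP archive"]
    # Every sample inside VIRUS.ZIP must carry the encryption flag.
    members = [i for i in inner.infolist() if not i.is_dir()]
    if not members:
        problems.append("VIRUS.ZIP contains no samples")
    problems += [f"{i.filename} in VIRUS.ZIP is not encrypted"
                 for i in members if not i.flag_bits & ENCRYPTED]
    return problems

def build_zip(files, mark_encrypted=False):
    """Constructed harmless archive; only the flag is set, nothing is encrypted."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    raw = bytearray(buf.getvalue())
    pos = raw.find(b"PK\x01\x02") if mark_encrypted else -1
    while pos != -1:
        raw[pos + 8] |= ENCRYPTED  # flags field sits at offset 8 of the record
        pos = raw.find(b"PK\x01\x02", pos + 4)
    return bytes(raw)

# Constructed inputs: placeholder text stands in for the samples.
inner_ok = build_zip({"NORMAL.DOT": "placeholder"}, mark_encrypted=True)
good = build_zip({"SARC.TXT": "NAME:", "VIRUS.ZIP": inner_ok})
bad = build_zip({"VIRUS.ZIP": build_zip({"NORMAL.DOT": "placeholder"})})
print(check_submission(good), check_submission(bad))
```

The check reads only archive metadata, so it never needs the INFECTED password and never extracts a sample.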