VIRUS ALERT
Footprint Macro Virus
W97M.Footprint Macro Virus Detected
The following information is from the CIAC bulletin number J-025 -- February 2, 1999
CIAC Is the U.S. Department of Energy Computer Incident Advisory Capability
| PROBLEM: |
A new word 97 macro virus has been detected at a DOE site and
is known to have been in documents sent to other sites. It is
not yet detected by most antivirus tools. |
|
| PLATFORM: |
Windows 95, or Windows NT running Microsoft Word 97 (version
8). Word 98 on the Macintosh is probably not susceptible as the
virus explicitly writes to the C: hard drive which does not
exist on the Macintosh. |
|
| DAMAGE: |
Overwrites the footers on all open documents. It also
overwrites all macros in open documents and open and attached
templates with the macro virus code. |
|
| SOLUTION: |
Use an updated antivirus product when one is available. Until
then, password the normal.dot file, turn on macro virus
detection in Word, and take care when opening files containing
macros. |
|
VULNERABILITY
ASSESSMENT: |
Risk of infection is high because this virus has been seen in
the wild within the DOE complex. The risk of damage is low,
because most users do not have macros in files and would be
alerted by Word's macro detector. Also fixing damaged footers
in Word documents is a relatively easy task. |
|
The W97M.Footprint Word macro virus has been seen within the DOE complex.
This macro virus attaches to Word objects in Word 97 in much the same way as
W97M.Class. Because of this method of infection, this virus will not infect
older versions of Microsoft Word. When an infected document is opened, the
virus writes the body of the virus code into two files:
C:\footprint.$$$
C:\footprint.$$1
Finding these two files on a system indicates the system has been infected.
The virus then tests the currently open documents for a custom property:
| Property Name | | Value |
| FootNote1 | | True |
If the property exists, the virus knows the file has already been infected. If
the property does not exist, the virus creates the custom property, overwrites
the document footer with the document path, deletes any existing macros
attached as Word objects, and copies the virus macro into the file. The virus
then deletes all the macros attached as Word objects in all attached document
templates and copies itself into the templates as well.
Detecting The Virus
Finding the two footprint files in the root directory of the C: drive is
strong evidence that the virus has infected a system.
If you open a document and the Word macro virus protection detects a macro in
the document being opened, disable the macro and then use the File, Properties
command to see the document properties. Check the Custom tab and if a custom
property named: FootNote1 exists the document has been infected.
We expect that most antivirus scanners will be updated to detect this virus in
the near future.
Protecting A System
To protect a system from this and other Word macro viruses, the normal.dot
file should be password protected and macro virus protection should be turned
on.
Password Protecting The Normal.dot File
To password protect the Normal.dot file in Word 97, perform these steps:
- Start Word.
- Choose the Tools, Macro, Visual Basic Editor command.
- In the Project window of the Visual Basic Editor, click on Normal.
- Choose the Tools, Normal Properties command, Protection tab.
- Check the Lock Project for Viewing check box and type in a password twice.
- Close the dialog box, close the Visual Basic editor.
- Quit Word.
The next time you start Word, the normal.dot template will be protected.
WARNING: If you ever have to type in the password to make changes to the
normal.dot file be aware that the file remains unprotected until you quit Word
and restart it.
Turning On Macro Virus Protection
Some simple macro virus protection is built into Word 97. It does not detect
specific macro viruses but only informs you if macros exist on a document you
are trying to open. Macros detected by Macro Virus Protection are not
necessarily a virus. However, if you are alerted to a macro attached to a
document you should be extremely wary because most people do not have macros
attached to their documents.
To turn on macro virus protection, perform these steps:
- Start Word.
- Choose the Tools, Options command, General tab.
- Check the Macro Virus Protection check box.
- Close the dialog box.
Whenever you open a document that contains macros, the macro virus protection
opens a dialog box telling you that there are macros in the document and
giving you the option to: Open the document with the macros enabled, open the
document without the macros, or cancel the open operation. You should only
open a document with macros enabled if you are expecting there to be macros on
that document and you know what they are supposed to do.
Manual Cleaning of a System
Until the commercial antivirus scanners are able to detect and clean this
virus, it can be cleaned by hand using the following procedures. The procedure
assumes that your copy of Word is not infected with the virus. If your copy of
Word is infected, it must be cleaned first. The Word program is not actually
infected with a macro virus, it is the normal.dot file that Word loads at
startup that is infected.
To clean a copy of Microsoft Word that has been infected with a macro virus,
perform these steps:
- Start Word.
- Choose the Tools, Templates and Add-Ins command.
- Make a note of all templates that load at startup (normal.dot plus those checked in the dialog box.)
- Quit Word.
- Find the normal.dot file that Word loads at startup and delete it. It is normally in /Program Files/Microsoft Office/Templates.
- Delete any other templates that you noted in step 3.
- Start Word then quit Word to create a new normal.dot file.
- Password protect normal.dot as indicated above.
- Delete the files: C:\footprint.$$$ and C:\footprint.$$1.
To clean a document infected with a macro virus, perform these steps:
- Make sure the Normal.dot template is locked.
- Make sure macro virus protection is turned on.
- Open the file and disable the macros with the macro virus protection dialog box.
- Choose the File, Properties command, Custom tab.
- Select the FootNote1 property and press the delete button.
- Close the File properties dialog box.
- Save the document with a new name as a Word6/95 document. If you save it as a Word 97 document, the virus will be deleted, but the macro detector will still alert every time the document is opened.
- Open the document again and save it as a word 97 document if you want to change it back to the current format.
If after cleaning Word and your documents the files,
C:\footprint.$$$
C:\footprint.$$1
reappear, then you have missed an infected file somewhere and your system is
still infected. You must go back and clean Word and the documents again. Most
likely you missed an attached template that was set to load when Word starts.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
HOME
Back to the MAIN PAGE
Back to the VIRUS ALERT INDEX PAGE
Read the DISCLAIMER
Site development and administration by PCS
