
New Virus Waits Before Attacking

A new virus is said to wait a week or so before replicating itself. Suppl.doc, first found at the end of last week, replicates itself with some of the same techniques employed by the Worm.ExploreZip virus, and cripples files so they are unusable.

Security vendor Network Associates Inc. (www.nai.com) classifies Suppl.doc with a medium risk warning on its Anti-Virus Emergency Response Team (AVERT) Web site.

AVERT describes the virus as a Word97 document containing a class module macro and an Internet worm binary file. The worm binary is an appended EXE file with a trojan payload. The virus is sent and received as a file attachment named SUPPL.DOC.

Once the document is opened, the virus functions similarly to W32/Ska: the local file WSOCK32.DLL is replaced with a rogue copy that is carried at the end of the document. The new WSOCK32.DLL contains instructions to attach the file SUPPL.DOC to e-mail messages using the SMTP protocol.

The virus's macro code was written to make use of routines found in the DLL files LZ32.DLL and KERNEL32.DLL.

About a week after initially infecting the local machine, the trojanized WSOCK32.DLL will seek out all files on all local drives with the following extensions and null them, as W32/ExploreZip does: .doc, .xls, .txt, .rtf, .dbf, .zip, .arj and .rar.

As with all potential viruses, users are warned against opening attachments named Suppl.doc. -- Thomas Sullivan

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
