New Virus Waits Before Attacking
- By Scott Bekker
- September 21, 1999
A new virus is said to wait a week or so before replicating itself. Suppl.doc, first found at the end of last week, replicates itself with some of the same techniques employed by the Worm.ExploreZip virus, and cripples files so they are unusable.
Security vendor Network Associates Inc. (www.nai.com) classifies Suppl.doc with a medium risk warning on its Anti-Virus Emergency Response Team (AVERT) Web site.
AVERT describes the virus as a Word97 document with a class module macro having an Internet worm binary file. The worm binary is an appended EXE file with a trojan payload. The virus is sent and received in a file attachment named SUPPL.DOC.
Once opened, the virus functions similar to W32/Ska in that the local file WSOCK32.DLL is replaced with a rogue copy self-contained at the end of the document. The new WSOCK32.DLL contains instructions to attach the file SUPPL.DOC to e-mail messages using SMTP protocol.
The virus’ macro code was written to make use of routines found in the DLL files LZ32.DLL and KERNEL32.DLL.
About a week after initially infecting the local machine, the trojanized WSOCK32.DLL will seek all files within all local drives with the following extension and null them similar to W32/ExploreZip: .doc, .xls, .txt, .rtf, .dbf, .zip, .arj and .rar.
As with all potential viruses, users are warned against opening attachments named Suppl.doc. -- Thomas Sullivan
Scott Bekker is editor in chief of Redmond Channel Partner magazine.