Virus.MSWord.Story

Class Virus
Platform MSWord
Description

Technical Details

This macro-virus contains one macro that has different auto-names in
infected documents (“Document_Open”) and in the global macros area (NORMAL.DOT
– “Document_Close”). As a result, the virus activates upon document opening
and closing. It infects the global macros area upon infected document
opening, and spreads to other documents upon closing.

While infecting, the virus also disables the Word macro virus protection (Virus
Warning), as well as disables the Word menus: “Tools/Macro”,
“Tools/Customize…”, “View/Toolbars”, “View/Status Bar”.

The virus has a comment line that is used by the virus to separate
infected and uninfected documents. This text appears as follows:


Jack-In-The-Box

The virus has worm ability and spreads its copy via IRC channels. To do
this, the virus-worm looks for the mIRC client installed in the system and creates a new
SCRIPT.INI file there. The virus looks for the mIRC client in only one
directory, C:\MIRC, and fails to infect mIRC when it is installed in any
other directory. While infecting the mIRC client, the virus also disables its
security warning messages. To spread itself via IRC channels, the virus
sends the infected document C:\WINDOWS\STORY.DOC, which the virus creates
when it infects a system by simply saving the current (infected) document there.

The virus’ script file contains a set of mIRC commands (about 4.5Kb of mIRC
instructions) that perform many functions, including spreading via
channels, displaying messages, sending spam messages and hiding itself.

The virus sends its copy (the STORY.DOC document) in three instances:

Instance 1. Upon receiving any file from any person via IRC, the virus script
immediately sends back the infected STORY.DOC file.

Instance 2. The virus uses mIRC’s notify list. The notify list in the mIRC
client contains a list of nicks, and when any of these nicks appears on the
net, the client is informed of this (receives a notification). When
an affected mIRC client is notified about such a person, the virus removes
this nick from the notify list, ignores all messages from this nick, and after 5
seconds sends a message, which is followed 15 seconds later by a copy of the
virus (the infected Word document C:\WINDOWS\STORY.DOC). The message that is
sent to the nick appears as follows:


Hey, I can’t talk right now but I wanted to send you this file. It has a
funny story you should read, and also has macros inside that protect you
from a lot of viruses. Just open the document, enable the macros, and if
you are infected it will get rid of the virus

Instance 3. Upon receiving an “Invite” command from any nick, the virus script, within
10 seconds, joins that channel and then sends the following message to this person,
followed by the same infected STORY.DOC file:


Thanks for the invite
I’m a little busy so I can’t talk much now. I thought you might want to
look at this file I got. It has a funny story and also has macros in it
which get rid of any macro viruses. Just enable the macros when the
prompt comes up and it will scan for any viruses and clean them.

The virus also seems to inform its author about its activity. Upon connecting
to the mIRC server, the virus adds a “SimpleSmn” nick to the notify list, so the
affected mIRC client is notified if such a nick appears on the IRC net. When a
person with the “SimpleSmn” nick appears, the virus sends this person the message
“I’m on irc.”, thereby informing its author about infected computers that are
online.

Upon a “Notice” command from the “Simplicity” nick, the virus then opens the C:
drive on the infected computer as a file server (with full access), so the
virus has Backdoor ability.

Upon connecting to an IRC server, the virus hides its script and restores it upon
disconnecting: upon connecting, it copies SCRIPT.INI from the C:\MIRC directory to the
C:\WINDOWS\SCRIPT1.INI file, reloads it into the mIRC client, and then
erases the C:\MIRC\SCRIPT.INI contents. Upon disconnecting, the virus copies
C:\WINDOWS\SCRIPT1.INI back to C:\MIRC\SCRIPT.INI and erases the
C:\WINDOWS\SCRIPT1.INI file.

If the affected client enters a channel that has the “help” or “nohack”
sub-strings in its name, the virus script immediately leaves that channel.

The virus ignores all further messages from any user on a channel if s/he
sends a message containing any of the following strings:


script worm virus infect Jack Box macro Story.doc

If the user of an infected client enters the custom IRC command “/BY” (added by the script),
the virus displays the text:


Mirc Worm Jack-In-The-Box
By SimpleSimon
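The strings quoted in this description (the “Jack-In-The-Box” marker, the STORY.DOC payload path, the SCRIPT1.INI backup, the author nicks and the /BY alias) can be turned into a simple triage check for a suspect mIRC script file. The following is an added example for defenders, not code from the original description or from the worm; the indicator weights and verdict thresholds are assumptions, and the sample inputs are constructed, not the worm’s real script.

```python
import re

# Indicators taken from the description above. Weights are an assumption
# used only to rank a single hit (e.g. a path) below the marker or the nicks.
INDICATORS = {
    "marker": (re.compile(r"Jack-In-The-Box", re.I), 3),
    "author_nick": (re.compile(r"\b(SimpleSmn|SimpleSimon|Simplicity)\b", re.I), 3),
    "story_doc": (re.compile(r"STORY\.DOC", re.I), 2),
    "script_backup": (re.compile(r"SCRIPT1\.INI", re.I), 2),
    "by_alias": (re.compile(r"^\s*alias\s+by\b", re.I | re.M), 1),
}


def scan_mirc_script(text: str) -> dict:
    """Report which Virus.MSWord.Story indicators occur in a script text.

    Verdict (assumed thresholds): 'infected' when the combined weight reaches 5,
    i.e. the marker or an author nick plus at least one more indicator,
    'suspicious' for any weaker hit, otherwise 'clean'.
    """
    hits = {name: bool(rx.search(text)) for name, (rx, _) in INDICATORS.items()}
    score = sum(weight for name, (_, weight) in INDICATORS.items() if hits[name])
    if score >= 5:
        verdict = "infected"
    elif score > 0:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"hits": hits, "score": score, "verdict": verdict}


# Constructed sample inputs for demonstration (not the worm's real SCRIPT.INI).
SAMPLE_INFECTED = """; Jack-In-The-Box
alias by echo Mirc Worm Jack-In-The-Box - By SimpleSimon
; references C:\\WINDOWS\\STORY.DOC and C:\\WINDOWS\\SCRIPT1.INI
"""

SAMPLE_WEAK = """; sends the file C:\\WINDOWS\\STORY.DOC to a friend
"""

SAMPLE_CLEAN = """; my own mIRC helper script
alias hi /msg $1 hello there
"""

if __name__ == "__main__":
    for label, sample in [("infected", SAMPLE_INFECTED), ("weak", SAMPLE_WEAK), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_mirc_script(sample))
```

Because “Simplicity” is also an ordinary word, a hit on the author-nick pattern alone only yields “suspicious” and should be confirmed by hand.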

If a received message text is “Hi”, “!”, “Hey”, or “Hello”, the virus connects to one of the following anti-virus vendor
sites and other Internet addresses that have a mail server with open public relay ability:


mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com,
drsolomon.com, www.bocklabs.wisc.edu, ebay.com

and checks whether mail sending (sendmail relaying) is permitted there. If it is available, the
virus uses this e-mail server to send spam messages with the following fields:


mail from: Addr1@Addr2.com
rcpt to: Addr3
to: Addr3
from: Addr1@Addr2.com
Subject: RndText
Message body: Jack-In-The-Box Has Popped Up Again!

where Addr1 and Addr2 are randomly generated text strings of up to eight
letters, RndText is randomly generated text of up to 50 characters, and
Addr3 is randomly selected from the list:


evrt@avp.com
samples@datafellows.com
virus_research@nai.com
tech_support@nai.com