Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Virus MSWord

Virus.MSWord.Story

Class
Virus
Platform
MSWord

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: MSWord

Microsoft Word (MS Word) is a popular word processor and part of Microsoft Office. Microsoft Word files have a .doc or .docx extension.

Description

Technical Details

This macro-virus contains one macro that has different auto-names in infected documents ("Document_Open") and in the global macros area (NORMAL.DOT - "Document_Close"). As a result, the virus activates upon document opening and closing. It infects the global macros area upon infected document opening, and spreads to other documents upon closing.

While infecting, the virus also disables the Word macro virus protection (Virus Warning), as well as disables the Word menus: "Tools/Macro", "Tools/Customize...", "View/Toolbars", "View/Status Bar".

The virus has a comment line that is used by the virus to separate infected and uninfected documents. This text appears as follows:

Jack-In-The-Box

The virus has worm ability and spreads its copy via IRC channels. To do this, the virus-worm looks for the mIRC client installed in a system, and creates a new SCRIPT.INI file there. The virus looks for the mIRC client in only one directory, C:MIRC, and fails to infect the mIRC in the case when it is installed in any other directory. While infecting the mIRC client, the virus also disables its security warning messages. To spread itself via IRC channels, the virus sends the infected document C:WINDOWSSTORY.DOC that is created by the virus when it infects a system. The virus simply saves the current (infected) document there.

The virus' script file contains a set of mIRC commands (about 4.5Kb of mIRC instructions) that perform many functions, including spreading via channels, displaying messages, sending spam messages and hiding itself.

The virus sends its copy (the STORY.DOC document) in three instances:

instance 1. Upon receiving any file from any person via IRC, the virus script immediately sends back the infected STORY.DOC file.

instance 2. The virus uses the mIRC's notify list. The notification list in the mIRC client contains a list of nicks, and in the case that any of these nicks appears on the net, the current client is informed of this (receives notification). In the case that an affected mIRC client is notified about such a person, the virus performs the following: removes this nick from the notification list; ignores all messages from this nick; and in 5 seconds, sends a message, which in turn is followed 15 seconds later by a copy of the virus (infected Word document - C:WINDOWSSTORY.DOC). The message that is sent to the nick appears as follows:

Hey, I can't talk right now but I wanted to send you this file.  It has a
funny story you should read, and also has macros inside that protect you
from a lot of viruses. Just open the document, enable the macros, and if
you are infected it will get rid of the virus

instance 3. Upon receiving the "Invite" command from any nick, the virus script, within 10 seconds, joins this channel and then sends the message to this person followed by the same infected STORY.DOC file:

Thanks for the invite
I'm a little busy so I can't talk much now. I thought you might want to
look at this file I got. It has a funny story and also has macros in it
which get rid of any macro viruses. Just enable the macros when the
prompt comes up and it will scan for any viruses and clean them.

The virus also seems to inform its author about its activity. Upon connecting to the mIRC server, the virus adds a "SimpleSmn" nick to the notification list - the affected mIRC will be notified if such a nick appears in the IRC net. The infected mIRC client then detects when a person with a "SimpleSmn" nick appears in the IRC net. In this case, the virus informs this person with the message "I'm on irc.", so the virus informs its author about infected computers online.

Upon a "Notice" command from the "Simplicity" nick, the virus then opens the C: drive on the infected computer as a file server (with full access), so the virus has Backdoor ability.

Upon connecting to IRC server, the virus hides its script and restores it upon disconnecting: upon connecting, it copies SCRIPT.INI from the C:MIRC directory to the C:WINDOWSSCRIPT1.INI file, reloads it into the mIRC client, and then erases the C:MIRCSCRIPT.INI contents. Upon disconnecting, the virus copies the C:WINDOWSSCRIPT1.INI back to C:MIRCSCRIPT.INI and erases the C:WINDOWSSCRIPT1.INI file.

In case the affected client enters a channel that has "help" or "nohack" sub-strings in the channel name, the virus script immediately exits this channel.

The virus disables any messages from any user on a channel, if s/he sends a message that has any of the following strings:

script  worm  virus  infect  Jack Box  macro  Story.doc

If an infected client enters a custom IRC command "/BY" (added by script), the virus displays the text:

Mirc Worm Jack-In-The-Box
By SimpleSimon

If the texts are "Hi", "!", "Hey", or "Hello", the virus opens one of the anti-viruses and other Internet addresses that have a mail server with open public relay ability:

mirc.com, georgecarlin.com, carrottop.com, anvdesign.net, symantec.com,
drsolomon.com, www.bocklabs.wisc.edu, ebay.com

and looks for the SendMail system allowed on there. If it is available, the virus, using this e-mail server, sends spam messages with the following fields:

mail from: Addr1@Addr2.com
rcpt to: Addr3
to: Addr3
from: Addr1@Addr2.com
Subject: RndText
Message body: Jack-In-The-Box Has Popped Up Again!

where Addr1 and Addr2 are randomly generated text strings up to eight letters of size, RndText is randomly generated text up to 50 symbols of the length, and Addr3 is randomly selected from the list:

evrt@avp.com
samples@datafellows.com
virus_research@nai.com
tech_support@nai.com

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
22 April 2024
Securelist
ToddyCat is making holes in your infrastructure
18 April 2024
Securelist
DuneQuixote campaign targets Middle Eastern entities with “CR4T” malware
17 April 2024
Securelist
SoumniBot: the new Android banker’s unique techniques
15 April 2024
Securelist
Using the LockBit builder to generate targeted ransomware
12 April 2024
Securelist
XZ backdoor story – Initial analysis
28 March 2024
Securelist
DinodasRAT Linux implant targeting entities worldwide
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.