Parent class: VirWare
Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources).
Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security.
Viruses can be divided in accordance with the method used to infect a computer:
- file viruses
- boot sector viruses
- macro viruses
- script viruses
Class: Virus
Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example:
- when infecting accessible disks, a virus penetrates a file located on a network resource
- a virus copies itself to a removable storage device or infects a file on a removable device
- a user sends an email with an infected attachment
Platform: MSWord
Microsoft Word (MS Word) is a popular word processor and part of Microsoft Office. Microsoft Word files have a .doc or .docx extension.
Description
Technical Details
This virus contains only one macro, autoOpen. It infects files when MS Word opens them, and copies its macro to the global area (NORMAL.DOT) when MS Word opens an infected document. The virus is not encrypted and may be easily detected by scanning for text strings:
RndWorddo wazzu do RndWorddRgV
After infecting a document or installing itself into the system, the virus takes a randomly selected word from the document and moves it to a randomly selected position. The virus repeats this up to three times, depending on a random counter. Then, also depending on the random counter, it inserts the string "wazzu " at a randomly selected position within the document.
In detail: the virus has three subroutines in its macro:
- MAIN - the main routine; it takes control when the autoOpen macro is executed
- Payload - called by MAIN; replaces words and inserts "wazzu"
- RndWord - called by Payload; sets a randomly selected position within the document
The virus modifies the document with the following probabilities (p): replacing words - three times with p=1/5, inserting "wazzu" - p=1/4.
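The string scan mentioned above can be sketched as follows. This is an added example, not code from the original description or from any anti-virus product; it assumes the markers appear exactly as spelled on this page (the RndWord subroutine name and the "wazzu" payload text), in single-byte or UTF-16LE form, and the function names are hypothetical.

```python
import io

# Marker strings taken from the description above. Matching them exactly as
# spelled there, in single-byte and UTF-16LE form, is an assumption.
# Encrypted variants and variants without these subroutines will not match.
MARKERS = ("RndWord", "wazzu")


def _encodings(marker):
    return (marker.encode("ascii"), marker.encode("utf-16-le"))


def scan_stream(stream, chunk_size=64 * 1024):
    """Return {marker: offset where it was first seen} for a binary stream."""
    overlap = max(len(e) for m in MARKERS for e in _encodings(m)) - 1
    hits, tail, base = {}, b"", 0
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            return hits
        buf = tail + chunk
        for marker in MARKERS:
            if marker in hits:
                continue
            found = [buf.find(e) for e in _encodings(marker)]
            found = [p for p in found if p >= 0]
            if found:
                hits[marker] = base + min(found)
        # Keep the last bytes so a marker split across two reads is still seen.
        tail = buf[-overlap:]
        base += len(buf) - len(tail)


def scan_bytes(data, chunk_size=64 * 1024):
    return scan_stream(io.BytesIO(data), chunk_size)


def verdict(hits):
    """Both markers together are a strong signal; one alone is only a hint."""
    if all(m in hits for m in MARKERS):
        return "match"
    return "weak" if hits else "no-match"


def demo():
    # Constructed sample bytes, not a real document: filler plus both markers.
    sample = (b"\x00" * 20 + b"Sub RndWord" + b"\x00" * 9
              + "wazzu ".encode("utf-16-le"))
    return scan_bytes(sample, chunk_size=8)  # tiny reads exercise the overlap
```

A "weak" result is expected on ordinary documents that merely contain the word "wazzu", which is why the verdict requires both markers before reporting a match.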
Wazzu-related viruses
The original "Wazzu" ("Wazzu.a") virus is one of the most widespread viruses in the world. The possible reason is that this virus was placed on the Microsoft WWW site; infected documents also were (are) distributed on several CD disks. As a result there are several dozen related viruses, and the number of such related viruses is increasing every month. Short descriptions are given below; CARO standard names are used to name the viruses (AVP detects and disinfects the majority of these viruses as "Wazzu.a").
"Wazzu.b,i" differ from the original one only by an included comment:
< - - - - - - here 's the payload
"Wazzu.c,t,ac" do not manifest themselves in any way - they have no Payload subroutine (the RndWord subroutine is present in the virus, but is never called).
"Wazzu.d,f,q,w,ad" have neither the Payload nor the RndWord subroutine. "Wazzu.f" is the shortest virus in the family - its code (binary data in the infected file) is only 318 bytes long.
"Wazzu.e,h" are encrypted variants of the original "Wazzu". "Wazzu.h" is slightly corrupted and may halt MS Word or cause an error message.
"Wazzu.g,r" are encrypted viruses. "Wazzu.g" contains an EatThis subroutine instead of the original Payload. With probability 1/10 these viruses display a MessageBox with the text:
Microsoft Word This one's for you, Bosco.
"Wazzu.k" is a corrupted "Wazzu.a".
"Wazzu.l" does not have any subroutines in its macro except MAIN. With probability 1/10 it appends the string " wazzu!" to the end of the document.
"Wazzu.m,s" have no Payload subroutine, but call it. That causes a Word error message.
"Wazzu.u,aa,ad" are the same as "Wazzu.a", but do not insert the "wazzu" string.
"Wazzu.x" does not contain any subroutines except MAIN. It contains the text:
The Meat Grinder virus - Thanks to Kermit the Frog, and Kermit the Protocol
"Wazzu.y,z" are the same as "Wazzu.a", but the code of these viruses is slightly modified; for example, all TAB (09h) symbols are replaced with 8 spaces in "Wazzu.y".