Kaspersky Threats

Class

Platform

Description

Technical Details

This virus contains only one macro autoOpen and infects files when MS Word
opens them, and copies its macros to Global area (NORMAL.DOT) when MS Word
opens an infected document. The virus is not encrypted and may be easily
detected by scanning for text strings:



RndWorddo

wazzu do

RndWorddRgV

After infecting a document or installing into the system the virus takes a
random selected word from document and moves it to random selected
position. The virus repeats that up to three times depending on the random
counter. Then it also depending on the random counter inserts the string
“wazzu ” at random selected position within document.

In detail: the virus has three subroutines in its macro:



MAIN –    it is main routine and it takes control when autoOpen

macro is executed

Payload – is called by MAIN, replaces words and inserts “wazzu”.

RndWord – is called by Payload, sets random selected position

within document

The virus modifies the document with the probabilities (p): replacing words
– three times with p=1/5, inserting “wazzu” – p=1/4.

Wazzu-related viruses

The original “Wazzu” (“Wazzu.a”) virus is one of the most widespread
viruses on the world. The possible reason is that this virus was placed on the
Microsoft WWW site, infected documents also were (are) distributed on
several CD disks. As a result there are several dozens of related viruses,
and the number of such related viruses is increasing every month. Below short
descriptions are given, to name viruses CARO standard names are used (AVP
does detect and disinfect majority of these viruses as “Wazzu.a”).

“Wazzu.b,i” differ from original one only by included comment:



< - - - - - - here 's the payload

“Wazzu.c,t,ac” do not manifest themselves in any way – they have no Payload
subroutine (RndWord subroutine presents in virus, but is never called).

“Wazzu.d,f,q,w,ad” do not have both Payload and RndWord subroutines.
“Wazzu.f” is a shortest virus in the family – its code (binary data in
infected file) has only 318 bytes of length.

“Wazzu.e,h” are encrypted variants of original “Wazzu”. “Wazzu.h” is
slightly corrupted and may halt MS Word or cause an error message.

“Wazzu.g,r” are encrypted viruses. “Wazzu.g” contains EatThis subroutine
instead of original Payload. With probability 1/10 these viruses display a
MessageBox with the text:



Microsoft Word

This one’s for you, Bosco.

“Wazzu.k” is corrupted “Wazzu.a”.

“Wazzu.l” do not have any subroutines in macro except MAIN. With
probability 1/10 it appends the string ” wazzu!” to the end of document.

“Wazzu.m,s” have no Payload subroutine, but call it. That will cause
Word’s error message.

“Wazzu.u,aa,ad” are the same as “Wazzu.a”, but do not insert the “wazzu”
string.

“Wazzu.x” does not contains any subroutines except MAIN. It contains the
text:



The Meat Grinder virus – Thanks to Kermit the Frog,

and Kermit the Protocol

“Wazzu.y,z” are the same as “Wazzu.a”, but code of these virus is slightly
modified, for example all TAB (09h) symbols are replaced with 8 spaces in
“Wazzu.y”.

Class	Virus
Platform	MSWord
Description	Technical Details This virus contains only one macro autoOpen and infects files when MS Word opens them, and copies its macros to Global area (NORMAL.DOT) when MS Word opens an infected document. The virus is not encrypted and may be easily detected by scanning for text strings: RndWorddo wazzu do RndWorddRgV After infecting a document or installing into the system the virus takes a random selected word from document and moves it to random selected position. The virus repeats that up to three times depending on the random counter. Then it also depending on the random counter inserts the string “wazzu ” at random selected position within document. In detail: the virus has three subroutines in its macro: MAIN – it is main routine and it takes control when autoOpen macro is executed Payload – is called by MAIN, replaces words and inserts “wazzu”. RndWord – is called by Payload, sets random selected position within document The virus modifies the document with the probabilities (p): replacing words – three times with p=1/5, inserting “wazzu” – p=1/4. Wazzu-related viruses The original “Wazzu” (“Wazzu.a”) virus is one of the most widespread viruses on the world. The possible reason is that this virus was placed on the Microsoft WWW site, infected documents also were (are) distributed on several CD disks. As a result there are several dozens of related viruses, and the number of such related viruses is increasing every month. Below short descriptions are given, to name viruses CARO standard names are used (AVP does detect and disinfect majority of these viruses as “Wazzu.a”). “Wazzu.b,i” differ from original one only by included comment: < - - - - - - here 's the payload “Wazzu.c,t,ac” do not manifest themselves in any way – they have no Payload subroutine (RndWord subroutine presents in virus, but is never called). “Wazzu.d,f,q,w,ad” do not have both Payload and RndWord subroutines. “Wazzu.f” is a shortest virus in the family – its code (binary data in infected file) has only 318 bytes of length. “Wazzu.e,h” are encrypted variants of original “Wazzu”. “Wazzu.h” is slightly corrupted and may halt MS Word or cause an error message. “Wazzu.g,r” are encrypted viruses. “Wazzu.g” contains EatThis subroutine instead of original Payload. With probability 1/10 these viruses display a MessageBox with the text: Microsoft Word This one’s for you, Bosco. “Wazzu.k” is corrupted “Wazzu.a”. “Wazzu.l” do not have any subroutines in macro except MAIN. With probability 1/10 it appends the string ” wazzu!” to the end of document. “Wazzu.m,s” have no Payload subroutine, but call it. That will cause Word’s error message. “Wazzu.u,aa,ad” are the same as “Wazzu.a”, but do not insert the “wazzu” string. “Wazzu.x” does not contains any subroutines except MAIN. It contains the text: The Meat Grinder virus – Thanks to Kermit the Frog, and Kermit the Protocol “Wazzu.y,z” are the same as “Wazzu.a”, but code of these virus is slightly modified, for example all TAB (09h) symbols are replaced with 8 spaces in “Wazzu.y”.

Virus.MSWord.Wazzu

Technical Details

Wazzu-related viruses