Solutions for:
Home Products
Small Business
Medium Business
Enterprise
Vulnerabilities Threats
Home Threats Virus MSWord

Virus.MSWord.Wazzu

Class
Virus
Platform
MSWord

Parent class: VirWare

Viruses and worms are malicious programs that self-replicate on computers or via computer networks without the user being aware; each subsequent copy of such malicious programs is also able to self-replicate. Malicious programs which spread via networks or infect remote machines when commanded to do so by the “owner” (e.g. Backdoors) or programs that create multiple copies that are unable to self-replicate are not part of the Viruses and Worms subclass. The main characteristic used to determine whether or not a program is classified as a separate behaviour within the Viruses and Worms subclass is how the program propagates (i.e. how the malicious program spreads copies of itself via local or network resources.) Most known worms are spread as files sent as email attachments, via a link to a web or FTP resource, via a link sent in an ICQ or IRC message, via P2P file sharing networks etc. Some worms spread as network packets; these directly penetrate the computer memory, and the worm code is then activated. Worms use the following techniques to penetrate remote computers and launch copies of themselves: social engineering (for example, an email message suggesting the user opens an attached file), exploiting network configuration errors (such as copying to a fully accessible disk), and exploiting loopholes in operating system and application security. Viruses can be divided in accordance with the method used to infect a computer:
  • file viruses
  • boot sector viruses
  • macro viruses
  • script viruses
Any program within this subclass can have additional Trojan functions. It should also be noted that many worms use more than one method in order to spread copies via networks.

Class: Virus

Viruses replicate on the resources of the local machine. Unlike worms, viruses do not use network services to propagate or penetrate other computers. A copy of a virus will reach remote computers only if the infected object is, for some reason unrelated to the virus function, activated on another computer. For example: when infecting accessible disks, a virus penetrates a file located on a network resource a virus copies itself to a removable storage device or infects a file on a removable device a user sends an email with an infected attachment.

Read more

Platform: MSWord

Microsoft Word (MS Word) is a popular word processor and part of Microsoft Office. Microsoft Word files have a .doc or .docx extension.

Description

Technical Details

This virus contains only one macro autoOpen and infects files when MS Word opens them, and copies its macros to Global area (NORMAL.DOT) when MS Word opens an infected document. The virus is not encrypted and may be easily detected by scanning for text strings: 

RndWorddo
wazzu do
RndWorddRgV
After infecting a document or installing into the system the virus takes a random selected word from document and moves it to random selected position. The virus repeats that up to three times depending on the random counter. Then it also depending on the random counter inserts the string "wazzu " at random selected position within document.

In detail: the virus has three subroutines in its macro: 

MAIN -    it is main routine and it takes control when autoOpen
macro is executed
Payload - is called by MAIN, replaces words and inserts "wazzu".
RndWord - is called by Payload, sets random selected position
within document
The virus modifies the document with the probabilities (p): replacing words - three times with p=1/5, inserting "wazzu" - p=1/4.

Wazzu-related viruses

The original "Wazzu" ("Wazzu.a") virus is one of the most widespread viruses on the world. The possible reason is that this virus was placed on the Microsoft WWW site, infected documents also were (are) distributed on several CD disks. As a result there are several dozens of related viruses, and the number of such related viruses is increasing every month. Below short descriptions are given, to name viruses CARO standard names are used (AVP does detect and disinfect majority of these viruses as "Wazzu.a").

"Wazzu.b,i" differ from original one only by included comment: 

< - - - - - - here 's the payload
"Wazzu.c,t,ac" do not manifest themselves in any way - they have no Payload subroutine (RndWord subroutine presents in virus, but is never called).

"Wazzu.d,f,q,w,ad" do not have both Payload and RndWord subroutines. "Wazzu.f" is a shortest virus in the family - its code (binary data in infected file) has only 318 bytes of length.

"Wazzu.e,h" are encrypted variants of original "Wazzu". "Wazzu.h" is slightly corrupted and may halt MS Word or cause an error message.

"Wazzu.g,r" are encrypted viruses. "Wazzu.g" contains EatThis subroutine instead of original Payload. With probability 1/10 these viruses display a MessageBox with the text: 

Microsoft Word
This one's for you, Bosco.
"Wazzu.k" is corrupted "Wazzu.a".

"Wazzu.l" do not have any subroutines in macro except MAIN. With probability 1/10 it appends the string " wazzu!" to the end of document.

"Wazzu.m,s" have no Payload subroutine, but call it. That will cause Word's error message.

"Wazzu.u,aa,ad" are the same as "Wazzu.a", but do not insert the "wazzu" string.

"Wazzu.x" does not contains any subroutines except MAIN. It contains the text: 

The Meat Grinder virus - Thanks to Kermit the Frog,
and Kermit the Protocol
"Wazzu.y,z" are the same as "Wazzu.a", but code of these virus is slightly modified, for example all TAB (09h) symbols are replaced with 8 spaces in "Wazzu.y".

Read more

Find out the statistics of the vulnerabilities spreading in your region on statistics.securelist.com

Found an inaccuracy in the description of this vulnerability? Let us know!
Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Related articles
25 June 2025
Securelist
AI and collaboration tools: how cyberattackers are targeting SMBs in 2025
23 June 2025
Securelist
SparkKitty, SparkCat’s little brother: A new Trojan spy found in the App Store and Google Play
11 June 2025
Securelist
Toxic trend: Another malware threat targets DeepSeek
09 June 2025
Securelist
Sleep with one eye open: how Librarian Ghouls steal data by night
06 June 2025
Securelist
Analysis of the latest Mirai wave exploiting TBK DVR devices with CVE-2024-3721
05 June 2025
Securelist
IT threat evolution in Q1 2025. Non-mobile statistics
Found an inaccuracy in the description of this vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Found a new Threat or Vulnerability?
If you found a new Threat or Vulnerability, please, let us know by email:
newvirus@kaspersky.com
Solutions for
Home Products
Small Business
Medium Business
Enterprise
Select language
Sorting
Threat
Confirm changes?
Your message has been sent successfully.