Virus.MSWord.Wazzu

Class Virus
Platform MSWord
Description

Technical Details


This virus contains only one macro autoOpen and infects files when MS Word
opens them, and copies its macros to Global area (NORMAL.DOT) when MS Word
opens an infected document. The virus is not encrypted and may be easily
detected by scanning for text strings:


RndWorddo
wazzu do
RndWorddRgV

After infecting a document or installing into the system the virus takes a
random selected word from document and moves it to random selected
position. The virus repeats that up to three times depending on the random
counter. Then it also depending on the random counter inserts the string
“wazzu ” at random selected position within document.


In detail: the virus has three subroutines in its macro:


MAIN – it is main routine and it takes control when autoOpen
macro is executed
Payload – is called by MAIN, replaces words and inserts “wazzu”.
RndWord – is called by Payload, sets random selected position
within document

The virus modifies the document with the probabilities (p): replacing words
– three times with p=1/5, inserting “wazzu” – p=1/4.

Wazzu-related viruses


The original “Wazzu” (“Wazzu.a”) virus is one of the most widespread
viruses on the world. The possible reason is that this virus was placed on the
Microsoft WWW site, infected documents also were (are) distributed on
several CD disks. As a result there are several dozens of related viruses,
and the number of such related viruses is increasing every month. Below short
descriptions are given, to name viruses CARO standard names are used (AVP
does detect and disinfect majority of these viruses as “Wazzu.a”).


“Wazzu.b,i” differ from original one only by included comment:


< - - - - - - here 's the payload

“Wazzu.c,t,ac” do not manifest themselves in any way – they have no Payload
subroutine (RndWord subroutine presents in virus, but is never called).


“Wazzu.d,f,q,w,ad” do not have both Payload and RndWord subroutines.
“Wazzu.f” is a shortest virus in the family – its code (binary data in
infected file) has only 318 bytes of length.


“Wazzu.e,h” are encrypted variants of original “Wazzu”. “Wazzu.h” is
slightly corrupted and may halt MS Word or cause an error message.


“Wazzu.g,r” are encrypted viruses. “Wazzu.g” contains EatThis subroutine
instead of original Payload. With probability 1/10 these viruses display a
MessageBox with the text:


Microsoft Word
This one’s for you, Bosco.

“Wazzu.k” is corrupted “Wazzu.a”.


“Wazzu.l” do not have any subroutines in macro except MAIN. With
probability 1/10 it appends the string ” wazzu!” to the end of document.


“Wazzu.m,s” have no Payload subroutine, but call it. That will cause
Word’s error message.


“Wazzu.u,aa,ad” are the same as “Wazzu.a”, but do not insert the “wazzu”
string.


“Wazzu.x” does not contains any subroutines except MAIN. It contains the
text:


The Meat Grinder virus – Thanks to Kermit the Frog,
and Kermit the Protocol

“Wazzu.y,z” are the same as “Wazzu.a”, but code of these virus is slightly
modified, for example all TAB (09h) symbols are replaced with 8 spaces in
“Wazzu.y”.