A new virus, Suppl.doc, is quietly replicating itself using some of the same techniques as Worm.ExploreZip, and waiting a week before it starts rendering files unusable, according to a security vendor.
Network Associates and its AVERT (Anti-Virus Emergency Response Team) division have placed a "Medium" risk assessment on the new Suppl Word Macro virus after analysing its code and seeing it posted to more than 25 alt.sex newsgroups since Friday, September 17. That is where the Melissa virus first surfaced.
"It is taking the destructive power of ExploreZip and it was posted on over 25 alt.sex newsgroups, where the original posting of Melissa was found," said Sal Viveros, group marketing manager for Total Virus Defense for Network Associates Inc. (NAI). "It has the makings of something that could become high risk, that's why we want to get out there ahead of time."
Suppl does not send itself to other users from an infected machine but instead spreads by monitoring a user's email usage and attaching an infected document entitled "suppl.doc" to all outbound Internet email.
If a recipient opens the attachment, they will see only a blank screen while the system is infected. Approximately 163 hours after infection, the virus will begin "nulling," or setting each file's length to zero bytes, rendering the data inaccessible. All files with the extensions .doc, .xls, .txt, .rtf, .dbf, .zip, .arj, and .rar on local fixed disks, including the user's C drive, are affected, according to AVERT.
Network Associates found the virus on the news sites Friday night, and had only had two customers report an infection as of Monday, giving the virus its medium risk. The virus may become more prevalent and dangerous in the coming days, since a user may be infected and not see any ill effects until seven days after the infection occurred.
"With this one, the virus writer wanted the virus to spread longer without being detected," said Viveros. "If people do not have protection updated, they wouldn't have noticed it for a week. You don't know it's happening, any email you are sending it's attaching itself to."
SUPPL.DOC has macro code which makes use of two routines found in the DLL files, LZ32.DLL and KERNEL32.DLL. When the document is opened, if Word's macro warning feature is enabled, a warning appears. The virus will write three files to the Windows directory -- WININIT.INI, DLL.LZH, and ANTHRAX.INI -- then automatically expand the compressed file DLL.LZH to DLL.TMP.
The file DLL.TMP is a replacement WSOCK32.DLL file. The contents of the new WININIT.INI file instruct the operating system to replace the current WSOCK32.DLL file by first renaming it to WSOCK33.DLL, then renaming DLL.TMP to WSOCK32.DLL.
Windows uses the WININIT.INI file at boot time to perform these actions. The new WSOCK32.DLL includes the instructions to both monitor outbound email and to begin nulling files approximately 163 hours after infection, according to AVERT.
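The boot-time rename described above is a documented Windows 9x mechanism: each line in the `[rename]` section of WININIT.INI has the form `destination=source`, and Windows applies the renames in order before the system is fully up, which is how the replacement Winsock library gets into place without the file being locked. The following detection helper is an added example and is not code from AVERT, Network Associates or the article; it assumes that `[rename]` format and uses a constructed WININIT.INI sample that mirrors the two renames the article describes (WSOCK32.DLL to WSOCK33.DLL, then DLL.TMP to WSOCK32.DLL). It flags any rename touching WSOCK32.DLL and reports which of the dropped file names from the advisory appear in a directory listing.

```python
"""Added example: flag WININIT.INI [rename] entries that swap out WSOCK32.DLL,
and look for the files the Suppl advisory says are dropped in the Windows
directory. Assumes the documented Windows 9x WININIT.INI format, where every
line under [rename] reads  destination=source  and is applied at boot.
"""
import os

# File names the advisory says the macro drops or creates (names only; the
# Windows directory itself differs from machine to machine).
DROPPED_ARTIFACTS = {"ANTHRAX.INI", "DLL.LZH", "DLL.TMP", "WSOCK33.DLL"}

# System libraries whose replacement through [rename] is worth alerting on.
WATCHED_DLLS = {"WSOCK32.DLL"}

# Constructed sample: what the WININIT.INI written by the macro would need to
# contain to perform the two renames the article describes. Not a real capture.
SAMPLE_WININIT = """\
[rename]
C:\\WINDOWS\\SYSTEM\\WSOCK33.DLL=C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL
C:\\WINDOWS\\SYSTEM\\WSOCK32.DLL=C:\\WINDOWS\\DLL.TMP
"""


def parse_rename_section(ini_text):
    """Return (destination, source) pairs from the [rename] section, in order."""
    pairs = []
    in_rename = False
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or INI comment
        if line.startswith("[") and line.endswith("]"):
            in_rename = line[1:-1].strip().lower() == "rename"
            continue
        if in_rename and "=" in line:
            dest, src = (part.strip() for part in line.split("=", 1))
            pairs.append((dest, src))
    return pairs


def _file_name(path):
    """Case-folded file name of a Windows path, usable on any host OS."""
    return os.path.basename(path.replace("\\", "/")).upper()


def suspicious_renames(ini_text):
    """Rename entries whose source or destination is a watched system DLL.

    Both directions matter: moving WSOCK32.DLL aside and moving a staged file
    onto the WSOCK32.DLL name are each a sign the Winsock library is being
    replaced at boot.
    """
    hits = []
    for dest, src in parse_rename_section(ini_text):
        if _file_name(dest) in WATCHED_DLLS or _file_name(src) in WATCHED_DLLS:
            hits.append((dest, src))
    return hits


def dropped_artifacts_present(listing):
    """Given file names from the Windows directory, return advisory artifacts seen."""
    return sorted({name.upper() for name in listing} & DROPPED_ARTIFACTS)


if __name__ == "__main__":
    for dest, src in suspicious_renames(SAMPLE_WININIT):
        print(f"boot-time rename touches Winsock: {src} -> {dest}")
    # Constructed directory listing standing in for a scan of the Windows dir.
    found = dropped_artifacts_present(["win.ini", "anthrax.ini", "dll.lzh"])
    print("advisory artifacts present:", found)
```

On a real host the listing passed to `dropped_artifacts_present` would come from the Windows directory, and the INI text from the WININIT.INI file found there; an entry that only contains the two renames above, with no other software having scheduled an update, is the pattern to treat as an indicator.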
Users should not open any attachments labeled suppl.doc included with email, and as always, Network Associates recommends that users update their DAT files to protect against new viruses.