
 AntiViral Toolkit Pro for Microsoft Word (AVPWW)
 ------------------------------------------------
                  version 1.02

This package contains an anti-virus utility for the two known viruses that
infect Microsoft Word documents. This package is FREEWARE.

To check your Microsoft Word for the viruses, load Microsoft Word and open
the AVPWW102.DOC file. If your Word is already infected, AVPWW displays a
warning message. To install AVPWW as a "memory resident" utility, press the
"Install" button while reading the AVPWW102.DOC file.

See AVPWW102.DOC for more details.

To find all the infected files, use the anti-virus database WINWORD.AVB with
the AVP for DOS anti-virus scanner. Run it in "Redundant" mode (see the AVP
for DOS "Setup" menu). Then load every infected document into Word with the
AVPWW utility installed: once installed, AVPWW disinfects them automatically.


 The contents of package
 -----------------------

The package contains the following files:

 AVPWW102.TXT - this file
 AVPWW102.DOC - anti-virus utility AVPWW ver. 1.02
 WINWORD.AVB  - anti-virus database for AVP for DOS scanner
 FILE_ID_DIZ  - ID file


 Viruses that infect Microsoft Word documents
 ---------------------------------------------

The year 1995 brought a new type of virus: Microsoft Word document 
infectors. These viruses infect (not overwrite!) DOC files in the Microsoft 
Word version 6 format.

The system gets infected while READING the infected file. To infect a 
computer it is only necessary to run Microsoft Word version 6 and open the 
infected file. The virus then spreads into every newly created DOC file. 
When such a newly created (and infected) file is sent to another, clean 
computer, it infects that computer too as soon as it is opened in Microsoft 
Word.

These viruses spread VERY FAST: DOC files are sent and received far more 
often than executable files.

These viruses can infect Microsoft Word files on any computer, not only on 
the IBM-PC. They work perfectly well under Microsoft Word 7 and Microsoft 
Word 6 for NT.


When a Word document file is opened, Word executes the macros stored inside 
that file. If the document is infected, Word executes the *infected* macros, 
i.e. the virus code. The virus copies its macros into the Global Macros 
area, defines a FileSaveAs macro, and from then on copies its macros into 
every newly created document (i.e. every document saved with the "Save As" 
command). While saving, the virus also converts the Microsoft Document files 
into Template format.

On exit from Word the Global Macros are automatically saved into the system 
DOT files (NORMAL.DOT or another). So on the next start of Word the virus 
receives control before the first document is read: it infects the 
environment while the Global Macros are loaded from the DOT file.


 WinWord.Concept virus (aka WW6Macro)
 ------------------------------------

Fortunately, this virus does not call any dangerous trigger routine; the
place reserved for that routine contains only the string:

 That's enough to prove my point

It is still not clear whether the virus is free of other, less obvious 
side effects (i.e. whether it is 100% compatible with Word or not).

Infected files contain the strings:

 see if we're already installed
 iWW6IInstance
 AAAZFS
 AAAZAO
 That's enough to prove my point

and others.

The WINWORD6.INI file on an infected system contains the line:

 WW6I= 1

On the first execution of the virus code (i.e. the first time an infected
file is opened) a message box showing the digit "1" appears.


 WinWord.Nuclear virus
 ---------------------

The WinWord.Nuclear virus infects Microsoft Word documents as well as COM, 
EXE and NewEXE (Windows) files.

In documents the virus consists of encrypted macros, which can drop the 
COM/EXE/NewEXE virus.

Once dropped, the COM/EXE/NewEXE virus stays memory resident and infects 
executable files, but it cannot infect Microsoft Word documents.

The virus contains the following macros:

 AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
 InsertPayload, Payload, DropSuriv, FileExit

During installation these macros are copied into the Global Macros area.

All these macros call the "DropSuriv" macro, which checks the system time 
and drops the COM/EXE/NewEXE virus if the time is between 17:00 and 18:00. 
The dropping is done with the DEBUG utility.

First the virus checks for C:\DOS\DEBUG.EXE. If it exists, the virus 
creates the temporary file PH33R.SCR in the C:\DOS directory and writes a 
hex dump of the COM/EXE/NewEXE virus together with DEBUG commands into it. 
Then the virus creates the temporary file EXEC_PH.BAT containing the lines:

 @echo off
 debug < ph33r.scr > nul

and executes it. As a result the DEBUG utility creates a copy of the 
COM/EXE/NewEXE virus in memory and executes it. That virus hooks INT 21h 
and appends itself to COM/EXE/NewEXE files when they are opened, executed, 
renamed or have their attributes changed.

The BAT file is executed in the background, so the user does not notice 
that there are now two(!) viruses on the PC.

Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.


When documents are printed, the virus appends the following text to 
approximately every 12th file (if the seconds value of the current time is 
55 or more):

 And finally I would like to say:
 STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These lines are appended to the document immediately before printing, so 
the user does not see them (documents often occupy more than one screen). 
This is a very curious effect, especially when documents are sent by fax.


On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.


The COM/EXE/NewEXE part of the virus contains the text strings:

 =Ph33r=
 Qark/VLAD



 New AVP Shareware Releases / Updates
 ------------------------------------

Information about new releases/updates is available in local conferences:

Internet:    relcom.comp.virus     Russia

FidoNet:     AVP.SUPPORT           Russia
             AVP.FR                France

New releases and updates for Antiviral Toolkit Pro (AVP) are available on:


Anonymous FTP sites:

a) Weekly & Cumulative Updates, Shareware versions:

Server:                        Path:                           Filenames:
===========================================================================

ftp.command-hq.com             /pub/command/avp/               *.*
io.com                         /pub/usr/pmonti/avp/            *.*
ftp.informatik.uni-hamburg.de  /pub/virus/progs/avp/           *.*
sunsite.unc.edu
           /pub/docs/security/hamburg-mirror/virus/progs/avp/  *.*
ftp.sct.fr            /pub/virus/tools/antivirus/avp/updates/  *.*
ftp.sunet.se                   /pub/security/virus/progs/avp/  *.*
ftp.uu.net                     /pub/security/virus/progs/avp/  *.*
ftp.icomm.rnd.su               /ANTIVIRUS/AVP/                 *.*

b) Cumulative Updates and Shareware versions:

Server:                        Path:                           Filenames:
===========================================================================

SimTel:
oak.oakland.edu                /pub/msdos/virus/               avp*.*

SimTel Mirrors:   (a small selection, there are many more)
ftp.switch.ch                  /mirror/simtel/msdos/virus/     avp*.*
ftp.cyf-kr.edu.pl              /pub/mirror/simtel/msdos/virus/ avp*.*
ftp.icm.edu.pl                 /pub/simtel/msdos/virus/        avp*.*
micros.hensa.ac.uk             /mirrors/simtel/msdos/virus/    avp*.*
ftp.ibp.fr                     /pub/pc/SimTel/msdos/virus/     avp*.*
ftp.cs.cuhk.hk                 /pub/simtel/msdos/virus/        avp*.*
ftp.sun.ac.za                  /pub/simtel/msdos/virus/        avp*.*

WWW-Sites:

URL:                                 Desc.                         Lang.
==========================================================================

http://www.marktplatz.ch/metro/      AVP-Information / News, etc.  E/D
http://www.command-hq.com/command    AVP-Information               E
http://www.icomm.rnd.su/icomm/avp/   AVP-Information               R/E

                                         Lang.:  E=English  D=Deutsch (German)
                                                 R=Russian

BBSs:

 Switzerland:
 Metropolitan Network BBS:
 +41 (0)31 348-1331   (2 lines) 2400-33600bps V.34+/V.FC/V.32bis/HST
 +41 (0)31 348-0422   (1 line)  2400-28800bps V.34/V.FC/V.32bis/HST

 Russia:
 +7 (8632) 69-6931 (8 lines) 2400-14400 V32bis
 +7 (095) 278-9949
 +7 (095) 932-8465
 +7 (092) 223-7354



 AVP distributors and technical support sites
 --------------------------------------------

Belgium:
  bvba DataRescue sprl, 110 route du Condroz, 4121 Neupré, Belgium
  contact     : Dr Pierre Vandevenne
  Phone/Fax   : +32-41-729114
  BBS/Fax     : +32-41-729110
  E-mail      : peterpan@datarescue.knooppunt.be
  FIDO        : 2:293/2213

France:
  Editions Gerard MANNIG, BP 7, F-76161 DARNETAL CEDEX
  contact     : Gerard MANNIG
  Phone/FAX   : +33 3559-9344/+33 3559-9344
  E-mail      : mannig@world-net.sct.fr
  FIDO        : 2:322/2.1

Germany:
  Howard Fuhs Elektronik, Computer Virus Research Lab Germany
  Rheingaustr. 152 65203 Wiesbaden - Biebrich
  Phone       : +49 611 67713
  Fax         : +49 611 603789
  CompuServe  : 100120,503
  Internet    : 100120.503@compuserve.com
  FIDO        : 2:244/2120.7

  PROKON software - Theo Christoph, Hauptstrasse 42
  07751 Rothenstein - Deutschland
  Phone       : +49 36424-56509
  Fax         : +49 36424-56511
  BBS         : +49 36424-56512  (v.32bis/terbo/V.FC/V.34 - soon available)
              : +49 36424-56513  (v.32bis/terbo/V.FC/V.34 - soon available)
  E-mail      : prokon@gtc11.gtc.net

Italy:
  C.S.I. srl
  Mail address: Rome, Aquileia st. n. 7 (Italy)
  Phone(s)    : +39-6-8607663, +39-6-5020879
  Fax         : +39-6-86321371
  E-mail:     : MC3162@mclink.it
                pmonti@io.com
  FIDO:       : 2:335/420

Netherlands:
  Address     : Roggekamp 416, 2592 VH The Hague, The Netherlands
  Contact     : Titia Vlaardingerbroek
  Phone       : +31703836044
  Fax         : +31703471256
  E-mail      : vrch@knoware.nl
  FIDO        : 2:281/552
  VIRNET      : 9:3110/0
  BBS         : +31703857867

Poland:
  Address     : VACIMEX Al. Stanow Zjednoczonych 46/24 04-036 Warszawa
  Tel/Fax     : +48-22 106246
  e-mail      : bored@maloka.waw.pl, vacimex@.maloka.waw.pl

Russia:
  KAMI Ltd., Moscow 109052 Nizhegorodskaya st. 29,
  Phone       : +7-095-278-9412
  Fax         : +7-095-278-2418
  E-mail      : eugene@kamis.msk.su
  BBS         : +7-095-278-9949
  FIDO        : 2:5020/156

 Intercommunications CO, 107/25 Oborony st, 344007, Rostov-na-Donu, Russia
 Contact      : Mikhael Monastyrsky, Alexander Ivanov
 Phone(s)     : +7 (8632) 62-0562, 63-1360, 64-3088
 Fax          : +7 (8632) 63-1360
 E-mail       : avp-support@icomm.rnd.su
 BBS          : +7 (8632) 69-6931 (8 lines) 2400-14400 V32bis
                or telnet icomm.rnd.su
 FTP          : ftp.icomm.rnd.su
 WWW          : www.icomm.rnd.su

 call for more AVP distributors in Russia

Switzerland:
  Metropolitan Network BBS, AVP, Postfach 827, 3000 Bern 8
  Contact     : Gerard VUILLE
  Phone(s)    : +41 (0)31 348-1333
  Fax         : +41 (0)31 348-1335
  E-mail      : avp-support@metro-net.ch
  BBS         : +41 (0)31 348-1331    (2400-33600bps V.34/V.FC/HST)
  WWW         : http://www.thenet.ch/metro/
                http://www.marktplatz.ch/metro/

USA:
  Company     : Central Command Inc.
  Address     : P.O. Box 856 Brunswick, Ohio 44212
  Phone       : 216-273-2820
  FAX         : 216-273-2820
  Contact     : Keith A. Peer
  E-mail      : keith@command-hq.com
  Support     : support@command-hq.com
  Sales       : sales@command-hq.com
  FTP         : ftp.command-hq.com  /pub/command/avp
  WWW         : http://www.command-hq.com/command  [not operational yet]

