ALINK="#FF0000">

"Linux Gazette...making Linux just a little more fun!"


The Answer Guy


By James T. Dennis, tag@lists.linuxgazette.net
Starshine Technical Services, http://www.starshine.org/


(?)Macro Virus?

From garygonegolfing@juno.com on 14 Oct 1998

Hello, Answerguy,

I found you on the web. Your name simply dictates that I must ask you a question:

A user has a Dell Laptop running Windows 95, Office97, and Outlook 98. Apparently, he has acquired some sort of virus (I'm assuming here) because when he opens Outlook 98 (Exchange 5.5) and sends and email (replies or writes a new message) three windows automatically open and the cursor continuously types a character until he hits the spacebar. This happens when he opens a Word document and an Excel document, too.

(!)You only know part of the story. My full "name" is "The Linux Gazette Answer Guy" (tag).
So, I answer LINUX questions.
However....

(?)Background:

I've run McAfee 3.2 (with latest DAT files) and found no trace of viruses (clean boot, et al.). This laptop was sent back to Dell and they (supposedly) Fdisked it and reinstalled the OS. Worked for a while, but IT'S BAAAACK. Definitely sounds like some sort of file infection, but I'm at my witt's end. I've scanned all files on the network and found one Macro-infected virus (cleaned).

Any information or insight that you can provide would be welcome.

Thanks for your time, AG.

Gary Hollifield
MIS Manager
FOCUS Enhancements, Inc.

NOTE: Please reply to all (I would like to get this at work, too). Thanks again.

(!)As it happens I used to work for McAfee (as a Unix sysadmin, and their BBS SysOp). I also did some QA on SCAN.
While the behaviour you describe is suspicious, we can't definitely say that it is a virus solely from the symptoms you describe.
I would wipe the system personally (don't send it off to the chop shop, do it yourself). Leave it completely off of the network for a few days (at least twice as long as it seemed to take for the problem to appear on the prevous occasions).
Install all software, OS, Office, etc from the orginal CD's. Manually disable the "boot from floppy" options in the CMOS setup and the "autoexecute macro" features from WinWord and Excel. Manually inspect all documents that go onto the system (and limit yourself to short documents).
It could be some strange compatibility problem. If you don't see this happening on any other systems in your network, and with which this system as been sharing files, floppies and users, than it's not a virus (it's not spreading!).
Other than that, I'd consider putting Linux on it, and running that. Although there as been one "virus" for Linux (Bliss, a piece of sample code that actually managed to honestly infect a couple of users), they are simply not a problem for Linux, FreeBSD, or other Unix users.


Copyright © 1998, James T. Dennis
Published in Linux Gazette Issue 34 November 1998


[ Answer Guy Index ] apache current digi ether goodtimes intlX largedisk
maybe numlock quota recovery script serial session
sound tape testsuite w95ie w95ras w95virus xdm


[ Table Of Contents ] [ Front Page ] [ Previous Section ] [ Next Section ]