Friday, July 15, 2011

MS_Word.Saver

VirusHunter warns computer users about a dangerous macro virus, MS_Word.Saver, which affects machines running Word 97 and Word 2003 ...


1. Sources of distribution and installation in the system.

Saver (translated from English as "Sohranitel") is a macro virus that functions on machines with MS Office installed, where the suite includes Word 97 (version 8.0) or Word 2003 (version 11.0; Microsoft made this version compatible with all previous versions of Word, which is why the virus described below works in it). The virus takes its name from a "copyright" text string contained in its code, Saver Virus, as well as from its ability to create on-disk copies of the documents it infects. It was written on February 2, 2000 in Konotop, as evidenced by another "copyright" string in its body: Macro recorded 02/02/00 Konotop.

Saver infects documents stored in the DOC format, as well as MS Office template files (DOT files). The virus cannot infect documents saved in the RTF format, because their structure has no macro section (the section holding the settings related to the layout of the current document: font size and type, margin sizes, placement of objects, and so on), which rules out infection. The virus can reach a machine only through infected documents or template files with the extensions listed above, if the user opens one and then ignores the macro security warning built into Word.











Infection takes place if the user chooses "Enable Macros", which is what most users do when this prompt appears. Saver then disables Word 97's built-in protection against macro viruses, VirusProtection (under Word 2003 the virus cannot do this, because the protection there works on somewhat different principles), and infects the editor's settings template file:

in Word 97: C:\Program Files\Microsoft Office\Templates\Normal.dot
in Word 2003: C:\Documents and Settings\%current user name%\Application Data\Microsoft\Templates\Normal.dot

changing its nominal size from 26,624 bytes to 39,424 bytes or from 27,136 bytes to 39,936 bytes for Word 97 (explanation: Normal.dot may have one of two nominal sizes, depending on certain system conditions). In Word 2003 the size of an infected template file can differ, because the original size of the file can vary substantially depending on a number of settings made in Word.

The virus then turns Normal.dot into a dropper for its own program (a "dropper" is a starter or activator): it changes the file's contents so that control is transferred to the viral code. The virus keeps this code in a file it creates, saver.dll:

in Word 97: C:\Program Files\Microsoft Office\Office\saver.dll
in Word 2003: C:\Program Files\Microsoft Office\Office11\saver.dll

This file is 29,696 bytes in size and is a virus-modified Normal.dot template file.






















2. Infection of documents.

When Word starts, Normal.dot transfers control to the viral "template file" saver.dll. Experiments carried out with the virus on a test machine gave the following results:

1. The virus infects documents when they are closed: it writes its code into their macro section, using its own AutoSave macro. The virus suppresses the standard prompt to confirm saving a changed document, so changes made to the document by both the virus and the user are saved automatically without the user's knowledge.

2. If the document was simply opened by the user, or edited and saved via the "Save" button, the virus infects that document; but if the user re-saved it via "Save As ...", the virus infects only the re-saved document and leaves the original unchanged. In both cases the increase in file size after infection depends on several conditions and has no fixed value.

3. Because the virus infects documents again, even when they are merely viewed without the user making any changes, file size grows constantly, so on older machines with small hard drives the free space shrinks very quickly. Word may also slow down considerably, because of the extra system resources spent on processing the macro sections of infected documents "bloated" by the virus, and this may eventually cause a hang when such documents are opened.

4. After infecting the first document on a clean machine, the virus creates a subdirectory:

in Word 97: C:\Program Files\Microsoft Office\Office\Doc_Copy\
in Word 2003: C:\Program Files\Microsoft Office\Office11\Doc_Copy\

into which it copies each newly infected document. Subsequently, if the name of the currently open document passing through the virus (whether for the first time or again does not matter) matches the name of a copy already in the "Doc_Copy" directory, the virus, depending on its internal counters, can overwrite the original contents of that document with the contents of the copy, which means irrevocable loss of the current document. There is also a leak of confidential data if the machine has several users: for example, one of them works from a floppy disk with a document containing sensitive financial or other information that the other users should not know. Once the virus has copied the file into the "Doc_Copy" folder, the contents of the document may be available for viewing by the other users of the computer.

5. When Word is closed, the virus shuts down automatically: its AutoClose macro is triggered.























3. Miscellaneous.

When MS PowerPoint is started, the virus does not manifest itself, does not disable PowerPoint's macro protection, and does not infect any presentation files.
When MS Excel is started, a macro protection warning similar to Word's appears, but even if you ignore it and do not disable the macros, the virus does not disable Excel's macro protection and does not infect spreadsheet files, because the way Excel changes and stores its macro configuration differs from the way Word does.


4. Treating a machine for the virus.

I do not recommend disinfecting files infected with this virus (or with other macro viruses) using the DrWeb antivirus, since it always cleans the macro section of files poorly, leaving the bulk of the macro virus code intact. Opening such "cured" files on a clean machine causes the macro protection of Word and Excel to warn about a suspicious macro fragment in the document. A typical user cannot tell that the start code of the virus has already been removed from the file and concludes that he is dealing with a "virus", and a new one at that, not detected by any antivirus program for the reason given above.

Since January 2005, some antivirus companies have changed their names for the virus to the following:

Kaspersky AntiVirus: Virus.MSWord.Saver
Trend PC-cillin: W97M_DOCOPY.A
BitDefender Professional: W97M.Saver.E
DrWeb: W97M.Saver

After the machine has been successfully disinfected, the viral component saver.dll and the subdirectory "Doc_Copy" can be deleted manually.
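The leftovers named in this description (saver.dll, the Doc_Copy subdirectory, and the Word 97 Normal.dot sizes) can be checked for before manual cleanup. The script below is an added example, not part of the original description; the function names and the temporary directory layout built in demo() are assumptions made for illustration, while the file names and sizes are the ones given in the text.

```python
import os
import tempfile

# Names and sizes taken from the description above.
SAVER_DLL_SIZE = 29696
INFECTED_NORMAL_DOT_SIZES_W97 = {39424, 39936}
OFFICE_SUBDIR = {"97": "Office", "2003": "Office11"}


def check_saver_artifacts(office_root, normal_dot, word_version):
    """List Saver leftovers for one Office installation (root such as
    C:\\Program Files\\Microsoft Office; word_version "97" or "2003")."""
    findings = []
    office_dir = os.path.join(office_root, OFFICE_SUBDIR[word_version])
    dll = os.path.join(office_dir, "saver.dll")
    if os.path.isfile(dll):
        size = os.path.getsize(dll)
        note = "size matches" if size == SAVER_DLL_SIZE else "size differs"
        findings.append(f"saver.dll present ({size} bytes, {note})")
    copies = os.path.join(office_dir, "Doc_Copy")
    if os.path.isdir(copies):
        count = sum(len(files) for _, _, files in os.walk(copies))
        findings.append(f"Doc_Copy present ({count} copied documents)")
    # Size check only for Word 97: the description says the Word 2003
    # template size varies with the user's settings.
    if word_version == "97" and os.path.isfile(normal_dot):
        if os.path.getsize(normal_dot) in INFECTED_NORMAL_DOT_SIZES_W97:
            findings.append("Normal.dot size matches an infected value")
    return findings


def demo():
    """Scan a constructed Word 97 layout built in a temporary directory."""
    with tempfile.TemporaryDirectory() as root:
        office = os.path.join(root, "Office")
        os.makedirs(os.path.join(office, "Doc_Copy"))
        samples = {  # constructed files, sized to match the description
            os.path.join(office, "saver.dll"): SAVER_DLL_SIZE,
            os.path.join(office, "Doc_Copy", "report.doc"): 512,
            os.path.join(root, "Normal.dot"): 39424,
        }
        for path, size in samples.items():
            with open(path, "wb") as handle:
                handle.write(b"\0" * size)
        return check_saver_artifacts(root, os.path.join(root, "Normal.dot"), "97")


if __name__ == "__main__":
    print("\n".join(demo()))
```

Files found in Doc_Copy are copies of users' documents, so they should be reviewed for sensitive content before the directory is deleted.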














5. Restoring macro security in MS Word 97.

Go through the following menus / options:

for the Russian version of MS Office 97

Start -> Programs -> MS Word -> Tools -> Options -> General -> Protection against macro viruses (tick the checkbox) -> OK

for the English version of MS Office 97

Start -> Programs -> MS Word -> Service -> Options -> General -> Security virus-in macros (tick the checkbox) -> OK


Study of the malicious code and development of the description: Broido Herman (aka VirusHunter)
Date created: 23.12.2003
Date of last change: 03.10.2006
Author of the description: Broido Herman (aka VirusHunter)
