-------- From academic-firewalls-owner@net.tamu.edu Wed Feb 7 23:29:22 1996
X-Sender: swift@tamiya.llnl.gov
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: comp-sec@pierce.llnl.gov
Date: Wed, 7 Feb 1996 21:21:44 -0800
From: orvis@llnl.gov (Bill Orvis) (by way of uncl@llnl.gov (Frank Swift at Home))
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: 2/2 CIAC Bulletin G-10: Winword Macro Viruses

web site or from the CIAC archive. A description of the scanner is available at:

   http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

and the scanner itself is available at:

   http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

If you don't find these files at microsoft.com, it could be that the scanner has been revised again. In that case, connect to:

   http://www.microsoft.com

and use the search command to search for "macro virus".

To install the macro virus protection, simply open the template file with Word and follow the instructions. The macros automatically install themselves in your global macro file (just like the virus). A protected version of Word should have the following four macros attached to the "normal.dot" file:

   AutoExit
   FileOpen
   InstVer
   ShellOpen

FileOpen calls ShellOpen whenever a document is opened. ShellOpen checks each newly opened document to see if it has any macros attached. If there are macros in the document that is being opened, ShellOpen displays a dialog box giving you the choice to open the document anyway, remove the macros and open it, or cancel the open command.

If, for some reason, you can't use Microsoft's protection macro, you can disable auto-macros. You have three options:

   1. Disable the auto-macros.
   2. Disable the auto-macros and the auto-execute macro.
   3. Hold down Shift whenever you open a file to disable the AutoOpen macro.
To disable auto-macros, create the following macro named AutoExec in the global macro file (normal.dot). (A WordBasic macro body begins with "Sub MAIN"; the "Sub" keyword is restored here.)

   Sub MAIN
      DisableAutoMacros 1
      MsgBox "Auto-macros are disabled."
   End Sub

All auto-macros are disabled but a virus could still infect a system if it is activated by a command that replaces a normal command.

To disable auto-macros and the auto-execute macro, create the following macro in the global macro file (normal.dot) and name it "DisableMyAutoMacros".

   Sub MAIN
      DisableAutoMacros 1
      MsgBox "Auto-macros are disabled."
   End Sub

In the Program Manager or the Explorer in Windows 95, select the Word icon and choose the Properties command on the File menu. Add the following switch to the command line for Word.

   /mDisableMyAutoMacros

This command disables the AutoExec macro and runs the DisableMyAutoMacros procedure when Word starts up. Again, this does not disable macros with command names from replacing the commands. This also only works if you start Word by double clicking on the Word icon. If you start Word by double clicking on a document, it will not see the switch and will not run the DisableMyAutoMacros procedure.

When you hold down the Shift key while opening or double clicking a document, the AutoOpen macro is prevented from running. Other auto-macros may still run so you must check for a virus before doing anything else.

WARNING: The three methods of disabling auto-macros and the auto-execute macro do not fully protect you from a virus. While they prevent the auto-execute and auto-macro commands from running, they do not prevent any macros named the same as commands from replacing those commands. Any virus that uses replaced commands to initiate an infection will not be stopped. Only an external scanner or the Microsoft template will detect a document containing macros before it is opened.

Removing Macro Viruses
- - ----------------------

If you have an anti-virus scanner which detects and removes a macro virus, use it instead of trying to do it by hand.
The scanner will generally do the job and is much easier than removing the virus by hand. If you have Microsoft's virus macro protection installed, it will give you the option to remove any attached macros when you open the document. If you save the document with the same name, it will overwrite the infected document.

If you don't have a scanner or the protection macro, you can use the Organizer to find and remove macro viruses without infecting your system. The first step is to start Word and open the Organizer dialog box. There are two ways to open the Organizer:

   1. use the Tools Macro command and press the Organizer button;
   2. use the File Templates command and press the Organizer button.

In the Organizer dialog box click the Macros tab, click the Open File button, select the infected document and click OK. Back in the Organizer dialog box, select all the macros listed in the file and click the Delete button to remove them. Click the Close File button to close and save the file. The file can now be opened normally.

If you have just infected yourself by opening an infected document, don't close the document or quit Word. If you close the infected file or quit Word, you run the risk of running another of the auto-execute macros. See if you can get to the Organizer dialog box. Once in the Organizer you can delete the virus macros from the infected document and from the "normal.dot" file. Save those files, quit Word and restart it. You can then use the Organizer to check other documents for a virus infection.

If you can't get to the Organizer, quit Word without saving anything, find the "normal.dot" file and delete it. When you restart Word, it will create a new, empty "normal.dot" file. Note that you will also lose any custom styles which were stored in the "normal.dot" file and will have to redefine them.
On The Macintosh
- - ----------------

These macro viruses will run under Word 6 on the Macintosh, but most of the file access capability used by the viruses to damage a system will not work well. This is because file naming conventions on the Macintosh are different from those on other systems. Since the damaging parts of the viruses are written with a DOS-based file system in mind, it is unlikely that they will work.

Macro Viruses and E-Mail Messages
- - ---------------------------------

Many rumors have been circulated around the network about there being an e-mail message that destroys your system when you read it (Good Times). This can not happen with the current batch of mail readers. While an infected document could be attached to an e-mail message and would be downloaded to your disk when you read the attached message, it will not automatically be executed. As long as it has not been executed or read, it can not infect your system with a virus. At this point, you should scan it to make sure it is not infected.

Conclusions
- - -----------

Macro viruses are here to stay and we must deal with them in the same manner that we have had to deal with other viruses. If you don't know where a file has been, don't use it in your computer until you scan it. That is, if it is an executable, don't run it; if it is a document, don't open it. It does not matter how you obtained the file, whether it is a download from a BBS or web site, an attachment to an e-mail message, or a shrink-wrapped package from a commercial developer, scan them all. Even blank, preformatted disks are occasionally showing up with viruses.

The second thing to do is to install the Microsoft macro virus protection template to warn you if a document contains macros before you open it. Keep in mind that while Microsoft products are being targeted by these viruses, they are not the only products which have a macro capability which could be exploited.
Hopefully, in the next release of software programs which include extensive macro capabilities, there will be an easy way to disable macro execution and warn the user if documents contain macros. This change will make the problem of macro viruses go away very quickly.

______________________________________________________________________________

CIAC wishes to acknowledge the help of Michael Messuri and Charles Renert of Symantec Corp. and Chuck Noble of Digital Equipment Corp. for valuable assistance in the preparation of this bulletin.

______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the backup response team for the National Institute of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

   Voice:    +1 510-422-8193
   FAX:      +1 510-423-8002
   STU-III:  +1 510-423-2604
   E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites, and the NIH may contact CIAC 24-hours a day. During off hours (5PM - 8AM PST), call the CIAC voice number 510-422-8193 and leave a message, or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC duty person, and the secondary PIN number, 8550074 is for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.
   World Wide Web:  http://ciac.llnl.gov/
   Anonymous FTP:   ciac.llnl.gov (128.115.19.53)
   Modem access:    +1 (510) 423-4753 (14.4K baud)
                    +1 (510) 423-3331 (14.4K baud)

CIAC has several self-subscribing mailing lists for electronic publications:

   1. CIAC-BULLETIN for Advisories, highest priority - time critical information and Bulletins, important computer security information;
   2. CIAC-NOTES for Notes, a collection of computer security articles;
   3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability;
   4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and valid information for LastName FirstName and PhoneNumber when sending E-mail to ciac-listproc@llnl.gov:

   subscribe list-name LastName, FirstName PhoneNumber

e.g.,

   subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

   (F-28) Vulnerability in SunOS 4.1.* Sendmail (-oR option)
   (G-1)  Telnetd Vulnerability
   (G-2)  SunOS 4.1.X Loadmodule Vulnerability
   (G-3)  AOLGOLD Trojan Program
   (G-4)  X Authentication Vulnerability
   (G-5)  HP-UX FTP Vulnerability Bulletin
   (G-6)  Windows 95 Vulnerabilities
   (G-7)  SGI Object Server Vulnerability
   (G-8)  splitvt(1) Vulnerability
   (G-9)  Unix sendmail vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

   Notes 07 - 3/29/95  A comprehensive review of SATAN
   Notes 08 - 4/4/95   A Courtney update
   Notes 09 - 4/24/95  More on the "Good Times" virus urban legend
   Notes 10 - 6/16/95  PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability in S/Key, EBOLA Virus Hoax, and Caibua Virus
   Notes 11 - 7/31/95  Virus Update, Hats Off to Administrators, America On-Line Virus Scare, SPI 3.2.2 Released, The Die_Hard Virus
   Notes 12 - 9/12/95  Securely configuring Public Telnet Services, X Windows, beta release of Merlin, Microsoft Word Macro Viruses, Allegations of Inappropriate Data Collection in Win95

- -----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMReb5rnzJzdsy3QZAQFzdwP/d9yKlOO7Q+KLOAcFwixeL7gdFnCV7Mnj
F+LcPMQV2J57t9LxlDIPnRbK+wiUHiSKZQN0HCnJqEoHTvlPWel6OL4POyVV80qY
BgF+uOJY3ngn3o+FK8tdLfuqgLzYpaJBsXhMsumizs4EBkzMZgu/JAsV6nmFaPl8
x5pFSTNbTqA=
=GtxK
- -----END PGP SIGNATURE-----

--------------------------------------------------------------------
William J. Orvis                                  orvis@llnl.gov
Electronics Engineering Department                (510) 422-8649
Lawrence Livermore National Laboratory      (FAX) (510) 423-8002
P.O. Box 808, L-303
Livermore, CA 94551
Computer Incident Advisory Capability - CIAC      ciac@llnl.gov
                                                  (510) 422-8193
---------------------------------------------------------------------

-------- From academic-firewalls-owner@net.tamu.edu Wed Feb 7 23:29:42 1996
X-Sender: swift@tamiya.llnl.gov
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: comp-sec@pierce.llnl.gov
Date: Wed, 7 Feb 1996 21:22:32 -0800
From: orvis@llnl.gov (Bill Orvis) (by way of uncl@llnl.gov (Frank Swift at Home))
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: 1/2 CIAC Bulletin G-10: Winword Macro Viruses

- -----BEGIN PGP SIGNED MESSAGE-----

__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability

                  [CIAC ASCII-art logo]
__________________________________________________________

                    INFORMATION BULLETIN

                    Winword Macro Viruses
          (Concept, DMV, Nuclear, Colors, FormatC, Hot)

February 7, 1996 18:00 GMT                                    Number G-10
______________________________________________________________________________

PROBLEM:   Word macro viruses are no longer an isolated threat, but they are a significant hazard to the information on a computer.
PLATFORM:  Any platform that can run Microsoft Word 6.0 or later: Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh.
DAMAGE:    Files can be deleted and may not be recoverable.
SOLUTION:  Scan all new Word documents before opening them in the same way that you now scan all executable files before running them. Install version 2 of the Microsoft macro virus detection tool.
______________________________________________________________________________

VULNERABILITY ASSESSMENT:  The vulnerability of systems to this type of virus is high, because most users are not in the habit of scanning documents. Documents are much more mobile than executable files in an organization, passing from machine to machine as different people write or edit them.
______________________________________________________________________________

             CRITICAL Information Concerning Winword Macro Viruses

CIAC has obtained information about six macro viruses currently in the wild, five of which infect Microsoft Word 6.0 documents, and one that infects an Excel worksheet. Two of these viruses are damaging. This bulletin describes these viruses:

   Concept (Prank)   Working demo of a macro virus.
   DMV (Word)        Working demo of a macro virus.
   DMV (Excel)       Working demo of a macro virus.
   Nuclear           Attempts damage but fails.
   Colors            Changes screen colors.
   FormatC           Deletes files on the hard drive.
   Hot               Deletes Word documents when they are opened.

WARNING: The new macro viruses are not detected by the original protection macro available from Microsoft which only detects Concept (scan831.dot, see CIAC Notes 95-12). A new protection program is available from Microsoft and most anti-virus scanner developers are adding macro virus detection to their products. The new Microsoft scanner is available from Microsoft at:

   http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

with a description available at:

   http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

The files are also available from the CIAC archive.

What Are Macro Viruses?
- - -----------------------

A macro virus is a piece of self-replicating code written in an application's macro language.
Many applications have macro capabilities such as the automatic playback of keystrokes available in early versions of Lotus 1-2-3. The distinguishing factor which makes it possible to create a virus with a macro is the existence of auto-execute macros in the language. An auto-execute macro is one which is executed in response to some event and not in response to an explicit user command. Common auto-execute events are opening a file, closing a file, and starting an application. Once a macro is running, it can copy itself to other documents, delete files, and create general havoc in a person's system. These things occur without the user explicitly running the macro.

In Microsoft Word there are three types of hazardous, auto-executing macros: auto-execute macros, auto-macros, and macros with command names.

There is one auto-execute macro in Word named AutoExec. If a macro named AutoExec is in the "normal.dot" template or in a global template stored in Word's startup directory, it is executed whenever Word is started. The only way to disable the execution of AutoExec is to insert the flag /m in the command line used to start Word.

The second type of dangerous macros are auto-macros.

   Name        Runs when you
   ------------------------------------
   AutoNew     create a new document.
   AutoOpen    open a document.
   AutoClose   close a document.
   AutoExit    quit Word.

The auto-macros can be disabled by executing the Word.Basic command "DisableAutoMacros" in a macro. Note that the example in Word's online help of executing this command in the command line when starting Word does not work. The command must be executed in a macro. Auto-macros are also disabled by holding down the shift key while opening a document.

The third type of dangerous macros are those named for an existing Word command. If a macro in the global macro file or in an attached, active template has the name of an existing Word command, the macro command replaces the Word command.
For example, if you create a macro named FileSave in the "normal.dot" template, that macro is executed whenever you choose the Save command on the File menu. There is no way to disable this feature.

Macro viruses spread by having one or more auto-execute macros in a document. By opening or closing the document or using a replaced command, you activate the virus macro. As soon as the macro is activated, it copies itself and any other macros it needs to the global macro file "normal.dot". After they are stored in normal.dot they are available in all opened documents. At this point, the macro viruses try to spread themselves to other documents, usually by including an AutoClose macro that attaches the virus macros to the document and saves it.

The macro viruses that cause damage contain a trigger that starts the damage routines and those routines do the actual damage. The trigger is some event that the virus writer has programmed his virus to watch for such as a date or the number of days since the infection occurred.

An important point to make here is that Word documents (.DOC files) can not contain macros, only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.

DMV (Word) Macro Virus
- - ----------------------

The DMV (Demonstration Macro Virus) virus was originally described in the paper "Document Macro Viruses" by Joel McNamara who conveniently infected the document containing the paper with the virus so the reader could experience it first hand. The virus itself is simply an example of how such a virus could be implemented and does not attempt to hide at all. The virus is not harmful and is relatively simple to remove using the Tools Macro command in Microsoft Word (See below).

The virus installs a single macro named AutoClose onto the "normal.dot" global macro file. The AutoClose macro infects all new documents when they are closed.
The macro does no damage other than to spread itself. When the macro runs, it displays numerous dialog boxes telling you what it is doing, making it obvious if you are infected.

DMV (Excel) Macro Virus
- - -----------------------

The Excel version of the DMV macro virus works the same as the Word version but uses the Visual Basic for Applications language built into Excel. The Excel document contains a macro sheet which implements an AutoClose macro. When you close the file, the macro is activated and copies itself to Excel's global macro file. When other worksheets are closed, the macro attaches itself to them as well.

Concept (Prank) Macro Virus
- - ---------------------------

The Concept macro (alias Prank) is similar to the DMV macro virus in that it is a demonstration that a macro virus can be created. A document infected with the Concept virus contains the macros:

   AAAZAO
   AutoOpen
   AAAZFS
   Payload

When an infected file is opened, the AutoOpen macro is run and copies the virus files to the global macro file. During the copying process it changes the name of AAAZFS to FileSaveAs. Whenever a document is saved, the FileSaveAs command copies the virus macros into it and saves it. The AAAZAO macro becomes the AutoOpen macro on the saved document file. The Payload macro does nothing. The first time the macro runs a dialog box appears with the single digit "1" contained in it.

Nuclear Macro Virus
- - -------------------

A document infected with the Nuclear macro virus contains nine macros:

   AutoExec
   AutoOpen
   DropSuriv
   FileExit
   FilePrint
   FilePrintDefault
   FileSaveAs
   InsertPayload
   Payload

All of these are copied to the global macro file when an infected document is opened. When any document is saved, the virus copies all the macros onto it and saves it. Printing a document during the last 5 seconds of any minute causes the following text to appear at the top of the printed page:

   "And finally I would like to say:"
   "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"
After April 5th it attempts to delete your system files but fails because of a bug in the virus. The virus also attempts to infect a system with the Suriv binary virus, but fails again because of a bug.

Colors Macro Virus
- - ------------------

A document infected with the Colors virus contains the following eight macros:

   AutoClose
   AutoExec
   AutoOpen
   FileExit
   FileNew
   FileSave
   FileSaveAs
   ToolsMacro

The virus changes many of the menu items to make it difficult to delete. For example, it effectively removes the Tools Macro command so you can't list or delete the macros in a program with that command. After being accessed 300 times, Colors activates and randomly changes the system colors in the win.ini file making the screen look strange.

FormatC Macro Virus
- - -------------------

The FormatC macro virus consists of a single macro named AutoOpen. Opening an infected document causes this macro to run and the macro copies itself to the global macro file. If the virus's payload is activated, it attempts to format the C: drive.

WARNING: the format command in most modern versions of DOS can be reversed. If this virus strikes, get some knowledgeable help before doing anything to your system. Don't do anything that might write something on the hard drive until you get knowledgeable help. You may need only to boot from a floppy and run unformat to recover the whole drive. What you do depends on what utility programs (Norton Utilities, PCTools, and so forth) you have installed on your system.

Wordmacro/Hot
- - -------------

A new Word macro virus just appeared in the wild named Wordmacro/Hot and it is destructive. The Wordmacro/Hot virus attaches itself like the others, adding macros to documents and to the "normal.dot" global macro file. New documents are infected when they are saved. After about 14 days, the virus deletes the contents of any document as you open it and does a save which effectively wipes out the document.
It is unlikely that you will be able to recover the contents of a file deleted in this way unless you have Make Backup turned on. Don't start opening the backup copies before cleaning the virus, because it will clear the contents of every document you open while it is active.

An infected document contains the following macros:

   AutoOpen
   DrawBringInFrOut
   InsertPBreak
   ToolsRepaginat

When the virus infects the Word program, these macros are copied to "normal.dot" and renamed in the same order to:

   StartOfDoc
   AutoOpen
   InsertPageBreak
   FileSave

The virus adds the item:

   "OLHot=nnnnn"

to the winword.ini file where nnnnn is a date 14 days in the future. The virus uses this date to determine when it is going to trigger. The virus also checks for the existence of the file:

   "c:\dos\ega5.cpi"

and does not infect a machine if the file exists. This was apparently a feature to protect the virus writer.

Detecting A Macro Virus
- - -----------------------

Document files must now be treated in the same manner as executables in terms of virus protection. If you don't know where a Word document has been, scan it before opening it with Word. Most anti-virus scanners have been modified to detect macro viruses in Word documents, so use those scanners to check any new documents that have been copied onto your machine. For example, version 2.21 of the shareware version of F-Prot detects all but the FormatC and Hot viruses.

Microsoft has released a new version of its macro virus protection program (see below) that checks all Word documents as you open them and tells you if they contain a macro or not. It can only detect the Concept virus by name, but any document with a macro attached should be considered suspect.

You can use the Organizer dialog box (see below) to check for strange macros attached to your documents. The Organizer can open a document in the background (without running any attached macros) and let you see what macros are attached to it.
You can also use it to delete macros from a document.

You can watch for virus activity when opening or saving a document, but it is generally preferable to detect a virus before it gets installed. If you have already opened a document that you suspect has a virus, use the Tools Macro command to see a list of the macros attached to Word. If you can't open the Macro dialog box, try the Organizer dialog box instead.

Protecting A System From Macro Viruses
- - --------------------------------------

A feature of Microsoft's products is that automatic execution of auto-macros and auto-execute macros is enabled by default. In fact, it is difficult to turn off. This is a problem in protecting against macro viruses.

Currently, the best protection is to install Microsoft's macro virus protection template. The template is available directly from Microsoft's

-------- From academic-firewalls-owner@net.tamu.edu Thu Feb 8 02:01:43 1996
Date: Thu, 8 Feb 96 09:00:14 +0100
From: mlees@macsch.com (Martin Lees)
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: Re: 2/2 CIAC Bulletin G-10: Winword Macro Viruses

-------- From academic-firewalls-owner@net.tamu.edu Thu Feb 8 09:46:11 1996
CC: comp-sec@pierce.llnl.gov
Date: Thu, 8 Feb 1996 10:40:48 -0500 (EST)
From: "A. Padgett Peterson, P.E. Information Security"
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: 2/2 CIAC Bulletin G-10: Winword macro viruses

>and the scanner itself is available at:
>http://www.microsoft.com/msoffice/freestuf/
>   msword/download/mvtool/mvtool20.exe

This scanner is dated Nov 20 and its main difference from the earlier one seems to be that it is multilingual. Not sure exactly what it does since it blew up on my machine.
The major problem is that it does not block any infection when the infected document is an attachment to a ccMail file (would imagine the same is true of MS-Mail and others but cannot check) and WORD is launched from the mail program.

Imagine the reason is given on page 33 of the "Microsoft Word Developer's Kit" (Microsoft document # WB51159-1093). Thanks to the draconian copyright notice, I do not feel comfortable quoting but the upshot is that macros in documents always take precedence over those in the global template. Coupled with the fact that the AUTOEXEC macro is run at a time when WORD has not yet made the name of the document to be opened available (FileName$() returns a null string) and effective automatic protection from inside WORD appears to be impossible without disabling macros entirely (many users would not permit).

>To disable auto-macros and the auto-execute macro, create the following
>macro in the global macro file (normal.dot) and name it
>"DisableMyAutoMacros".
>
>MAIN
>   DisableAutoMacros 1
>   MsgBox "Auto-macros are disabled."
>End Sub

This is rather complex (and the /m command line switch does not work as described). Is easier to simply create or add this to the AutoExec macro. Once macros are turned off, you are safe from macros in documents. Further if you make the line:

   MsgBox "Auto-macros are disabled.",-1

then the message will display briefly on the status line instead of in a dialogue box the user must clear. Finally adding the line:

   ToolsOptionsSave .GlobalDotPrompt = 1

will ensure that the "Prompt to Save Normal.Dot" option is always selected (can be bypassed though but not if macros are disabled). Belt and suspenders.
Warmly,
   Padgett

-------- From academic-firewalls-owner@net.tamu.edu Fri Feb 9 00:39:22 1996
X-Sender: swift@tamiya.llnl.gov
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Thu, 8 Feb 1996 22:34:34 -0800
From: uncl@llnl.gov (Frank Swift at Home)
Reply-To: academic-firewalls@net.tamu.edu
To: academic-firewalls@net.tamu.edu
Subject: CERT Advisory CA-96.01 - UDP Port Denial-of-Service Attack

Date: Thu, 8 Feb 1996 11:01:33 -0500
From: CERT Advisory
To: cert-advisory@cert.org
Subject: CERT Advisory CA-96.01 - UDP Port Denial-of-Service Attack
Reply-To: cert-advisory-request@cert.org
Organization: CERT(sm) Coordination Center - +1 412-268-7090

=============================================================================
CERT(sm) Advisory CA-96.01
February 8, 1996

Topic: UDP Port Denial-of-Service Attack
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of programs that launch denial-of-service attacks by creating a "UDP packet storm" either on a system or between two systems. An attack on one host causes that host to perform poorly. An attack between two hosts can cause extreme network congestion in addition to adversely affecting host performance.

The CERT staff recommends disabling unneeded UDP services on each host, in particular the chargen and echo services, and filtering these services at the firewall or Internet gateway. Because the UDP port denial-of-service attacks typically involve IP spoofing, we encourage you to follow the recommendations in advisory CA-95:01 and CA-95:01.README.

As we receive additional information relating to this advisory, we will place it in

   ftp://info.cert.org/pub/cert_advisories/CA-96.01.README

We encourage you to check our README files regularly for updates on advisories that relate to your site.

- -----------------------------------------------------------------------------

I. Description

   When a connection is established between two UDP services, each of which produces output, these two services can produce a very high number of packets that can lead to a denial of service on the machine(s) where the services are offered. Anyone with network connectivity can launch an attack; no account access is needed.

   For example, by connecting a host's chargen service to the echo service on the same or another machine, all affected machines may be effectively taken out of service because of the excessively high number of packets produced. In addition, if two or more hosts are so connected, the intervening network may also become congested and deny service to all hosts whose traffic traverses that network.

II. Impact

   Anyone with network connectivity can cause a denial of service. This attack does not enable them to gain additional access.

III. Solution

   We recommend taking all the steps described below.

   1. Disable and filter chargen and echo services.

      This attack is most readily exploited using the chargen or echo services, neither of which is generally needed as far as we are aware. We recommend that you disable both services on the host and filter them at the firewall or Internet gateway.

      To disable these services on a host, it is necessary to edit the inetd configuration file and cause inetd to begin using the new configuration. Exactly how to do this is system dependent so you should check your vendor's documentation for inetd(8); but on many UNIX systems the steps will be as follows:

      (1) Edit the inetd configuration file (e.g. /etc/inetd.conf).
      (2) Comment out the echo, chargen, and other UDP services not used.
      (3) Cause the inetd process to reread the configuration file (e.g., by sending it a HUP signal).

   2. Disable and filter other unused UDP services.
To protect against similar attacks against other services, we recommend - disabling all unused UDP services on hosts and - blocking at firewalls all UDP ports less than 900 with the exception of specific services you require, such as DNS (port 53). 3. If you must provide external access to some UDP services, consider using a proxy mechanism to protect that service from misuse. Techniques to do this are discussed in Chapter 8, "Configuring Internet Services," in _Building Internet Firewalls_ by Chapman and Zwicky (see Section IV below). 4. Monitor your network. If you do provide external UDP services, we recommend monitoring your network to learn which systems are using these services and to monitor for signs of misuse. Tools for doing so include Argus, tcpdump, and netlog. Argus is available from ftp://lancaster.andrew.cmu.edu/pub/argus-1.5/argus-1.5.tar.gz MD5 (argus-1.5.tar.gz) = 9c7052fb1742f9f6232a890267c03f3c Note that Argus requires the TCP wrappers to install: ftp://info.cert.org/pub/tools/tcp_wrappers/tcp_wrappers_7.2.tar.Z MD5 (tcp_wrappers_7.2.tar.Z) = 883d00cbd2dedd9bfc783b7065740e74 tcpdump is available from ftp://ftp.ee.lbl.gov/tcpdump-3.0.2.tar.Z MD5 (tcpdump-3.0.2.tar.Z) = c757608d5823aa68e4061ebd4753e591 Note that tcpdump requires libpcap, available at ftp://ftp.ee.lbl.gov/libpcap-0.0.6.tar.Z MD5 (libpcap-0.0.6.tar.Z) = cda0980f786932a7e2eebfb2641aa7a0 netlog is available from ftp://net.tamu.edu/pub/security/TAMU/netlog-1.2.tar.gz MD5 (netlog-1.2.tar.gz) = 1dd62e7e96192456e8c75047c38e994b 5. Take steps against IP spoofing. Because IP spoofing is typically involved in UDP port denial-of-service attacks, we encourage you to follow the guidance in advisory CA-95:01 and CA-95:01.README, available from ftp://info.cert.org/pub/cert_advisories/CA-95:01.IP.spoofing ftp://info.cert.org/pub/cert_advisories/CA-95:01.README IV. 
Sources of further information about packet filtering For a general packet-filtering recommendations, see ftp://info.cert.org/pub/tech_tips/packet_filtering For in-depth discussions of how to configure your firewall, see _Firewalls and Internet Security: Repelling the Wily Hacker_ William R. Cheswick and Steven M. Bellovin Addison-Wesley Publishing Company, 1994 ISBN 0-201-63357 _Building Internet Firewalls_ Brent Chapman and Elizabeth D. Zwicky O'Reilly & Associates, Inc., 1995 ISBN 1-56592-124-0 - --------------------------------------------------------------------------- The CERT Coordination Center staff thanks Peter D. Skopp of Columbia University for reporting the vulnerability and Steve Bellovin of AT&T Bell Labs for his support in responding to this problem. - --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. 
Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. Frank Swift L-315 (Sent from Home) Unclassified Computer Security Coordinator Lawrence Livermore National Laboratory (LLNL) 7000 East Avenue L-315 Livermore CA 94550-9516 Voice: (510) 422-1463 FAX: (510) 423-0913
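Steps (1) to (3) of Solution item 1 in the advisory above, written out as a script; this is an added example, not code from the CERT advisory. It assumes the classic seven-field inetd.conf layout (service, socket type, protocol, wait/nowait, user, server, args) and that the running inetd is named "inetd" in ps output; the sample configuration is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the CERT advisory): disable UDP echo and chargen in
# an inetd.conf-style file, then signal inetd to reread it. Assumes the
# classic layout: service socktype proto wait/nowait user server args.

# Number of active (uncommented) entries for a service/protocol pair.
active_entries() {   # $1 = inetd.conf path, $2 = service name, $3 = protocol
    awk -v svc="$2" -v proto="$3" \
        '!/^[ \t]*#/ && $1 == svc && $3 == proto { n++ } END { print n + 0 }' "$1"
}

# Steps (1)+(2): comment out the UDP echo and chargen entries in place,
# keeping a .bak copy of the original file. TCP entries are left alone
# because the advisory's attack is a UDP packet storm.
disable_udp_echo_chargen() {   # $1 = inetd.conf path
    cp "$1" "$1.bak" || return 1
    awk '!/^[ \t]*#/ && ($1 == "echo" || $1 == "chargen") && $3 == "udp" {
             print "#" $0; next
         }
         { print }' "$1.bak" > "$1"
}

# Step (3): make inetd reread its configuration by sending it SIGHUP.
# Not called on the constructed sample below; run it on a real host.
reload_inetd() {
    pid=$(ps -e -o pid= -o comm= | awk '$2 == "inetd" { print $1; exit }')
    if [ -n "$pid" ]; then
        kill -HUP "$pid"
    else
        echo "inetd not running" >&2
        return 1
    fi
}

# Constructed sample configuration (not a real host's file).
write_sample_conf() {   # $1 = destination path
    cat > "$1" <<'EOF'
# constructed sample inetd.conf
echo    stream  tcp  nowait  root  internal
echo    dgram   udp  wait    root  internal
chargen stream  tcp  nowait  root  internal
chargen dgram   udp  wait    root  internal
tftp    dgram   udp  wait    root  /usr/sbin/in.tftpd  in.tftpd
EOF
}

SAMPLE="${TMPDIR:-/tmp}/inetd.conf.sample.$$"
write_sample_conf "$SAMPLE"
disable_udp_echo_chargen "$SAMPLE"
echo "active udp echo entries: $(active_entries "$SAMPLE" echo udp)"
grep '^#' "$SAMPLE"
```

Disabling the services on the host does not replace filtering them at the firewall or gateway, which item 1 of the advisory also calls for.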
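For the monitoring step (Solution item 4), a small detector that flags the chargen/echo UDP loop the advisory describes in tcpdump output; this is an added example, not code from the advisory or from tcpdump, Argus or netlog. It assumes tcpdump's "time src.port > dst.port: udp len" line format with service names or numeric ports, and the capture lines below are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the CERT advisory): report host pairs exchanging
# many UDP packets where BOTH ports are echo (7) or chargen (19), the
# signature of the packet storm described in the advisory.

# Print "hostA hostB count" for each host pair with at least $1 such packets.
# Pairs are unordered, so both directions of a loop count toward one total.
storm_pairs() {   # $1 = packet threshold; tcpdump lines on stdin
    awk -v thr="$1" '
        BEGIN { s["echo"] = s["chargen"] = s["7"] = s["19"] = 1 }
        $3 == ">" && $5 == "udp" {
            src = $2; dst = $4; sub(/:$/, "", dst)
            sp = src; sub(/.*\./, "", sp)        # port = text after last dot
            sh = src; sub(/\.[^.]*$/, "", sh)    # host = text before it
            dp = dst; sub(/.*\./, "", dp)
            dh = dst; sub(/\.[^.]*$/, "", dh)
            if (sp in s && dp in s) {
                key = (sh < dh) ? sh " " dh : dh " " sh
                n[key]++
            }
        }
        END { for (k in n) if (n[k] >= thr) print k, n[k] }
    ' | sort
}

# Constructed sample: a chargen<->echo loop between two hosts plus benign
# DNS and echo-client traffic that must not be reported.
sample_capture() {
    cat <<'EOF'
12:00:01.000100 10.1.1.1.chargen > 10.1.1.2.echo: udp 72
12:00:01.000200 10.1.1.2.echo > 10.1.1.1.chargen: udp 72
12:00:01.000300 10.1.1.1.chargen > 10.1.1.2.echo: udp 72
12:00:01.000400 10.1.1.2.echo > 10.1.1.1.chargen: udp 72
12:00:01.000500 10.1.1.1.chargen > 10.1.1.2.echo: udp 72
12:00:01.000600 10.1.1.2.echo > 10.1.1.1.chargen: udp 72
12:00:02.000000 10.1.1.5.1234 > 10.1.1.9.domain: udp 40
12:00:02.500000 10.1.1.3.2049 > 10.1.1.4.echo: udp 64
EOF
}

sample_capture | storm_pairs 5
```

On a live host the same function reads from tcpdump, for example `tcpdump -n -l udp | storm_pairs 100`; because the advisory notes these attacks usually involve IP spoofing, the reported source address should be treated as a hint, not proof of origin.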