Antivirus vendor Sophos on Tuesday warned about a worm that sets a registry entry to reduce security levels for Microsoft Office.

WM97/Adenu-A lowers the Microsoft Office Security settings by making the following registry entry:

HKCU\Software\Microsoft\Office\9.0\Word\Security\Level=01

WM97/Adenu-A also disables the following menu options within Microsoft Word:

Tools|Macro
Tools|Customize
Tools|Templates and Add-Ins

WM97/Adenu-A creates the file GbcHS4664.VBS in the Windows system folder and sets a registry entry. View it and other information at this Sophos page.

Virus Infects Excel 95 Spreadsheets

XM/Laroux-Fam is a family of viruses that infect Excel 95 spreadsheet files. Members of the XM/Laroux-Fam family are simple viruses, similar to the first Word macro viruses, and contain two macros, usually named auto_open and check_files.

The auto_open macro is run when the infected document is opened, and merely instructs Excel to call the check_files macro every time a new worksheet is activated.

When this happens, the virus creates a file in the XLSTART directory called PERSONAL.XLS and copies the viral macros into it. This file is automatically opened every time Excel is run, much like Word's NORMAL.DOT. From then on, it infects every workbook used. When PERSONAL.XLS is infected, the virus will be loaded every time Excel is started.

For information on removing macro viruses, visit this Sophos page.

Macro Virus Displays 'Porn Error' Message

Sophos has also issued an alert for WM97/ZWMVC-B, a simple macro virus that uses the name "zwmvc_macro" for the infected VBA module.

The virus displays the message "Yet Again Porn Error" every time an infected document is opened or a clean document is infected.

For removal instructions visit this Sophos site.

Worm Tries to Use Malformed MIME Header to Execute Attachment

This Borland Delphi worm, W32/Pluto.A@MM, propagates via:

  • mass-mailing itself to all recipients listed in the Outlook Address Book and the Windows Address Book (WAB).
  • peer-to-peer file-sharing networks like eDonkey2000, KaZaa, LimeWire, Morpheus, Shareaza and Xolox.

    • It is packed with UPX. It arrives attached to emails and tries to use a known malformed MIME header exploit to execute the attachment (view here).

    View the various subject lines the message may arrive in at this McAfee page.

    Worm Targets Weak Passwords to Copy Itself to Network Shares

    W32.HLLW.Graps is a network-aware worm that has backdoor capabilities. By default is opens port 45836 for listening.

    The worm copies itself to available network shares by connecting with weak passwords. It is a Visual Basic application compiled to native code and packed with UPX v1.24.

    Technical details are at this Symantec page.

    Compiled by Esther Shein.