W97M.Tador.A

SUMMARY

W97M.Tador.A is a macro virus that infects Microsoft Word documents and the global template Normal.dot. It also attempts to connect to a specific FTP site; if it is successful, it performs the following actions:

• It downloads and then runs an executable file.
• It uploads your user name and the number of infections on your system.

Protection

• Virus Definitions (Intelligent Updater) October 2, 2001

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low

Distribution

• Distribution Level: Low

TECHNICAL DETAILS

Activation
When an infected document is opened on a previously uninfected computer, the virus infects the Normal.dot file (and itself, but because it is already infected, this action has no effect). After Normal.dot is infected, the virus infects other documents on FileOpen, FileClose, FileNew, and when you close Microsoft Word.

NOTE: During the initial infection, the virus does not infect other currently open documents. They will be infected, however, when you close them.

The virus resides in the VT module in the infected documents. It also initiates an FTP session on FileOpen and FileClose.

Infection process
During the infection process this virus does the following:

1. Deletes all user macros from the Normal.dot file.
2. Infects the Normal.dot file.
3. Creates the registry key
   
   HKEY_CURRENT_USERVT
   
   with the value
   
   "Cont"=0 (or some other number)
   
   This virus uses the value to keep track of how many documents it has infected from the global template.
   
4. Infects the currently active document.
5. Increments the infection count in the registry key that it created.
6. Disables macro virus protection in Microsoft Word.
7. Hides the Macro item on the Tools menu (including the Alt+F11 option).
8. Creates files on the system.
9. Downloads an executable from the same FTP site.
10. Runs the downloaded executable.
11. Uploads user information to an FTP site.

Files created
The virus creates the following files:

• C:VT.001
• C:<your user name>.001
• C:VT.ftp
• C:Vtm.exe

FTP activity
This virus contacts an FTP site that is specified within the virus body and tries to download the file Vtm.exe. It then uploads the following text message:

Writer by SVX
VXName: VT
UserName: [your user name]
Contador: [number of infections]

For the connection this virus uses a specific user name and password. At the time that this write-up was created, this user name appears to have been disabled.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.

REMOVAL

1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and make sure that NAV is configured to scan all files. For instructions on how to do this, read the document How to configure Norton AntiVirus to scan all files.
3. Run a full system scan.
4. If any files are detected as infected by W97M.Tador.A, click Repair.
5. Using Windows Explorer, delete any of the following files if they exist:
   • C:VT.001
   • C:<your user name>.001
   • C:VT.ftp
   • C:Vtm.exe
6. (Optional) Delete the registry key that was created by this virus. (This key does no harm to your system and may be left there if desired.)