WM.Hot

SUMMARY

WM.Hot is a virus that uses four macros to infect and spread. In an effort to elude virus scanners that check only for the macro names, the virus names the macros differently, depending on the infection routine.

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload Trigger: Opening a document
• Modifies Files: Changes documents and the WinWord.Ini file.

Distribution

• Distribution Level: Low
• Target of Infection: Microsoft Word documents

TECHNICAL DETAILS

When WM.Hot infects the NORMAL.DOT global template, it names the macros:

• AutoOpen
• FileSave
• InsertPageBreak
• StartOfDoc

When WM.Hot infects a document (from the global template) it names the macros:

• AutoOpen
• DrawBringInFrOut
• InsertPBreak
• ToolsRepaginat

Therefore, although it uses only four true macros, it has seven different names for them.

All of the macros are easily visible from the Tools > Macro menu. In addition, these macros are "ExecuteOnly." As such, they are automatically encrypted by Microsoft Word. The macros are not normally available for viewing and editing, despite being visible in the macro list.

WM.Hot is the first virus to use the Word Basic ability to call any standard Windows API. This ability grants the virus enormous opportunity to use advanced calls and features of Windows.

WM.Hot deliberately destroys data. Upon initial infection, the virus adds an entry to the WINWORD6.INI file (found in the WINDOWS directory), in the [Microsoft Word] section.

The entry is:

QLHot=mmdddyy

In this entry, "mmddyy" is the date of first infection. Every time an infected document is open, the virus compares the stored date against the current date.

WM.Hot stays dormant for the first 14 days of infection. After that, there is chance WM.Hot will trigger (based on some calculations).

When it triggers, WM.Hot deletes all information in the document as it is opened. Specifically, when the document is opened and WM.Hot triggers, the virus highlights all text in the file, deletes the text, and then saves the document again, completely empty. The exception is if the EGA5.CPI file exists in the C:DOS directory, in which case the virus simply closes the file without any damage.

WM.Hot was first discovered in the wild in Russia.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.