WM.Rapi

SUMMARY

WM.Rapi is a macro virus that infects Microsoft Word documents and templates. The virus originated in Indonesia.

WM.Rapi contains seven macros:

• AutoOpen
• RPAE
• RPFO
• RPFS
• RPTC
• RPTM
• RPFSA

In NORMAL.DOT infections, these macros are renamed:

• RPAO
• AutoExec
• FileOpen
• FileSave
• ToolsCustomize
• ToolsMacro
• FileSaveAs

Threat Assessment

Wild

• Wild Level: Low
• Number of Infections: 0 - 49
• Number of Sites: 0 - 2
• Geographical Distribution: Low
• Threat Containment: Easy
• Removal: Easy

Damage

• Damage Level: Low
• Payload Trigger: Opening infected document.
• Payload: Displays message "Thanks for joining us ! " in Message box, then displays contents of BACALAH.TXT, created by virus.

Distribution

• Distribution Level: Low
• Target of Infection: Microsoft Word documents

TECHNICAL DETAILS

The AutoOpen macro copies the macros to the global template. The virus spreads to other documents through the FileOpen, FileSave, and FileSaveAs macros. If a file is opened when the virus is active, a message box with the title "@Rapi.Kom" displays the following message:

Thanks for joining us !

The AutoExec macro creates a file in the root of the C: drive called "BACALAH.TXT". The macro writes a message to this file that ends with the current date and time.

Translated into English, the file message reads as follows:

Assalamualaikum ", sorry @Rapi.Kom disturbs you. This message is originally called PESAN.TXT. It appears in the root directory after running Winword 6.0 if its template (normal.dot) is already infected by this macro. This macro virus(before being modified by @Rapi.Kom) came from a Winword 6.0 data file (*.doc) which was already infected by this macro virus. When the data file is opened (Open doc), the macro automatically runs the instructions i.e. copies itself into the global template (normal.dot). On a certain date and time the macro will delete all data in the directory levels 1, 2, and 3 (except hidden directories) Malang, [current date and time]."""""""""" @Rapi.Kom

The AutoExec macro does contain code to delete files in directories on the C: drive. However, the destructive code is commented out entirely.

The ToolsMacro and ToolsCustomize macros contain plain text and, therefore, do not execute. If either of these macros are executed, a message box appears that reports a Microsoft Word basic error.

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

• Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have less avenues of attack and you have fewer services to maintain through patch updates.
• If a blended threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services (for example, all Windows-based computers should have the current Service Pack installed.). Additionally, please apply any security updates that are mentioned in this writeup, in trusted Security Bulletins, or on vendor Web sites.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate infected computers quickly to prevent further compromising your organization. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.