CONCH-L Archives

Conchologists List

CONCH-L@LISTSERV.UGA.EDU

Subject:
From: "Sylvia S. Edwards" <[log in to unmask]>
Reply To: Conchologists of America List <[log in to unmask]>
Date: Sat, 28 Aug 1999 13:02:35 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (60 lines)

I received two e-mails via Conch-L this morning that are suspect as
containing a virus.  The first was from [log in to unmask], 8/28 received by my
ISP at 9:51 AM CDT.  The second was an answer to the first and was from
[log in to unmask], 8/28, received 10:01 AM CDT.

When I opened the first of these e-mails, a box popped up saying it wanted
to install a "Japanese Text Display Support" program of 27MB, time approx 23
minutes.

I quickly deleted it.  Then when I opened the second of these e-mails, the
box popped up again, and attempted to start installation.  I quickly deleted
it.  I went to my deleted file to the first one and found the box was greyed
out that said never install these kinds of programs.

Neither e-mail showed it had an attachment, and I feel neither was aware
they were sending it.  I went to housecall virus center and had my disk
scanned.  No virus showed up, but I am not certain it scans the deleted
e-mail file.

Currently, the most prevalent virus is one that attacks word processing
programs.  It comes under various names.  I am pasting some information
about them.

I just wanted to warn Conch-L subscribers to be careful and not download a
program not mentioned in the e-mail.

Sylvia S. Edwards
Huntsville, Alabama
[log in to unmask]

Virus Name: W97M_TRIPLICATE
Alias: TRIPLICATE, TRISTATE
Virus Type: Macro
Platform: Windows
Number of Macros: 3
Encrypted: No
Size of Macro: 5608 bytes
Seen in the Wild: Yes
Detected by Scan Engine#: 2.062 or later
Detected by Pattern File#: 518 or later
Details: TRIPLICATE is a macro virus that can cross-infect MS WORD 97, MS
EXCEL 97, and MS POWERPOINT 97 applications.
In whichever application the virus is activated, be it from a Word document,
an Excel spreadsheet/workbook or from a PowerPoint slide, the virus will
cross-infect.
- Crossing to MS-EXCEL: The virus searches for BOOK1.XLS in the MS Excel
Startup directory. If not present the virus creates an infected workbook in
the same directory and also disables the macro virus protection of Excel.
The virus resides in the THISWORKBOOK stream of infected Excel
spreadsheet/workbook.
- Crossing to MS-WORD: For Word infections, the virus will check if its
codes are present in the "ThisDocument" Stream of the Global Template
(NORMAL.DOT). If not it will infect the global template and disable the
macro virus protection of Word.
- Crossing to MS-POWERPOINT: If there is no "Triplicate" module in "Blank
Presentation.POT" PowerPoint Template, the virus will disable the macro
virus protection of PowerPoint. It adds a viral module called "Triplicate"
into "Blank Presentation.POT" and a basic AutoShape object that covers the
entire slide. The viral module is linked to the AutoShape object.
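
A triage sketch for the three locations the description above names, added here as an example (it is not part of the original message or of the pasted virus description). The directory name XLSTART, the finding labels and the sample tree are assumptions; the byte search for the module name is only a heuristic, so a hit is a lead for a macro-aware scanner and a miss proves nothing.

```python
import pathlib
import tempfile

# Artifact names from the description above, lower-cased for matching.
EXCEL_DROP = "book1.xls"
WORD_TEMPLATE = "normal.dot"
PPT_TEMPLATE = "blank presentation.pot"
MODULE_NAME = "triplicate"
EXCEL_STARTUP_DIR = "xlstart"  # assumption: Office default name, XLSTART

def contains_module_name(path):
    """Heuristic: raw search for the module name as ASCII or UTF-16LE."""
    data = pathlib.Path(path).read_bytes().lower()
    return any(MODULE_NAME.encode(e) in data for e in ("ascii", "utf-16-le"))

def triage(root):
    """Walk root; return sorted (finding, path) pairs for manual review."""
    findings = []
    for path in pathlib.Path(root).rglob("*"):
        if not path.is_file():
            continue
        low, parent = path.name.lower(), path.parent.name.lower()
        if low == EXCEL_DROP and parent == EXCEL_STARTUP_DIR:
            findings.append(("excel-startup-workbook", str(path)))
        elif low == WORD_TEMPLATE:
            # Normally present on a Word install: queue it for a macro scan.
            findings.append(("word-global-template-review", str(path)))
        elif low == PPT_TEMPLATE:
            hit = contains_module_name(path)
            tag = "ppt-template-module-hit" if hit else "ppt-template-review"
            findings.append((tag, str(path)))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample data: placeholder files, not real documents."""
    layout = {
        "Office/XLSTART/BOOK1.XLS": b"constructed placeholder",
        "Office/Templates/Normal.dot": b"constructed placeholder",
        "Office/Templates/Blank Presentation.pot": b"xx Module=Triplicate xx",
        "Documents/book1.xls": b"constructed placeholder",
    }
    for rel, content in layout.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*triage(tmp), sep="\n")
```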
