
New Virus Steals User Documents and Posts them to Public Bulletin Boards

First published: 26th June 1998

Data Fellows, one of the world's leading data security development companies, has discovered an important new macro virus known as WM/PolyPoster.

The new virus uses advanced replication methods to spread within Microsoft Word documents. Once a machine becomes infected by the virus, all Word documents manipulated in it will become infected and the virus will spread within them to new machines.

However, the most disturbing part of the virus is its activation routine. The virus activates at random times, and will try to send the user's Word documents to public Usenet news discussion groups. As a result, the virus could post, for example, company confidential data or private love letters for the whole world to see.

The messages posted by the virus look like they are coming from the real user of the machine, complete with the user name and signature. The virus contains a list of newsgroups where it will attempt to post the messages. These include popular discussion groups like alt.hacker, alt.binaries.pictures.erotica, alt.fan.hanson, alt.windows95 and alt.skinheads. These groups have hundreds of thousands of people reading them from all over the world.

To top it all, the posted documents are always infected by the virus, and users who view them in Word will get infected - and the virus will continue to spread from their machines.

"This is something we've been expecting for quite some time", comments Data Fellows' Manager of Anti-Virus Research, Mr. Mikko Hypponen. "Viruses which activate by simply deleting data are easy to recover from - by using backups. However, there is no way to recover from an incident where a virus posts confidential documents publicly to the Internet."

"We have to understand that traditional security methods like firewalls or Windows NT security settings will not prevent attacks like this from happening", Mr. Hypponen continues. "Viruses like WM/PolyPoster will arrive to users through normal e-mail document attachments, and will further spread from the company's network with e-mail or standard usenet news postings. Most firewalls won't prevent this from happening."

The virus has been analysed in detail by Data Fellows Virus Researcher, Ms. Katrin Tocheva. "This is just the beginning", she says. "We will see viruses with similar but more advanced features in the future. WM/PolyPoster still has many limitations which will restrict its spread. For example, it is only able to post the messages to newsgroups if the user has a particular newsreader application installed", she continues. Another limitation, Ms. Tocheva explained, is that it is unable to spread in Chinese versions of Microsoft Word. Allan Dyer, the Technical Director of Yui Kee, commented, "Many local Hong Kong users, therefore, are not at risk from WM/PolyPoster, but we are likely to see more capable variants in the near future."

Data Fellows has updated its Anti-Virus product, F-Secure Anti-Virus, to handle the WM/PolyPoster virus.

Additional information on the new virus and its prevalence is available at http://www.datafellows.com/v-descs/agent.htm.
The virus does not seem to be widespread at this time.