Classification

Category: Malware

Type: -

Aliases: ATU

Summary

The viruses of this family spread in an uncommon way. Instead of copying their macro program to the macro area of victim documents, they only write into the documents a reference to a template (an attached template) that contains the virus macros. When MS Word97 opens such a document, it detects the reference to the attached template, opens the template and executes its macros. The virus macro gets control and runs the infection procedure. As a result, the infected documents contain no macro code, but when they are opened the virus macro code is loaded by Word97 and executed.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

In the known versions of this virus, the reference to the attached template points to a file on a remote Internet site (the virus writers' Web site). As a result, when MS Word97 opens an affected document, it downloads and processes the template that is placed in the Internet zone. Because of that, the virus author(s) are able to "upgrade" the virus code by replacing the template on their Web site.

This way of spreading allows the virus to bypass the anti-virus protection (VirusWarning) in old versions of MS Word97. These Word97 versions have a security hole: Word97 does not activate the anti-virus protection to scan attached templates for macro code. This bug in MS Word97 was fixed at the beginning of 1999.
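A triage check for the mechanism described above, added here as an example (it is not F-Secure's detection logic or code from the original page): it scans a file's raw bytes for an http, https or ftp URL that names a .dot template. It assumes the reference is stored as plain single-byte or UTF-16LE text and is a string heuristic, not a parser of the Word97 file format; the function names and the sample bytes are constructed for illustration.

```python
import re

# Signature of the OLE2 compound-file container used by Word 97 .doc files.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# URL with a remote scheme, matched lazily up to the first ".dot" so that
# printable bytes following the string in the file are not swallowed.
_REMOTE_DOT = re.compile(rb"(?:https?|ftp)://[\x21\x23-\x7e]{1,512}?\.dot", re.I)


def find_remote_templates(data: bytes) -> list[str]:
    """Return remote URLs naming a .dot template found anywhere in data."""
    hits = {m.group().decode("ascii") for m in _REMOTE_DOT.finditer(data)}
    # UTF-16LE text at either byte alignment: every second byte carries the
    # character and the byte after it must be zero.
    for shift in (0, 1):
        low, high = data[shift::2], data[shift + 1::2]
        for m in _REMOTE_DOT.finditer(low):
            pad = high[m.start():m.end()]
            if len(pad) == len(m.group()) and not any(pad):
                hits.add(m.group().decode("ascii"))
    return sorted(hits)


def triage(data: bytes) -> dict:
    """Summarise one file: container type and any remote template URLs."""
    return {"ole2": data.startswith(OLE2_MAGIC),
            "remote_templates": find_remote_templates(data)}


# Constructed sample bytes (not a real document): an OLE2 signature, a local
# template path that must not be flagged, and a remote template URL.
SAMPLE = (OLE2_MAGIC + b"\x00" * 24
          + "C:\\Templates\\Normal.dot".encode("utf-16-le") + b"\x00\x00\x2b\x00"
          + "http://templates.example.invalid/update.dot".encode("utf-16-le")
          + b"\x05\x00" + "Title".encode("utf-16-le"))

if __name__ == "__main__":
    print(triage(SAMPLE))
```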

This variant contains this comment:

 Active Template Update

Variant: ATU.B

This version of the virus does not copy its entire code from the template to the global macros area, but only the code necessary to infect documents.

This variant contains this comment:

 Active Template Update v0.2 /1nternal