GUI Bytes

Birthday Virus

a virus may leave tracks even after it is gone

Recently, while editing a specification section, the message "Are you surprised?" appeared. I was surprised, but, recognizing this as a symptom of a virus, I immediately killed the program. My anti-virus program had not raised an alarm, but I knew that I might have been victim to a new virus. 

I logged onto the Internet, updated my anti-virus programs, ran them again, and still found nothing. I also visited a site that scans viruses on your computer via the Internet, a slow process due to connection speed. In the end, I spent about three hours trying to find the virus. It was possible that I had an unknown virus, but it seemed highly unlikely, due to the source of the file and the fact that there were no alerts on any of the anti-virus web sites.

A word about my specification files

I use several fields to take care of repeated information. For example, one field in each specification looks for the state where the project is being built, so I don't end up with one section asking for certification in Wisconsin and another in Minnesota. Other fields are used to ensure consistency in the project name, project number, date of issue, and so on.

Other fields are used for information specific to each file. For each document, Word has a set of properties, accessed through the "File" menu. We use some of these fields for document information such as the section number and section name. These fields are linked to the section title and the footer; they are also used to generate a table of contents. The section name and number are then the same in the table of contents, the footers, and the section title.

Back to the story...

I opened up the file with the odd message, then looked at the properties. They were:

Title: Are You surprised ?
Subject: Birthday
Comments: X's Birthday falls on 25th July.

"X" was the name of someone in our office - I had been the victim of a prank! It looked as if someone - who knew how we use the property fields - had changed them so that when the specification was printed we would get a birthday surprise! 

Wait - there's more...

But - when I asked "X" about his birthday, it turned out that the date was wrong. Returning to the anti-virus sites, I found that there is a macro virus that inserts the phony information into each document! The fact that the name used by the virus was the same as one of our staff was just a coincidence!

I think I have it figured out now. The file originally was infected, but our consultant's anti-virus software detected and removed the virus. Of course, it had no way of knowing what the document's title or subject really were, so they still had the phony information. 

By the way, this particular virus didn't just change the properties; it also corrupted other documents and mailed itself to e-mail addresses in the host computer, so we were happy that it was cleaned before any damage occurred. 

The moral of the story: Some viruses leave ghosts behind to haunt us even after they're gone.

2001 Sheldon Wolfe, RA, CSI, CCS, CCCA, swolfe@bwbr.com 
on the web at www.CSI-MSP.org 
May 2001


home page

Web site design and content Copyright  1995-2004 Sheldon Wolfe

Material from CSI Chapter newsletters used with permission.