Author Topic: Virus -WM97/ColdApe-A  (Read 1988 times)

Offline davigibs

  • Poster Child
  • *
  • Posts: 15
Virus -WM97/ColdApe-A
« on: July 02, 2003, 08:41:21 AM »
My daughter-in-law recently created a Microsoft Word 98 document on an iMac 300 MHz OS 9.x and sent it as an attachment to several Windows-using people. She received in return from one or two of the recipients a message that the document had the WM97/ColdApe-A virus and would not be delivered. This has unnerved her tremendously and provided me with several head-scratching moments trying to figure out what this all means. She has no virus protection software on her iMac. (I know - Bad girl; bad girl) Questions:
(1.) I thought it was not possible for a Mac to be infected with a Windows virus. Is this correct? I know that a Mac can spread a virus to others by passing on infected e-mail attachments, but that isn't the case here. She created the document on a Mac. (and I don't think she knows how to create a macro)
(2.) Could there possibly be something wrong with her Word 98 program that is sending a false virus message to Windows machines? If so, trashing and reinstalling would cure what ails it, right?
(3.) Could the receiving machines be giving false virus messages?
(4.) Norton's AntiVirus seems to be about the only game in town for Mac virus protection. Any other suggestions before she buys that program?

Offline cdub1988

  • TS Addict
  • *****
  • Posts: 1186
Virus -WM97/ColdApe-A
« Reply #1 on: July 02, 2003, 09:02:44 AM »
QUOTE
My daughter-in-law recently created a Microsoft Word 98 document on an iMac 300 MHz OS 9.x and sent it as an attachment to several Windows-using people. She received in return from one or two of the recipients a message that the document had the WM97/ColdApe-A virus and would not be delivered. This has unnerved her tremendously and provided me with several head-scratching moments trying to figure out what this all means. She has no virus protection software on her iMac. (I know - Bad girl; bad girl)


WM97/*virus_name = Word Macro Virus

QUOTE
(1.) I thought it was not possible for a Mac to be infected with a Windows virus. Is this correct? I know that a Mac can spread a virus to others by passing on infected e-mail attachments, but that isn't the case here. She created the document on a Mac. (and I don't think she knows how to create a macro)


I'm sure one of the more seasoned vets will confirm the answer, but if memory serves, you would have to have macros enabled in the first place for her to have executed the script. Secondly, I couldn't even FIND a virus by that name on Symantec or McAfee's site. Be willing to say it's probably a Windows-exclusive virus.

QUOTE
(2.) Could there possibly be something wrong with her Word 98 program that is sending a false virus message to Windows machines? If so, trashing and reinstalling would cure what ails it, right?


Back the truck up. ;)

Have her friends check the header of the message first and foremost and see what the originating network was of the message (should be able to tell by the Received: stamp in the header).

QUOTE
(3.) Could the receiving machines be giving false virus messages?


Most of the virus scanners I've seen are pretty good for the most part. They may not identify a new virus by name, but they catch it as an unknown type and ask you what to do with it.

QUOTE
(4.) Norton's AntiVirus seems to be about the only game in town for Mac virus protection. Any other suggestions before she buys that program?


I always liked what I saw from Virex, and NAV frustrates me to no end on the Windows side - takes over the system like everything else.

Course, NAV may very well be the only one. I haven't researched that in a while.

I'd have her friends check the Internet Headers of the message they received.

Message was probably spoofed.

Take care.

Chris
« Last Edit: July 02, 2003, 09:04:38 AM by cdub1988 »
Umm, I'm a nerd.
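
The header check suggested in the reply above, sketched as an added example that is not part of the original thread: it reads the Received: line written by the recipient's own mail server and compares the network that handed the message over with the claimed sender's ISP. The host names, addresses, the two sample messages and the function names `handoff` and `sent_via` are all constructed for illustration.

```python
import re
from email import message_from_string

# "from HELO (RDNS [IP]) by SERVER": a common Received layout; real servers vary.
HOP = re.compile(r"from\s+(\S+)\s+\((\S+)\s+\[([\d.]+)\]\)\s+by\s+(\S+)")

# Constructed sample message; every host name and address is made up.
TEMPLATE = (
    "Received: from {helo} ({rdns} [{ip}])\n"
    "\tby mx.friend.example with ESMTP; Wed, 2 Jul 2003 08:30:03 -0400\n"
    "Received: from imac (dialup-77.sender-isp.example [198.51.100.77])\n"
    "\tby smtp.sender-isp.example with SMTP; Wed, 2 Jul 2003 08:30:01 -0400\n"
    "From: sender@sender-isp.example\n"
    "Subject: report\n\nSee attached.\n"
)
# Relayed by the claimed sender's own ISP.
GENUINE = TEMPLATE.format(helo="smtp.sender-isp.example",
                          rdns="smtp.sender-isp.example", ip="198.51.100.25")
# Same From: line and same lower Received line, but handed over by another network.
SPOOFED = TEMPLATE.format(helo="pc", rdns="host9.other-net.example",
                          ip="203.0.113.9")

def handoff(raw, trusted_mx):
    """Return (helo, rdns, ip) that trusted_mx recorded for its client, or None.

    Only the header written by a server the recipient trusts is reliable;
    anything below it arrived with the message and may not be genuine.
    """
    for value in message_from_string(raw).get_all("Received", []):
        m = HOP.search(value)
        if m and m.group(4).lower() == trusted_mx.lower():
            return m.group(1), m.group(2), m.group(3)
    return None

def sent_via(raw, trusted_mx, expected_domain):
    """True if the trusted hop's client name lies inside expected_domain."""
    hop = handoff(raw, trusted_mx)
    if hop is None:
        return False
    rdns = hop[1].lower().rstrip(".")
    domain = expected_domain.lower()
    return rdns == domain or rdns.endswith("." + domain)

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(name, sent_via(raw, "mx.friend.example", "sender-isp.example"))
```

A mismatch only shows that the message did not pass through the expected ISP; it says nothing about whether the attached document itself carries a macro.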

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • https://www.paddyduncan.com
Virus -WM97/ColdApe-A
« Reply #2 on: July 02, 2003, 11:51:51 AM »
Here's some info:

http://www.sophos.com/virusinfo/analyses/w...97coldapea.html

Click on the link at the top of that page to see more info on these macro viruses. They do affect any Word 97/98 user on any operating system, and some of them copy themselves into the global template, which may be how she transmitted it.

There is a listing for this virus on the Symantec site, but it doesn't give any helpful info:

http://securityresponse.symantec.com/avcen.../dyn/25758.html

McAfee has a LOT more info, though it is all Windoze specific:

http://vil.mcafee.com/dispVirus.asp?virus_k=10327
"If computers get too powerful, we can organize them into committees. That'll do them in." ~Author unknown •iMac 5K, 27" 3.6Ghz i9 (2019) • 16" M1 MBP(2021) • 9.7" iPad Pro • iPhone 13

Offline cdub1988

  • TS Addict
  • *****
  • Posts: 1186
Virus -WM97/ColdApe-A
« Reply #3 on: July 02, 2003, 12:45:26 PM »
Man, Paddy, I missed that one.

I didn't take that much time to check it out. Figgered it was a Macro. ;)

I don't regularly check Sophos.

May have to start.

Take care.

Chris

Offline Paddy

  • Administrator
  • TS Addict
  • *****
  • Posts: 13797
    • https://www.paddyduncan.com
Virus -WM97/ColdApe-A
« Reply #4 on: July 02, 2003, 04:22:36 PM »
Actually, Chris, it was Google that found the Sophos link. But looks like a useful site too - they are the big guys in network anti-virus software, aren't they?

Once I found that site, and realized that it was definitely a macro, it was a short hop to looking it up in Symantec's and McAfee's lists of macro viruses, and realizing the slight variation in the name. That's the thing with these darn Windows viruses - like trees and shrubs, they have common names and then they have botanical names. ;) Last night I got a warning (mailed out to a mailing list with several hundred people in town on it) about the Teddy Bear virus (a HOAX) and went looking for "Teddy Bear" at McAfee, so that I could add some links to the email I sent out in reply. They don't list it that way - they use its "botanical" name, "Jdbgmgr.exe hoax". Of course, these viruses mutate so often that this is probably the only way to keep track of them properly, since the antidotes may also change.

I swear, as a manager of a fairly hefty email list myself, I spend more time straightening people out with Windows viruses and virus hoaxes...pretty ironic that it is the Mac person helping out all the Windows users!

Back to the problem at hand - if there REALLY is a macro virus, and she has no anti-virus software, here is some information from Microsoft that should help:

WD98: What to do if you have a Macro Virus
« Last Edit: July 02, 2003, 04:28:01 PM by Paddy »

Offline davigibs

  • Poster Child
  • *
  • Posts: 15
Virus -WM97/ColdApe-A
« Reply #5 on: July 02, 2003, 07:43:35 PM »
Chris - Thanks for the spoofing angle. I'll have to check out the header details and see what info they provide.
Paddy - Thanks for the Microsoft page about Word macro virii. Lots of good stuff in there that may help solve the problem.
I'll report back later after I have a chance to talk to my daughter-in-law (45 miles away) and post the results of what I find out.

Offline davigibs

  • Poster Child
  • *
  • Posts: 15
Virus -WM97/ColdApe-A
« Reply #6 on: July 04, 2003, 10:31:42 AM »
Update-- It seems as though my daughter-in-law had received an e-mail attachment from a PC user with a format that she really liked and had saved it to her hard drive. She used that same format to create new documents to send as e-mail attachments. That could be the source of her problems. Another puzzling aspect is that when trying to enable the Word Macro virus protection found in the Word preferences, it won't stick. Any ideas out there?
Norton's AntiVirus 8 is scheduled for an install as soon as it arrives. Thanks to all for your help so far.