ZortMcGort11

Does Win9x need Antivirus anymore?


And something more is that this file could have failed in a plain vanilla Win 98 but be active when KernelEx is installed...   :unsure:


> And something more is that this file could have failed in a plain vanilla Win 98 but be active when KernelEx is installed...

Um, I run Kex on all my win-98 systems. I think it's been discussed in this thread that Kex doesn't convey any of the various heap-spray and buffer-overrun vulnerabilities that NT has to win-98.


I wouldn't be so sure to attribute the success to Windows 98 alone, but rather to NOT opening that file with some version of MS Word.

The Wordpad ".doc converter" most likely strips off anything that is not text and its formatting.

If you prefer, if you open that .doc file on an NT family OS with - say - OpenOffice, LibreOffice or Atlantis, very likely whatever is in it won't be triggered either, as it is seemingly a WORD macro:

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:W97M/Adnel#tab=2

 

It is entirely possible that even when opened by Word the macro won't run on 9x systems, but from what you report the macro has never been executed; it simply crashed the converter.

 

jaclaz


When I open the .doc file in MS Word (that is part of Office 2000) I get this message window:

-------------------

Microsoft Visual Basic (in the title bar)

The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.

--------------------

And while that message is on-screen, this is what the Word window looks like:

[Attached screenshot of the Word window; image not preserved]


> The above link answers your question,

Well, technically the above link doesn't mention Word 2000. But the point is that for whatever reason (maybe it's the default setting?) I have Word macros set to "High" (only signed macros can run). With that document open in Word, if I go to Tools, Macros, Visual Basic Editor, that brings up the MS Visual Basic project editor, where I see the name of the document in the left-hand project pane. If I try to do anything with it (like expand it, get the properties, etc.) I am prompted to provide a Project Password.

I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...


> I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

Well, I would rather attempt "cracking" the Macro password (if possible) and see what is in the actual macro. :whistle:

 

If it is a "simple", "default" password protection, the good ol' DPB= to DPx= hexedit/replacement:

http://stackoverflow.com/questions/272503/how-do-i-remove-the-password-from-a-vba-project

http://superuser.com/questions/807926/how-to-bypass-the-vba-project-password-from-excel

works for both Excel and Word VBA projects.

 

jaclaz


I've edited the malicious .doc file in 3 places, rendering 3 internal keys as invalid. While opening the modified document, Word throws up a VB error message for each key, giving me the option to continue loading the project - to which I say yes. I can then open the project in the VB editor, and there are 3 code windows (one for the document, and two which are labeled as Module1 and Module2). I understand that starting with MS Word 2007, I wouldn't be able to view this code or possibly even open the document given the invalid keys.

If anyone wants to see the VB code, I can post them (or the modified document itself) wherever appropriate.

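A static check related to the DPB= edit and the module listing mentioned in the posts above, as an added example that is not from any poster in this thread: it reads the VBA PROJECT stream text straight from a file's bytes, without opening the document in Word, and reports the document and module names and whether the protection keys are intact. The CMG and GC key names come from the MS-OVBA format specification rather than from this thread; the function name, the sample bytes and the contiguous-stream heuristic are assumptions.

```python
import re

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound-file signature
# PROJECT stream property names as given in MS-OVBA: CMG = protection state,
# DPB = project password, GC = visibility state. All three are mandatory.
PROTECTION_KEYS = ("CMG", "DPB", "GC")


def triage_vba_project(data: bytes) -> dict:
    """Describe the VBA project in a document's raw bytes without opening it."""
    report = {"ole": data.startswith(OLE_MAGIC), "vba_project": False,
              "documents": [], "modules": [], "keys": {}, "altered": False}
    # The PROJECT stream is plain text and begins with ID="{GUID}".
    start = re.search(rb'ID="\{[0-9A-Fa-f-]{36}\}"\r?\n', data)
    if start is None:
        return report
    report["vba_project"] = True
    # Heuristic (assumption): the stream is small and stored contiguously,
    # so a 4 KiB window from the ID line covers it.
    text = data[start.start():start.start() + 4096].decode("latin-1")
    report["documents"] = re.findall(r"^Document=([^/\r\n]+)", text, re.M)
    report["modules"] = re.findall(r"^Module=([^\r\n]+)", text, re.M)
    for key in PROTECTION_KEYS:
        m = re.search(rf'^{key}="([0-9A-Fa-f]+)"', text, re.M)
        # Record the value length only; a missing or renamed key is None.
        report["keys"][key] = len(m.group(1)) if m else None
    report["altered"] = None in report["keys"].values()
    return report


# Constructed sample input (not taken from the file discussed in the thread).
SAMPLE_PROJECT = (
    b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
    b"Document=ThisDocument/&H00000000\r\n"
    b"Module=Module1\r\nModule=Module2\r\n"
    b'Name="Project"\r\n'
    b'CMG="AABBCCDD"\r\nDPB="0011223344556677"\r\nGC="EEFF0011"\r\n'
)
INTACT = OLE_MAGIC + b"\x00" * 504 + SAMPLE_PROJECT
ALTERED = INTACT.replace(b'DPB="', b'DPx="')

if __name__ == "__main__":
    for label, blob in (("intact", INTACT), ("altered", ALTERED)):
        print(label, triage_vba_project(blob))
```

A report with `altered` set means a mandatory key is missing or renamed, which is worth noting when a sample has been passed around or pre-processed before it reaches you.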
