ZortMcGort11

Does Win9x need Antivirus anymore?

38 posts in this topic

And something more is that this file can have failed in a plain vanilla Win 98 but be active when KernelEx is installed...   :unsure:


> And something more is that this file can have failed in a plain vanilla Win 98 but be active when KernelEx is installed...

Um, I run Kex on all my win-98 systems. I think it's been discussed in this thread that Kex doesn't convey any of the various heap-spray and buffer-overrun vulnerabilities that NT has to win-98.


I wouldn't be so sure to attribute the success to Windows 98 alone, but rather to NOT opening that file with some version of MS Word.

The Wordpad ".doc converter" most likely strips off anything that is not text and its formatting.

 

If you prefer, if you open that .doc file on an NT family OS with - say - OpenOffice, LibreOffice or Atlantis, very likely whatever is in it won't be triggered either, as it is seemingly a WORD macro:

https://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=TrojanDownloader:W97M/Adnel#tab=2

 

It is entirely possible that even when opened by Word the macro won't run on 9x systems, but from what you report the macro has never been executed, it simply crashed the converter. 

 

jaclaz


When I open the .doc file in MS Word (that is part of Office 2000) I get this message window:

-------------------

Microsoft Visual Basic (in the title bar)

The macros in this project are disabled. Please refer to the online help or documentation of the host application to determine how to enable macros.

--------------------

And while that message is on-screen, this is what the Word window looks like:

[Image: screenshot of the Word window]


If that's an "unknown DOC" file (e.g. you don't know what it is and it shouldn't be trusted), you're asking for it, IMHO.

https://support.microsoft.com/en-us/kb/285514

The above link answers your question, but not what to do if you shouldn't have run that Macro in the first place.


> The above link answers your question,

Well, technically the above link doesn't mention Word 2000. But the point is that for whatever reason (maybe it's the default setting?) I have Word macros set to "High" (only signed macros can run). With that document open in Word, if I go to Tools, Macros, Visual Basic Editor, that brings up MS Visual Basic project editor, where I see the name of the document in the left-hand project pane. If I try to do anything with it (like expand it, get the properties, etc) I am prompted to provide a Project Password.

I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...


> I am really curious though. I am tempted to set macro security to Low just to see what this thing does on this system...

Well, I would rather attempt "cracking" the Macro password (if possible) and see what is in the actual macro. :whistle:

 

If it is a "simple", "default" password protection, the good ol' DPB= to DPx= hexedit/replacement:

http://stackoverflow.com/questions/272503/how-do-i-remove-the-password-from-a-vba-project

http://superuser.com/questions/807926/how-to-bypass-the-vba-project-password-from-excel

works for both Excel and Word VBA projects.

 

jaclaz


I've edited the malicious .doc file in 3 places, rendering 3 internal keys as invalid. While opening the modified document, Word throws up a VB error message for each key, giving me the option to continue loading the project - to which I say yes. I can then open the project in the VB editor, and there are 3 code windows (one for the document, and two which are labeled as Module1 and Module2). I understand that starting with MS Word 2007, I wouldn't be able to view this code or possibly even open the document given the invalid keys.

If anyone wants to see the VB code, I can post them (or the modified document itself) wherever appropriate.
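
A static check related to the posts above (the `DPB=` key and the edited project keys), as an added example that is not code from any poster: it scans a legacy .doc's raw bytes for a VBA project and reports whether the PROJECT stream's protection keys (`CMG`, `DPB`, `GC`, names per the MS-OVBA specification) are intact, without opening the file in Word. The sample bytes and hex values are constructed, and the byte scan is a heuristic that assumes the small PROJECT stream is stored contiguously.

```python
import re
import sys

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # signature of legacy compound files (.doc, .xls)
EXPECTED = ("CMG", "DPB", "GC")                  # protection keys of the VBA PROJECT stream (MS-OVBA)
VBA_STREAM = "_VBA_PROJECT".encode("utf-16-le")  # directory entry names are stored as UTF-16LE
# Short key names with a hex-only quoted value at the start of a line of the text PROJECT stream.
KEY_RE = re.compile(rb'(?m)^([A-Za-z]{2,3})="([0-9A-Fa-f]+)"')

def triage(data: bytes) -> dict:
    """Inspect raw file bytes only; nothing is opened in Word or executed."""
    found = sorted({m.group(1).decode() for m in KEY_RE.finditer(data)})
    has_vba = data.startswith(OLE_MAGIC) and VBA_STREAM in data
    return {
        "has_vba_project": has_vba,
        "keys_present": [k for k in found if k in EXPECTED],
        "keys_missing": [k for k in EXPECTED if has_vba and k not in found],
        "keys_unexpected": [k for k in found if k not in EXPECTED],
    }

def verdict(report: dict) -> str:
    if not report["has_vba_project"]:
        return "no VBA project found"
    if report["keys_missing"] or report["keys_unexpected"]:
        return "VBA project present, protection keys altered"
    return "VBA project present, protection keys intact"

# Constructed sample: not a real document, only the byte patterns the scan looks for.
PROJECT_TEXT = (b'ID="{00000000-0000-0000-0000-000000000000}"\r\n'
                b'Document=ThisDocument/&H00000000\r\nModule=Module1\r\nModule=Module2\r\n'
                b'CMG="0A08F1"\r\nDPB="1416ED"\r\nGC="1E1CE7"\r\n')
SAMPLE = OLE_MAGIC + b"\x00" * 504 + VBA_STREAM + b"\x00" * 40 + PROJECT_TEXT
EDITED = SAMPLE.replace(b'DPB="', b'DPx="')      # the key rename mentioned in the thread

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # triage a file given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(verdict(triage(fh.read())))
    else:
        for name, blob in (("sample", SAMPLE), ("edited", EDITED)):
            print(name, "->", verdict(triage(blob)))
```

A full compound-file parser such as olevba from oletools follows the sector chains and also handles streams that are not stored contiguously.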
