Virus infected my PB - help?

Posted in Mac Software, edited January 2014
Well, mostly anyway...it seems I have been infected with the Word macro virus W97/thus.gen. Of course, it has no effect on my mac itself (other than turning off the macro warning in Word), but every document I send to PC users gets blocked or infects them.



I downloaded Virex from .Mac, got the latest updates, and while it WILL clean the files (I have cleaned the entire drive repeatedly), as soon as I create a new file or open an old one, it becomes infected again.



Any help please?



Fish

Comments

  • Reply 1 of 19
    mr. me Posts: 3,219 member
    Quote:

    Originally posted by fishdoc

    Well, mostly anyway...it seems I have been infected with the Word macro virus W97/thus.gen. Of course, it has no effect on my mac itself (other than turning off the macro warning in Word), but every document I send to PC users gets blocked or infects them.



    I downloaded Virex from .Mac, got the latest updates, and while it WILL clean the files (I have cleaned the entire drive repeatedly), as soon as I create a new file or open an old one, it becomes infected again.



    Any help please?



    Fish




    If each new file is infected, then clearly you have not disinfected your computer. But, you used Virex so the best evidence is that your files have indeed been disinfected. Virex will not allow them to be reinfected. My question is: How do you know that your new files are still infected? My reading of your post is that the files are infected when your friends receive them. That tells me that it is their computers that are still infected, not yours. Where did your first infection come from?



    Another thing--just because a mail server's antivirus software blocks your attachments doesn't mean that your attachments are infected. Although I do most of my computer work on a Macintosh, my firm is predominantly a Windows shop. Over the years, it has been inundated with viruses. Recently, IT implemented antiviral software on the Exchange server. At times, this software has blocked my attached Word files, PDFs, and .zip files. Suffice it to say, none of my blocked attachments were infected.



    In your case, your account may have been tagged by some servers as a source of infections. My entire firm got tagged as a source of infections due to reasons mentioned above. ISPs that subscribed to the tagging services blocked all email from my firm.
  • Reply 2 of 19
    Well, I run Virex on the entire drive, and it finds and cleans files of the virus. Running it a second time reveals no viruses.



    However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.



    Fish
  • Reply 3 of 19
    Is it possible that the virus is acting through Word to infect new documents (via a script, for example)?
  • Reply 4 of 19
    mr. me Posts: 3,219 member
    Quote:

    Originally posted by fishdoc

    Well, I run Virex on the entire drive, and it finds and cleans files of the virus. Running it a second time reveals no viruses.



    However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.



    Fish




    You have yet to answer the question: "How do you know that newly created files are infected?"



    Recommendation: Delete and reinstall MS Office.
  • Reply 5 of 19
    Isn't it Virex that is telling him the new files are infected?
  • Reply 6 of 19
    kickaha Posts: 8,760 member
    Yeah, Mr. Me, he did answer the question.



    He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan.



    Word is making infected files from scratch, it appears. Which means the virus lodged itself into perhaps a template document or macro library.



    I concur though, wipe Office off your machine, toss your preferences and any extra macros, and reinstall the mess from scratch.



    Don't you just LOVE MS products?!? :P
  • Reply 7 of 19
    randycat99 Posts: 1,919 member
    Like cockroaches, these Windows viruses have actually adapted to the point where they can "live" in the most viral-adverse of environments (a Mac running a Mac OS), just by inhabiting an installation of M$ software? (Yeah, I know. The viruses aren't really adapting or changing, per se. It's just infesting on a small island of Windows-esque code.) The cockroaches are nesting right at "the gate", snickering at how they can plant 1 or 2 spindly legs in Mac land, just as long as they keep the other feet in M$ land. Dirty little bastards...
  • Reply 8 of 19
    alcimedes Posts: 5,486 member
    before you wipe everything, toss the default template file first. that's the one that's likely infected.



    after you delete it, make a new file, save and scan it again. it should be clean. faster than wiping office completely. of course, if after that the new file is still infected, wipe it.
  • Reply 9 of 19
    mr. me Posts: 3,219 member
    Quote:

    Originally posted by Kickaha

    Yeah, Mr. Me, he did answer the question.



    He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan.



    Word is making infected files from scratch, it appears. Which means the virus lodged itself into perhaps a template document or macro library.



    I concur though, wipe Office off your machine, toss your preferences and any extra macros, and reinstall the mess from scratch.



    Don't you just LOVE MS products?!? :P




    Reread what fishdoc says. He runs Virex to disinfect. He runs Virex again to verify that all files have been disinfected. Virex shows no infections. Nowhere does he specifically say that Virex tells him that his new files are infected. However, I have a feeling that he is leaving out something. Viruses don't materialize out of the ether. Virex supposedly removed all traces of W97M.thus.gen. That means that it had been removed from all documents, templates, and everywhere else, or should have been. And yet it magically resurfaces. According to the Symantec virus database, this family of viruses is four years old, not widely distributed, not terribly destructive, and easy to remove. Come on, fishdoc, what's really going on?
  • Reply 10 of 19
    Let me try again (although in re-reading my posts, it seems clear, and Kickaha got it right off)...



    I have the virus - I know because Virex finds and cleans it from various word docs. Yet with every new document I create, I am re-infected (the newly-created document has the W97 virus - specifically W97/thus.gen).



    Put more succinctly:

    "He runs Virex, disinfects (confirming with another run), makes a new Word doc, saves, and Virex immediately finds it on a subsequent scan."



    Also, note that for W97/thus.gen, there are two entries in the Symantec database - one with a discovery date of Sep 03, and one from Sep 04. I am not sure how or why the age of the virus is an issue anyway - the fact is, I have the virus, and AFTER cleaning the entire drive ("All Local Volumes") with the newest update of Virex from .Mac (7.21, DAT file update Oct 14), the virus re-appears on any new Word document.



    I will try re-installing Office and see what happens...



    Fish
  • Reply 11 of 19
    Forgive the obvious, but...



    Most antivirus software will not clean the active boot volume.



    Infected files may already be resident in memory and represent as 'protected kernel'.

    (Remember "Terminate and Stay Resident" programs from the old days?)



    Boot from CD or external volume and then run anti-virus.

    Only when booted externally can your AV tools fully clean the machine.



    Not sure if that helps, but in reading your comments, it wasn't clear if you're trying to clean the volume you've booted from (which wouldn't be thorough and might explain recurring symptoms).
  • Reply 12 of 19
    kickaha Posts: 8,760 member
    PAGING MR. ME.



    PAGING MR. ME.



    PLEASE READ. CAREFULLY.



    THAT IS ALL.



    Quote:

    Originally posted by fishdoc

    Well, I run Virex on the entire drive, and it finds and cleans files of the virus. Running it a second time reveals no viruses.



    However - if I create a new blank Word document after doing the virus check, and then save it, it is also infected. So the problem really is my computer.



    Fish




    Missed that post, did we?
  • Reply 13 of 19
    mr. me Posts: 3,219 member
    Quote:

    Originally posted by Kickaha

    PAGING MR. ME.



    PAGING MR. ME.



    PLEASE READ. CAREFULLY.



    THAT IS ALL.







    Missed that post, did we?




    There is no need to get personal. The fact is that you are the one, not fishdoc, who explained how he "knows" that his new Word documents are infected. You inferred it from what he wrote, but you did not read it in his post. fishdoc then quoted you rather than use his own words to confirm your inference.



    Now to curiousuburb's assertion that you cannot clean the boot volume. MacOS X is not MS-DOS and W97.thus.gen is not a DOS virus. It is a MS Word macrovirus, and as such, can only exist within the Office environment and the files generated by it. Such viruses are easily removed from the boot volume. In my personal experience going back to System 6, I have never had any problem removing viruses from Mac boot volumes.
  • Reply 14 of 19
    randycat99 Posts: 1,919 member
    I guess another loose end here is if this virus is truly hiding out in some component or template of the software package, why doesn't Virex detect it there then? Is it possible for the virus to embed itself or something in a template such that it cannot be detected? ...or maybe Windows viruses have developed the technology of temporal wormholes, so that they can hide out in hyperspace? (that was a joke, btw)
  • Reply 15 of 19
    Quote:

    Originally posted by alcimedes

    before you wipe everything, toss the default template file first. that's the one that's likely infected.



    I agree with this. Isn't it called the "Normal" template?



    Microsoft Office X/Templates/Normal
  • Reply 16 of 19
    kickaha Posts: 8,760 member
    Quote:

    Originally posted by Mr. Me

    There is no need to get personal. The fact is that you are the one, not fishdoc, who explained how he "knows" that his new Word documents are infected. You inferred it from what he wrote, but you did not read it in his post. fishdoc then quoted you rather than use his own words to confirm your inference.



    Sorry, but no. I quoted the third message in this thread, which was fishdoc's immediate and clear response to you, prior to my entering it simply to point out that he had already answered you. Hence hauling out the larger clubs to get you to realize that your subsequent requests for information were superfluous, and only served to point out that you weren't reading carefully... not to mention more than a little rude.



    Now as to what's actually going on... fishdoc, you aren't by any chance having Word still running while doing the scans, are you? If so, then the virus will have already been loaded into memory, as pointed out by curiousburb (even though what he describes is Windows specific). Quit all apps, run Virex, ensure a clean drive. Then launch Word and see if it still happens. If so, Virex your drive again, remove the templates, and then reinstall just them from the CD. Try launching Word again. If it STILL happens, delete the entire Office installation (and all preferences files, Library files, etc!), then Virex, reinstall Office, and try again. If it happens after *THAT*, call a witch doctor.
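Added example, not part of the thread and not any poster's code: an independent check, alongside the antivirus scan, of whether the Normal template or a freshly saved document carries a VBA macro storage, which is where a Word 97 macro virus lives. It assumes the files are in the Word 97-era OLE2 binary format and reads only the FAT sectors listed in the file header; the sample files are constructed inline.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ENDOFCHAIN, FREE = 0xFFFFFFFE, 0xFFFFFFFF
MACRO_NAMES = {"macros", "vba", "_vba_project"}  # storage/stream names Word uses for VBA

def ole_entries(data):
    """List directory entry names of an OLE2 compound file ([] if not valid OLE2)."""
    shift = struct.unpack_from("<H", data, 30)[0] if len(data) >= 512 else 0
    if data[:8] != OLE_MAGIC or shift not in (9, 12):
        return []
    size = 1 << shift                                        # sector size in bytes
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]   # header occupies the first slot
    fat = []
    for n in struct.unpack_from("<109I", data, 76):          # FAT sectors named in the header
        if n < 0xFFFFFFFA and len(sector(n)) == size:
            fat += struct.unpack("<%dI" % (size // 4), sector(n))
    names, sid, seen = [], struct.unpack_from("<I", data, 48)[0], set()
    while sid < len(fat) and sid not in seen:                # follow the directory chain
        seen.add(sid)
        chunk = sector(sid)
        for off in range(0, len(chunk) - 127, 128):          # 128-byte directory entries
            nlen = struct.unpack_from("<H", chunk, off + 64)[0]
            if chunk[off + 66] and 2 <= nlen <= 64:          # type 0 marks an unused entry
                names.append(chunk[off:off + nlen - 2].decode("utf-16-le", "replace"))
        sid = fat[sid]
    return names

def has_macro_storage(data):
    """True if any directory entry is one of the VBA storage/stream names."""
    return any(name.lower() in MACRO_NAMES for name in ole_entries(data))

def build_sample(entries):
    """Constructed minimal OLE2 file: header, one FAT sector, one directory sector."""
    head = OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
    head += struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    head += struct.pack("<109I", 0, *[FREE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREE] * 126)
    directory = b""
    for name, kind in entries:                               # kind: 5 root, 1 storage, 2 stream
        raw = (name + "\0").encode("utf-16-le")
        directory += raw.ljust(64, b"\0") + struct.pack("<HB", len(raw), kind) + bytes(61)
    return head + fat + directory.ljust(512, b"\0")

# Constructed samples: a document without macros and one with a "Macros" storage.
CLEAN = build_sample([("Root Entry", 5), ("WordDocument", 2), ("1Table", 2)])
MACRO = build_sample([("Root Entry", 5), ("WordDocument", 2), ("Macros", 1)])
```

To check real files, pass `has_macro_storage` the bytes of the template and of a newly saved blank document, read with Word closed. A macro storage is not proof of infection, since legitimate templates can carry macros, but a blank document saved from a clean template would normally have none.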
  • Reply 17 of 19
    fishdoc Posts: 189 member
    Thanks Kickaha - that was EXACTLY what happened - I left Word running during the virus scan, so the removal was incomplete (although of course Virex did not know that).



    As for Mr. Me - you gotta lighten up dude. "What's really going on"? As though there is some conspiracy to mislead here (rather than you simply not understanding my post)?



    Anyway, I asked for help, and you guys helped me resolve this - thanks much everyone!



    Fish
  • Reply 18 of 19
    mr. me Posts: 3,219 member
    Quote:

    Originally posted by fishdoc

    Thanks Kickaha - that was EXACTLY what happened - I left Word running during the virus scan, so the removal was incomplete (although of course Virex did not know that).



    As for Mr. Me - you gotta lighten up dude. "What's really going on"? As though there is some conspiracy to mislead here (rather than you simply not understanding my post)?



    Anyway, I asked for help, and you guys helped me resolve this - thanks much everyone!



    Fish




    In the post that seemed to get so many goats, I said that you were not telling us everything. You have now admitted that you performed your virus scans while the offending application was still running. That the infected file was in RAM rather than on the hard disk would seem to explain why the seemingly impossible was happening. Thank you for finally coming clean.
  • Reply 19 of 19
    kickaha Posts: 8,760 member
    Oh please.



    Here, have a cookie for your *fantastic* prognostication and sheer genius. Wow, you really were ahead of the game, and man, you sure pegged fishdoc as being this evil conniving seeeeecretive bastard for not being 'willing' to divulge everything.



    Brother.



    Question answered, thread has run its course, and Mr. Me needs one less place to rant.



    Locking.