As many of you know, I'm employed by Microsoft Corp. on MSN (The Microsoft Network). Periodically we receive virus warnings, one of which I posted on this list a few months ago concerning a Trojan virus that can infect Word 6 and Word 95. This message is a follow up of that and relates to Word 97. This is not a hoax... Barb Mallut [log in to unmask] ----------------------------------------- ShareFun.A Virus Information ShareFun.A is a new virus that utilizes MSMail and Microsoft Word to spread itself three-fold throughout your email network. Also known as the "ShareTheFun" virus, it is spread by using MSMail email messages and attaching itself as an embedded document. The subject line of the email reads "You have GOT to read this!" ShareFun.A is a WordBasic virus, running in Word 6 and Word 95. It has also been found in Word 97 Visual Basic for Applications (VBA), after the infected Word 95/6.0 document has been opened in Word 97. The virus runs and infects the Word environment whenever an infected Word document is opened. It does NOT infect your environment if the virus carrying document is never opened, but is merely present in the email inbox. The virus is considered harmless by many as it does not delete nor modify any files, however we are concerned about the potential issues arising from this macro virus. Confidential documents can be compromised, unsaved work could be lost if the user is forced to re-boot, and the widespread propagation of this virus could consume network resources unnecessarily. It replicates in 2 ways: 1.It copies itself into Normal.dot and infects all the documents you open from that point on. 2.If Microsoft Mail is running on your machine, it forwards an infected copy of the currently open document to three random people from the user's aliases list through email. This occurs with a 25% chance each time a document is opened. If Microsoft Mail is not running, then instead of forwarding itself, the virus restarts Windows without letting you save unsaved documents. Besides running automatically each time a document is opened, the virus also attaches itself to a number of menu commands: FileOpen, FileTemplates, FileClose, FileSave and ToolsMacro. Each time you select any of these commands, the virus attempts to replicate. All of these macros are Execute-Only, which means their code cannot be viewed. Prevention: 1.The Word macro warning dialog in Word 95A and Word 97 detects the existence of macros in an infected document and warns you about them. If you receive an email message with a document that contains macros, you should either not open the document at all, or open it with macros disabled. 2.The virus forwards itself to other people in an email message with the following subject line: You have GOT to read this! If you receive a Word document in an email message with this subject line, delete the message immediately and contact the sender about it. The sender is most likely infected with the virus. You will not get infected from just having that email message in your mailbox. You will get infected only when you open the infected Word document attached to the email message. 3.If you use Word 97, you should lock the Normal VBA project for viewing, by following the steps listed in http://www.microsoft.com/word/freestuff/mvtool/virusinfo.htm. This will help you protect your Word 97 environment from all viruses. Detection: The symptoms of infection with this virus include: •Windows suddenly restarting right after you attempt to open a document •Inability to use the ToolsMacro menu command Removal: Removing this virus by hand is difficult because the virus attaches itself to the Tools Macros menu command. That means you cannot display the macros dialog using the Tools menu. Contact an anti-virus software vendor for a tool to remove this virus. Microsoft recommends security products certified by the NCSA (National Computer Security Association). You can view their page at: http://www.ncsa.com. If you do not have any macros or customizations in your Normal.dot template that you care about, you should consider deleting Normal.dot. When Word finds Normal.dot missing, it will recreate a new virus-free Normal.dot. ----------