The last major component of Microsoft Office 97 to have escaped
the activities of virus writers has now fallen victim to attack. On
10 December 1998, Sophos received a copy of PM97/Vic.a (aka
PM97/Attach), which uses VBA5 and UserForms to infect PowerPoint
files.
PM97/Vic.A executes when a Custom Dialog Box is activated. The
virus looks in the directory C:\My Documents and opens up every
file with the extension PPT. If the PPT file has a UserForm, the
virus checks to see if the first line of its own code is present
(i.e. if the PPT file has already been infected by PM97/Vic.A). If
it is, the virus does not continue to execute. Otherwise, it
inserts itself as the first 27 lines of code. If the document has
multiple UserForms, PM97/Vic.A will infect each Form
separately.
If PM97/Vic.A does activate, it is very obvious to the user. The
computer screen flashes and PowerPoint claims to be opening many
files.
PM97/Vic.A is important because it is the first PowerPoint virus
and it will act as an example for future viruses. However, the
likelihood of actual real world infections is slim for the
following reasons: first, the C:\My Documents directory is hard
coded in the virus, and in most situations this is not an area
where users store PPT files - it is far more likely that they will
be stored on a network share instead; second, in Sophos's
experience only a small number of PowerPoint files contain
UserForms; and third, the virus writer's website was closed very
soon after the virus was posted there and consequently PM97/Vic.A
has had only a very limited distribution.
Background to Office infectors
Microsoft Word was the first Office platform to fall victim to
virus writers, with the first widespread macro virus, Winword/Concept, appearing
in August 1995. The first Excel virus was Excel/Laroux, which
appeared in the wild in February 1997. AM97/AccessiV, which
attacks the macros and modules of the Access database, appeared in
March 1998.
More than 100 million users in 150 countries rely on Sophos as the best protection against complex threats and data loss. Sophos is committed to providing security and data protection solutions that are simple to manage, deploy and use and that deliver the industry's lowest total cost of ownership. Sophos offers award-winning encryption, endpoint security, web, email, and network access control solutions backed by SophosLabs - a global network of threat intelligence centers. With more than two decades of experience, Sophos is regarded as a leader in security and data protection by top analyst firms and has received many industry awards.
Sophos is headquartered in Boston, US and Oxford, UK. More information is available at www.sophos.com.