Threat Description

Green Stripe

Details

Aliases: Green Stripe, AmiMacro
Category: Malware
Type:
Platform: W32

Summary



With Microsoft Word, a document and all macros related to it are stored in a single file. So a file called DOCUMENT.DOC or DOCUMENT.DOT contains both the document contents and the macros. But with Lotus' Ami Pro, macros are stored in a separate file: if you have DOCUMENT.SAM, macros related to it are in DOCUMENT.SMM. This makes it somewhat more difficult for Ami Pro viruses to spread, since when a user is distributing a document, he is likely to leave the .SMM file behind, effectively disabling the virus.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



The first Ami Pro macro virus was located in January 1996. The virus, which is called Green Stripe or AmiMacro/GreenStripe, works by creating a .SMM file for every .SAM file in Ami Pro's default DOCS directory (\amipro\docs), and modifying the existing .SAM files to use the new macros. The name of the virus comes from it's main macro procedure, which is called Green_Stripe_virus.

Green Stripe propagates by intercepting Ami's File/Save and File/Save As commands. Using File/Save As and saving an infected document to a network drive or a floppy is the only likely way for this virus to spread from a machine to another.

Green Stripe has an activation routine which triggers during saving: the virus searches through the document and replaces all occurences of the word "its" with "it's". Such a change can easily go undetected by the user. However, it is unclear whether this routine works at all.

Green Stripe is rumoured to have been originally published in a US virus-related magazine. It is unlikely to spread in the wild.

Detecting Green Stripe

Open the Tools/Macros/Edit menu and check whether the document has a .SMM macro file assigned to be executed on open. To disinfect an infected document, just delete the .SMM file, open the document to Ami and uncheck the above setting.

Also, the initial infection process takes a long time, and the user is likely to notice that something is going wrong, since all the documents in the default directory are quickly appearing and disappearing on the screen while the virus infects them.






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More