Threat Description

ShareFun

Details

Aliases: ShareFun, You have GOT to see this, Share The Fun
Category: Malware
Type:
Platform: W32

Summary



For more information on Word macro viruses, see WordMacro/Concept.

WordMacro/ShareFun is a Word macro virus which is loosely based on WordMacro/Wazzu. The only special thing about it is that it attempts to spread over e-mail attachments. Every time an infected file is opened, there is a 1/4 chance the virus will activate.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



If Microsoft Mail is running, the virus attempts to send e-mail messages to three random people listed in the local MSMail alias list. The subject of the messages will be

You have GOT to see this!

The message will contain no text, only a file attachment called DOC1.DOC, which is infected by the virus. The document itself is the document that user happened to have open when the virus activated. If the receiver double-clicks on the attachment, he will get infected by the virus and will spread the infection further with his own MSMail. Thus, ShareFun can be considered to be mix between a macro virus and an automatic chain letter.

Do notice that this is not an "e-mail virus". You do not get infected by just reading e-mail - you need to actively use an attachment file and you should always approach attachment files with caution.

ShareFun also has code to protect itself. If a user tries to analyze a sample of the virus via Tools/Macro or File/Templates menus, the virus will execute and infect the NORMAL.DOT template.

ShareFun was found in the wild from USA in February 1997.





Description Created: Mikko Hypponen, F-Secure


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More