Classification

Category: Malware

Type: Virus

Aliases: Wazzu, Wazzu.A

Summary

For background information on Word macro viruses, see the description of the WordMacro/Concept virus.

WordMacro/Wazzu is one of the most common viruses in the world.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

WordMacro/Wazzu consists of a single AutoOpen macro. This makes it language independent, i.e. this macro virus is able to infect localized versions of Word as well as the English version.

Wazzu.A frequently modifies the contents of documents it infects, moving words around and inserting the text 'wazzu '. The word 'Wazzu' is reported to be a nickname for Washington State University.

Microsoft accidentally spread the WordMacro/Wazzu virus several times during fall 1996:

The September 1996 edition of the Microsoft SPCD (Solution Provider CD) had a single Word document infected with WordMacro/Wazzu.A. This CD was distributed internationally to Microsoft partners. The infected file on this CD is \sia\mktools\case\ed3905a.doc.

Microsoft distributed Wazzu.A during the Swiss ORBIT conference on another CD called Letz Fetz on the Netz, in a document called hotl95d.doc.

An infected document was available for download on Microsoft's WWW site in the https://www.microsoft.com/switzerland/de/Misc/ hierarchy for several days, possibly weeks.

Variant:Wazzu.B

The part of the payload that activates with a probability of 1/4 contains a syntax error.

Variant:Wazzu.C

The Payload subroutine is not present and not called, so it has no payload. The RndWord subroutine is still present but not called.

Variant:Wazzu.D

Both the Payload and the RndWord subroutines (and the calls to them) are missing, so no payload.

Variant:Wazzu.E

Like Wazzu.D, but one unnecessary line ("Goto bye") has been removed. No payload.

Variant:Wazzu.F

The payload subroutine is renamed to EatThis. With a probability of 1/10 it displays a message box saying "This one's for you, Bosco.".

Variant:Wazzu.G

The part of the payload which inserts the word "wazzu" is corrupted; otherwise it is like Wazzu.A.

Variant:Wazzu.X

Meatgrinder

Wazzu.X contains this text:

The Meat Grinder virus - Thanks to Kermit the Frog, 
and Kermit the Protocol

This virus is not particularly widespread, but it got lots of attention in January 1997, when the US military Assist team sent out this warning:

[JOINT STAFF WASHINGTON DC//J6Z//@ams.com] 01/14/97/16:51

UNCLAS

AMP/ DESTRUCTIVE COMPUTER VIRUS DETECTION AND ERADICATION// RMKS/

1. ALL MILITARY SITES SHOULD TAKE IMMEDIATE ACTION TO DETECT AND ERADICATE TWO (2), NEW DESTRUCTIVE VARIANTS OF MACRO VIRUSES CALLED MEATGRINDER (ALSO KNOWN AS WAZZU.X). THE VIRUSES DESTROY HARD DRIVES, OR AT A MINIMUM, DATA ON HARD DRIVES. BE ADVISED, MANY VIRUS DETECTION PACKAGES DO NOT DETECT OR ERADICATE THESE PARTICULAR VIRUS STRAINS. THE VIRUSES HAVE A 48 HOUR TIME DELAY AND GIVE THE COMPUTER OPERATOR NO INDICATION OF INFECTION.

2. THE EXECUTABLE FILES REQUIRED TO DETECT AND ERADICATE THESE VIRUSES ARE AVAILABLE THROUGH THE DEFENSE INFORMATION SYSTEMS AGENCY (DISA) ASSIST WEB SITE LOCATED AT WWW.ASSIST.MIL. IF YOU CAN NOT ACCESS THE WEB OR REQUIRE ADDITIONAL ASSISTANCE, CONTACT THE DISA GLOBAL OPERATIONS AND SECURITY CENTER HELP DESK AT DSN (312) 327-4700 OR 1-800-357-4231; EMAIL ADDRESS: VIRUS@ASSIST.MIL.

3. THIS IS A DISA AND JOINT STAFF J6 COORDINATED MSG.

Variant:Wazzu.DG

Origin:France

This is another Wazzu variant, but this one seems to be more widespread than most of the others.

Wazzu.DG activates on the 14th of July. At that time it might modify the Word settings and also insert this text into the current document:

Les employes les plus incompetents sont systematiquement
promus aux postes ou ils se revelent le moins dangereux:
l'encadrement."

The virus might also introduce some common French typing errors into the current document.

Variant:Wazzu.DH

Origin:France

This variant infects documents when they are closed, because it consists of a single AutoClose macro (instead of AutoOpen as in the previous variants).

The part of the Payload subroutine that inserts the text 'wazzu' is missing.

Sometimes the virus deletes words and inserts the following text in the infected document:

BIG F... TO LAVOISIER LYCEE DE MERDE

The virus body contains this text:

Sorry for the man or woman who have created azuzw,but it's for 
a good reason.Thanks you very much, AND F... LAVOISIER !!!!!!!

Variant:Wazzu.DO

Origin:France

Wazzu.DO is a special case: This virus was written by a French company as an Anti-Virus macro. Unfortunately they created a new virus in the process.

This virus has an AutoClose macro instead of the AutoOpen macro of the original Wazzu Word macro virus.

At its beginning, Wazzu.DO contains the following text:

VirusMacroWord du Xxxxxx Xxxxxxxxxxxx xx XXXXX
Virus Anti Virus du 14 juillet 1997
v0.1b - Sgt THERY - 18/07/97

There are some minor changes in the virus code. The Payload subroutine is not present and not called.

Variant:Wazzu.DP

Origin:France

As in Wazzu.C, the Payload subroutine is missing; the RndWord subroutine is still present, but not called.

In this variant one line has been changed for the French version of Word.

Variant:Wazzu.DU

AntiNS

This is a simple variant of Wazzu, which is detected as AntiNS or Nightshade by some other anti-virus products.

It contains these texts:

Vaccination to get rid of the NightShade word macro virus,
that pretends to be an anti-virus Macro called ScanProt!
11/97, AxThis is a vaccination response to the NightShade Word Macro
Virus. It allows itself to be copied just like the original
virus, so that it reproduces the vaccination just like the
virus but all the code to lock the user's files has been
removed. I am tired of telling the lab idiots to clean this
mess - JML, 11/97

WM/Wazzu.DU does not have any destructive payload.
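
The variant differences listed above can be turned into a coarse triage step for a macro that a scanner has already flagged as Wazzu. The following is an added example, not F-Secure's detection logic: it assumes the macro has already been extracted to WordBasic source text by some other tool, and the function names and sample skeletons are constructed for illustration.

```python
import re

# Texts this page quotes for specific variants; a hit names the variant directly.
MARKERS = [
    ("Wazzu.X", "The Meat Grinder virus"),
    ("Wazzu.DG", "Les employes les plus incompetents"),
    ("Wazzu.DH", "LAVOISIER"),
    ("Wazzu.DO", "Virus Anti Virus du 14 juillet 1997"),
    ("Wazzu.DU", "Vaccination to get rid of the NightShade"),
]

def defined_subs(source):
    """Names of subroutines defined in WordBasic source, lower-cased."""
    return {n.lower() for n in re.findall(r"(?im)^[ \t]*Sub[ \t]+(\w+)", source)}

def is_called(source, name):
    """True if `name` appears as a statement on a line of its own."""
    return re.search(rf"(?im)^[ \t]*{re.escape(name)}[ \t]*$", source) is not None

def triage(macro_name, source):
    """Return the variants described on this page that fit the macro."""
    for variant, marker in MARKERS:
        if marker in source:
            return [variant]
    subs = defined_subs(source)
    if macro_name.lower() == "autoclose":
        return ["Wazzu.DH", "Wazzu.DO"]           # the AutoClose variants listed
    if "eatthis" in subs:
        return ["Wazzu.F"]                        # payload subroutine renamed
    if "payload" in subs:
        return ["Wazzu.A", "Wazzu.B", "Wazzu.G"]  # differ only inside Payload
    if "rndword" in subs and not is_called(source, "RndWord"):
        return ["Wazzu.C", "Wazzu.DP"]            # DP: one line changed for French Word
    if "rndword" not in subs:
        has_goto = re.search(r"(?im)^[ \t]*Goto[ \t]+bye[ \t]*$", source)
        return ["Wazzu.D"] if has_goto else ["Wazzu.E"]
    return []

# Constructed skeletons: subroutine layout only, no virus logic.
SAMPLE_C = "Sub MAIN\nOn Error Goto bye\nbye:\nEnd Sub\n\nSub RndWord\nEnd Sub\n"
SAMPLE_D = "Sub MAIN\nGoto bye\nbye:\nEnd Sub\n"

if __name__ == "__main__":
    print(triage("AutoOpen", SAMPLE_C), triage("AutoOpen", SAMPLE_D))
```

Where the page gives no structural difference (A, B and G, or C and DP), the function returns all candidates and the final call is left to the scanner's exact identification.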