The payload subroutine is renamed to EatThis. With a probability of
1/10 it displays a message box saying "This one's for you, Bosco.".
The part of the payload which inserts the word "wazzu" is corrupted;
otherwise it is like Wazzu.A.
Wazzu.X contains this text:
The Meat Grinder virus - Thanks to Kermit the Frog,
and Kermit the Protocol
This virus is not particularly widespread, but it got lots of attention
in January 1997, when the US military Assist team sent out this warning:
<JOINT STAFF WASHINGTON DC//J6Z//@ams.com> 01/14/97/16:51
UNCLAS
AMP/ DESTRUCTIVE COMPUTER VIRUS DETECTION AND ERADICATION//
RMKS/1. ALL MILITARY SITES SHOULD TAKE IMMEDIATE ACTION TO DETECT
AND ERADICATE TWO (2), NEW DESTRUCTIVE VARIANTS OF MACRO VIRUSES
CALLED MEATGRINDER (ALSO KNOWN AS WAZZU.X). THE VIRUSES DESTROY
HARD DRIVES, OR AT A MINIMUM, DATA ON HARD DRIVES. BE ADVISED,
MANY VIRUS DETECTION PACKAGES DO NOT DETECT OR ERADICATE THESE
PARTICULAR VIRUS STRAINS. THE VIRUSES HAVE A 48 HOUR TIME DELAY
AND GIVE THE COMPUTER OPERATOR NO INDICATION OF INFECTION.
2. THE EXECUTABLE FILES REQUIRED TO DETECT AND ERADICATE THESE
VIRUSES ARE AVAILABLE THROUGH THE DEFENSE INFORMATION SYSTEMS
AGENCY (DISA) ASSIST WEB SITE LOCATED AT WWW.ASSIST.MIL. IF YOU
CAN NOT ACCESS THE WEB OR REQUIRE ADDITIONAL ASSISTANCE, CONTACT
THE DISA GLOBAL OPERATIONS AND SECURITY CENTER HELP DESK AT DSN
(312) 327-4700 OR 1-800-357-4231; EMAIL ADDRESS: VIRUS@ASSIST.MIL.
3. THIS IS A DISA AND JOINT STAFF J6 COORDINATED MSG.
This is another Wazzu variant, but this one seems to be more widespread
than most of the others.
Wazzu.DG activates on the 14th of July. At that time it might modify the
Word settings and also insert this text into the current document:
Les employes les plus incompetents sont systematiquement
promus aux postes ou ils se revelent le moins dangereux:
l'encadrement."
The virus might also introduce some common French typing errors into
the current document.
This variant infects documents when they are closed, because it
consists of a single AutoClose macro (instead of AutoOpen as in
previous variants).
The part of the Payload subroutine that inserts the text 'wazzu' is missing.
Sometimes the virus deletes words and inserts the following text in
the infected document:
BIG F... TO LAVOISIER LYCEE DE MERDE
The virus body contains this text:
Sorry for the man or woman who have created azuzw,but it's for
a good reason.Thanks you very much, AND F... LAVOISIER !!!!!!!
Wazzu.DO is a special case: This virus was written by a French company
as an Anti-Virus macro. Unfortunately they created a new virus in the
process.
This virus has an AutoClose macro instead of AutoOpen as in the original
Wazzu Word macro virus.
At its beginning, Wazzu.DO contains the following text:
VirusMacroWord du Xxxxxx Xxxxxxxxxxxx xx XXXXX
Virus Anti Virus du 14 juillet 1997
v0.1b - Sgt THERY - 18/07/97
There are some small changes in the virus code.
The Payload subroutine is not present and not called.
As in Wazzu.C, the Payload subroutine is missing; the RndWord
subroutine is still present, but not called.
In this variant one line has been changed for the French version of Word.
This is a simple variant of Wazzu, which is detected as AntiNS or
Nightshade by some other anti-virus products.
It contains these texts:
Vaccination to get rid of the NightShade word macro virus,
that pretends to be an anti-virus Macro called ScanProt!
11/97, Ax
This is a vaccination response to the NightShade Word Macro
Virus. It allows itself to be copied just like the original
virus, so that it reproduces the vaccination just like the
virus but all the code to lock the user's files has been
removed. I am tired of telling the lab idiots to clean this
mess - JML, 11/97
WM/Wazzu.DU does not have any destructive payload.
[Analysis: Mikko Hypponen and Katrin Tocheva, F-Secure Ltd]