Classification

Category :

Malware

Type :

-

Aliases :

ShareFun, You have GOT to see this, Share The Fun

Summary

For more information on Word macro viruses, see WordMacro/Concept.

WordMacro/ShareFun is a Word macro virus which is loosely based on WordMacro/Wazzu. The only special thing about it is that it attempts to spread over email attachments. Every time an infected file is opened, there is a 1/4 chance the virus will activate.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

If Microsoft Mail is running, the virus attempts to send email messages to three random people listed in the local MSMail alias list. The subject of the messages will be

You have GOT to see this!

The message will contain no text, only a file attachment called DOC1.DOC, which is infected by the virus. The document itself is the document that user happened to have open when the virus activated. If the receiver double-clicks on the attachment, he will get infected by the virus and will spread the infection further with his own MSMail. Thus, ShareFun can be considered to be mix between a macro virus and an automatic chain letter.

Do notice that this is not an "email virus". You do not get infected by just reading email - you need to actively use an attachment file and you should always approach attachment files with caution.

ShareFun also has code to protect itself. If a user tries to analyze a sample of the virus via Tools/Macro or File/Templates menus, the virus will execute and infect the NORMAL.DOT template.

ShareFun was found in the wild from USA in February 1997.