|Date: ||Sat, 28 Aug 1999 13:02:35 -0500|
|Reply-To: ||Conchologists of America List <CONCH-L@LISTSERV.UGA.EDU>|
|Sender: ||Conchologists of America List <CONCH-L@LISTSERV.UGA.EDU>|
|From: ||"Sylvia S. Edwards" <sylvia@HIWAAY.NET>|
|Subject: ||Where are we headed|
|Content-Type: ||text/plain; charset="iso-8859-1"|
I received two e-mail via Conch-L this morning that are suspect as
containing a virus. The first was from email@example.com, 8/28 received by my
ISP at 9:51 AM CDT. The second was an answer to the first and was from
firstname.lastname@example.org, 8/28, received 10:01AM CDT.
When I opened the first of these e-mails, a box popped up saying it wanted
to install a "Japanese Text Display Support" program of 27MB, time approx 23
I quickly deleted it. then when I opened the second of these e-mails, the
box popped up again, and attempted to start installation. I quickly deleted
it. I went to my deleted file to the first one and found the box was greyed
out that said never install these kinds of programs.
Neither e-mail showed it had an attachment, and I feel neither were aware
they were sending it. I went to housecall virus center and had my disk
scanned. No virus showed up, but I am not certain it scans the deleted
Currently, the most prevalent virus is one that attacks word processing
programs. It comes under various names. I am pasting some information
I just wanted to warn Conch-L subscribers to be careful and not download a
program not mentioned in the e-mail.
Sylvia S. Edwards
Virus Name: W97M_TRIPLICATE
Alias: TRIPLICATE, TRISTATE
Virus Type: Macro
Number of Macros: 3
Size of Macro: 5608 bytes
Seen in the Wild: Yes
Detected by Scan Engine#: 2.062 or later
Detected by Pattern File#: 518 or later
Details: TRIPLICATE is a macro virus that can cross-infect MS WORD 97, MS
EXCEL 97, and MS POWERPOINT 97 applications.
In whichever application the virus is activated, be it from a Word document,
an Excel spreadsheet/workbook or from a PowerPoint slide, the virus will
- Crossing to MS-EXCEL: The virus searches for BOOK1.XLS in the MS Excel
Startup directory. If not present the virus creates an infected workbook in
the same directory and also disables the macro virus protection of Excel.
The virus resides in the THISWORKBOOK stream of infected excel
- Crossing to MS-WORD: For Word infections, the virus will check if its
codes are present in the "ThisDocument" Stream of the Global Template
NORMAL.DOT ). If not it will infect the global template and disable the
macro virus protection of Word.
- Crossing to MS-POWERPOINT: If there is no "Triplicate" module in "Blank
Presentation.POT" Powerpoint Template, the virus will disable the macro
virus protection of PowerPoint. It adds a viral module called "Triplicate"
into "Blank Presentation.POT" and a basic AutoShape object that covers the
entire slide. The viral module is linked to the AutoShape object.