Vol. 2 No. 2


New Viruses Target Visio Drawings.


 
 

26 Jan 00 |  Ralph Grabowski

On 21 January, a programmer submitted a "proof of concept" virus to several anti-virus companies. The virus, written in VBA, was meant to show that Visio drawings are not immune to viruses -- just as macro-enabled Word documents have become the most common source of computer virus infections. (Of the half-dozen viruses that have shown up on my computer in the last year, four were transmitted via corporate press releases sent as Microsoft Word documents; two other viruses were email attachments.)
      The Visio virus infects VS* files with VBA (Visual Basic for Applications) in the same way that Word documents are infected. Explains Computer Associates: "Macro viruses in the MS Office suite are able to spread by intercepting particular keys, menu items, auto-macros, and events (such as Auto-Open and Auto-Close). VBA provides viruses with all the functionality and access necessary to copy macro code from one document to another."

Interestingly enough, two different anti-virus companies each declared they were the first to discover the first instance of a Visio virus. Last Friday, the headlines of their press releases read:

  •  "McAfee Avert Researchers discover [V5M/Unstable] first viruses targeted to Microsoft's Visio software." 
  •  "Computer Associates warns of VIS5/RadiantAngels ... the first virus to infect VISIO drawings."

I am guessing the virus author had some fun by sending a different virus to each anti-virus firm. Symantec also received a Visio virus, but chose not to publicize it, since the virus was "in the zoo" (exists only in virus and anti-virus labs), rather than "in the wild" (is contaminating users' files). Symantec told me the press releases from their competitors are "pretty much marketing hype that [they are] engaging in, in order to help sell their software. 
      "Symantec generally does not send out press releases regarding Zoo viruses. We feel it is not appropriate to 'hype' a Zoo virus in this manner. The fact is that many Zoo viruses are never, ever placed into circulation. These viruses thus never end up posing any real threat, as no one ever gets them.
      "Symantec will also be updating our virus definitions file for the Norton AntiVirus for this new virus. Symantec recommends that our customers update the virus list in their software (no matter the brand) at least twice a month in order to maintain a good level of protection." 
      I spent Tuesday morning searching other anti-viral Web sites, but they appeared to contain no information on the new Visio viruses.

How the Viruses Work
McAfee calls the virus "V5M/Unstable" because it works with Visio 5; is a macro virus; and displays phrases that include the word "unstable." It has variants called "V2KM/Unstable", "Visio2000.Unstable", and "Visio2k.Unstable" that work with Visio 2000.
      The virus can lurk in VST (template), VSS (stencil) and VSD (drawing) files. It is activated when you open an infected Visio document… On the 31st of any month after May, the virus will display one of the following messages:

 "Visio2000.Unstable" 
 "Unstable, it's hard to be the one who's strong" 
 "Who's always got a shoulder to cry on" 
 "Who's got a shoulder for me?" 

The virus modifies the file properties of the document to read "Visio2k.Unstable"; this marker lets the virus know whether it has already infected the file.
      Technically, this virus is a module in the ThisDocument class. The virus is called "polymorphic" because it can make changes to its own code. If you attempt to access the VBA source code (by pressing Alt+F11), the macro prevents the VBA Editor from opening. 
      The risk of this virus is considered "low" for several reasons: the virus was submitted to anti-virus companies; the virus has not been seen in any Visio drawing; the virus is a macro virus that can be easily disabled. Ironically, Visio 2000's macro-warning feature is disabled, by default; fortunately, though, the virus does not turn off the macro warning once you turn it on. As well, VSS stencil files are installed as read-only, which protects them.

Computer Associates calls the virus "V5MRadiant.A". It has variants known as "RadiantAngels" and "Radiant.A". 
      This macro virus also lurks in Visio 5 and 2000 VSS and VSD files. It, however, operates in a different manner than does the V5M/Unstable sent to McAfee. The Radiant virus detects when the user closes a document via the Document_BeforeDocumentClose event. Radiant infects clean documents when the infected file is closed. When an infected document is closed, Radiant writes an HTML file called "C:\Index.html" with the following message:

 A Multitude of Suns
 Orbit in Empty Space; 
 They Speak with their light 
 to all that is dark. 
 To me they remain silent.
 Greets [sic] to all the VX Community 
 And Radiant Angels
 its...... [sic]
 Radiant

Computer Associates agrees that the virus was written as a 'proof of concept' virus to show it is possible to infect non-MS Office files with VBA scripting. They say the virus is not deliberately destructive. 
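
The two artifacts described in this section, the "Visio2k.Unstable" property value and the text written to C:\Index.html, can be checked for directly. The Python sketch below is an added example, not code from the article or from any anti-virus vendor. It assumes Visio 5/2000 files are OLE compound files that store the property as plain ANSI or UTF-16 text; all function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound-file signature
VISIO_EXTS = {".vsd", ".vss", ".vst"}           # file types named in the article
UNSTABLE_MARKER = "Visio2k.Unstable"            # property value quoted in the article
RADIANT_LINES = ("A Multitude of Suns", "Radiant Angels")  # from the dropped HTML

def contains_text(data, text):
    """Case-insensitive match for text stored as ANSI or as UTF-16LE."""
    haystack, needle = data.lower(), text.lower()
    return needle.encode("ascii") in haystack or needle.encode("utf-16-le") in haystack

def has_unstable_marker(path):
    """True if a Visio compound file carries the Unstable property marker."""
    data = path.read_bytes()
    return data.startswith(OLE_MAGIC) and contains_text(data, UNSTABLE_MARKER)

def is_radiant_note(path):
    """True if path exists and holds the text Radiant writes on document close."""
    if not path.is_file():
        return False
    data = path.read_bytes()
    return all(contains_text(data, line) for line in RADIANT_LINES)

def scan(root, index_html):
    """Report marked Visio files under root and whether the HTML note exists."""
    marked = sorted(p.name for p in root.rglob("*")
                    if p.is_file() and p.suffix.lower() in VISIO_EXTS
                    and has_unstable_marker(p))
    return {"unstable_marker": marked, "radiant_note": is_radiant_note(index_html)}

def demo():
    """Run the scan over constructed sample files (not real infected drawings)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.vsd").write_bytes(OLE_MAGIC + b"\x00" * 64)
        (root / "marked.vsd").write_bytes(
            OLE_MAGIC + b"\x00" * 16 + UNSTABLE_MARKER.encode("utf-16-le"))
        (root / "stencil.VSS").write_bytes(OLE_MAGIC + b"Title\x00visio2k.unstable\x00")
        (root / "notes.txt").write_text("Visio2k.Unstable is only mentioned here")
        note = root / "Index.html"  # stands in for C:\Index.html
        note.write_text("<html>A Multitude of Suns ... And Radiant Angels</html>")
        return scan(root, note)

if __name__ == "__main__":
    print(demo())
```

A string match of this kind only flags the unmodified samples described above; a hit is a reason to inspect the document's VBA project, not proof of infection.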

Who are VX and Radiant Angels?
I looked up references to the "VX Community" and the "Radiant Angels." VX is a reference to the virus-exchange underground, found at www.virusexchange.org/ . Their slogan is "The day has come, That the virus shall inherit the earth, And all that get in its' [sic] way shall perish."
      I found a reference to Radiant Angels in 'The Ethikon of Bar Hebraeus' IV, 15, 15 which is described as "a collection of scattered sayings concerning Love" at http://www.orthodox.co.uk/love.htm, the Arimathea Eastern and Ancient Christianity site.
      From the context, "Radiant" appears to be the name of the virus author. But I could not find reference to any programmer calling himself Radiant at VX Web sites, which openly list such info (as well as the viruses themselves).

Response from Visio
I asked Visio for their comments (their Web site contains no info on the virus): 

"The Visio/Microsoft technical staff has looked at the code for V5M/Radiant (Visio 5 Virus). It seems to work like this: It replicates its code into currently open documents and writes an HTML file. This doesn't require any significant programming expertise, nor does it require cracking the VSD file format.
      "At this point, Visio/Microsoft has not seen the Unstable.A code for Visio 2000, but it operates in what sounds to be a similarly simple manner.
      "Visio has always had Macro Virus Protection capabilities similar to Office that users can choose to turn on or off. And although certainly not foolproof, users can prevent their template files from being changed by making sure they're read-only, which is how they're installed.
      "Unfortunately, when there exists a programming language like VBA it can be used for both creating useful and destructive applications."

All contents copyright 1999 XYZ Publishing, Ltd. Inc., and all rights are reserved. No material may be reproduced electronically or in print without written permission from XYZ Publishing, 34486 Donlyn Avenue Abbotsford BC, V2S 4W7, Canada, unless otherwise noted.