Marc, check the contents of your c:\ for 666INSE_1.EXE as this is the
dropper file that the macro drops.  If it's there, the macro was
executed, and the dropper has probably also downloaded further malware.

Modern versions of Office will, by default, not execute the macro so you
might be safe.

I don't know if Symantec has signatures for this document, the dropper
or the payload it downloads.  Trend Micro does, so you could use their
web based HouseCall antivirus scanner from here:

http://housecall.trendmicro.com/

Andrew 8)



> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Marc Catuogno
> Sent: Wednesday, June 28, 2006 6:03 AM
> To: declude.virus@declude.com
> Subject: RE: [Declude.Virus] New Virus: zipped word doc with 
> Macro-Virus
> 
> Um, no making fun here - I opened it.  I thought it was just 
> spam someone forwarded to my spam account. I didn't find 
> the Trojan downloader on my PC.  I'm ASSUMING that you have 
> to hit the "check prices" macro button as no macro seemed to 
> auto-execute... 
> 
> I just downloaded the intelligent updater for NAV 9 (as the 
> live update button only gave me definitions of the 21st) and 
> am running a scan now.
> 
> Remind me not to make so much fun of other people for opening 
> attachments.
> 
> Marc
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of Markus Gufler
> Sent: Tuesday, June 27, 2006 2:32 PM
> To: declude.virus@declude.com
> Subject: [Declude.Virus] New Virus: zipped word doc with Macro-Virus
> 
> Some of us have noted in the past two hours that messages with 
> a zip-file as attachment have passed our virus filters
> 
> It's a zip-file containing a MS Word Document named "my_notebook.doc"
> 
> Most Virus-Scanners can't catch it. Virustotal has returned 
> only two scanners with positive results
> 
> Sophos has found "WM97/Kukudro-A" 
> UNA has found a "Macro Virus"
> 
> No other AV-Engine has caught the suspicious file.
> 
> We've added the following lines to our virus.cfg in order to 
> block as much as we can at the moment.
> 
> BANNAME prices.zip
> BANNAME apple_prices.zip
> BANNAME sony_prices.zip
> BANNAME hp_prices.zip
> BANNAME dell_prices.zip
> BANNAME My_Notebook.doc
> 
> Regards
> Markus
> 
> 
> 
> ---
> This E-mail came from the Declude.Virus mailing list.  To 
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.Virus".    The archives can be found
> at http://www.mail-archive.com.
> 
> 
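
Added example, not part of the original messages and not Declude's own code: a Python check that applies the BANNAME list quoted in the thread to both the attachment name and the file names inside a zip attachment. The function names and the sample message are constructed for illustration; how Declude itself matches BANNAME entries is not stated in the thread.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File names taken from the BANNAME lines quoted in the thread.
BANNED = {"prices.zip", "apple_prices.zip", "sony_prices.zip",
          "hp_prices.zip", "dell_prices.zip", "my_notebook.doc"}

def is_banned(name):
    # Compare only the base name, case-insensitively, so "My_Notebook.doc"
    # and "docs/my_notebook.doc" both match.
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.strip().lower() in BANNED

def find_banned(raw_message):
    """Return (attachment, member) pairs that hit the ban list.
    member is None when the attachment name itself matched."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if is_banned(fname):
            hits.append((fname, None))
        data = part.get_payload(decode=True) or b""
        if not zipfile.is_zipfile(io.BytesIO(data)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Only the central directory is read; nothing is extracted.
                hits += [(fname, m) for m in zf.namelist() if is_banned(m)]
        except zipfile.BadZipFile:
            # Fail closed: report an archive that cannot be listed.
            hits.append((fname, "<unreadable zip>"))
    return hits

def build_sample(zip_name, member_name):
    # Constructed test message: a zip holding a harmless placeholder file.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member_name, b"placeholder, not a real document")
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()
```

Checking member names as well as the attachment name means the `My_Notebook.doc` entry still matches when the zip arrives under a name that is not on the list.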

