[Esa-l] Scanner Scores

John D. Hardin jhardin at wolfenet.com
Thu Oct 12 08:34:21 PDT 2000

On Thu, 12 Oct 2000, Floyd Pierce wrote:

> I'm having a problem with Word documents that are generating a 123
> macro scanner score. Is there an easy way to show the elements
> that caused the score? The documents in question pass Norton AV
> without a problem, and I'm unable to find any macros at all in the
> documents.

 From what I've seen, a lot of A/V tools simply mangle the macro
viruses in-place and don't even try to remove them. This may render it
unrecognizable to Word or other signature-based virus scanners, but
will leave enough bits of VB code in the document to trigger

To truly clean it up, I recommend the document be saved in some format
that does not support macros, such as Rich Text (RTF) or (perhaps)
Word Perfect. Then re-load the document and save it in native format.

To see what's there, edit the document file in vi and search for:


(...where the ^@ is a literal NULL, entered by typing [CTRL]-V,
[CTRL]- at . Lines of vbscript start with a null, followed by plain-text

You should be able to see enough lines of plaintext VBscript doing
things like playing with the macro and security settings, default
document, registry, etc. to recognize that it was infected and, while
defanged, wasn't actually cleaned out. Some of them may appear to be
mangled, which is the A/V tool's disinfecting the document.

 John Hardin KA7OHZ   ICQ#15735746   http://www.wolfenet.com/~jhardin/
 jhardin at wolfenet.com      pgpk -a finger://gonzo.wolfenet.com/jhardin
  768: 0x41EA94F5 - A3 0C 5B C2 EF 0D 2C E5  E9 BF C8 33 A7 A9 CE 76 
 1024: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
  "Bother," said Pooh as he struggled with /etc/sendmail.cf, "it never
  does quite what I want. I wish Christopher Robin was here."
				-- Peter da Silva in a.s.r
   17 days until Daylight Savings Time ends

More information about the esd-l mailing list