  1. #1
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Yilgarn region of Toronto, Ontario
    Posts
    5,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    W97M.Ping.A (Word97/SR2)

    This from a respectable colleague, well-versed in technology, who scanned one of my templates with Norton Anti-virus. Norton reports the virus when ActWd073.dot is located on the laptop, but NOT when ActWd073.dot is located on the desktop. Go figure!

    "The file G:ACT documentsGrevesACT to WordActWd073.dot was infected with the W97M.Ping.A virus. The file was repaired. "

    I use GriSoft AV, and my latest update is 6/25, on which day I ran a complete check on both my 80G C drive and my 80G backup drive.

    I generally feel quite secure, since I load MSWord from a DOS Batch file, clobbering the existing Normal.DOT with my heavily-disguised very-secure special copy of Normal.dot. Viruses, even if they get past GriSoft, don't hang around for long.

    Norton's web site seems to indicate that this is a 1999 virus, adding to the mystery. http://securityresponse.symantec.com/avcen...97m.ping.a.html

    If the thing showed up on BOTH of Jeff's machines, I would have hazarded a guess that Norton's signature for W97M.Ping.A was a short string, increasing its chances of matching some part of my template.

    FWIW Jeff and I read through my code. My aps are very short, since I rely heavily on my locked library Utils.DOT and other engines. We reasoned that no virus is smart enough to insinuate inside an existing procedure, that it would set itself up as a new procedure. Nonetheless we inspected every line of source code, references, My Document, forms code etc. Not a sign of a problem.

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: W97M.Ping.A (Word97/SR2)

    Did the file repair affect any of your code? If not, perhaps it's random. Also, were the signature files on the desktop and laptop identical versions at the moment of the test?

  3. #3
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Yilgarn region of Toronto, Ontario
    Posts
    5,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: W97M.Ping.A (Word97/SR2)

    > Did the file repair affect any of your code?

    Hey! You're good!

    Further investigation revealed that of the five code modules, one was missing. My guess is that Norton, in repairing the file, flipped a bit or two causing Word/VBA to lose track of that module.


    > signature files on the desktop and laptop

    I'm not sure what you mean by this. The original template is Word97SR2, long before (?) digital signatures. The recipient site is Word2000. We checked quite carefully the (Windows Explorer, right-click) properties of the file. The date/time and number of bytes are identical.

    Today the colleague is to disable Norton for this one file, re-receive and unzip it and see what happens.

  4. #4
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: W97M.Ping.A (Word97/SR2)

    You could try opening the "repaired" file in OpenOffice.org, just for laughs.

    Anyway, the signature files, sometimes called pattern files, are the ones that the AV products use to detect malware. If the Norton product on the desktop and laptop had different signature files at that moment, it could explain why one reacted and one didn't.
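
An added illustration (not part of any post in this thread, and not how Norton or any real product works) of the two explanations raised so far: different pattern-file versions giving different verdicts on the same file, and a short pattern matching benign content by chance. All pattern names, byte strings and the sample template text are constructed for the example.

```python
"""Toy pattern-file scanner over constructed data."""

# Two constructed "pattern file" versions: detection name -> byte pattern.
PATTERNS_OLD = {"Demo.Macro.A": b"AutoOpen\x00PingHost\x00Payload"}
# The newer version adds a short, loosely chosen pattern.
PATTERNS_NEW = {**PATTERNS_OLD, "Demo.Macro.B": b"Save"}

# Constructed stand-in for the contents of a benign template.
BENIGN_TEMPLATE = b"Sub FileSave()\r\n  ActiveDocument.Save\r\nEnd Sub\r\n"


def scan(data: bytes, patterns: dict) -> list:
    """Return the sorted names of every pattern found as a substring of data."""
    return sorted(name for name, pat in patterns.items() if pat in data)


def expected_hits(file_size: int, pattern_len: int) -> float:
    """Expected chance matches of one pattern in uniformly random bytes.

    Real files are not uniformly random, so a pattern built from common
    tokens matches far more often than this lower-bound estimate suggests.
    """
    positions = max(file_size - pattern_len + 1, 0)
    return positions / 256 ** pattern_len


def verdicts() -> dict:
    """Scan the same file with both pattern-file versions."""
    return {
        "older patterns": scan(BENIGN_TEMPLATE, PATTERNS_OLD),
        "newer patterns": scan(BENIGN_TEMPLATE, PATTERNS_NEW),
    }


if __name__ == "__main__":
    for version, names in verdicts().items():
        print(f"{version}: {names or 'clean'}")
    for length in (2, 4, 8, 16):
        print(f"{length:2d}-byte pattern, 100 KB file: "
              f"{expected_hits(100 * 1024, length):.3g} expected chance hits")
```
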

  5. #5
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Yilgarn region of Toronto, Ontario
    Posts
    5,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: W97M.Ping.A (Word97/SR2)

    > You could try opening the "repaired" file in OpenOffice.org
    If we had some ham, we could have ham and eggs, if we had some eggs!

    We *Know* there's no virus, but that didn't stop me emailing the "missing" module and having Jeff Insert it manually; the program runs fine.

    Surprise! Recent tests indicate a virus on both machines, so either the Norton has been updated or the template files have been synchronised.

    I made a new version of the template and renamed the offending "ActToWord" module to be "WordToAct", just to see if a shift in the symbol table entry would make a difference. It didn't.

    This has to be a low-priority item, but I'll keep slogging away at it. The application is a forms generator. Our idea is that Jeff can carry this to various clients and use it to generate forms. It will be important that it NOT trigger false alerts during the 60 minutes it should take Jeff to install the beast.

    I'll probably try various shuffling of source code (such as stripping comments, sorting procedures by name etc.) in an attempt to spot just what seems to be triggering the alert.

    In doing that, I'm aware that the pattern might be deep within the bowels of the template, unaffected by my work at the source level. In the limit, I may even get to remove all the source code and discover that the pattern remains.

    I'll be on-site today or next week, and will set aside an hour to isolate the source of the trigger.

  6. #6
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: W97M.Ping.A (Word97/SR2)

    Hopefully an export forms and code, create new template, import forms and code cycle will cure any hidden problems.

  7. #7
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Yilgarn region of Toronto, Ontario
    Posts
    5,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: W97M.Ping.A (Word97/SR2)

    > create new template, import

    Nah. Tried that.

    I was over there last night, tug-of-war between me wanting to trash Norton completely (as in rename Folder and reboot), and Jeff.

    I'm beginning to think that it MIGHT be any one of my three routines in MyDocument (Fileprint, FileSave, FilesaveAs) that Norton has detected. Last night's two hours was supposedly set aside for testing my ap, and although we spent an hour trying to find Norton, we didn't spend the time playing with the template.

    In the week ahead I will offer Jeff a template WITHOUT the three routines, and see if that gets by Norton.

    I figure that the trigger is either the source code (perhaps as specified above) OR the guts of the project, i.e. encoded binary.

    Either way, this is a bit of a time-bomb, because I'm supposed to be writing an application that Jeff, as support analyst, will sell at high profit to many clients. We can't afford to have client machines baulk at a simple Forms generator.

    Thanks for the response; I'll keep you informed.

  8. #8
    Platinum Lounger
    Join Date
    Feb 2001
    Location
    Yilgarn region of Toronto, Ontario
    Posts
    5,453
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: W97M.Ping.A (Word97/SR2)

    I have been prompted to follow-up. Ooops!

    I just 'phoned Jeff to see if he can remember what happened. It appears that he had Norton on one m/c, and that this declared a virus, but not on the other machine. We ended up d/l my template to the unprotected machine, then transferring it by floppy to the protected machine.


    So, my best guess right now is that Norton detected a string which to it was suspicious. I know that templates are semi-tokenised - I usually see identifiers whose initial character(s?) are replaced with a coded byte, presumably holding the original alphabetic plus some pointer information. Perhaps such a string rang a bell in Norton's database?

  9. #9
    3 Star Lounger
    Join Date
    Jan 2001
    Location
    Marietta, Georgia, USA
    Posts
    296
    Thanks
    9
    Thanked 4 Times in 4 Posts

    Re: W97M.Ping.A (Word97/SR2)

    It sounds like a false positive. I used to have a small Visual Basic 4 program that Norton flagged as a virus.

    After freaking out the first time, I just got used to ignoring the warnings. After all, I had created the EXE, and there were no other viruses found. After a year or so, Norton quit flagging my EXE as a virus threat.
    Rick Groszkiewicz
    Life is too short to drink bad wine (or bad coffee!)
