Wazzu | |
---|---|
Type | Macro virus |
Creator | |
Date Discovered | 1996 |
Place of Origin | United States |
Source Language | Visual Basic |
Platform | MS Word |
File Type(s) | .doc |
Infection Length | One macro module |
Reported Costs |
Wazzu was a prolific macro virus from 1996. It became among the largest virus families in history. It influenced subsequent families, like the email-spreading Sharefun virus.
Behavior
Wazzu consists of the macro. When an infected document is opened, the virus infects the NORMAL.DOT template, so that any document saved afterwards will be infected with the virus.
The virus has a random counter that is used twice. It first takes a random word and moves it to a random place in the document. It may do this up to three times, depending on the counter. It then places the word "wazzu" at a random point in the document, also determined by the counter.
As the virus has not been completely debugged, the message "WordBasic Err 124" may appear.
Variants
Wazzu is one of the largest virus families in history. Most variants were only minor variations on the original. Some have a slightly different payload or no payload at all. Most are relatively unremarkable.
The Wazzu.C, T and AC do not have any payload at all. The payload subroutine is present in the virus, but it is never called. D, F, Q, W and AD lack both the call and the subroutine. F is the smallest variant, weighing in at 318 bytes. M and S call a payload subroutine, but it is missing, resulting in an error message. Wazzu.L has all of its code in one subroutine, and places "wazzu!" at the end of the document. U, AA and AD are similar to the original, but do not place "wazzu" into the document. Wazzu.Y replaces all tab spaces with eight regular spaces. K is simply a corrupted form of the original. Wazzu.X contains text that is never displayed:
The Meat Grinder virus - Thanks to Kermit the Frog,
and Kermit the Protocol
E, H, G and R are encrypted. H is corrupted and may cause an error message, or halt MS Word. The payload subroutine in G is named EatThis. There is a 1 in 10 probability that G and R will display a message:
Microsoft Word
This one's for you, Bosco.
Effects
Microsoft itself experienced a bad Wazzu infection in the Fall of 1996. Three times the virus was in some way distributed by the company. In September of 1996, the company released a "Solution Provider CD", which contained the virus in the directory \sia\mktools\case\ on the file ed3905a.doc. It was distributed to 10,000 different sites. At the Swiss ORBIT conference in Basel, Microsoft distributed a CD called "Letz Fetz on the Netz", which contained Wazzu in the file hotl95d.doc. An infected document was available for download on the Swiss German Microsoft site for several days.
Three variants (S, X and AF) were found in New Jersey. Whether they were created there or made it to there from somewhere else is uncertain. X never became widespread, but it did cause a US military Assist team to release a warning about it in January of 1997.
Name and Origin
While Wazzu is an alternative name of Washington State University, the virus may not have come from anywhere near there. Wazzu is a euphemism for the anus in the northeast and the south of the United States, which may provide a clue for its true origin. It may also be spelled "wazoo" and denote the mouth or abdomen.
Sources
Dr. Nikolai Bezroukov. Softpanorama, Frequently asked questions about the WAZZU macro virus. 1997.02.11
Kaspersky Lab. SecureList.com, Virus.MSWord.Wazzu.
Mikko Hypponen, Katrin Tocheva. F-Secure Antivirus, F-Secure Virus Descriptions : Wazzu.
John Doerrheim. Word Macro Virus.
The Urban Dictionary, wazzu.
Dictionary.com, wazoo.