TEGWAR: THE EXCITING GAME WITHOUT ANY RULES
-or-
COMPUTER VIRUS FUNNY BUSINESS WITH WINWORD DOCUMENTS

In the baseball movie "Bang the Drum Slowly" actor Michael Moriarty plays a star pitcher who, in cahoots with one of his team's managers, scams baseball groupies and assorted chumps out of their money with a card game they call TEGWAR. TEGWAR isn't a game, it's a con in which Moriarty and a cohort dupe people into falling for a pigeon drop where they make up a mystifying set of rules masked by the ruse of a legitimate card game. Of course, since no one can win a game with no logical rules, Moriarty - or his accomplice - always pockets the designated pigeon's betting money. When Moriarty's friend, a dim-witted catcher played by Robert DeNiro, comes down with Hodgkin's Disease, Moriarty finally lets him in on the excellent secret of The Exciting Game Without Any Rules, TEGWAR.

* "DoD is dripping in Word Concept virus . . . " -- An excitable fellow and insider who would rather not be named. *

Crypt Newsletter is now going to let you in on the secret of one of the software industry's latest versions of TEGWAR: the dilemma of the Microsoft Winword viruses.

Taking advantage of the nature of Microsoft's Word for Windows, the Winword viruses exploit an automatic function embedded in special Microsoft Word documents. What this boils down to is that executable instructions buried within documents prepared by Microsoft Word can be written to perform the basic function of a computer virus: Make a copy of itself and attach itself to another target. In this case, Winword documents.

Designed to execute commands or executive routines embedded in special documents - called .DOT files - Word has proved an excellent culture dish in which to breed simple computer viruses.
Because of reasons which include the large installed user base of WinWord, the way people promiscuously share documents produced by it, the outwardly innocuous nature of the Word Concept virus (the most common of the "macro viruses") and the lack of prompt interest in the problem by Microsoft, the "macro virus" problem has run out of control. A recent press release by the National Computer Security Association stated even Microsoft has been snakebit by Winword viruses. Predictably, this has led to a great deal of spilt blood in institutions blind-sided by rapid distribution of the virus.

However, the idea of "macro viruses" wasn't surprising. Back in 1993 Crypt Newsletter published just such a virus for the Telix PC communications program. [1] It infected other Telix sub-programs -- called scripts - which were simple lists of commands recorded into files and executed on-the-fly by Telix. An example of this type of sub-program, or script, could be one that called CompuServe and retrieved personal electronic mail. As it was written, the Telix script virus, named LittleMess, quickly flashed a Stoned virus-type message on the screen, "Legalise Marijuana." The possibility of this type of computer virus was also addressed by examples written elsewhere in computer security circles predating even then. However, LittleMess and others like it remained extremely obscure curiosities. Winword viruses are anything but.

PART II: LOTSA CONSIDERATION

* "Thank you very much, , for your thoughts. This is something I've been giving a lot of consideration of late. Sincerely, Bill." ---Bill Gates form reply to electronic mail. [Uncovered by David Applefield, March 1996] *

What has been a surprise about Word macro viruses is the industry response to them. To understand the absurd nature of it, Crypt must construct a parable minus the jargon and baffle-speak used in the usual generic attempts to describe the Word "macro virus" problem.
Now, for the sake of our story, let's pretend for a moment that Microsoft manufactures VCR's instead of operating system and business office software. Microsoft has a dominant share of the market and has just made a new model VCR. This model isn't significantly fancier than the previous model -- just newer with some bells and whistles that are nice but not absolutely essential. Of course, lots of people immediately buy these VCR's and start playing rented videotapes in them.

Someone who's tinkering around or has too much time on his hands, discovers that if he makes a minor, almost invisible change or scratch in the plastic case of a rented tape, it introduces a problem into the new VCR. This scratch makes a part called the frammis fail. The frammis is put slightly out of line and whacks the videotape housing and an adjacent part, called the neo-frammis, also inside the VCR. This doesn't ruin the videotape but it puts the same scratch into it, if it didn't have it already.

After a day, maybe a week, maybe longer -- development of the frammis/neo-frammis whacking makes tapes being played show up intermittently during play with an annoying white mistracking line on the TV. No amount of fiddling with the tracking adjustment on the VCR will fix it.

Our tinkerer thinks this is clever and he's feeling mean so he rents a tape - the most popular title, something like "Busty Babes of the Bayou," "The Toolbox Murders" or "Forrest Gump" - from Blockbuster. He puts the scratch in the videotape's housing and returns it. Now it has the potential to spread to everyone who has the Microsoft VCR and rents this tape in the region.

Months later Microsoft VCR owners are calling the company in outrage. Their VCR's are screwed up and local repairmen don't know what to do.

[Now, in one possible world, Microsoft issues a massive recall, identifies and solves the problem, and returns new, different VCR's not susceptible to the problem to consumers.
End of the frammis/scratch problem except for those people who for some reason or another don't follow the recall. Eventually, they stop using the VCR or buy a different brand. Microsoft takes a big financial hit for the quarter, but - hey - it's part of the business.]

However, in our world Microsoft sends a pack of cheap screwdrivers, a replacement frammis that sometimes doesn't work and instructions on how to fix the VCR printed on a paper the size of a chewing gum wrapper. The instructions are written in Pig Latin. Quite naturally, a lot of people can't fix the problem.

Other industry vendors rush to provide a solution. They supply a set of slightly less cheap screwdrivers, a replacement frammis that works 75 percent of the time and instructions printed on a paper that's the size of a legal pad but which no one bothers to read, anyway.

More and more Microsoft VCR's play all screwed up but no one seems too concerned. They keep buying the model. Everyone is trained to use this model of VCR and they won't switch models because they're afraid they won't be able to use other VCR's and will lose the ability to rent and enjoy videotapes.

Microsoft even issues a few thousand free sample tapes that are messed up with the frammis-buggering case flaw. This spreads the problem even further -- generally to people who have VCR's that aren't already messed up with it.

Eventually, well-meaning but clueless techno-geeks at Lawrence Livermore National Lab issue a product advisory on the VCR. It describes the problem and a new one that's slightly different but more hazardous. The new one makes the frammis and neo-frammis misbehave so wildly a big spark comes out of the front of the VCR, frying the circuitry and ruining the VCR. Since the rental tape that introduces the problem melts when this happens and cannot be returned it never spreads as far. The Lawrence Livermore National Lab memo reaches a lot of people but 90 percent don't read it because it's too long.
They will only read things that don't exceed a half page or a screenful of information. The Livermore National Lab warning [2] is pages and pages of daunting techno-gobble. The ten percent that persist in reading to the end have trouble grasping it because of language like this:

"If you don't have the Microsoft cheap screwdriver and replacement frammis set, you can use the Organizo-frammis to find and remove the broken Frammis without making things worse. The first step is to start the VCR and open the Organizo-frammis box. There are two ways to open the Organizo-frammis box:

   1. use the Tools Neo-Frammis and press the Organizo-frammis;
   2. use the File Omega-frammis and depress the Organizo-frammis.

In the Organizo-frammis box, flip the Frammis switch, click the Open Frammis button, locate the malfunctioning frammis and neo-frammis and close everything up. Back in the Organizo-frammis box, select all the Frammises listed in the file Omega-frammis and flick the off button to remove them. Flick the Close Omega-frammis switch to install the new Frammis. The Frammis is now fixed."

Frustrated, many home owners and businesses can't deal with the Frammis problem-plagued VCR from Microsoft. While it's possible to fix the contagious frammis scratch, bureaucratic entropy, apathy, confusion and institutional impediments inevitably result in failure because:

(1) Many victims of it cannot understand how the fix is to be made. The national lab warning was terrifying in its difficulty to understand. Microsoft's cheap screwdriver set doesn't work very well.

(2) Many victims don't have the time or expertise to fix the VCR right so the de-frammis'd VCR becomes re-frammis'd very quickly -- about as soon as they rent another videotape with the same contagious scratch on it. This often happens two or three times before victims junk the damn thing.

(3) Some victims bought a different frammis repair set from another vendor but it only works part of the time or if they decide to use it.
Mostly they don't use it, though, because they don't care about their frammis'd VCR.

(4) Many victims' bosses won't let them fix the frammis'd VCR because it would cost money. Besides, says the boss, "We have someone whose job it is to fix these things, thank you! But he doesn't answer voice-mail today or was skinned by an ogre, I'm not sure which. Now stop bothering me or I'll downsize you the next time we massage the stock price for our shareholders."

(5) Or, victims think the frammis'd VCR is how all VCR's are supposed to be.

A year later Microsoft markets a new, improved VCR not as susceptible to the problem but the people who have the old, brokedown VCR's don't get any trade value. They have to pay Microsoft just like everyone else does. So some just stumble on with their crippled VCR's.

Some other VCR manufacturers who previously made VCR's that worked fine all the time make new models capable of being screwed up as badly as the Microsoft model even though they've known about the problem and laughed at it for some time. This is called progress.

Now, if you retell Crypt's story to someone else we can hear them shout: "Hey, that's crazy! No way that could happen or they'd burn people at the stake in those companies." However, with a little cut and paste you can just plug Word viruses back into the place where I put "frammis" and Word 6 for "VCR." Now they'll say: "Yeah, it really stinks, but what can we do?"

This makes the Word "macro viruses" an almost perfect example of TEGWAR - an exciting game without any rules - in the software industry.

The consumer or PC user in an institution uses Microsoft Winword and is largely unaware that specific electronic documents handled by it have the potential to bite him. Microsoft ignores the phenomenon just long enough so it becomes solidly established then generates a "fix" that works poorly and which must be embroidered by other vendors.
Still more software developers jump into the breach with cures and advice - which take money - and that don't guarantee anything because they are poorly understood, poorly designed or a combination of the two.

Those trapped in Word macro virus TEGWAR lose money trying to burrow through the electronic trash heaps of on-line services, sifting and downloading information and software they can't understand most of the time. They twist and turn in a seemingly endless maze, buying software only to find it's the wrong software for them. Squirming, they buy the correct software only to find an obdurate supervisor won't let them use it throughout the institution.

Increasingly aggravated, those infected by Word virus TEGWAR sometimes see that pathogenic documents have the potential to spread the viruses in interesting ways through heterogeneous combinations of machines and software with only one thing in common: Word's micro-environment. But they also find that anti-virus software designed to control infections is not quite so flexible.

Goaded by the lash of fragmentary, gossipy on-line electronic phlogiston passed on as the biblical wisdom of computer gurus, others trapped by Word virus TEGWAR run about in a blind frenzy searching for Word "macro virus" protective software until realizing in a moment of stunning clarity that they don't _use_ Winword!

So, the only rule that is a constant in Word virus TEGWAR is that if you play, you lose cash money.

* "Thank you very much, , for your thoughts. This is something I've been giving a lot of consideration of late. Sincerely, Bill." ---Bill Gates form reply to electronic mail. [Uncovered by David Applefield, March 1996] *

Additional notes:

1. The virus written for the Telix communications program was originally called LittleMess. It was programmed by a Dutch virus-writer who travelled cyberspace under the handle of Crom-Cruach.
Crom-Cruach reasoned LittleMess was of only trivial interest because he thought few people used the programming language interpreted by the Telix program -- which his computer virus exploited -- for anything important. The name of the programming language interpreted by the Telix software is SALT.

Hang in there because this is a point of serendipitous interest. The US Navy also runs (or ran) telecommunications software it calls - you guessed it -- SALTS. The Navy's SALTS terminal is a simple Windows or DOS-running PC using little more than an off-the-shelf version of Telix driven by a series of custom made Telix sub-programs (or "macros") that create an elaborate communications system for the computer.

The SALTS program is an acronym for Streamlined Automated Logistical Transmission System. The SALTS software used on Navy PC's is responsible for logistical support and satellite-borne communications jobs ranging through inventory and tracking of ship stock, software management/distribution, Internet sessions and the sending and receiving of electronic mail and USO telegrams.

Since the software running on the SALTS terminal is written in the same programming language exploited by the LittleMess Telix virus, the SALTS PC can be easily infected by it. In the average Telix-using hobbyist PC envisioned by the hacker Crom-Cruach in 1993, this amounted to barely a few infections of predominantly non-essential computer files. However, on an average US Navy SALTS computer terminal, the same virus would create a much more massive infection since the military's software relies on hundreds of sub-program files that could serve as hosts for LittleMess.

2. The following text appeared in a Lawrence Livermore National Lab alert on Word Macro viruses. It was supposed to be a clear tutorial on ridding yourself of the Word macro viruses by hand.
No, Crypt Newsletter isn't tweezing it for effect:

"If you don't have a scanner or the protection macro, you can use the Organizer to find and remove macro viruses without infecting your system. The first step is to start Word and open the Organizer dialog box. There are two ways to open the Organizer:

   1. use the Tools Macro command and press the Organizer button;
   2. use the File Templates command and press the Organizer button.

In the Organizer dialog box click the macros tab, click the Open File button, select the infected document and click OK. Back in the Organizer dialog box, select all the macros listed in the file and click the Delete button to remove them. Click the Close File button to close and save the file. The file can now be opened normally."

Crypt Newsletter challenges PC "help desk" employees to read that to someone over the telephone.

Here's some more strangled syntax from the same memo:

"PROBLEM: Word macro viruses are no longer an isolated threat, but they are a significant hazard to the information on a computer."

In fairness, the Lawrence Livermore National Lab memo, also known as "CIAC (Computer Incident Advisory Capability) G-10: Winword Macro Viruses," is an honest attempt to get some information on a real computer hazard into as many hands as possible. It's also possible for someone with good powers of concentration and a middling-to-exceptional grasp of PC computing systems to wring useful information from it.

However, more and more, these types of bulletins serve only to emphasize the disastrous point that the average PC user in the home or business environment and the people generating the technology very rarely speak language that is mutually understood. That's a gold-plated guarantor for interesting times.