Note: All code beyond here was imported from Wazzu on the VirusInfo Wiki due to inactivity and chance of vandalism. No one could be contacted for permission. The Malware Wiki community does not take any credit for the following text, with the exception of the Sources section. Note left by Godzilla Gamer (talk) 11:21, July 13, 2014 (UTC). Remove this note if more First Party info is added!
Wazzu consists of the macro. When an infected document is opened, the virus infects the NORMAL.DOT template, so that any document saved afterwards will be infected with the virus.
The virus has a random counter that is used twice. It first takes a random word and moves it to a random place in the document. It may do this up to three times, depending on the counter. It then places the word "wazzu" at a random point in the document, also determined by the counter.
As the virus has not been completely debugged, the message "WordBasic Err 124" may appear.
Wazzu is one of the largest virus families in history. Most variants were only minor variations on the original. Some havew a slightly differenty payload or no payload at all. Most are relatively unremarkable.
The Wazzu.C, T and AC do not have any payload at all. The payload subroutine is present in the virus, but it is never called. D, F, Q, W and AD lack both the call and the subroutine. F is the smallest variant, weighing in at 318 bytes. M and S call a payload subroutine, but it is missing, resulting in an error message. Wazzu.L has all of its code in one subroutine, and places "wazzu!" at the end of the document. U, AA and AD are similar to the original, but do not place "wazzu" into the document. Wazzu.Y replaces all tab spaces with eight regular spaces. K is simply a corruypted form of the original. Wazzu.X contains text that is never displayed:
The Meat Grinder virus - Thanks to Kermit the Frog, and Kermit the Protocol
E, H, G and R are encrypted. H is corrupted and may cause an error message, or halt MS Word. The payload subroutine in G is named EatThis. There is a 1 in 10 probability that G and R will display a message:
Microsoft Word This one's for you, Bosco.
Microsoft itself experienced a bad Wazzu infection in the Fall of 1996. Three times the virus was in some way distributed by the company. In September of 1996, the company released a "Solution Provider CD", which contained the virus in the directory \sia\mktools\case\ on the file ed3905a.doc. It was distributed to 10,000 different sites. At the Swiss ORBIT conference in Basel, Microsoft distributed a CD called "Letz Fetz on the Netz", which contained Wazzu in the file hotl95d.doc. An infected document was available for download on the Swiss German Microsoft site for several days.
Three variants (S, X and AF) were found in New Jersey. Whether they were creatred there or made it to there from somewhere else is uncertain. X never became widespread, but it did cause a US military Assist team to release a warning about it in January of 1997.
Name and Origin
While Wazzu is an alternative name of Washington State University, the virus may not have come from anywhere near there. Wazzu is a euphemism for the anus in the northeast and the south of the United States, which may provide a clue for its true origin. It may also be spelled "wazoo" and denote the mouth or abdomen.
Softpanorama, Virus.MSWord.Wazzu by Dr. Nikolai Bezroukov
Securelist (Kaspersky Labs), Virus.MSWord.Wazzu