Winword-Nuclear - Another Word Macro Virus
by Paul Ducklin, Sophos, Plc (14 Sept 1995)

Another MS Word macro virus has appeared. It is known by a number of names,
including Winword-Nuclear, Wordmacro-Nuclear and Wordmacro-Alert.

Unfortunately, it was first spotted on the Internet in a publicly accessible
area that has been used in the past for the uncontrolled distribution of
viral code. Ironically (and, presumably, by malicious design) this new Word
virus is attached to a Word document which gives information about a previous
Word virus, Winword-Concept.

Operation

Infected files contain a macro which is usually run when the document is
opened. This macro is not particularly noticeable (unlike the Winword-Concept
virus, which alerts you by popping up a dialogue box).

Once actuated, the virus effectively "goes resident" by adding its infective
macros into your Word environment. It also runs a macro called PayLoad, which
wipes out your DOS system files (IO.SYS, MSDOS.SYS and COMMAND.COM) on the
fifth of April.

From then on, the viral macros alter the usual behaviour of several Word
functions. Any document saved via the Save As... menu option will be infected;
roughly every twelfth document printed will have two lines of text added at its
end:

   And finally I would like to say:
      STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

Also, next time you start up Word, the virus looks at the clock. If it is
between 17h00 and 17h59 (or, as a comment in the virus suggests, "5PM -
approx time before work is finished"), the virus attempts to inject a DOS file
virus named "Ph33r" into your system.

Lastly, the virus switches off the menu setting "Tools/Options/Prompt to save
NORMAL.DOT" every time you close a file. This means you are less likely to
notice Word saving changes that the virus has made to your global environment,
because the dialog box which warns you that this is about to happen no longer
appears.

Detection

An infected Word environment will contain a number of curiously named macros,
which you can check for in the Tools/Macro menu. Some of the obvious giveaway
names to look for on a machine infected with Winword-Nuclear are: DropSuriv
(this is the routine which tries to inject the DOS virus -- "suriv" is "virus"
backwards) and InsertPayload (this adds the anti-nuclear remarks).
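
As an added example (not part of the original advisory, and not Sophos code), the following Python script searches the raw bytes of a document or NORMAL.DOT for the macro names mentioned above: DropSuriv, InsertPayload and PayLoad. It assumes the names are stored in the file as readable single-byte or UTF-16LE text, which may not hold for every Word version, so a hit is a reason to inspect Tools/Macro rather than a diagnosis.

```python
"""Triage scan for the Winword-Nuclear macro names named in the advisory."""
import sys

# Names as given in the advisory; matched case-insensitively.
INDICATORS = ("DropSuriv", "InsertPayload", "PayLoad")

# Constructed sample bytes (not a real document) for a quick self-check.
SAMPLE = (b"\x00\x01junk" + b"DROPSURIV" + b"\x00"
          + "InsertPayload".encode("utf-16-le") + b"\xff" + b"Payload\x00")


def scan_bytes(data):
    """Return sorted (name, encoding, offset) hits found in data."""
    hay = data.lower()  # bytes.lower() folds ASCII letters only
    hits, covered = [], []
    # Longest names first, so "PayLoad" inside "InsertPayload" is not
    # reported a second time.
    for name in sorted(INDICATORS, key=len, reverse=True):
        # Assumption: names may be stored as single-byte or UTF-16LE text.
        for enc in ("ascii", "utf-16-le"):
            pat = name.lower().encode(enc)
            pos = hay.find(pat)
            while pos != -1:
                end = pos + len(pat)
                if not any(s <= pos and end <= e for s, e in covered):
                    hits.append((name, enc, pos))
                    covered.append((pos, end))
                pos = hay.find(pat, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def scan_file(path):
    """Scan one file on disk and return the same hit list as scan_bytes."""
    with open(path, "rb") as fh:
        return scan_bytes(fh.read())


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        print("self-check on constructed sample:", scan_bytes(SAMPLE))
    for path in targets:
        found = scan_file(path)
        names = sorted({name for name, _, _ in found}) or ["none"]
        print(f"{path}: {', '.join(names)}")
```

Run it with one or more file paths as arguments; with no arguments it scans only the constructed sample.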