Microsoft Word document macro viruses

Date: 23rd of August, 1995, updated 5th of March 1996.


Lotus Ami Pro word processor is not virus-free anymore, either. The first
virus to spread under Ami Pro has been found.

  * Introduction
  * WordMacro/DMV
  * WordMacro/Concept
  * WordMacro/Nuclear
  * WordMacro/Colors
  * WordMacro/Hot
  * NEW! WordMacro/Atom
  * Other Word macro viruses and trojans
       * WordMacro/Xenixos
       * WordMacro/Imposter
       * WordMacro/Nuclear.B.
       * WordTrojan/FormatC
       * WordTrojan/BlastC
       * WordTrojan/Weideroffnen
  * Protecting yourself against macro viruses

Introduction

Macro viruses are not a new concept - they were predicted as early as the
late eighties. At that time, the first studies about the possibility of
writing viruses with the macro languages of certain applications were made.

However, macro viruses are no longer just a theory. Currently, there are
several known macro viruses. They have all been written in WordBasic, the
powerful macro language of Microsoft Word. These viruses spread through
Word documents - Word's advanced template system makes it an opportune
environment for viral mischief. This is problematic, because people
exchange documents far more often than executables or floppy disks. Macro
viruses are also very easy to create or modify.

Although other word processors like WordPerfect and Ami Pro do support
reading Word documents, they can not be infected by these viruses. It is
not impossible to write similar viruses for these systems, however.

WordMacro/DMV

WordMacro/DMV is probably the first Word macro virus ever written. It is a
test virus, written by a person called Joel McNamara to study the behavior
of macro viruses. As such, it is no threat - it announces its presence in
the system and keeps the user informed of its actions.

Mr. McNamara wrote WordMacro/DMV over a year ago, in the fall of 1994 - at
the same time, he published a detailed study about macro viruses. He kept
his test virus under wraps until a real macro virus, WordMacro/Concept, was
recently discovered. At that point, he decided to make WordMacro/DMV known
to the public. We oppose such behaviour; although it can be argued that
spreading such information educates the public, we can also expect to see
new variants of the DMV virus, as well as totally new viruses inspired by
the techniques used in this virus. McNamara also published a skeleton for a
virus to infect Microsoft Excel spreadsheet files.

F-PROT Professional 2.20 is able to detect the WordMacro/DMV macro virus.

WordMacro/Concept

WordMacro/Concept - also known as Word Prank Macro or WW6Macro - is a real
macro virus which has been written with the Microsoft Word v6.x macro
language. It has been reported in several countries, and seems to have no
trouble propagating in the wild.

WordMacro/Concept consists of several Word macros. Since Word macros are
carried inside Word documents themselves, the virus is able to spread
through document files. This is a rather ominous development - so far,
people have only had to worry about infections in their program files. The
situation is made worse by the fact that WordMacro/Concept is also able to
function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh
6.x, as well as in Windows 95 and Windows NT environments. It is, truly,
the first functional multi-environment virus, although it can be argued
that the effective operating system of this virus is Microsoft Word, not
Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries
to infect Word's global document template, NORMAL.DOT (which is also
capable of holding macros). If it finds either the macro "PayLoad" or
"FileSaveAs" already on the template, it assumes that the template is
already infected and ceases its functioning.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it
copies the viral macros to the template and displays a small dialog box on
the screen. The box contains the number "1" and an "OK" button, and its
title bar identifies it as a Word dialog box. This effect seems to have
been meant as a generation counter, but it does not work as intended. The
dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all
documents that are created with the File/Save As command. It is then able
to spread to other systems on these documents - when a user opens an
infected document on a clean system, the virus will infect the global
document template.

The virus consists of the following macros:

       AAAZAO
       AAAZFS
       AutoOpen
       FileSaveAs
       PayLoad

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some
users may already have attached these macros to their documents and
templates. In this context, "PayLoad" sounds very ominous. It contains the
text:

       Sub MAIN
               REM That's enough to prove my point
       End Sub

However, the "PayLoad" macro is not executed at any time.

You can detect the presence of the WordMacro/Concept macro virus in your
system by simply selecting the command Macro from Word's Tools menu. If the
macro list contains a macro named "AAAZFS", your system is infected.

You can prevent the virus from infecting your system by creating a macro
named "PayLoad" that does nothing. The virus will then consider your
system already infected, and will not try to infect the global template
NORMAL.DOT. This is only a temporary solution, though - somebody may modify
the virus's "AutoOpen" macro to infect the system regardless of whether
NORMAL.DOT contains the macros "FileSaveAs" or "PayLoad".

There is also an anti-macro-virus package called WVFIX available. This
package will detect whether your copy of Word is infected, and will clean
it if needed. It can also modify your Word settings so that this specific
macro virus will be unable to infect it. In addition, WVFIX is available on
the F-PROT for DOS diskette.

The WVFIX package is available from the Data Fellows FTP site at URL
ftp://ftp.datafellows.fi/pub/f-prot/wvfix.zip. If you are located in the
United States, you might want to get the package from Command Software
System's FTP site at ftp://ftp.commandcom.com/pub/fix/wvfix.zip.

If you don't have F-PROT Professional which detects this virus, you can
detect it manually with older F-PROT versions: you can do this by directly
copying the following lines to a file called USER.DEF in your F-PROT for
DOS directory:

CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67

To scan for the user-defined virus string, either configure F-PROT to scan
all files, or add the filename extension ".DO?" to the list of files F-PROT
should scan for. It is recommended that you simply scan all files in case
your users use a non-standard filename extension for their documents. Under
the Targets menu item turn on User-defined Virus Strings.

Isolate all documents or document templates that contain this search string
and examine them for the virus. Do not assume any of the files are
infected, as the strings required to identify it could occur in uninfected
documents. Instead, check suspect files with the WVFIX package mentioned
above.
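The USER.DEF mechanism above is just a raw byte-string search over every file, which is why a hit is only a lead and not a verdict. The following is an added example, not part of the original page and not F-PROT code: it parses a USER.DEF-style entry (a "CE name" line followed by a hex string, the only layout the page shows), scans byte buffers for the pattern, and applies the ".DO?" target filter the page mentions. The two sample "documents" are constructed byte strings, not real Word files; note that the clean sample contains the printable fragment "Instance" that also appears inside the Concept string, but not the full 20-byte sequence, so it is correctly not flagged.

```python
"""Scan for F-PROT style user-defined virus strings (USER.DEF).

Added example, not part of the original page and not F-PROT's own code.
The USER.DEF layout ("CE <name>" then a hex line) and the Concept search
string are taken from the page; the sample inputs below are constructed.
"""
from __future__ import annotations

import binascii
import fnmatch
import os
import re

# The one search string the page gives for WordMacro/Concept, verbatim.
USER_DEF = """\
CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67
"""

# Default target list: scan everything, as the page recommends, because
# users may store documents under non-standard extensions.
SCAN_ALL = ["*"]


def parse_user_def(text: str) -> dict[str, bytes]:
    """Return {virus name: raw byte pattern} from USER.DEF text."""
    sigs: dict[str, bytes] = {}
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        m = re.fullmatch(r"CE\s+(\S+)", lines[i])
        if not m or i + 1 >= len(lines):
            raise ValueError(f"bad USER.DEF entry at line {i + 1}: {lines[i]!r}")
        hexstr = lines[i + 1]
        if len(hexstr) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", hexstr):
            raise ValueError(f"bad hex string for {m.group(1)}: {hexstr!r}")
        sigs[m.group(1)] = binascii.unhexlify(hexstr)
        i += 2
    return sigs


def scan_bytes(data: bytes, sigs: dict[str, bytes]) -> list[tuple[str, int]]:
    """Return (name, offset) for every occurrence of every signature in data.

    An exact byte match is required; a partial overlap (e.g. only the
    printable "Instance" fragment) does not count.
    """
    hits: list[tuple[str, int]] = []
    for name, pat in sigs.items():
        off = data.find(pat)
        while off != -1:
            hits.append((name, off))
            off = data.find(pat, off + 1)
    return hits


def matches_target(filename: str, patterns: list[str]) -> bool:
    """Case-insensitive DOS-style wildcard check, e.g. ["*.DO?"]."""
    upper = os.path.basename(filename).upper()
    return any(fnmatch.fnmatchcase(upper, p.upper()) for p in patterns)


def scan_tree(root: str, sigs: dict[str, bytes],
              patterns: list[str] = SCAN_ALL) -> dict[str, list[tuple[str, int]]]:
    """Walk a directory and return {path: hits} for files that matched."""
    findings: dict[str, list[tuple[str, int]]] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not matches_target(name, patterns):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hits = scan_bytes(fh.read(), sigs)
            if hits:
                findings[path] = hits
    return findings


# Constructed samples (not real Word documents): a fake OLE header, padding,
# then either the full Concept string or only a look-alike fragment.
CONCEPT_SIG = binascii.unhexlify("646F02690D6957573649496E7374616E63650C67")
INFECTED_SAMPLE = b"\xd0\xcf\x11\xe0" + b"A" * 64 + CONCEPT_SIG + b"B" * 32
CLEAN_SAMPLE = b"\xd0\xcf\x11\xe0" + b"A" * 64 + b"WW6Instance" + b"B" * 32

if __name__ == "__main__":
    sigs = parse_user_def(USER_DEF)
    print("infected sample:", scan_bytes(INFECTED_SAMPLE, sigs))
    print("clean sample:", scan_bytes(CLEAN_SAMPLE, sigs))
    print("LETTER.DOC matches *.DO?:", matches_target("LETTER.DOC", ["*.DO?"]))
```

Pass `scan_tree("C:\\", sigs)` with the default pattern list to emulate "scan all files", or `["*.DO?"]` to emulate adding that extension only. Any path it reports should then be checked with WVFIX as the page says, since the string itself is not proof of infection.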

F-PROT Professional 2.20 is able to detect the WordMacro/Concept macro
virus.

WordMacro/Nuclear

WordMacro/Nuclear was recently discovered. Like WordMacro/DMV and
WordMacro/Concept, it spreads through Microsoft Word documents. The new
virus was first spotted on an FTP site on the Internet, in a publicly
accessible area which has in the past been a notorious distribution site
for viral code. Apparently, the virus's distributor has some sense of
irony; the virus was attached to a document which described an earlier
Word macro virus, WordMacro/Concept.

Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only
potentially harmful, WordMacro/Nuclear is destructive, harmful and
generally obnoxious. It consists of a number of Word macros attached to
documents. When an infected document is opened, the virus is executed and
tries to infect Word's global document template, NORMAL.DOT.

Unlike WordMacro/Concept - which pops up a dialogue box when it infects
NORMAL.DOT - WordMacro/Nuclear does not announce its arrival in the system.
Instead, it lies low and infects every document created with the File/Save
As command by attaching its own macros to it. The virus tries to hide its
presence by switching off the "Prompt to save NORMAL.DOT" option (in the
Options dialogue, opened from the Tools menu) every time a document is
closed. That way, the user is no longer asked whether changes to NORMAL.DOT
should be saved, and the virus is that much more likely to go unnoticed.
Many users relied on this option to protect themselves against the
WordMacro/Concept virus, but it obviously no longer works against Nuclear.

WordMacro/Nuclear contains several potentially destructive and irritating
routines. The next time Word is started after the initial infection, one of
its constituent macros, "DropSuriv", looks up the time in the computer's
clock. If the time is between 17.00 and 17.59, the virus tries to inject a
more traditional DOS/Windows file virus called "Ph33r" into the system (as
the virus's author has commented in the virus's code: "5PM - approx time
before work is finished"). "Suriv" is, of course, "Virus" spelled
backwards. However, due to an error, this routine does not work as intended
in any of the popular operating environments.

Another of the virus's macros, "PayLoad", tries to delete the computer's
system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is the
fifth of April. This attempt will fail due to a programming error (virus
authors never seem to test-drive the destructive parts of their code). And
finally, the virus adds the following two lines:

       And finally I would like to say:
       STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

to the end of any document printed or faxed from Word during the last five
seconds of any minute. Since the text is added at print time only, the user
is unlikely to notice this embarrassing change. This function is handled by
the viral macro "InsertPayload".

The virus can be detected by selecting the Macro command from the Tools
menu and checking whether the macro list contains any curiously named
macros. "DropSuriv" and "InsertPayload" are obvious giveaways.

F-PROT Professional 2.20 is able to detect the WordMacro/Nuclear virus.

WordMacro/Colors

This macro virus was posted to a Usenet newsgroup on the 14th of October,
1995. It is also known as the Rainbow virus. This macro virus infects Word
documents in a similar manner to the previous Word macro viruses, except
that it does not rely only on the auto-execute macros to operate. Thus,
this virus will be able to execute even if the automacros are turned off.
Colors contains the following macros:

       AutoClose
       AutoExec
       AutoOpen
       FileExit
       FileNew
       FileSave
       FileSaveAs
       ToolsMacro
       macros

All macros are encrypted with the standard Word execute-only feature.

When an infected document is open, the virus will execute when the user:

  * Creates a new file
  * Closes the infected file
  * Saves the file (autosave does this automatically after the infected
    document has been open for some time)
  * Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are
infected with this virus, as you will just execute the virus while doing
this. Instead, use File/Templates/Organizer/Macros command to detect and
delete the offending macros. Do note that a future macro virus will
probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line
"countersu =" in the [windows] section is incremented during the execution
of the macros. After every 300th increment the virus will modify the system
color settings; the colors of the different Windows objects will be changed
to random colors after the next boot-up. This activation routine will not
work under Microsoft Word for Macintosh.

It is interesting to note that the AutoExec macro in the virus is empty. It
is probably included just to overwrite an existing AutoExec macro - which
might contain some antivirus routines. WordMacro/Colors also enables the
automatic execution of automacros if they have been disabled, and turns off
the 'prompt to save changes to NORMAL.DOT' feature, both of which have been
used to fight macro viruses.

WordMacro/Colors seems to be carefully written; the virus even has a debug
mode built in. The virus was probably written in Portugal.

F-PROT Professional 2.21 is able to detect the WordMacro/Colors macro
virus.

WordMacro/Hot

WordMacro/Hot was the first Word macro virus written in Russia. It was
found in the wild over there in January 1996.

Hot spreads in a similar manner to the WordMacro/Concept virus: when an
infected DOC is first opened, the virus modifies the NORMAL.DOT file, and
will spread to other documents after that.

Unlike the earlier Word macro viruses, Hot does not replicate with the
File/Save As command - it infects only during the basic File/Save command.
This means that Hot will infect only existing documents in the system - not
new ones.

Infected documents contain the following four macros, which are visible in
the macro list:

  * AutoOpen
  * DrawBringInFrOut
  * InsertPBreak
  * ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros to:

  * StartOfDoc
  * AutoOpen
  * InsertPageBreak
  * FileSave

Macros have been saved with the 'execute-only' feature, which means that a
user can't view or edit them.

WordMacro/Hot contains a counter. It adds a line like this to the
WINWORD6.INI file:

       QLHot=35112

This number is a day count within the current century. Hot adds 14 to this
number and then waits until this latency time of 14 days has passed. Hot
will spread normally during this time; it just will not activate.
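Both WordMacro/Colors and WordMacro/Hot leave their counters in plain INI files, so an infection can be confirmed without ever listing macros (which, in the case of Colors, would execute the virus). The following is an added example, not part of the original page and not Data Fellows code: it parses Windows 3.x style INI text and reports the "countersu" line in the [windows] section of WIN.INI (Colors, described above) and the "QLHot=" line in WINWORD6.INI (Hot, this section). The INI contents are constructed samples; the section name "[Microsoft Word]" used for WINWORD6.INI is an assumption, as the page gives only the key, and the conversion of Hot's day number to a calendar date assumes the count starts at 1 January 1900, which the page does not state.

```python
"""Check WIN.INI / WINWORD6.INI for the counters left by the Colors and Hot
Word macro viruses.

Added example, not part of the original page. Key names and the 300 / 14
constants come from the page; sample INI text is constructed. Assumptions
(not from the page): the WINWORD6.INI section name, and the 1900-01-01
epoch used to turn Hot's day count into a date.
"""
from __future__ import annotations

from datetime import date, timedelta

COLORS_PERIOD = 300      # page: colours are changed after every 300th increment
HOT_LATENCY_DAYS = 14    # page: Hot adds 14 to the day number and waits
HOT_EPOCH = date(1900, 1, 1)  # assumption: "days during this century" counted from here


def parse_ini(text: str) -> dict[str, dict[str, str]]:
    """Minimal Windows 3.x INI parser: {section_lower: {key_lower: value}}.

    Keys before any section header land in the "" section; blank lines and
    ';' comments are skipped; a later duplicate key overrides an earlier one.
    """
    sections: dict[str, dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def check_colors(win_ini_text: str) -> dict[str, int] | None:
    """Report the Colors generation counter, or None if the key is absent."""
    value = parse_ini(win_ini_text).get("windows", {}).get("countersu")
    if value is None:
        return None
    try:
        n = int(value)
    except ValueError:
        n = 0  # a bare "countersu =" with no number yet is treated as zero
    return {
        "counter": n,
        "increments_to_next_activation": COLORS_PERIOD - (n % COLORS_PERIOD),
    }


def check_hot(winword_ini_text: str) -> dict[str, int] | None:
    """Report the Hot counter from any section, or None if absent."""
    for section in parse_ini(winword_ini_text).values():
        if "qlhot" in section:
            day = int(section["qlhot"])
            return {"infection_day": day, "activation_day": day + HOT_LATENCY_DAYS}
    return None


def hot_day_to_date(day_number: int) -> date:
    """Convert Hot's day count to a calendar date (epoch is an assumption)."""
    return HOT_EPOCH + timedelta(days=day_number)


# Constructed sample INI contents (not taken from a real machine).
SAMPLE_WIN_INI = """\
[windows]
load=
run=
countersu = 287
[Desktop]
Pattern=(None)
"""

SAMPLE_WINWORD6_INI = """\
[Microsoft Word]
DOC-PATH=C:\\WINWORD
QLHot=35112
"""

if __name__ == "__main__":
    print("Colors:", check_colors(SAMPLE_WIN_INI))
    hot = check_hot(SAMPLE_WINWORD6_INI)
    print("Hot:", hot)
    if hot:
        print("Hot activates on or after", hot_day_to_date(hot["activation_day"]))
```

Read the real files from the Windows directory (`open(r"C:\WINDOWS\WIN.INI").read()`) and pass the text in; a `countersu` key in [windows] or any `QLHot` key is enough to treat the machine as infected, regardless of what the macro list shows.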

After the 14-day pause, there is a 1 in 7 chance that a document will be
erased when it is opened. The virus will delete all text and re-save the
document. Hot does not do this if it finds a file called EGA5.CPI in the
C:\DOS directory. A comment in the source code of the virus hints that this
feature was added so that the author of the virus and his friends can
protect themselves from the activation damage:

 '---------------------------------------------------------------
 '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
 '- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
 '---------------------------------------------------------------

By default, there is no file by the name EGA5.CPI in MS-DOS distributions.

WordMacro/Hot was the first macro virus to use external functions. This
mechanism allows Word macros to call standard Windows API functions. The
use of external functions is specific to Windows 3.1x, which means that
WordMacro/Hot will be unable to spread under Word for Macintosh or Word 7
for Windows 95: opening an infected document will just produce an error
message.

F-PROT Professional 2.21a is able to detect the WordMacro/Hot virus.

WordMacro/Atom

WordMacro/Atom was found in February 1996. Its operating mechanism is
quite similar to WordMacro/Concept, with the following differences:

  * All the macros in this virus are encrypted (Word's execute-only
    feature)
  * The virus replicates during file openings as well, in addition to
    saving files
  * The virus has two destructive payloads

First activation happens when the date is December 13th. At this date the
virus attempts to delete all files in the current directory.

The second activation happens when a File/Save As command is issued and
the seconds of the clock are equal to 13. If so, the virus will
password-protect the document, making it inaccessible to the user in the
future. The password is set to ATOM#1.

It is not easy to give a search string for this virus: some of the
replicants are usually in files password-protected by the virus, and thus
contain no constant user-definable search string.

Disabling automacros will make Atom unable to execute and spread. Turning
on the Prompt to save NORMAL.DOT setting will make Atom unable to infect
NORMAL.DOT, but it will still be able to infect documents that are opened
or saved during the same Word session.

WordMacro/Atom is not known to be in the wild.

Other Word macro viruses and trojans

In late February and early March, the following new macro viruses were
found: WordMacro/Xenixos, WordMacro/Imposter and WordMacro/Nuclear.B.
Analysis of these will be added later.

There are also several trojans written in the Word macro language. These
typically delete data as soon as the trojanized document is opened. Since
they do not spread by themselves, they are not widespread and are not
considered to be a significant threat.

Some known macro trojans are WordTrojan/FormatC, WordTrojan/BlastC and
WordTrojan/Weideroffnen. F-PROT does not attempt to search for macro
trojans and we have no plans to add support for them.

Protecting yourself against macro viruses

There is a generic way to protect your Word against currently known macro
viruses except WordMacro/Colors. Select the command Macro from the Tools
menu and create a new macro called "AutoExec". Write the following commands
to the macro and save it:

Sub MAIN
       ' AutoExec runs every time Word starts, before any document is opened
       DisableAutoMacros
       ' 64 = information icon; confirms that the protection is active
       MsgBox "AutoMacros are now turned off.", "Virus protection", 64
End Sub

This macro will be executed automatically when Word starts. It will disable
the automacro feature which Concept, DMV, Nuclear, Hot and Atom use to
attack the system. It does not stop Colors, which overwrites the AutoExec
macro and re-enables automacros, and future macro viruses can bypass such
protection in the same way.

Currently known Word macro viruses are not able to infect certain localized
versions of Word. In these programs, the macro language commands have been
translated into the national language, and therefore macros created with
the English version of Word will not work. Since these viruses consist of
such macros, they will be unable to function.