DR SOLOMON'S TECHNICAL NOTE

Macro viruses


Macro viruses are the latest development in the battle against computer
viruses.  First encountered in the autumn of 1995, they have quickly
caught the imagination of the press and virus author alike.  Their
introduction into the virus world has caused a stir because they have
broken some of the established "rules":

1)  They are the first ever viruses to infect documents rather than
executable files.  The first  macro viruses seen infected Microsoft Word
documents.  In January 1996 the first AmiPro  macro virus (Green Stripe)
appeared.  It should be remembered that other word processors  (and even
other applications) could be at risk in the future.

2)  They are the first ever multi-platform viruses - not just capable of
infecting PC systems,  but Macintosh as well.

This document provides an overview to some of the better known macro
viruses:



Concept:

Aliases:  WinWord.Concept, WW6Macro, WW6Infector, WBMV (Word Basic Macro
Virus), Prank Macro

Type:  Word macro virus.

Description:
This is the first virus to infect data files. Concept infects Microsoft
Word 6 documents (*.DOC) and  the NORMAL.DOT template.  The virus makes
use of the well-developed Microsoft Word macro language, Word Basic, in
an attempt to exploit the fact that computer users exchange documents
far more often than programs.

When an infected document is opened under Microsoft Word for the first
time, the virus gets control  as an AutoOpen macro and infects the
NORMAL.DOT template (or any other template, if it has been  selected as
a global default template). A message box, with the text '1', appears
on the screen.

After this, every document saved using the File|SaveAs command is
infected with the virus.  This  normally happens when a newly-created
document is saved to the disk.

If Microsoft Word is run, then Tools|Macros is selected and the list of
macros checked, the  presence of the macros named AAAZFS, AAAZAO,
AutoOpen, PayLoad and FileSaveAs  indicates that the Microsoft Word
system is infected.

This virus works under Microsoft Word for Windows 3.x, Word for Windows
95, Word for Windows  NT, and Word for Macintosh.  This made it the
first ever multi-platform virus.  Other macro viruses  have been written
in the wake of Concept, including Nuclear, DMV, and Colors.

The Concept virus is very common in the wild.  This is largely due to
Microsoft accidentally shipping it on a CD ROM called Microsoft Windows
95 Software Compatibility Test to hundreds of OEM companies in August
1995.  Another company distributed more Concept-infected documents on
5500 copies of a CD ROM called Snap-on Tools for Windows NT shortly
afterwards.

Nuclear:

A Word .DOC file containing a description of another Word macro virus
(Concept) was uploaded to one of the publicly accessible ftp
directories at the US internet provider netcom.com.  The file in its
turn appeared to be infected with a new Word macro virus - Nuclear.

Similar to Concept, Nuclear infects NORMAL.DOT when an infected document
is opened.  Then it infects all the documents being saved using
File/SaveAs.  Unlike Concept, all macros in Nuclear are "execute-only",
i.e. protected (encrypted) in such a way that you cannot view or modify
their source code.  (You can still see the macros' names in Tools/Macro
though.)  We nevertheless succeeded in decrypting the macros and thus in
analysing and understanding the virus.

An infected document or NORMAL.DOT contains nine macros named AutoExec,
AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs,
InsertPayload and PayLoad.  The main effect of the virus, besides
replication, is that if a document is being printed while the system
clock's seconds counter is between 55 and 59 (i.e. with a probability
of approximately 1/12), two lines are added to the document and are
subsequently printed at the end of the last page:

       And finally I would like to say:
       STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

The virus was also supposed to drop a "normal" (i.e. COM/EXE/NewEXE
infecting) virus named PH33R (pronounced 'fear'), but due to a whole
set of bugs it fails to achieve this.  By the way, the virus it is
supposed to drop has nothing to do with the old Suriv virus family.  The
confusion is entirely due to the fact that the macro to do this is
called DropSuriv: 'suriv' is nothing but 'virus' reversed, and the only
thing the Suriv viruses and the DropSuriv macro have in common is the
name.

Another payload conceived by the Nuclear author should be triggered on
April 5 of any year.  The destructive macro named Payload was supposed
to damage (truncate to 0 bytes) the system files IO.SYS, MSDOS.SYS and
COMMAND.COM.  Fortunately, once again the virus author never dared to
debug this piece of code - the Payload macro does not work either, due
to bugs in it.

The virus also causes some side effects such as error messages if you
choose <Cancel> from  File/Print or File/SaveAs.


Colors:

Alias: WordMacro.Colors

Type:  Word macro virus.

Description:
Colors is a Word macro virus which most likely comes from Portugal.

When an infected document is opened under Microsoft Word (Word for
Win95, Word for NT, Word  for Windows 3.x, MacWord, ...), the virus
infects the global template (usually NORMAL.DOT). Then  every document
being created  via File/New or saved via Save or File/SaveAs is infected
by the virus. The virus contains the following ten macros:

AutoOpen,  AutoClose, AutoExec, FileNew, FileExit, FileSave, FileSaveAs,
ToolsMacro and other macros.

If macros with such names existed prior to infection, they are
overwritten by the virus.

Surprisingly enough, the AutoExec macro in the virus is an empty one -
it does nothing.  Its possible aim could be to overwrite an existing
AutoExec macro which could contain anti-virus routines (e.g. supplied
by Microsoft).

The virus can propagate even with AutoMacros being disabled (e.g. by
invoking Word as  WINWORD.EXE /mDisableAutoMacros or by using  one of
Microsoft's recent antivirus template  tools). As soon as a user chooses
File/New, File/Save, File/SaveAs, File/Exit or  Tools/Macro, the  virus
gets control and infects NORMAL.DOT.  Moreover, unlike other known
Word viruses (such as Concept, Nuclear, DMV), Colors virus cannot be
spotted by using  Tools/Macro to list active macros. The virus
intercepts Tools/Macro and effectively disables it,  while still using
it for  infection. This way Colors can be called the first macro virus
with some stealth  capabilities. Nevertheless, one can use
File/Templates/Organizer/Macros to view the  names of virus macros and
even to delete them.

As in the case of Nuclear (the first encrypted macro virus), all macros
in Colors are Execute-Only  and thus cannot be viewed/edited by means of
Microsoft Word.

The virus also enables AutoMacros (just in case the user had disabled
them) and disables Word's prompt to save changes to NORMAL.DOT.

The virus maintains a counter named 'countersu' in the [windows] section
of the WIN.INI file.  Every time a virus macro is called (with the
exception of AutoExec) the counter is incremented by one.  That is, every
time a user opens, creates, saves or closes a document, attempts to use
Tools/Macro or exits Word, the counter is incremented.  When the counter
reaches 299, and each 300th time thereafter (i.e. 299, 599, 899 and so
on), the virus triggers.  It then changes the Windows colour settings
(text, background, buttons, borders, etc.) to randomly selected colours,
so that the next time Windows is started the user is puzzled by a most
unusual and weird colour palette.
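The WIN.INI counter is the one trace of Colors that can be checked without opening Word at all. The following script is an added example (not a Dr Solomon's tool and not part of the original note): it parses WIN.INI text, reads 'countersu' from the [windows] section, and works out how many more intercepted actions remain before the palette payload fires, using the 299/599/899 schedule stated above. The sample WIN.INI contents are constructed for the example.

```python
import configparser
from typing import Optional

COUNTER_KEY = "countersu"   # key the note says Colors keeps in [windows]
PERIOD = 300                # the payload fires at 299, 599, 899, ...


def read_counter(win_ini_text: str) -> Optional[int]:
    """Return the countersu value from the [windows] section of WIN.INI
    text, or None when the key is absent or not an integer.  WIN.INI may
    contain keys without '=' and repeated keys, hence the lenient settings;
    configparser lower-cases option names, so the lookup is case-insensitive."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(win_ini_text)
    for section in parser.sections():
        if section.lower() != "windows":
            continue
        value = parser.get(section, COUNTER_KEY, fallback=None)
        if value is None:
            return None
        try:
            return int(value.strip())
        except ValueError:
            return None
    return None


def increments_until_trigger(counter: int) -> int:
    """Virus-macro calls remaining before the next colour change.  Colors
    increments the counter on every intercepted action and fires when the
    new value is 299 modulo 300: from 0 that is 299 calls, and immediately
    after a trigger a further 300."""
    remainder = counter % PERIOD
    return PERIOD - 1 - remainder if remainder < PERIOD - 1 else PERIOD


def assess(win_ini_text: str) -> dict:
    """Summarise the indicator for a WIN.INI: whether the counter exists,
    its value, and how close the payload is."""
    counter = read_counter(win_ini_text)
    if counter is None:
        return {"counter_present": False}
    return {"counter_present": True, "counter": counter,
            "calls_until_trigger": increments_until_trigger(counter)}


# Constructed WIN.INI excerpt standing in for a machine Colors has been
# running on for a while (the other keys are ordinary Windows 3.x entries).
SAMPLE_WIN_INI = """[windows]
load=
run=
NullPort=None
countersu=297
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_WIN_INI))
```

A counter that is present at all is the indicator; the call count merely tells the investigator how soon the user would have noticed. Cleaning the key from WIN.INI without removing the macros from NORMAL.DOT only resets the schedule.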


Hot:

Aliases:  Wordmacro.Hot, WM.Hot

Type:  Word macro virus.

Description:
WordMacro.Hot creates an entry in the WINWORD6.INI configuration file
which contains a "hot date" 14 days in the future, when its payload will
trigger.

The virus can then activate randomly within a few days of the "hot
date": when you try to open a document, its contents are erased instead.

The payload is disabled if C:\DOS\EGA5.CPI is found to exist.  A comment
in the virus source  code suggests that this is a "feature" designed to
protect the virus author and his friends.


Atom:

Alias:  Wordmacro.Atom

Type:  Word macro virus.

Description:
ATOM consists of 4 macros - AutoOpen, FileOpen, FileSaveAs, and ATOM -
all of which are execute-only.

When an infected document is opened, ATOM infects the global template.
If the auto macros are  disabled, the virus is rendered ineffective.
ATOM does not turn off the prompting when saving the  global template,
so if prompting is turned on you will be prompted to save changes to the
global  template at the end of the session.

After the global template is infected, ATOM calls its first destructive
payload. If the current date is  December 13, the virus deletes all
files in the current directory.

Once the virus is active (i.e., it has infected the global template), it
infects all documents which are  saved via the FileSaveAs command or
which are opened via the FileOpen command. If the seconds  field of the
current time is 13 at the time of infection, the virus encrypts the
document being saved  with the password "ATOM#1".


DMV:

Type:  Word macro virus.

Description:
DMV is the name of a Word macro virus that was written for
"demonstration" purposes by an  American computer user.  He subsequently
made his virus available for all to download via the World  Wide Web.

The author of this virus also attempted to write an Excel macro virus -
but it fails to work because of a  bug.

FormatC:

Type:  Word macro trojan.

Description:
This is not a virus, but a trojan because it does not replicate.  It
does, however, format your C: drive as  soon as the document is opened.

This trojan was posted to a Usenet newsgroup.


Wiederoffnen:

Type:  Word macro trojan.

Description:
Wiederoffnen is not a virus, but a Word macro trojan. It comes in a
Microsoft Word 2 document but  works perfectly under Word 6 too.
Wiederoffnen intercepts the AutoClose macro and when the  document is
closed plays tricks with AUTOEXEC.BAT.


Green Stripe:

Aliases:  AMP.GreenStripe

Type:  Ami Pro macro virus.

Description:
This virus infects Ami Pro document files (*.SAM) by creating for every
SAM file a corresponding  .SMM (Ami Pro macro) file with the same name
in the same directory and linking .SAM to .SMM in  such a way that
opening .SAM invokes execution of the .SMM. .SMM files are hidden and
cannot be  seen with a simple DIR command - DIR /AH will work though.

When an infected document is opened, the virus gets control and infects
all *.SAM files in the current  directory which is always Ami Pro's
default DOCS directory (...\AMIPRO\DOCS). The process is very
noticeable since all the doc files are opened and then closed one by one
and a user can see them  quickly appearing/disappearing on the screen.

Then the virus intercepts File/Save and File/Save As commands. On
File/Save As the virus infects the  document being saved.  And this is
the only way the virus can propagate to another computer. Since  both
SAM and .SMM files are necessary for the virus and since .SAM file
contains an absolute  pathname as a reference to the appropriate .SMM
file, if one simply copies either .SAM or both .SAM  and .SMM files to a
floppy and then opens .SAM under Ami Pro on a different computer, the
virus won't run. But when a document (.SAM) is copied using File/Save As
both .SAM and .SMM are  transferred and the pathname link is changed
accordingly.

File/Save was supposed to be used for the virus' payload.  On File/Save
the virus should replace all occurrences of "its" in the document with
"it's".  This did not appear to work in our experiments, however.

Unlike Word macro viruses, this Ami Pro virus is very unlikely to be
transmitted by e-mail.  Again, this is due to the fact that Ami Pro
keeps macros in separate .SMM files, while only the .SAM file is sent as
a cc:Mail attachment.

The name of the virus - Green Stripe - is taken from the virus itself.
Its main macro procedure is called Green_Stripe_virus.

Detection is made easier by a number of factors:

Firstly, as mentioned above, when an infected document is opened it is
very noticeable - the screen  keeps blinking as numerous documents are
loaded and then closed.

Secondly, after loading a document, one can go to Tools/Macros/Edit and
see whether the document  has an appropriate macro file (same name,
SMM) assigned to it to be executed on open.

Thirdly users of Dr Solomon's FindVirus v7.58 and later will detect this
virus when run with the  /DOALLFILES switch. FINDVIRU /REPAIR /DELETE
will delete infected files.

The report will contain the names of all infected (and now deleted) .SMM
files.  Then one should run Ami Pro and, for each .SMM file listed in
the report, load the .SAM file with the same name (there will be an
error message saying that the appropriate .SMM file was not found), go
to Tools/Macros/Edit and uncheck the Assign box(es).
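The Green Stripe description gives three file-level traces: a hidden .SMM beside each .SAM of the same name, the Green_Stripe_virus procedure inside that .SMM, and an absolute pathname in the .SAM pointing at the .SMM. The script below is an added example (not a Dr Solomon's tool, not FindVirus, and not from the original note) that checks a DOCS directory for all three. Where exactly Ami Pro stores the .SMM reference inside a .SAM is an assumption of this example; the note only says it is an absolute pathname, so the check looks for any DOS-style absolute path ending in .SMM. The sample directory contents are constructed placeholders.

```python
import re
import stat
from pathlib import Path
from typing import Dict, FrozenSet, List

MACRO_NAME = b"Green_Stripe_virus"   # the virus' main macro procedure (from the note)
# Absolute DOS path to a .SMM file, e.g. C:\AMIPRO\DOCS\LETTER.SMM (assumed form).
SMM_LINK = re.compile(rb"[A-Za-z]:\\[^\r\n\x00\"]*?\.SMM\b", re.IGNORECASE)


def analyse_listing(files: Dict[str, bytes],
                    hidden: FrozenSet[str] = frozenset()) -> List[dict]:
    """Core check over one directory given as a filename -> contents mapping.
    For each .SAM it looks for a same-named .SMM and reports whether that
    .SMM is hidden, whether it carries the virus macro name and whether the
    .SAM links to a .SMM by absolute path.  DOS names are case-insensitive,
    so matching is done on lower-cased names."""
    by_lower = {name.lower(): name for name in files}
    findings = []
    for lower in sorted(by_lower):
        if not lower.endswith(".sam"):
            continue
        smm_lower = lower[:-4] + ".smm"
        if smm_lower not in by_lower:
            continue
        sam_name, smm_name = by_lower[lower], by_lower[smm_lower]
        findings.append({
            "sam": sam_name,
            "smm": smm_name,
            "smm_hidden": smm_name in hidden,
            "smm_has_virus_macro": MACRO_NAME in files[smm_name],
            "sam_links_to_smm": SMM_LINK.search(files[sam_name]) is not None,
        })
    return findings


def suspicious(findings: List[dict]) -> List[str]:
    """Names of .SAM files whose companion .SMM carries the virus macro."""
    return [f["sam"] for f in findings if f["smm_has_virus_macro"]]


def scan_docs_dir(docs_dir: Path) -> List[dict]:
    """Read a real Ami Pro DOCS directory into the shape analyse_listing()
    expects.  The hidden attribute (what keeps .SMM files out of a plain DIR)
    is only exposed by os.stat on Windows; elsewhere no file counts as hidden."""
    files: Dict[str, bytes] = {}
    hidden = set()
    for path in docs_dir.iterdir():
        if not path.is_file():
            continue
        files[path.name] = path.read_bytes()
        attrs = getattr(path.stat(), "st_file_attributes", 0)
        if attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2):
            hidden.add(path.name)
    return analyse_listing(files, frozenset(hidden))


# Constructed sample standing in for ...\AMIPRO\DOCS after an infection:
# LETTER.SAM has been re-saved by the virus and gained a hidden LETTER.SMM;
# MEMO.SAM is untouched.  The file contents are invented placeholders.
SAMPLE_DOCS: Dict[str, bytes] = {
    "LETTER.SAM": b'<constructed SAM text> macro="C:\\AMIPRO\\DOCS\\LETTER.SMM" <more text>',
    "LETTER.SMM": b"<constructed SMM text> FUNCTION Green_Stripe_virus() ... END FUNCTION",
    "MEMO.SAM": b"<constructed SAM text> plain document without a macro link",
}
SAMPLE_HIDDEN = frozenset({"LETTER.SMM"})

if __name__ == "__main__":
    results = analyse_listing(SAMPLE_DOCS, SAMPLE_HIDDEN)
    for finding in results:
        print(finding)
    print("suspicious:", suspicious(results))
```

The findings list is the same information the manual Tools/Macros/Edit check yields, one document at a time; keeping the three traces separate in the output lets an investigator tell a genuine user macro (a .SMM with a link but no Green_Stripe_virus procedure) from an infection before deleting anything.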