Word 6 and Word 95 macro viruses, which freely interact and inter-infect documents and systems running both versions of Word, now occupy three of the top five positions on Virus Bulletin's infection list at http://www.virusbtn.com. The original Concept.A Word virus, released in June 1995, has the ignominious distinction of being the most common computer virus, of any kind, in the world. There are hundreds of different Word macro virus strains. Many of them breed as fast as rabbits.

Word 97 is a horse of a different color. As of this writing, there are three identified Word 97 viruses, and none of them are common. One was written specifically for Word 97, but the other two mutated from similar Word 6/95 viruses. And therein lies an interesting story. . .

Word 6 and Word 95 both use the WordBasic macro language. It's an older language, not terribly sophisticated, but extremely powerful. Word 97 uses a completely different macro language called Visual Basic for Applications (VBA/Word). When Word 97 encounters a macro written in WordBasic (that is, a macro that runs in Word 6 or Word 95) it automatically converts the macro to VBA/Word, so it will run in Word 97. Microsoft took advantage of that conversion step to wipe out old Word 6/95 viruses, so they won't infect Word 97 installations or Word 97 documents.

The WordBasic-to-VBA/Word macro converter in Word 97 contains, in effect, a "brick wall" that prevents almost all the strains of all the common Word 6/95 viruses from being translated into Word 97. So, for example, when you open a Word 6 document that's been infected by the Concept.A virus, Word 97 simply fails to convert the infectious part of the document. The infecting parts of the virus hit this "brick wall" and just don't convert to VBA/Word, so they can't infect Word 97 systems or Word 97 documents.

So how, you may wonder, did two Word 6/95 viruses mutate to Word 97? Well, it wasn't easy.

Back when Microsoft was beta-testing Office 97, it distributed tens of thousands of test copies of Office 97, identified as Office 97 Beta 2. This "Marketing Beta," as it was known, contained almost all of the features destined to become part of Office 97. As is common in a beta, some of the pieces worked, some didn't. And one of the key pieces that didn't work was this macro virus "brick wall."

Rather predictably, somebody, somewhere, probably using the Office 97 Marketing Beta, opened a Word 6 document infected with the Wazzu.A virus. Since the "brick wall" wasn't working, when that person saved the document, all of the Wazzu.A WordBasic virus macro got saved along with it. Only at that point the virus had been automatically translated to VBA/Word. In effect, while nobody was looking, Wazzu.A mutated from a Word 6/95 virus to a Word 97-specific virus. And that one infected document has spread this new W97M/Wazzu.A virus all over the world. ("W97M" stands for "Word 97 Macro.")

While it would be hard for anyone infected with the virus to appreciate the aesthetics of the situation, this mutation was, in fact, quite remarkable. The virus was hardy enough (and the translator robust enough) to allow this self-propagating program to make the leap from old, battered WordBasic to the fancy high tech world of VBA/Word. W97M/Wazzu.A is now infecting its way around Word 97 installations, all over the world.

The old Wazzu.A virus, which you can read about on this site, infects Word 6/95 documents as they are opened in Word 6/95. The virus is a data diddler. On random occasions it will move around words in a document, sometimes inserting the string "wazzu." While it's far from the most destructive Word virus, it's a bad one. If you aren't using an anti-virus package, you can get infected and pass the infection along for months before discovering that some of your documents have randomly rearranged words. The new mutation works in pretty much the same way.

I found the first identified W97M/Wazzu.A infected document in early February, just weeks after Office 97 was released. Unfortunately that infected document was sitting on the Microsoft Web site, www.microsoft.com. It had been mirrored at various MS ftp sites, all over the world. The infected file was in a self-extracting file called REVCODES.EXE. When you run the infected REVCODES.EXE, it produces a Word 97 document called WORD97~1.DOC. If you then open that document in Word 97, you may become infected with W97M/Wazzu.A. (Note that MS has several different REVCODES.EXE files posted on its site. Only those that expanded into a document called WORD97~1.DOC were infected.)

To Microsoft's credit, copies of the infected files were removed from the Web site within minutes of my notifying them of the locations. Still, at least one file was up there for at least several days: there's no telling who downloaded copies of the file, and how many people were infected.

This virus struck from out of the blue. Nobody was expecting to see mutations like this. All of the anti-virus software manufacturers (including IBM) are working hard to find ways to detect and eradicate W97M/Wazzu.A, and any other viruses that may have mutated during the Office 97 beta test (not to mention the new Word 97 viruses that are bound to spring up). It's a difficult problem, technically, because of the sheer number of different strains involved, and because new, hard-to-detect infection methods seem to be cropping up more and more frequently.

If you're running Office 97, you can feel relieved that most strains of common macro viruses will be blocked by this "brick wall." At the same time, though, you can't become complacent. The "brick wall" isn't an anti-virus package. It's just, well, a brick wall. Your only real protection against macro viruses, no matter which applications you use, will continue to be a strong anti-virus package, religiously deployed, and frequently updated. Anything less and you're begging for trouble.