Macro Viruses
by Symantec


  1. Anti-DMV (alias MDMADMV)
  2. Atom
  3. Boom
  4. Colors (alias RainBow)
  5. Concept (alias Prank, WordMacro)
  6. Concept.FR.B
  7. DMV
  8. FormatC
  9. Friendly
  10. Hot
  11. Imposter
  12. Infezione
  13. Irish
  14. XM.Laroux
  15. NOP
  16. Nuclear
  17. Parasite
  18. Polite
  19. XM.Sofa
  20. Wazzu
  21. Xenixos

General Overview: Word Macro Virus Family

The Word Macro family of viruses uses the WordBasic macro language to infect and replicate in and among MS Word documents and templates. Most notably, this new family of viruses is platform independent: it will infect documents and templates on DOS, Macintosh, Windows 3.x, Windows 95 and Windows NT operating systems.

These viruses use several of the features of the MS Word "environment" to auto-execute viral macro code. Once an infected document is opened and the virus launched, generally, the virus will infect the user's NORMAL.DOT template. This template is the basis for the majority of other documents and templates and is globally available to all other MS Word templates on the system. Once entrenched in the NORMAL.DOT file, the virus will spread to all other documents and templates as they are opened. Note that, by default, the NORMAL.DOT template is the first document opened when you launch MS Word without specifying a different document on the command line. This will immediately put the virus in control every time you launch MS Word.

Word Macro viruses force documents to be saved as MS Word templates, regardless of the name or extension recorded for the document file. Forcing documents to be saved as templates is used as a means of propagation, because macros are not saved in standard .DOC files. Only templates can contain actual macro code and therefore serve as a carrier.

Anti-DMV (alias MDMADMV)

This is a modified version of the macro virus DMV. This uses only one (1) macro, AutoClose, and therefore infects the global template when infected documents are closed. If the global template is infected, then documents will be infected as they are closed.

On the first day of any month (for example: March 1, April 1, June 1), this virus unsuccessfully checks the platform it is running on, and attempts to delete files on the user's system. Because of a bug in the code, the virus always assumes it is running on a Windows 95 system. If the day is correct, it will attempt to delete files in the following directories:

C:\SHMK (all files)

C:\WINDOWS (all help files)

C:\WINDOWS\SYSTEM (all Control Panel files)

These commands will be unsuccessful on Macintosh platforms, but have a high probability of deleting at least some files on PCs running DOS, Windows 3.1, Windows 95 or Windows NT.

Atom

The Atom macro virus consists of four (4) macros. These are named Atom, AutoOpen, FileOpen, and FileSaveAs, and are stored in encrypted form in infected documents. If these macros are somehow unencrypted, they will be encrypted again when the document is opened. The AutoOpen, FileOpen, and FileSaveAs macros are used to infect documents and the global template.

On December 13 of any year, Atom will attempt to delete all files in the current directory (normally your document directory).

Boom

The Boom macro virus uses four (4) macros: AutoOpen, AutoExec, System, and DateiSpeichernUnter. Because DateiSpeichernUnter is German for FileSaveAs, standard documents will only be infected when using German editions of Word.

The AutoOpen macro copies itself and the other macros to the global template and calls the AutoExec macro. The AutoExec macro will call the System macro if the current time is 13:13:13 (13 minutes and 13 seconds after 1pm). The System macro will change the main menu bar from "File Edit View Insert…" to "Mr. Boombastic and Sir WIXALOT are watching you!!!!" if it is run on February 13, 1995.

It beeps as each menu item is changed. It then prints out the following string 5,000 times:

"Mr. Boombastic and Sir WIXALOT : Don't Panik, all things are removeable !!! Thanks VIRUSEX !!!"

It then creates a new template that contains the text:

"Greeting from Mr. Boombastic and Sir WIXALOT !!!"

"Oskar L., wir kriegen dich !!!"

"Dies ist eine Initiative des Institutes zur Vereidung und Verbreitung von Peinlichkeiten, durch in der Offentlichkeit stedhende Personen, unter der Schirmherrschaft von Rudi S.!"

It then sends the file to the printer.

Written in German.

Colors (alias RainBow)

The Colors macro virus is similar in nature to the other macro viruses (Concept, Nuclear and DMV) in that documents are saved as templates containing viral macros. Infection is triggered by auto-macros as well as menu commands.

Macros called by the virus are: AutoExec, AutoClose, AutoOpen, FileExit, FileNew, FileSave, FileSaveAs, Macros and ToolsMacro.

When any of the above macros are invoked, a counter is incremented. This counter is stored in the [windows] section of WIN.INI file (the entry is "countersu"). Every 300 times this occurs, the payload is triggered. The trigger is to save random values for the desktop colors stored in the WIN.INI. The next time the user starts Windows, the desktop colors are altered. As with Nuclear, these macros are copied "ExecuteOnly" and, as such, automatically encrypted by MS Word. They are not normally available for viewing and editing, despite being visible in the macro list.

Concept

The Concept virus uses five (5) macros to infect and spread. The macros are named: AAAZAO, AAAZFS, AutoOpen, FileSaveAs and PayLoad. All are easily visible from the Tools, Macro… menu. Upon infection, the virus will check for the presence of the PayLoad macro. It will then check for the presence of a macro named "FileSaveAs." If either are found, the virus will abort infection, otherwise the infection process begins.

The first stage of infection that the user will see is a dialog box displaying the number "1" and an OK button. Once the OK button is pressed by the user, the virus gains control. The virus replaces the File, Save As… function with its own, which forces the user to save all documents as new templates. In addition, without notice, the virus will take the contents of the AAAZAO macro and place it in another macro called AutoOpen in the new templates and copy the AAAZFS, AAAZAO and PayLoad macros to the new file. The AutoOpen macro is automatically started each time a template is opened. Thus, the virus replicates to the new documents.

Other than the number "1" displayed during initial residency, there is no message displayed. However, a message is contained in the PayLoad macro:

That's enough to prove my point

Concept.FR.B

This is a variant of the original Concept virus. It is identical in nature and function, however it has been modified and translated to work with French language versions of Microsoft Word.

Written in French.

DMV

The DMV macro virus was written and published by Joel McNamara in December of 1994. In his paper, McNamara outlines the potential of macro viruses and the vulnerability of documents, e-mail and OLE environments. At the tail end of his document, McNamara provides complete, commented source code for a fully infectious "Document Macro Virus," DMV. In addition to the source code provided, the document is intentionally infected! Although the intention of the paper may have been to instruct and advise, his paper has been posted on major Internet newsgroups and bulletin board services and has been used as a tutorial for writing some of the first macro viruses. McNamara has been heavily criticized by prominent members of the anti-virus community for making his paper available to the general public in an unabridged form. Malicious suggestions and replication code found in McNamara's paper were implemented in the Nuclear macro virus.

The DMV macro virus uses a single macro, AutoClose, which auto-executes when an infected document is closed. At each stage of infection, the virus displays a message box explaining each action as it is completed. None of the original code is destructive, although suggestions are made as to where destructive commands could be inserted. Dialogs are displayed with the following messages:

Counting global macros.

AutoClose macro virus is already installed in NORMAL.DOT.

Infected NORMAL.DOT with copy of AutoClose macro virus.

AutoClose macro virus already present in this document.

Saved current document as template.

Infected current document with copy of AutoClose macro virus.

Macro virus has been spread. Now execute some other code (good, bad, or indifferent).

FormatC

The FormatC macro is not truly a virus, but a Trojan Horse. It cannot and will not replicate. Although simplistic in nature, it can wreak great havoc on an unprotected system. It uses only one macro, AutoOpen, which automatically launches when the document is opened. The macro is tagged "ExecuteOnly" and, as such, automatically encrypted by MS Word. It is not normally available for viewing and editing, despite being visible in the macro list.

When FormatC triggers, it runs an unconditional format on your C drive, in a minimized DOS box. Standard procedures can be used to recover from the DOS format.

Friendly

The Friendly macro virus consists of twenty (20) macros, several of which are identical in content but have different names to ensure the virus functions under both German and English-language editions of Word. Most of the macros in this virus simply call other macros which reproduce or deliver its payload. When the virus is run, it checks whether it is running on a German or English version of Word, and also drops a virus onto the user's hard disk by calling DOS programs. Because of the use of DOS programs, the screen will briefly change to text mode with only a cursor in the upper left corner of the screen each time the virus is run.

The virus on the disk only reproduces, except on January 1st, when it prints the message "Eine gute neues Jahr!" - which literally translates from German as "A good new year!" The virus program "dropped" by this macro virus is detected by NAV as "Little Brother (Gen1)", while subsequent infections are detected as "Little Brother.395."

Hot

The Hot virus uses four (4) macros to infect and spread. In an effort to elude virus scanners which check only for the macro names, the virus names the macros differently depending on the infection routine. When the virus infects the NORMAL.DOT global template, it names the macros: AutoOpen, FileSave, InsertPageBreak and StartOfDoc. When it infects a document (from the global template) it names the macros: AutoOpen, DrawBringInFrOut, InsertPBreak and ToolsRepaginat. Therefore, although it uses only four (4) true macros, it has seven (7) different names for them.

All of the macros are easily visible from the Tools, Macro… menu. In addition, these macros are "ExecuteOnly" and, as such, automatically encrypted by MS Word. They are not normally available for viewing and editing, despite being visible in the macro list.

Most notably with this virus, Hot is the first to use the Word Basic ability to call any standard Windows API. This grants the virus enormous opportunity to use advanced calls and features of Windows.

The virus does deliberately destroy data. Upon initial infection, the virus adds an entry to the WINWORD6.INI file (found in the \WINDOWS directory), in the [Microsoft Word] section. The entry is QLHot=mmddyy, where mmddyy is the date of first infection. Every time an infected document is opened, the virus compares the stored date against the current date. The virus stays dormant for the first fourteen (14) days; after that, there is a chance that the virus will trigger (based upon some calculations).

When the virus triggers, it deletes all information in the document as it is opened. Specifically, when the document is opened and the virus triggers, it highlights all text in the file, deletes the text, and then saves the document again, completely empty. The exception is if the file EGA5.CPI exists in the C:\DOS directory, in which case the virus simply closes the file without any damage.

First discovered in the wild in Russia.
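Both Colors and Hot leave residue in plain-text INI files that a defender can check without opening any Word file: Colors keeps its trigger counter as "countersu" in the [windows] section of WIN.INI and fires every 300 increments, and Hot records its first-infection date as QLHot=mmddyy in the [Microsoft Word] section of WINWORD6.INI and waits out a 14-day dormancy. The following is an added example, not Symantec's or any vendor's tool, that parses constructed copies of both files and reports the counter state and the dormancy status. The sample file contents, the 19yy century assumption for the two-digit year, and the exact dormancy boundary (day 15 onward counted as eligible) are assumptions, not facts from the descriptions above.

```python
"""Check host-side residue left by the Colors and Hot macro viruses.

Added example: the two INI texts below are constructed samples, not
captures from an infected machine.
"""
import configparser
from datetime import date

COLORS_TRIGGER_INTERVAL = 300   # Colors fires its payload every 300 increments
HOT_DORMANT_DAYS = 14           # Hot stays dormant for the first 14 days

# Constructed WIN.INI: the [windows] section carries the Colors counter.
SAMPLE_WIN_INI = """\
[windows]
load=
run=
countersu=587
[colors]
Background=0 128 128
"""

# Constructed WINWORD6.INI: QLHot holds Hot's first-infection date (mmddyy).
SAMPLE_WINWORD6_INI = """\
[Microsoft Word]
USER-DOT-PATH=C:\\WINWORD\\TEMPLATE
QLHot=031296
"""


def _parse_ini(text):
    # '=' only: Windows INI files use '=' and values may contain ':' (drive letters).
    # interpolation=None keeps '%' in values literal; strict=False tolerates
    # duplicate keys, which real WIN.INI files sometimes have.
    parser = configparser.ConfigParser(interpolation=None, allow_no_value=True,
                                       strict=False, delimiters=("=",))
    parser.read_string(text)
    return parser


def colors_counter(win_ini_text):
    """Return (count, increments until the next payload), or None if absent.

    When count is an exact multiple of 300 the payload has just fired and
    the next one is a full interval away, so 'remaining' is 300 in that case.
    """
    parser = _parse_ini(win_ini_text)
    if not parser.has_option("windows", "countersu"):
        return None
    count = int(parser.get("windows", "countersu"))
    remaining = COLORS_TRIGGER_INTERVAL - (count % COLORS_TRIGGER_INTERVAL)
    return count, remaining


def hot_first_infection(winword_ini_text):
    """Return the QLHot date as a date object, or None if the entry is absent."""
    parser = _parse_ini(winword_ini_text)
    if not parser.has_option("Microsoft Word", "QLHot"):
        return None
    raw = parser.get("Microsoft Word", "QLHot").strip()
    if len(raw) != 6 or not raw.isdigit():
        raise ValueError("QLHot is not in mmddyy form: %r" % raw)
    month, day, yy = int(raw[0:2]), int(raw[2:4]), int(raw[4:6])
    return date(1900 + yy, month, day)   # assumption: two-digit year means 19yy


def hot_past_dormancy(winword_ini_text, today_iso):
    """True once the 14-day dormancy has elapsed (assumed: day 15 onward),
    False while still dormant, None if there is no QLHot entry."""
    first = hot_first_infection(winword_ini_text)
    if first is None:
        return None
    elapsed = (date.fromisoformat(today_iso) - first).days
    return elapsed > HOT_DORMANT_DAYS


if __name__ == "__main__":
    print("Colors counter (count, until next payload):", colors_counter(SAMPLE_WIN_INI))
    print("Hot first infection:", hot_first_infection(SAMPLE_WINWORD6_INI))
    print("Hot past dormancy on 1996-04-01:", hot_past_dormancy(SAMPLE_WINWORD6_INI, "1996-04-01"))
```

On a real Windows 3.x or Windows 95 system the two files live in the \WINDOWS directory; read them into `colors_counter` and `hot_past_dormancy` in place of the constructed samples. Neither entry has a legitimate reason to exist, so presence alone is the indicator; the count and date only tell you how close the payload is.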

Imposter

The Imposter virus uses two (2) macros to infect and spread. In an effort to elude virus scanners which check only for the macro names, the virus will name the macros differently depending on the infection routine. When the virus infects the NORMAL.DOT global template, it names the macros: FileSaveAs and DMV. When it infects a document (from the global template) it names the macros: AutoClose and DMV. Therefore, although it uses two (2) true macros, it has three different names for them.

Imposter is based on DMV and has no payload or trigger event. A message box entitled DMV is displayed when the global template is first infected.

Infezione

This virus deletes all document and global macros named AutoClose, presumably because Microsoft's antidote to the Concept virus resides in a macro by this name. Infected documents and templates will have a single macro named AutoOpen.

First discovered in the wild in Italy.

Irish

The Irish virus uses four (4) macros to infect and spread. In an effort to elude virus scanners which check only for the macro names, the virus will name the macros differently depending on the infection routine. When the virus infects the NORMAL.DOT global template, it names the macros: AntiVirus, AutoOpen, WordHelp and WordHelpNT. When it infects a document (from the global template) it names the macros: AntiVirus, FileSave, WordHelp and WordHelpNT. Therefore, although it uses four (4) true macros, it has six different names for them.

The WordHelp and WordHelpNT macros do not appear to run automatically. However, if they are executed manually by the user, they will turn the Windows desktop colors green. Additionally, WordHelpNT attempts to set the screen saver to Marquee with the message "Happy Saint Patties Day ... CDJ 1995." The screen saver portion of the payload does not function well under Windows 95.
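The overview explains that these viruses live in a template's macro storage and hook auto-executing macros and built-in menu commands, and the Hot, Imposter and Irish descriptions show why a scanner that matches only on macro names can be evaded: the same four macros carry different names in NORMAL.DOT and in an infected document. The following is an added example, not Symantec's scanner or any product's detection logic, that triages a macro inventory three ways: by auto-executing names, by overridden built-in commands, and by a name-independent fingerprint of macro content that matches the renamed copy to the original. It assumes the input is a dict of macro name to macro body text (a real tool would extract that from the template), the macro bodies are constructed placeholders, and the pairing of Hot's NORMAL.DOT names with its document names is an assumption about which copy corresponds to which.

```python
"""Triage a Word macro inventory by name and by name-independent content.

Added example. Inputs are dicts of macro name -> macro body text; bodies
are constructed placeholders, not the viruses' actual code.
"""
import hashlib

# Macro names that MS Word runs automatically (names taken from this page).
AUTO_MACROS = {"AutoOpen", "AutoClose", "AutoExec", "AutoExit"}

# Built-in commands that the viruses on this page replace with their own macros.
OVERRIDDEN_COMMANDS = {"FileSaveAs", "FileSave", "FileClose", "FileExit", "FileNew",
                       "FilePrint", "FilePrintDefault", "ToolsMacro",
                       "DateiSpeichernUnter"}

# Name-based signatures assembled from the descriptions on this page.
KNOWN_NAME_SETS = {
    "Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"},
    "Hot (NORMAL.DOT form)": {"AutoOpen", "FileSave", "InsertPageBreak", "StartOfDoc"},
    "Hot (document form)": {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"},
    "Imposter (NORMAL.DOT form)": {"FileSaveAs", "DMV"},
    "Imposter (document form)": {"AutoClose", "DMV"},
    "Irish (NORMAL.DOT form)": {"AntiVirus", "AutoOpen", "WordHelp", "WordHelpNT"},
    "Irish (document form)": {"AntiVirus", "FileSave", "WordHelp", "WordHelpNT"},
}

# Constructed placeholder bodies standing in for Hot's four true macros.
_BODY_A = 'Sub MAIN\n  MsgBox "placeholder body A"\nEnd Sub'
_BODY_B = 'Sub MAIN\n  MsgBox "placeholder body B"\nEnd Sub'
_BODY_C = 'Sub MAIN\n  MsgBox "placeholder body C"\nEnd Sub'
_BODY_D = 'Sub MAIN\n  MsgBox "placeholder body D"\nEnd Sub'

# Assumed pairing: each NORMAL.DOT name carries the same body as the
# document name listed in the same position in the Hot description.
HOT_NORMAL_SAMPLE = {"AutoOpen": _BODY_A, "FileSave": _BODY_B,
                     "InsertPageBreak": _BODY_C, "StartOfDoc": _BODY_D}
HOT_DOCUMENT_SAMPLE = {"AutoOpen": _BODY_A, "DrawBringInFrOut": _BODY_B,
                       "InsertPBreak": _BODY_C, "ToolsRepaginat": _BODY_D}
CLEAN_SAMPLE = {"MyMacro": 'Sub MAIN\n  Insert "signature block"\nEnd Sub'}


def _normalise(body):
    # Collapse whitespace and case so trivial reformatting does not change the hash.
    return " ".join(body.split()).lower()


def fingerprint(macros):
    """Name-independent fingerprint: sorted SHA-256 digests of each normalised body."""
    return tuple(sorted(hashlib.sha256(_normalise(b).encode("utf-8")).hexdigest()
                        for b in macros.values()))


def matches_reference(macros, reference_fingerprint):
    """True when the macro bodies match a reference sample regardless of names."""
    return fingerprint(macros) == reference_fingerprint


def triage(macros):
    names = set(macros)
    name_hits = sorted(label for label, sig in KNOWN_NAME_SETS.items() if sig <= names)
    # Heuristic: an auto-executing macro together with a hooked menu command
    # is the replication pattern described in the overview.
    heuristic = bool(names & AUTO_MACROS) and bool(names & OVERRIDDEN_COMMANDS)
    return {
        "auto_exec": sorted(names & AUTO_MACROS),
        "overrides": sorted(names & OVERRIDDEN_COMMANDS),
        "known_name_sets": name_hits,
        "suspicious": heuristic or bool(name_hits),
    }


if __name__ == "__main__":
    reference = fingerprint(HOT_NORMAL_SAMPLE)
    for label, sample in [("NORMAL.DOT", HOT_NORMAL_SAMPLE),
                          ("document", HOT_DOCUMENT_SAMPLE), ("clean", CLEAN_SAMPLE)]:
        print(label, triage(sample), "content match:", matches_reference(sample, reference))
```

The document form of Hot hooks no menu command, so the name heuristic alone would only flag it through the explicit name set; the fingerprint catches it because the bodies are unchanged. The same idea applies to Parasite, whose seven macros per file include two with identical content under different names. Normalising whitespace and case is deliberate but limited: any change to the body text defeats an exact hash, so a production scanner would pair this with the ExecuteOnly and auto-macro checks rather than rely on it alone.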

NOP

This macro virus only reproduces. It infects other documents using two (2) macros that are identical to each other. It copies itself to macros named AutoOpen and NOP in standard documents. Because it uses German menu commands, this macro virus will only propagate with German-language editions of Word.

Written in German.

Nuclear

The Nuclear virus uses nine (9) macros to infect and spread. The macros are named: AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload and PayLoad. All are easily visible from the Tools, Macro… menu. In addition, these macros are "ExecuteOnly" and, as such, automatically encrypted by MS Word. They are not normally available for viewing and editing, despite being visible in the macro list.

When an infected host document or template is opened, the virus is launched from the AutoOpen macro automatically by MS Word. The virus checks for the presence of a macro named "AutoExec." If found, the virus aborts the infection process, otherwise it copies all of the viral macros to the global template. Immediately after copying the macros, if the date is April 5th of any year, Nuclear checks for the presence of and then clears all attributes except the System attribute on C:\IO.SYS, C:\MSDOS.SYS and C:\COMMAND.COM. Then it deletes C:\COMMAND.COM.

Another means of infection is when the user attempts to save a document with the Save As… function. It copies all of the viral macros from the global template to the newly created file as it is saved. In addition, it forces the document to be saved as a template, so that the macros are stored within the new file.

The third infection macro, AutoExec, is automatically launched when MS Word is first executed. Here again the macro checks for the presence of a macro named "AutoExec." If found, the virus aborts the infection process, otherwise it copies all of the viral macros to the global template. Following the infection check, the virus polls the system time. If the time is between 5:00pm and 5:59pm (inclusive) on any day, the macro uses an elaborate DEBUG routine to drop a binary virus to the C:\DOS directory. Once the binary virus is in memory and infectious, the macro removes any trace of the dropping and infection routines.

The Ph33r virus dropped by Nuclear is a fully replicating virus unto itself. Once dropped and launched, it will infect both .COM and .EXE files. In addition, it can infect Windows executables as well as standard DOS executables.

The message carried by the virus is displayed only when printing, and then only in the last 4 seconds of any minute (if the time in seconds is 56, 57, 58 or 59). When printing any infected Word file during that time bracket, the macro virus will insert a message on the last page which is printed along with the rest of the document:

And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

Parasite

This virus replaces "and" with "not", and on the 16th of the month it also replaces "." with "," and "a" with "e" in all Word documents. Also on the 16th, it displays the following message while starting Microsoft Word:

"Parasite virus version 1.0 !"

It displays the following message while closing Microsoft Word:

"Your computer is infected with the Parasite Virus, version 1.0!"

This virus uses six (6) different macros that appear under different names in the global template and infected document files. Note that macros 1 and 2 may appear more than once under two different names. Each infected file will contain seven macros, two of which will be identical in content, as shown in the table below:

Macro    NORMAL.DOT Name(s)    Document Name(s)
Macro1   Para                  AutoOpen, Para
Macro2   FileSaveAs, Site      Site
Macro3   Payload               Payload
Macro4   AutoExec              K
Macro5   AutoOpen              A678
Macro6   AutoExit              I8U9Y13

Parasite initially infects the global template when an infected document is opened. Once the global template is infected, documents are infected when they are opened, or when they are saved using the FileSaveAs option.

Polite

Polite is a word macro virus that is made up of two (2) macros: FileClose and FileSaveAs. It is a fairly simple macro virus and is not encrypted.

The FileClose macro first displays a message box with the title "Activization" and the message "I am Alive!" Next, it checks whether NORMAL.DOT is already infected; if it is not, the macro copies its two macros into NORMAL.DOT, infecting it.

The FileSaveAs macro is the one that actually infects other documents. When you choose FileSaveAs from the File menu, a message box pops up with the message "Shall I infect the file ?" If you click "Yes" your file will be infected; otherwise the file is saved as normal without being infected. This is obviously how the virus got its name.

Wazzu

This virus uses one (1) macro to infect and spread. Infected documents and templates will have a macro called: AutoOpen.

Each time a document is opened while the virus is active, Wazzu rearranges up to three words, and may also insert the word "Wazzu" in a document. Documents will become infected upon opening.

Xenixos

The Xenixos virus uses eleven (11) different macros to reproduce, and then attempts to deliver and activate its payload. This virus carries many payloads (triggered actions) depending upon various criteria. A list follows:

Written in German.


Copyright © 1996 Symantec Corporation