
MS Word 6.0 Macro Viruses FAQ (Note that this file is NOT an MS Word doc!)

                    MS WORD 6.x MACRO VIRUSES FAQ V2.0
                       <Frequently Asked Questions>
                     for the ALT.COMP.VIRUS Newsgroup

Before we get to the details, here is some info regarding the terms I have
chosen to use in this FAQ.

Vx or VX refers to the Virus Writing Community at large, regardless of any
individual's virus writing experience, or popularity.

AV refers to the Anti-Virus Community, including Researchers, Hobbyists,
and Software/Hardware Developers.

GUI refers to Graphical User Interface. <ex. Windows 3.1>

MAC refers to Apple MacIntosh Computers, usually both the Current POWER PC
MAC<PPC> and the earlier models. <unless otherwise stated>

MS refers to MicroSoft Corporation, and products made by them.

PC refers to IBM Brand Computers running on the x86 <including early x88,
AT, XT models> series of processors produced by INTeL, AMD, NeXTGEN, and
CYRIX, as well as IBM Clone or Compatible computers.

OS, or Operating System, will refer to the Disk Operating Systems that
handle basic I/O, file management, etc.  MS-DOS, PC-DOS, DR-DOS, DIP-DOS,
Tandy DOS, COMPAQ-DOS all fit into this category.  Operating Systems with
GUI's like WINDOWS NT, OS/2 WARP, MacOS, AMIGADos, and WINDOWS '95 also fit
this category. <it could be argued that WINDOWS '95 is NOT AN OS, as an
enhanced version of the classic MS-DOS OS is loaded prior to the loading of
WINDOWS Environment.>

Operating Environments, refers to interfaces that run on top of NON-GUI
OS's such as Windows 3.0, 3.1, 3.11, Windows for Workgroups, early OS/2
versions prior to WARP.

Operating Platform, refers to the combination of Computer Architecture, OS,
and sometimes GUI.  Examples of Platforms can include, but are not limited
to the following...

       x86 PC's running DOS
       x86 PC's running either DOS/Windows 3.0 - 3.11 <most popular>
       x86 PC's running DOS/OS/2 2.x or lower
       x386 PC's running DOS/Windows For WorkGroups 3.1 - 3.11
       X386 PC's running Windows NT 3.5
       X386 PC's running Windows '95
       x86 PC's running OS/2 Warp
       Apple Macs running MacOS <system x-7.5>
       POWERMacs running MacOS
       Alpha's running NT

When Possible, distinctions between PC and MAC centric issues will be made,
but be forewarned this document is PC heavy.

NOTE: Use of VIRII as a plural of VIRUS has been dropped from this FAQ. 
The term VIRUSES will be used instead.  Complaints can be forwarded to
ALT.COMP.VIRUS where someone will be glad to argue with you till they're
blue in the face! :)


WARNING:  User definable virus search strings are littered throughout this
document.  They will help users with older versions of Anti-Virus software. 
However, we suggest that you should acquire up-dated copies of the AV
software, which will have these strings included, and save you some
trouble.  Also note that using TOOL/MACRO as a way of hunting down macro
infections can be dangerous.  It is preferred that you use dedicated AV
software to hunt down infection.

                              [[[[ NEWS ]]]]

NOTE:  HIGH SPEED DEMONZ now has its own WWW homepage.  You will find
updated copies of this FAQ at...

as well as other sites, including many popular AV sites.  Keep an eye on
the Page, as new things will shortly be added, plus an HTML version of the
FAQ is being prepared.

With any luck, things will return to normal around here.  Updated copies of
the FAQ should resume its former schedule of updates once every 2 weeks.



       Preface: INTRODUCTION

               1.1>    WHAT IS A VIRUS?
               1.2>    WHAT IS A MS WORD MACRO VIRUS?
               - 4.1 - CONCEPT
               - 4.2 - NUCLEAR
               - 4.3 - COLORS
               - 4.4 - DMV
               - 4.5 - HOT * NEW *
               - 4.6 - MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN * NEW*
               - 4.7 - AMI PRO 3.0 MACRO VIRUS GREEN STRIPE  * NEW *
               - 4.8 - WORDMACRO ATOM / ATOMIC * NEW *
               - 4.9 - FORMATC MACRO TROJAN * NEW *
                IN DOCUMENTS
       7)  CREDITS & THANKS
       11) DISCLAIMER



During the last year, we have witnessed the birth of a whole new type of
virus, the WORD 6.0 MACRO VIRUS.  The opening statement isn't entirely
true, as the idea of MACRO viruses isn't a new one, but this is the first
time that a macro virus has spread to the point of being considered "IN THE
WILD" by the Anti-Virus Community.

It is possibly the first Virus to be truly a CROSS-PLATFORM <not including
WORMS> infector, since any systems running compatible copies of WORD 6.0,
or those systems that emulate Word 6.0's macro language can be infected.

It is also the first group of viruses that prove NON-Executables can infect
systems.  It had been theorized for years by the best in the industry, as
people started to realize the power of the MACRO Languages that were
included with programs like 1-2-3, Excel, and numerous Word-Processors.

It is far less important to classify these viruses as data or executable
code or both, than to acknowledge their existence, and the need for
preventive measures against them.

To better understand the issues covered in this FAQ, the WORD MACRO
VIRUSES, it's necessary to first explain what a virus and a macro are.



It is best to first describe what a Macro is.  A macro is a collection of
instructions to be carried out by a program or computer.  These
instructions typically handle tasks that are boring, awkward, and tedious
in nature.

DOS users have been using a macro language for years to automate the
mundane and repetitive tasks common to maintaining a computer system. 
It is commonly known as the BATCH Language.  In DOS, Files with the .BAT
extension are interpreted <by the Command Processor COMMAND.COM> and are
executed line by line, automating tasks <the most common example of a batch
file is the AUTOEXEC.BAT file, found in the root directory on every MS DOS
based PC in the world>. 

NDOS & 4DOS Users have their own enhanced version of the batch languages
<files with the extensions .BTM>, which allows the same batch files, with
additional commands, to be read by the NDOS or 4DOS command interpreters
<NDOS.COM & 4DOS.COM> as a whole file into memory for execution <which
increases the speed of the batch file>.  

OS/2 Users have enjoyed an even better Macro Language, the REXX
batch/Programming language.  It is much more robust, and better suited to
deal with demanding tasks.

WORD MACROS, are Macros that can carry out and follow lists of
instructions, usually saving a user keystrokes.  The abilities of the WORD
MACROS are limited to the functions provided by the MS WORD WordBasic
Environment, included with the WORD 6.x level of Word Processors from
MicroSoft.  NOTE: WordBasic included with WORD 1.x, 2.x have enough
similar commands in their languages to warrant consideration.

Imagine having to add your name, address, phone#, and other personal info
to dozens of documents daily, it would become tedious fast.  Macros can
automate the process, saving a lot of time and effort.  The power of the
WordBasic Macro Environment gives the users, both home users and business
users alike the ability to automate many tasks, including file management,
from within MS WORD.  Macros also include the ability to affect other
running applications, via the Word Macro language, by DDE etc.  Unknown to
the author at this time, it's been theorized that OLE ability may also
exist in the WORDBASIC macro Language. <BOTH DDE and OLE may be entry points
for future viruses>

MS WORD MACROS are only executable by the WORDBasic environment, which is
limited to functional copies of MS WORD 6.x /7.x and sometimes 2.0, as well
as WORDVIEW 7.1.  For the sake of this FAQ, MACROS will be considered Data
files.  Macros require interpretation by the WordBasic Environment, and are
not executed in the classic DOS sense.  Executables will be defined as
files that follow the classic standards, including EXE, COM, NEWEXE, BAT
<yes they are interpreted, but they are also almost always DIRECTLY
executed by the user, and as such almost fall into the same GREY area that
these macro viruses fall into> as well as the programs in the boot-sector,
master boot sectors.  It could be argued that WORD macros are a combination
of data and executable code.    A notable exception to the batch file rule,
is the WINSTART.BAT file, which Windows 3.11 for WorkGroups looks for in
every directory in the path, and tries to execute.  It'll be executed
whether the user wishes it to be or not.

NOTE: David Harley and Joseph Stafford
have noted that MicroSoft Word Wizards are
also WORD Macros.  Wizards are simply templates with the WIZ extension,
which include an AutoNew Macro, which call a Start Wizard Macro.  WIZ files
may soon fall prey to macro infections.



A computer VIRUS, is a <usually compiled> computer program, that is able
to replicate in whole or part its code, by infecting or modifying other
programs, and adding to or overwriting the code of uninfected files with
code <possibly evolved or unique forms of the infector> that will in turn
infect other programs.  Viruses must be able to replicate.  A Virus that is
unable to replicate isn't technically a virus. <by our definition>

NOTE:  Viruses can and sometimes do infect files indirectly, without
altering the CODE of executable files.  For instance, File System or
Cluster viruses ( Dir-II, BYWay ) are those which alter directory entries,
pointing a legitimate directory entry first to its malicious code, so the
virus can be executed, and then the desired program is executed.  The
program itself is not physically altered, but the directory entry is.

Viruses may, and often do have destructive bombs or payloads, which do
something other than replicate.  Many payloads include destroying data,
deleting files, encrypting parts of hard drives, etc.  Common targets for
Viruses include standard Executables like *.COM, *.EXE, and NEWEXE files,
as well as the programs used by the computer to boot up, including the
programs <executable code> found in Boot sectors, and Master Boot Sectors. 
Other DOS executables can also be infected, such as *.DLL and *.BIN, *.DRV,
*.OV? *.OB? and *.SYS files.  Not all of these executables will allow for
the proper execution of viral code, and can/may either hang the machine,
crash a session, or simply not function, producing numerous errors.  Common
examples of executable files include COMMAND.COM, EMM386.EXE,  Windows
Executables, MOUSE.DRV, DRVSPACE.BIN, and HIMEM.SYS. <everyone with Modern
release of MS-DOS and WINDOWS should recognize these files>

A sub-class of viruses, known as Trojan Horses, are commonly, and possibly
incorrectly considered viruses.   A Trojan Horse, named after the Greek
Battle Tactic, is a program, that is stated and promoted as being able to
do something useful or interesting <like a game or utility>, but in turn
does something malicious <like drop a virus for later infection>.  Trojans
typically DO NOT ACTIVELY REPLICATE.  They may inadvertently get copied
around and distributed, but this has little or nothing to do with any
replication code in the TROJAN.

NOTE : It can be argued that Viruses by the above definition, are Trojans. 
This argument would have Viruses listed as replicating Trojans.  Defining
these two groups of programs isn't really relevant, as long as you
understand the premise behind both groups.  For a more detailed definition
of VIRUSES, refer to the ALT.COMP.VIRUS VIRUS FAQ, by David HARLEY, or the
COMP.VIRUS/VIRUSL FAQ's on VIRUSES.  Both are an excellent source of virus
related info.  Both are reposted regularly to their respective newsgroups.



An MS WORD MACRO Virus, is a macro <list of instructions> or template file
<usually with the .DOT extension> which masquerades as legitimate MS WORD
documents <usually with the extension *.DOC>.  An infected *.DOC file,
doesn't look any different to the average PC user, as it can still contain
a normal document.  The difference is that this document is really just a
template or macro file, with instructions to replicate, and possibly cause
damage.  MS WORD will interpret the *.DOT macro/template file regardless of
extension, as a template file.  This allows for it being passed off as a
legitimate document <*.DOC>  This FAQ takes the position that a document is
meant to be DATA, and a MACRO is at least partially executable CODE.  When
a document has been infected, it has been merged with executable code in a
multi-part file, part data/part executable.  This tends to be hidden from
the user, who expects a document to be data that is READ, and not some
combination of DATA and executable code designed to be executed, often
against the will of the user, to wreak havoc.

These viruses commonly tend to infect the global macros, which get
automatically saved at the end of each session.  When the next session of
MS WORD opens, the infected Global Macros are executed, and the WORD
Environment is now infected, and will in turn be likely to infect documents
whenever they are opened, closed, and created during all future sessions.

As a Virus, the WORD MACRO VIRUSES do REPLICATE.  They can spread in most
cases to any MS WINDOWS Environment or OS that runs a compatible copy of MS
WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0
for MacOS.  This makes it a multi-platform/multi-OS file infector.  It also
makes it one of the first non-research viruses to be successfully spread to
all of these environments and OS's.

MS Word Macro Viruses reside in interpreted data that can spread to
different OS's/platforms.  These viruses do not spread via modification of
executable machine code, but by modification of data in files that are
interpreted by the Microsoft Word 6.0 program and any other versions of
Word that support macros and WordBasic.

MacIntosh Word Users have an advantage over the PC world, as infected
documents appear with the template icon, rather than the usual document
icon.  This means that Mac Users can visually tell before-hand whether a
Document is infected or not.

For responsible Word 6.x users, Macros can also be of great use.  The Macro
Language of WORD 6.x <WORD BASIC> is a powerful tool, and can accomplish
many tasks, including altering files, copying files, and executing other
programs. What makes this macro language so powerful is also what makes it
a target for the Vx community.  The idea of the Vx community exploiting
macro languages had been theorized for years, but has only recently been
developed and spread throughout the world.

WordBasic Macro Language is much simpler to learn and master than
ASSEMBLER, or other popular higher Level programming languages, and for
this reason, Vx people <both new and old alike> have taken to it as a
viable alternative to learning and coding ASM .  The thought of ticking
users off on more than one platform has been around for years, and now
thanks to MS WORD, and all its compatible versions on other popular
platforms, the Vx people have their wish.  Another Bonus of this new outlet
for Vx writers, is that many virus scanners only scan Executable files,
leaving the .DOC files of WORD alone.  It is important to note that many AV
producers have now included scanners/cleaners to their software, allowing
for the detection of existing MS WORD Macro Viruses.

Vx people also know that many people never exchange programs, but regularly
exchange documents <those in the corporate circles for example> which meant
that there was a whole new region of unsuspecting users to infect.  On top
of the power and lower learning curve of this language, the popular
past conception that non-executables are relatively safe from infection and
from becoming infectors themselves has allowed the Word Macro Virus to
spread like "Wildfire". < Editor smiles :) >

Even until just recently, members of the respected AV community
inadvertently continue these classic misconceptions that NON-executables
<DATA FILES> cannot infect systems, and that no VIRUS can infect on a
CROSS-PLATFORM basis.  F-PROT V2.21 <Dec '95> continues these
misconceptions in the file VIRUS.DOC, included with their DOS command line

       "A virus cannot spread from one type of computer to another.  For
       example, a virus designed to infect Macintosh computers cannot
       infect PCs or vice versa."

       "A virus cannot infect a computer unless it is booted from an
       infected diskette or an infected program is run on it.  Reading
       data from an infected diskette cannot cause an infection."

This isn't meant to be a knock on F-PROT... they easily have one of the
best virus scanners on the market.  They're just too busy keeping us
VIRUS-FREE that they simply haven't gotten around to updating this older
file! :)  <Info on obtaining a copy of F-PROT is included in the SUGGESTED
SOFTWARE area of this FAQ.>

Heck, a year ago, those two quotes were standard replies to virus related
questions regarding how viruses spread, and at the time you'd be
hard-pressed to prove these quotes wrong. Now, the new realities are
setting in.  The MS WORD Macro Virus Family have changed the rules.
Infection from simply reading a document is NOW possible.

So, a WORD MACRO Virus, is a collection of instructions, known as a macro
or template which WinWord <Word 6.x> executes.  The list of instructions in
the macro can copy and delete files, alter them, make whole changes to
template files, drop other viruses, and execute programs, including ones it
has dropped.  These Macro Viruses <as defined in section 1> aren't directly
executable.  They are actually read <and interpreted and executed> by the
MS WORD WordBasic Interpreter.  This is the first time a virus infection
has occurred in the mainstream user market where a file was only read <or
at least the user thought was only going to be read> for it to be

MSN - MicroSoft Network, and other similar ON-LINE services, have also
contributed to the spread of Word Macro Viruses, via a feature included in
their terminal programs, MIME-compliant mailers (e.g., Eudora), and WWW
browsers (e.g., Mosaic and Netscape).  This feature allows users to
download and view .DOC files while on-line...  the terminals can run the
associated program for .DOC files, <MS WORD> and therefore immediately
infect users systems.  This mechanism WILL also allow the virus to be
introduced into your system via mail or a WWW page.  Use such automatic
execution with caution.  Had the Macro Viruses never been created, this
feature would be of benefit.

NOTE:  Reading Infected documents with anything other than a copy of MS
WORD will not activate and spread the infection.  For the virus to become
active, MS WORD is required, and it must be WORD that is used to view the
document.  For example, NORTON UTILITIES Norton Commander <DOS> has a
document viewer, able to view 10-12 of the most popular formats for
documents, including various versions of WORKS, WORD and WordPerfect
documents.  Using the viewer to read an infected document, and telling it
to use WORD 6.x format, will allow you to view the document, but will NOT
and CAN NOT execute any macros.

At the time of this writing, it was mentioned to me that MicroSoft had
released a WORD Document Viewer, that does not execute Macros, that could
be used in place of WORD for the purpose of viewing Documents while
on-line.  MSN or its affiliated BBS services should have the file
available for download.

UPDATE: Eric Phelps noted that a newer version of the WORD Viewer is now
available from MS, called WordView 7.1.  Unlike its predecessor, it will
execute some MACROS.  Users who use the Viewer to prevent macro infection
should stick to the previous version.  This WordView 7.1 doesn't have a
NORMAL.DOT to infect, but it still allows for an entry point into your
system.  Use WordView 7.1 with caution.



Typically, a MACRO infection occurs when an infected macro instructs the
system to overwrite or alter existing system macros with infected ones, by
adding to or altering macros in the GLOBAL MACRO list, which in turn tend
to infect all documents opened and written thereafter.

When Word opens a document <.DOC>, it first looks for all included macros
in it.  This is a little misleading... MS WORD looks at the DOC, first
thinking it is a DOC, but finds that it has TEMPLATE/MACRO code <meaning it
isn't technically a document, but a template file> If it finds the AutoOpen
Macro, or other AUTO macros, Word will automatically execute this macro. 
Typically, in the case of an infected .DOC file, this macro will instruct
the system to infect important key macros and template files. Those Macros
will in turn infect any documents opened thereafter. <hence the Term

Typically, the FileSaveAs Macro is replaced or overwritten, so that an
infected copy can then determine how all future documents will be saved.
This means it gains the control of what file format to save in, and what
macros to include into the document.  All this is seamless, and most of the
time you may not even realize this is happening.   When the user executes
the FileSaveAs command, the virus (e.g., Concept) displays the *usual*
dialog box, letting the user fill in the fields for the file name,
location, type, etc. Only *afterwards* the virus changes the type of the
file to template - so the user doesn't see anything unusual.  AutoOpen and
other Macros are then included into documents.   When exchanging documents
with uninfected computers, the system becomes instantly infected as soon
as you try to view and load the infected document <macro/template> with a
compatible copy of MS WORD!

At the end of a WORD session, MS Word automatically saves all Global Macros
into the Global Macro File, typically the Normal.DOT file.  Now all future
sessions of Word will infect documents it opens until you replace
NORMAL.DOT with an uninfected copy.  <or delete the infected macros>
Otherwise, MS Word Loads, and will load infected GLOBAL MACROS before you
do a single thing.  NOTE: Some macros will save to the Global macros on
their own!



Common features of this family of viruses include the inability to save an
infected document in any format other than Word Template Format: the
documents are converted into Template format <used internally in Word, and
by the user>, and Word tends to disallow saving of the file/document in any
other directory using the SAVE AS command <You can save the infected document
anywhere you want - when it is first infected. Only if you *load* an
*already infected* document, and *then* try to use the FileSaveAs command
on it, will Word try to force you to save it in the template directory -
because it is now a template; not a simple document.>.  Most WORD MACRO
VIRUSES and TROJANS to DATE only affect ENGLISH ONLY Copies. Some
exceptions apply.  In Nationalized copies of WORD, the macro language
commands have been translated to the national language, therefore macros
created with the English version of Word will not work. <makes perfect
sense to me... anyone know how AutoOpen is spelled in French? :) >

[ according to Vesselin Bontchev: The auto macros are
always spelled in one and the same way in all nationalized versions. It is
things like FileSaveAs that are translated ].

NOTE:  PC Users will likely not notice the difference between a TEMPLATE
infected file masquerading around as a document file, as word will
recognize Macro Templates in a file regardless of the extension used by the
Template <Default *.DOT>.  <Send Complaints to BILL GATES, C/O MICROSOFT
CORP.> MacIntosh Users can visually tell whether a Document is infected or
not, since infected documents appear with the template/macro icon, instead
of the normal document icon.  A file that is indicated by a template icon
may simply be a harmless template, that the user has made, containing
legitimate macros.  This MAC advantage will depend on how the document is
opened.  Opening with the File / Open command will not help a MAC user make
the distinction.  Viewing parameters for a folder will also determine
whether a MAC user will notice the template file.  Viewing by size, name,
or date will not help, as the icon isn't displayed properly.

A Feature common to most viruses of this type is the ability to spread to
other platforms, making this family of viruses unique, and dangerous.  They
can and will spread to almost any platform operating with a compatible copy
of MS Word 6.x+.  <some exceptions apply>

Although other word processors like WordPerfect and Ami Pro do support
reading MS Word documents, they can not be infected by these viruses. These
programs have the ability to read documents, but not to execute the macro
language commands that may be embedded.

It's worth noting that macro viruses whose payloads have no effect on a Mac
(PC emulators excepted) will nevertheless replicate on the Mac unless they
use one of the relatively few WordBasic functions specific to Windows in
the infection/replication routine.



There are a number of Word Macro viruses in the wild, the first and
foremost being the CONCEPT Virus. <although DMV was created first, CONCEPT
is what pushed this new breed of viruses into the wild FIRST.  It was the
first to be widely recognized as a nuisance.>


4.1: Concept Virus :

Also known by the Aliases of WW6Macro, WinWord.Concept, Word Basic Macro
Virus (WBMV), Word Macro 9508 <MAC> and Prank Macro <MicroSoft named it
Prank, to downplay the seriousness of the situation>.  This was the first
MS Macro Virus to be detected by the Anti-Virus community, and the first
Macro Virus to be considered in the wild, with infections spreading to the
US, UK, France, Germany, Bulgaria, Canada, the Netherlands, Turkey, and
Finland, and other Countries.

The proliferation of this virus is widespread, mainly due to 2 companies
ACCIDENTALLY shipping this virus in infected documents found on their
CD-ROMS.  The first CD-ROM was...

        MicroSoft Windows '95 Software Compatibility Test

which was shipped to thousands of OEM companies in mid 1995.  In
August/September Microsoft distributed the Concept virus on a CD-ROM in the
UK called...

        "The Microsoft Office 95 and Windows 95 Business Guide"

The infected file is \Office95\Evidence\Helpdesk.DOC, dated August 17th,
1995, <121,856 bytes> The third CD was...

        Snap-On Tools for Windows NT

which was distributed by ServerWare, who immediately withdrew it, warned
recipients, and re-mastered it. MicroSoft Corp.  is to be commended for
acknowledging their part in the spreading of this new virus, <calling it a
PRANK> and their effort in controlling the spread of it. They were quick to
respond to this new Virus threat with a Macro Scanner/Cleaner which is
available freely for download from MSN and associated services. <Note: it's

This commendation should be taken with a grain of salt, as MicroSoft waited
up to two months before admitting there was a problem, downplaying the
seriousness of the situation, and calling it a PRANK Macro, not befitting
an acknowledgment as a REAL virus in their view.  MS in turn requested help
from AV insiders, and subsequently released their own flawed FIX.  AV
people wanted info regarding internal information of the WORDBASIC Macro
Template Format.

Such help wasn't forthcoming, at least not until months later.   During the
whole time that the bulk of the AV people waited for help, MS cited their
FIX as being the only thing that CAN deal with this new virus, and that
Current AV Products were useless. <not the first time MS has thrown rocks
at competitors...>  The statement from MicroSoft is only partially true, as
a number of AV companies figured out the Macro format on their own, and
released their own fixes. Those of us who are used to dealing with
MicroSoft would agree that 5 months of waiting, being told you're wrong,
then finally getting the help you asked for was "a quick response". :)

A CONCEPT Infection is easy to notice: on the first execution of the virus
infected document (on the first opening of the infected file) a
MessageBox appears with the digit "1" inside, and an "Ok" button.  Also, when
checking the TOOLS/MACROS option for loaded macros, the presence of
Concept is apparent by the appearance of these 5 macros :

       AAAZFS *
       AAAZAO * 
       PayLoad *

NOTE:  Using the Tools/Macro option to view in memory macros can be
misleading, and dangerous, as some viruses will intercept this call.  The
Tools/Macro option should be used with caution with all viruses, and
shouldn't be considered as a general way to look for macro viruses. The
Colors virus for example intercepts this command and activates if it is

You may be currently using legitimate macros that go by the names of
AutoOpen and FileSaveAs, so these two may not be out of place.  However, it
is unlikely that you use legitimate macros with names like Payload, AAAZFS,
and AAAZAO.  These 3 are the clearest signs of an infection.

Note: As has been noted in some press releases, the virus code is simple
for a novice to modify, so variants may also be present or appear soon. 
The Macros are UNencrypted, and are easily viewable.

The following Text strings are in the infected documents...

       see if we're already installed
       That's enough to prove my point

Also, the line...


is added to WINWORD6.INI on infected systems.

The Concept Virus is able to run on compatible systems running Microsoft
Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows
95 and Windows NT environments. In Macintosh Word, infected documents
appear with the template icon, rather than the usual document icon.

NOTE TO WINDOWS '95/WORD '95 USERS:  Those of you who are running Windows
95 and Word 95, and have Word set up to act as your Exchange mail program;
<WordMail.> are protected from the spreading abilities of CONCEPT, as
WORDMAIL disables the capability that lets Concept spread, so you cannot
get infected by reading mail with WordMail. However, if an incoming message
has an attached infected Word document, and you double-click on that
document to open it in Word, you will get infected.

F-Prot has made an Anti-Viral FIX for this ONE virus, known as WVFIX.  It
detects a Concept Infection, and can make modifications to WORD settings on
PC's to prevent further re-infection by this one virus.  Available now

       Data Fellows FTP URL


       Command Software System's FTP site

and is included on F-PROT for DOS Diskettes.  If you don't have F-PROT
Professional which detects this virus, you can detect it manually with
older F-PROT versions, by placing the following 2 lines into your F-PROT
USER.DEF file, found in your F-PROT for DOS Directory...

       CE WordMacro/Concept

then turn on the USER-DEFINED section of the Targets menu, and add *.DO? as
an extension to scan for, or scan for ALL FILES.  If F-PROT finds an
infected document with this method, use WVFIX to do an additional scan
to confirm infection, as legitimate documents may get flagged using the
above search string.

SOPHOS SWEEP users can add detection of this virus to their older scanners
by executing Sweep in full Mode with the following <meant as one line, but
displayed below as 2...> command...

       SWEEP C:\*.* -F -REC

Sweep's SWEEP.PAT file can also hold this pattern for you, so that you do
not need to type it out every time you wish to scan.  Add the following to
the SWEEP.PAT file using an ASCII Text Editor...

       Concept 5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67
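
The Concept indicators quoted in this FAQ (the two text strings, the three
macro names, and the SWEEP.PAT byte pattern above) can be checked together,
which reduces the false positives a single search string gives.  This is an
added example, not part of the original FAQ or of any vendor's tool; the
function names, the verdict policy and the sample byte strings are
assumptions constructed for illustration.

```python
"""Check Word files for the Concept indicators this FAQ lists (added example)."""
import fnmatch
import os

# SWEEP.PAT byte pattern exactly as printed in the FAQ (hex, two bytes per group).
SWEEP_HEX = "5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67"
SWEEP_BYTES = bytes.fromhex(SWEEP_HEX.replace(" ", ""))

# Plain-text strings the FAQ says are present in infected documents.
TEXT_STRINGS = (
    b"see if we're already installed",
    b"That's enough to prove my point",
)

# Macro names the FAQ calls the clearest signs of infection.
# Assumption: they are matched case-insensitively as raw ASCII.
MACRO_NAMES = (b"aaazfs", b"aaazao", b"payload")


def scan_bytes(data):
    """Return which of the FAQ's indicators occur in a file's raw bytes."""
    lowered = data.lower()
    return {
        "sweep_pattern": SWEEP_BYTES in data,
        "text_strings": [s.decode() for s in TEXT_STRINGS if s.lower() in lowered],
        "macro_names": [n.decode() for n in MACRO_NAMES if n in lowered],
    }


def verdict(hits):
    """Combine indicator groups into a verdict.

    Policy (an assumption of this example): the FAQ warns that a search
    string alone can flag legitimate documents, so one group only means
    "needs-confirmation"; two independent groups mean "likely-concept".
    A lone macro name is ignored because "payload" is an ordinary word.
    """
    groups = sum([
        hits["sweep_pattern"],
        bool(hits["text_strings"]),
        len(hits["macro_names"]) >= 2,
    ])
    if groups >= 2:
        return "likely-concept"
    if groups == 1:
        return "needs-confirmation"
    return "clean"


def scan_tree(root, all_files=False):
    """Scan *.DO? files under root (or every file), as the FAQ advises.

    Returns {path: verdict} for every file that is not clean.
    """
    flagged = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not all_files and not fnmatch.fnmatchcase(name.upper(), "*.DO?"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as handle:
                    result = verdict(scan_bytes(handle.read()))
            except OSError:
                continue  # unreadable file: skip it, keep scanning
            if result != "clean":
                flagged[path] = result
    return flagged


# Constructed sample inputs (not real documents): an OLE2 header followed by
# filler and indicator bytes, enough to exercise each verdict.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
SAMPLE_INFECTED = (OLE_MAGIC + b"\x00" * 64 + SWEEP_BYTES
                   + b"\x00AAAZAO\x00AAAZFS\x00PAYLOAD\x00"
                   + b"see if we're already installed")
# A harmless document that merely quotes one of the strings, e.g. a copy
# of this FAQ saved from a word processor.
SAMPLE_QUOTING_DOC = OLE_MAGIC + b"The FAQ lists: That's enough to prove my point"
SAMPLE_CLEAN = OLE_MAGIC + b"Quarterly report, nothing unusual."

if __name__ == "__main__":
    for label, blob in (("infected", SAMPLE_INFECTED),
                        ("quoting", SAMPLE_QUOTING_DOC),
                        ("clean", SAMPLE_CLEAN)):
        print(label, verdict(scan_bytes(blob)))
```

A "needs-confirmation" result should be followed up with a dedicated tool
such as WVFIX, as recommended above for search-string hits.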

Users of IBM's Anti-Virus can add protection to their system for this Virus
Manually, or can acquire updated copies of AntiVirus from IBM.  To Manually
add detection of CONCEPT to IBM AntiVirus add the following three lines to
an ADDENDA.LST file in the same directory as VIRSIG.LST

        %s the WordMacro.Concept %s
        DOC and DOT (COM format) files.  Mismatches=0.  No fragments.

Then use the "Check System" dialog to add "*.DOT" to the list of patterns
to check, or simply instruct IBM Anti-Virus to scan ALL FILES.

PC Users can also acquire the Macro Virus Protection Tool. (On CompuServe
or AOL, GO MS; on Microsoft Network, GO MACROVIRUSTOOL.) Follow the
instructions to run the file. It will look for macro viruses, both among
your macros, and any documents you specify. It will also install special
macros that will help prevent any further infection.

If you use SCAN.DOC, make sure that your copy of the "cleanall" macro is
not one of the early releases which contained a typo! Look for the line
Dlg.Pat$ = "*.doc;*.dot" used to set up the ".Name" argument for FileFind.
There should be NO space between the semicolon and the second asterisk. A
space here (found in early releases) prevents looking for ".DOT" files.

Microsoft has also made software available to counter this virus <on MACS>,
obtainable via the WWW from...


and via ftp from...


This FIX from Microsoft only renames the virus rather than removing it. 
Also note that the file system scan function supplied ("Scan.doc") may not
actually find every occurrence of infected files on a Macintosh. A few
other vendors of major Macintosh anti-virus software are planning minor
releases of their products to cope with this virus or help identify its

If you need additional information, call Microsoft Product Support Services

        206-462-9673 for Word for Windows
        206-635-7200 for Word for the Macintosh

or send an Internet e-mail message to...

Further info on CONCEPT Virus <albeit with an emphasis on the DOS, OS/2 and
Windows environments> is available from IBM's WWW server:


Note: A Personal Solution for this Virus is possible.  Simply make 2 dummy
macros <they don't need to do anything>, one as Payload, the other as
FileSaveAs.  This virus checks for the presence of these macros, and if
found, DOES NOT infect your system. <The virus checks for the presence of
*either* of these macros, so using just one (any) of them is sufficient.>
This is a CONCEPT virus solution only, and will likely become useless with
any future variants of Concept.


4.2: Nuclear :

Known widely as Winword.Nuclear, Wordmacro-Nuclear and Wordmacro-Alert. 
This virus was the first WordMacro virus to infect <or at least to attempt
to infect> both data/documents <Word Documents .DOT and .DOC> as well as
executables <.COM/.EXE/NEWEXE>

In truth, it is 2 viruses, a macro virus which alters the Operating
Environment of WORD, and an executable file infector <as well as a system
file deleter>.  This makes NUCLEAR the first Macro Virus to also
incorporate, or at least try to incorporate a classic File Infector Virus. 
This virus is actually quite ineffective in the destructive sense, detailed
later in this document. The infected documents contain the following nine

       InsertPayload   *
       Payload         *
       DropSuriv       *

which get copied into the GLOBAL Macro List.

General detection of NUCLEAR is easy, simply view the macros listed under
the Macros command under the Tools Menu.  If Macros "InsertPayload",
"Payload", and "DropSuriv" are listed, then you'll likely have a NUCLEAR
infection. <unless you named legitimate macros with the same names... :) >
NUCLEAR hides itself from detection, by disabling the "PROMPT FOR CHANGES
TO NORMAL.DOT" option.  Changes are made, and the user doesn't notice

NOTE: Use of the TOOL/MACRO command can be dangerous.  Some viruses subvert
this command.  Use with caution.  Use AV software to find and delete
infected macros.

The "InsertPayload" Macro will cause the following text to be added to the
end of printouts when printing documents. Every 12th printout will have the
following text added...

       And finally I would like to say:

which is appended to the file after the command to print is issued but
prior to the actual printing. FAX's sent via a FAX Print Driver will also
be affected, this much I know first hand.  From testing, I came to the
realization that some Vx putz will start messing with my outgoing faxes
behind our backs.

Another included Macro, is "Payload" which tries to delete IO.SYS,
MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic
can't reset the attributes of a file which has the System attribute set.
It has been noted that a variant that does work is being circulated.

The Second part of the Nuclear Virus is the executable infector.  The
DropSuriv Macro checks system time, and will attempt to drop the file
infector between 17:00/18:00.  However, the routine is flawed, and
shouldn't work on any system.  <fails due to a syntax error - not closed IF
statement, which makes this payload never executed> If DropSuriv DID work
properly, it would search for the standard DOS util DEBUG.EXE, if found,
the macro drops PH33r.SCR & EXEC_PH.BAT.  The Bat File is executed, and
then the hex dump file PH33r.SCR is converted from a DEBUG script into an
executable, and is in turn executed.  Later, the .SCR and the .BAT files
are deleted to cover its tracks.  The File infector then hooks INT 21h and
writes itself at the end of COM/EXE/NewEXE files.  <however, the memory is
released once this DOS task is completed, includes the memory resident
virus Ph33r> Unconfirmed reports state that a NUCLEAR infected Macro with a
fully operational DropSuriv Macro exists.

The following text strings are in the executable infector...


SOPHOS SWEEP users can use a user-defined search string to find NUCLEAR,
simply by executing the following command <the following 2 lines are
actually ONE long one> using Sophos' SWEEP in full mode...

       SWEEP C: -F -ALL

Discovered on the internet, the discovered infected file ironically was
supposed to provide info on a previous Macro Virus, Concept.  Mac Users
will notice an infected document, since infected documents appear with the
template icon, instead of the usual document icon.


4.3:  Colors:

Colors, is the first WINWORD Macro Virus that could be called cute <IMHO>. 
This Virus has the noticeable ability to alter the Windows colors settings.
Mac Word is immune to the payload <the system colors attack> but is still
susceptible to the infection mechanism, which will attack documents. 
Detection of infections is easy, as infected documents appear with the
template icon, rather than the usual document icon.

Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted
to usenet newsgroups on October 14th, 1995. The Colors Virus will infect
the global template <usually NORMAL.DOT> upon opening of an infected
document.  An infected document contains the following macros:

       ToolsMacro, and other macros.

All Macros included in COLORS are Execute-Only, and cannot be viewed or
edited by MicroSoft Word.  If normal "clean" macros with the same names
existed prior to infection, they will be overwritten by COLORS.

The AutoExec Macro of COLORS is an EMPTY Macro, possibly designed to defeat
any ANTI-MACRO-VIRUS schemes developed by the AV community.  It
accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec Macro with
COLORS empty one, effectively making the AV Scanner/Cleaner useless.  The
Cleaner Provided by Microsoft would fall victim to this attack, and
subsequently be rendered useless.

COLORS will also enable AutoMacros in case you were smart and disabled
them!  It will also disable the MS Word's Prompt to save changes to

COLORS is crafty, as it can spread without the use of AUTO macros...  thus
defeating the DISABLE AUTOMACROS Feature.  It does so via the Macros:


COLORS will infect NORMAL.DOT whenever a user chooses any of the above
functions.  It also has limited stealth ability, earning it the title of
being the first WINWORD STEALTH MACRO VIRUS.  It accomplishes its stealth
actions, by hiding itself from the active listing, since attempting to view
active macros would run the COLORS infected Tools/Macro, thus hiding its
own presence while simultaneously infecting your system.  However, deleting
these macros is easy, simply use the File/Templates/Organizer/Macros to
view the names of virus' macros and delete them.

The COLORS virus will keep track of infections via a counter, named
"countersu", which can be found under the [Windows] section of the WIN.INI
file.  Whenever an infected macro is executed, the counter is incremented
by a count of one.  It quickly adds up, when you consider how much you
OPEN, CREATE, SAVE, EXIT, and CLOSE documents.  When the increment counter
reaches 299, and every 300th execution thereafter, COLORS will be
triggered.  COLORS will then make changes to the system colors setup,
including text, background, borders, buttons, etc., using randomly
determined colors.  The new color scheme becomes apparent to the user
during the next session of Windows.

NOTE: MicroSoft Word for Macintosh is immune to this effect.  In Macintosh
Word, infected documents appear with the template icon, rather than the
usual document icon, which alerts the user to this infection.  Only Copies
of WORD running on a Windows OS or Windows Operating Environments will
suffer these effects.  PPC Macs running emulation software that allows
Windows and Windows WORD 6.x to run could be hit by this payload. <Does
current PPC MAC allow for Windows and Word to be run on it??? >

Colors' ability to spread without the use of AutoExecute Macros, and its use
of Advanced Stealth techniques signals a new level of MACRO virus
technology.  <Hiding itself from view when you actively look for it defines
STEALTH in my book, since it evades detection> It also adds fuel to the VxD
argument, as an on access scanner could prevent infection by this type of
stealthy virus.  NOTE: Check SUGGESTED SOFTWARE section for AV developers
with VxD scanners

F-Prot Users should note that F-PROT Professional 2.20 is not able to
detect the Colors macro virus, but you can detect it manually by following
the same method used in the CONCEPT section of this FAQ for Scanning with
F-PROT and its user Defined Strings.  In this Case, use the following 2
lines, which are to be added to your USER.DEF file.

       CE WordMacro/Colors


4.4: DMV:

Commonly known as WordMacro.DMV, DMV is an unremarkable TEST Virus,
possibly the first to be created using the WORDBasic Language.  Joel
McNamara wrote it in the fall of 1994, as a real time TEST for some MACRO
Virus Theories.  The Virus was kept under wraps, and a detailed paper was
published.  This TEST virus was only released, as an educational aid, after
the CONCEPT virus was discovered.  DMV isn't a threat to anyone, as it
announces itself upon infecting the system.

MAC Word Users can visually detect DMV, since infected documents will
appear with the template icon, instead of the usual document icon.

The Writer of DMV is rumored to be playing with some EXCEL Viruses, based
on details he published about a virus that would infect MicroSoft EXCEL
Spreadsheet Files. <anyone get the feeling 6 months from now I'll be
writing an EXCEL MACRO Virus FAQ ??? :) >



4.5: HOT:

Also known as WORDMACRO HOT, WinWord.Hot.

Not the most ingenious of the Macro Virus Family, its biggest kick is the
ability to wait or sleep for awhile <up to 14 days> and then delete a file.
WordMacro/Hot appears to be the first Word macro virus written in Russia.
It was found in the wild in Russia in January 1996.

Infected documents contain four execute-only macros:


MacIntosh Word Users will notice HOT, by examining the icon of the file... 
infected documents appear with the template icon, normal documents appear
with the normal document icon.

NOTE: WordMacro/Hot appears to be the first macro virus to use external
functions, allowing Word macros to call any standard Windows API call. 
This makes the spreading function Windows 3.x specific, preventing Word for
MAC and Word 7 for Win '95 from spreading the Virus.  An error dialog will
be displayed under Microsoft Word 7.0.

        Unable to load specified library

HOT activates automatically via its AutoOpen Macro <assuming no attempt to
disable AutoMacros has been made> adding a line LIKE...


to Ms Word for Windows 6's WinWord6.INI file, which acts as a counter
recorder system, setting a date 14 days in the future for payload

HOT then copies the included macros to the Global Template, NORMAL.DOT
usually, revising their names...

        AutoOpen          ==>   StartOfDoc
        DrawBringInFrOut  ==>   AutoOpen
        InsertPBreak      ==>   InsertPageBreak
        ToolsRepaginat    ==>   FileSave

A listing of the currently loaded macros in this infected environment will
reveal the names in the right list.  Loading another infected document
<actually a template> will add the left list to the macro list plus the
right list.  NOTE:   Macros have been saved with the 'execute-only'
feature, which means  that a user can't view or edit them.

A clean <AutoMacros disabled> WORD environment will produce the left list
when viewing an infected document.

HOT's FileSave macro causes the virus to randomly decide within 1-6 days
from the infection date to activate whenever an effort to open files is
made.  Upon activation, a document will have its contents deleted, by
opening it, selecting the entire contents, deleting them, and closing the
document, saving it in its now empty state.

Users with c:\DOS\EGA5.CPI should be protected from this macro, as the
author included a check for this file as a protective measure, noted in the
source code as follows:

  '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
  '- and if File C:DOSega5.cpi not exist (not for OUR friends) ---

HOT's InsertPBreak Macro inserts a page-break in current documents, which
is used as a sign of a document already being infected by HOT.

NOTE:  WordMacro/Hot relies on the existence of KERNEL.EXE

To clean existing in memory infected macros, use the TOOLS/MACROS/DELETE
function to delete all infected macros.  Do the same for documents you find
that are infected, by doing so from a session of word with AutoMacros
Disabled, and using the Tools/Macros/Delete function.

NOTE: Use of the TOOL/MACRO command can be dangerous.  Some viruses subvert
this command.  Use with caution.  Use AV software to find and delete
infected macros.

SOPHOS SWEEP Users can add detection NOW to their scanner with the line...

        Winword/Hot   a186 9dad 889d 8ca7 86cd e58e 0369 ec8e ee69 ec8e
        e868 ecef

<the above 2 lines are to be entered as one line> by adding the line to
 SWEEP.PAT, then scanning in FULL MODE <-f>
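
The user-defined patterns in this FAQ are plain byte strings that the
scanner searches for in each file.  As an added example (not Sophos code
and not part of the original FAQ), the Python below loads the Concept
pattern from section 4.1 and the Hot pattern above from "Name hex ..."
lines and scans *.DO? files; the function names and the sample files it
builds are constructed for illustration.

```python
import fnmatch
import os
import re
import tempfile

# Patterns as printed in this FAQ (the Hot pattern joined into one line).
PAT_TEXT = """\
Concept 5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67
Winword/Hot a186 9dad 889d 8ca7 86cd e58e 0369 ec8e ee69 ec8e e868 ecef
"""


def parse_patterns(text):
    """Parse 'Name hex hex ...' lines into {name: bytes}; reject bad lines."""
    patterns = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields:
            continue
        name, hexstr = fields[0], "".join(fields[1:])
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", hexstr):
            raise ValueError(f"line {lineno}: bad hex pattern for {name!r}")
        patterns[name] = bytes.fromhex(hexstr)
    return patterns


def scan_file(path, patterns, chunk_size=64 * 1024):
    """Return sorted pattern names found in one file, reading it in chunks."""
    if not patterns:
        return []
    # Keep the last (longest pattern - 1) bytes so a match that straddles
    # two chunks is still seen.
    overlap = max(len(p) for p in patterns.values()) - 1
    found, tail = set(), b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            found.update(n for n, p in patterns.items() if p in window)
            tail = window[-overlap:] if overlap else b""
    return sorted(found)


def scan_tree(root, patterns, globs=("*.DO?",)):
    """Scan files under root whose names match a glob (case-insensitive)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if any(fnmatch.fnmatchcase(fname.upper(), g.upper()) for g in globs):
                path = os.path.join(dirpath, fname)
                names = scan_file(path, patterns)
                if names:
                    hits[os.path.relpath(path, root)] = names
    return hits


def demo():
    """Build constructed sample files and scan them narrowly, then widely."""
    patterns = parse_patterns(PAT_TEXT)
    samples = {  # constructed test data, not real infected documents
        "REPORT.DOC": b"\x00" * 10 + patterns["Concept"] + b"\x00" * 10,
        "LETTER.DOT": b"ordinary template text",
        "NOTES.TXT": b"xx" + patterns["Winword/Hot"],
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        narrow = scan_tree(root, patterns)              # *.DO? only
        wide = scan_tree(root, patterns, globs=("*",))  # "ALL FILES"
    return narrow, wide


if __name__ == "__main__":
    narrow, wide = demo()
    print("*.DO? scan :", narrow)
    print("all files  :", wide)
```

A hit from a byte-string search is a lead to confirm with a full scanner,
since a legitimate document can contain the same bytes.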



This is a new MACRO Trojan, <that's been around for 2 years> that goes by
the alias WinWord.Weideroffnen.  It is technically a WinWord 2 infected
document, that works equally well under MS WORD 6.x.  It intercepts
AutoClose, and attempts to play tricks with boot-up file AUTOEXEC.BAT.  It
is rumored to exist in Germany, known locally in Germany as "Weideroffen
Macro Virus" No other information is available at this time, other than the
post by Graham Cluley, which states...

       "Dr Solomon's FindVirus has been detecting this virus for a while (I
       think we call it WinWord.Weideroffnen).  Our WinGuard VxD can also
       intercept documents infected with it thus stopping an outbreak dead
       in its tracks"

Since it basically goes after AUTOEXEC.BAT, Mac users have nothing to fear
from this trojan macro.  PC users on the other hand... :)

Please have mercy on us Graham <>, and
provide some more info... :)




Also known as AMIMACRO GREENSTRIPE.  The name of this virus comes from its
main macro procedure, called Green_Stripe_virus.

Quite possibly the first Macro Virus to hit the AMI PRO 3.0 Word Processor,
GREEN STRIPE, was first reported to Computer Weekly, by those who first
detected it Reflex Magnetics.  <reported to A.C.V by David Phillips
( >  Reflex Magnetics is reported to have a program
able to detect this virus available on their WEB sites by the time you read

Ami Pro Macros are somewhat different than their WORD equivalents, as an
AMI PRO MACRO is a totally separate file, whereas WORD Macro viruses turn
documents into combination files, part data, part macro.  The Ami Pro
macros are stored in a separate file, with the SMM extension.  This makes
it difficult to spread an AMI PRO virus, as it is likely to not get copied
with the normal document, effectively disabling the virus.

Ami Pro's File/Save and File/Save As commands are intercepted by Green
Stripe, and used to infect all documents it comes in contact with.  You
could say that GREEN STRIPE is the first COMPANION MACRO VIRUS, as it
doesn't even touch the original document.

NOTE: Using File/Save As and saving an infected document to a network drive
or a floppy is the only likely way this virus will spread from a machine to

When an infected document is loaded, it has a link to an AMI PRO auto-macro
file of the same name <as the document> but different extension.  This
macro is then executed, and attempts to open ALL other documents in the
same directory <to infect them>  This is apparent to the user, as they can
see this happening on the screen!  It is reported to do a Search and
Replace on SAVE, searching and replacing all occurrences of "Its" with "
It's".  Reportedly, this fails to work properly.

GREEN STRIPE was first published in Mark Ludwig's virus writing newsletter.
This virus makes itself obvious to the user, since it attempts to infect
all files found in the AMI PRO 3.0 Document Directory during the initial
infection process, which takes a long time, and the user is likely to
notice that something is going on.

NOTE: Removal of AMI PRO 3.0 infected macros is simple, just delete the
macro from the directory.  To see if a Macro has been attached to a
document, simply open the Tools/Macros/Edit menu and check whether the
document has a .SMM macro file assigned to be executed on open.  If you
find one, delete it <unless YOU created a legitimate macro>

Documents and Macros in AMI PRO are ASCII files, making viewing and
detection of infected macros easy using any program other than AMI
PRO.  This virus is difficult to spread, as the path to the Macro is
hard-coded, preventing the macro from spreading if programs other than AMI
PRO are used to move it about.
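
Because the macro lives in its own ASCII .SMM file named after the
document, a directory listing is enough to triage a Green Stripe
infection.  The following added example (not from the original FAQ or any
vendor tool) pairs each .SMM file with a same-named document and looks for
the procedure name Green_Stripe_virus; the .SAM document extension, the
"document names its macro" heuristic and the sample files are assumptions
made for the example.

```python
import os
import tempfile

MARKER = b"green_stripe_virus"   # procedure name given in this FAQ
MACRO_EXT = ".SMM"               # Ami Pro macro extension (from this FAQ)
DOC_EXT = ".SAM"                 # assumed Ami Pro document extension


def _read_lower(path, limit=1 << 20):
    """Read up to `limit` bytes of an ASCII file, lower-cased for matching."""
    with open(path, "rb") as fh:
        return fh.read(limit).lower()


def find_macro_companions(root):
    """Return sorted (relative macro path, verdict, doc_names_macro) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        by_upper = {f.upper(): f for f in files}
        for upper, fname in by_upper.items():
            base, ext = os.path.splitext(upper)
            if ext != MACRO_EXT:
                continue
            has_marker = MARKER in _read_lower(os.path.join(dirpath, fname))
            doc = by_upper.get(base + DOC_EXT)
            # Heuristic (assumption): an attached macro is named in the
            # document text, since both files are plain ASCII.
            named = bool(doc) and os.fsencode(fname.lower()) in _read_lower(
                os.path.join(dirpath, doc))
            if has_marker and doc:
                verdict = "Green Stripe macro beside its document"
            elif has_marker:
                verdict = "Green Stripe macro, document missing"
            elif doc:
                verdict = "same-named macro, review before deleting"
            else:
                continue  # stand-alone macro with no marker: not reported
            rel = os.path.relpath(os.path.join(dirpath, fname), root)
            findings.append((rel, verdict, named))
    return sorted(findings)


def demo():
    """Scan a temporary directory of constructed sample files."""
    samples = {  # constructed files; contents are illustrative only
        "LETTER.SAM": b"[doc]\r\nruns macro LETTER.SMM on open\r\nDear Sir,",
        "LETTER.SMM": b"FUNCTION Green_Stripe_virus()\r\nEND FUNCTION\r\n",
        "MEMO.SAM": b"[doc]\r\nMeeting at ten.",
        "MEMO.SMM": b"FUNCTION InsertDate()\r\nEND FUNCTION\r\n",
        "STRAY.SMM": b"function GREEN_STRIPE_VIRUS()\r\n",
        "TOOLS.SMM": b"FUNCTION WordCount()\r\nEND FUNCTION\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return find_macro_companions(root)


if __name__ == "__main__":
    for rel, verdict, named in demo():
        print(f"{rel:12} {verdict} (named in document: {named})")
```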

Thanks to Vesselin Bontchev <> and Dr David Aubrey-Jones
<> for detailing this virus.



This is a new Macro Virus, found in February 1996, which works along the
same general ideas as the original Concept virus. The WordMacro/Atom virus
is not known to be in the wild.

The differences, when compared to the Concept Virus, follows:

       - All the macros in this virus have been marked EXECUTE ONLY,
         making them encrypted
       - Replication occurs both during file openings, and file saves.
       - Atom comes with 2 destructive payloads

On December 13th, its first point of activation occurs.  It will attempt
to delete all files in the current file directory.

The second activation, password protects documents, restricting the users
access to their own documents.  This happens when the system clock seconds
counter equals 13, and a File/Save As command is issued.  The password
assigned to the documents is ATOM#1.

If the user disables AUTOMACROS, Atom will be unable to execute and spread
to other documents.  Enabling the Prompt To Save NORMAL.DOT will prevent
Atom from attacking and infecting the NORMAL.DOT file.



Also known as WORDMACRO.FORMATC, and FORMAT.C.Macro.Trojan

The FORMATC Macro Virus isn't even a virus, as it DOES NOT SPREAD.  This
makes it another MACRO TROJAN.  This Trojan contains only one macro,
AutoOpen, which will be executed automatically when a document is opened.
The Macro AutoOpen is READ ONLY, making it encrypted, unreadable and
uneditable.  It is visible in the Macro List.

When FORMATC is executed, "triggered", it will  run a dos session, in a
minimized DOS box.  It will run an Unconditional Format of the C drive.

NOTE:  Get your hands on some up to date scanners, and pre-screen all
documents.  Also acquire some AV VxD's, as they should prevent the Trojan
from wiping your drive clean.

Thanks to Symantec for providing the info on this trojan.



The best Strategy for dealing with this new VIRUS Menace, is to acquire at
least one, maybe even a couple decent Anti-Virus products.  This is a good
idea whether you are dealing with classic viruses, or this new MS WORD
MACRO family of viruses.  If you have some of the popular virus scanners,
you can add macro virus signature definitions to them from the previous
sections of this FAQ, or acquire updated copies of your favorite AV
programs, which should have them built in.

Some products are now including Windows Mode VxD Virtual On-access
Scanners, that run co-operatively with Windows. <insert bad joke about
windows reliability here :) > These VxD's tend to have the same
capabilities as the classic scanners.  Others that don't yet include VxD's
are also worth acquiring, as the command-line scanners are some of the best
in the industry.  Most of the Virus Scanners Listed in the SUGGESTED
SOFTWARE area of this FAQ will in the worst case detect known MACRO
Viruses, and at best, clean existing infections, and prevent future
infections by MACRO viruses.

The Following AV products now include an option to Scan for Word Macro
viruses, Including F-PROT, TBAV, AVP, AVTK, SOPHOS SWEEP, McAFEE, and
others.  Fans of ChekMate will be glad to hear about ChekMate.DOC, part of
the CHECKMATE 2.00 Generic Anti-Virus Package, which will detect and
prevent Macro infections.

Learning to scan documents as well as program files will now be necessary
to maintain a clean system environment.  So, keeping these new viruses out
of your system isn't really any harder than keeping standard viruses out. 
Most of these products are listed in the SUGGESTED SOFTWARE area of this

A file,, common on various AV FTP Sites on the internet, can
deal with the WORD.Concept <Prank> virus.  Unzipping it into the Winword
directory, and opening the included document SCAN831.DOC, will check your
documents for the presence of Concept.  NOTE: This is only a solution for
preventing/removing Concept Infections.  Also, Windows '95 users will need
to dump the contents of their Start Menu document menu, and remove desktop
shortcuts before using this solution.  NOTE: This `fix' distributed by
Microsoft isn't complete - there are ways to open documents (like from the
recently used files list) that don't trigger the protection macros.

Fans of Symantec can download a free copy of REPAIR.ZIP, which contains
virus definition files for the macro viruses. You can use REPAIR.ZIP with
either NAV 95 or NAV 3.0.  NOTE: To detect the MS Word macro viruses, scan
your hard drive from DOS only; either version of NAV will not detect them
from within Windows.

Disinfectant For the MAC, although a great AV product, doesn't generally
address macro viruses or hypercard infectors. <At least it didn't the last
time I played with a MAC :) >  Disinfectant does not deal with non-machine
code viruses, so no update is needed.  Mac users will want to contact some
of the AV producers listed below, as many of them are now offering MAC AV
solutions which DO deal with MS WORD MACRO VIRUSES. Some of the Word macro
viruses will work at least in part on a MAC, Dr Solomon's Anti-Virus
Toolkit for Macintosh will detect such infections, and will detect PC Boot
Sector Viruses.  Mac Users will have one advantage fighting and finding
WORD MACRO VIRUSES, since MAC displays the icon of the data files, users
will notice that infected documents appear with the template icon, rather
than the usual document icon.

A Good Back-Up routine is also a sensible addition to any AV strategy.  No
AV product is perfect, especially against new and unknown Viruses <unless
you are ZVI NETIZ, his AV products catch 100% of all viruses, including the
cold viruses you've suffered with this winter! Unfortunately ZVI's product
will delete all copies of your SOFIA files :) >

It is often preferable to replace infected files with clean uninfected
copies, regardless of format, than to execute a "cleansed" file, that may
be corrupt, or at least unstable.  This is good advice for standard
executables.. but MS WORD docs can be cleaned most of the time simply by
removing the infected macros, and saving the file as a NORMAL Document!

                    Personal MACRO VIRUSES PREVENTION...

For those of you who would rather deal with the MACRO problem yourself,
without using one of the recommended products, there are a few things you
can do to add an extra measure of security <although it is really a false
sense of security...>

Disabling of AutoOpen Macros is possible by invoking the Word system Macro
DisableAutoMacros.  An ounce of prevention equals a pound of cure. :) NOTE:
this can be disabled by some Macro viruses. :(

The Manual for WORD for Windows says you can also do this from the command
line, by executing WORD with the following command...

       WINWORD.EXE /mDisableAutoMacros

However, due to a Flaw, Feature, or Bug <Gotta Love MS> this doesn't appear
to work!  Thanks MS! :(

The Manual also states that holding <SHIFT> while opening documents will
prevent any AutoExecute type macros from running, but this suggestion also
doesn't appear to work!  Thanks Again MS! :(

Or better yet, you could create your own AutoExec Macro, it isn't hard,
simply select the TOOLS Menu, hit the MACRO command, and create a new macro
called "AutoExec".  Alter line 3 as you see fit...

       Sub Main
         DisableAutoMacros   ' turn off AutoOpen, AutoClose, AutoNew, AutoExit
         MsgBox "MS WORD AutoMacros Disabled.", "Some Protection!", 64
       End Sub

or...

       Sub Main
         DisableAutoMacros   ' turn off AutoOpen, AutoClose, AutoNew, AutoExit
         MsgBox "MS WORD AutoMacros Disabled!", -1   ' -1 = show in status bar
       End Sub

The second macro should display the message in the status line. <I hope>

NOTE: Use of the TOOL/MACRO command can be dangerous.  Some viruses subvert
this command.  Use with caution.  Use AV software to find and delete
infected macros.

This method will effectively prevent CONCEPT, HOT, DMV, and NUCLEAR word
macro viruses from infecting the WORD environment, by fooling these 3
viruses into thinking they've already infected your system.  It also
Disables AutoMacros, which will help with some Macro infectors.  This is a
temporary fix, as WORD gives priority to macros in documents over system
macros.  <MS will need to ship an update to WORD for all platforms that
will give control back to the users.  Can you all say WORD '99? >

All legitimate owners of copies of MS WORD should CALL MICROSOFT Support
staff, and let them know you want an updated copy of WORD.  Let them know you
want the BUGS FIXED.  It's your right!  Call Microsoft Product Support
Services at 206-462-9673 for Word for Windows, or send an Internet e-mail
message to <wonder if we could cause a class action

Another option is to check the TOOLS/OPTION Menu and set it to prompt
before saving NORMAL.DOT.  Setting the File Attributes of the file to
read-only may help, but anyone going to the effort of writing a Macro Virus
can easily disable that attribute. <and if you've read this FAQ, you also
know that some macro viruses can enable AutoMacros even if you specifically
disable them! :( >

NOTE: Use of the TOOL/MACRO command can be dangerous.  Some viruses subvert
this command.  Use with caution.  Use AV software to find and delete
infected macros.

AMI PRO 3.0 Users, who want to clean their system of infected AMI PRO 3.0
GREEN STRIPE MACROS, need only look in their document directory, and delete
any infected macros <which will have the same names as documents>  Note:
detection of GREEN STRIPE infection is easy, view all macros with a NON-AMI
PRO viewer, like DOS edit.  Find infected macros, and delete them.  that's


At the time of this writing, it was mentioned to me that MicroSoft had
released a WORD Document Viewer, that does not execute Macros, that could
be used in place of WORD for the purpose of viewing Documents while
on-line.  MSN or its affiliated BBS services should have the file
available for download.  Also, a number of Shareware and Freeware shells
can directly view WORD documents, without executing macros.  Eric Phelps
has noted that an updated version of the WordViewer is now available.  The
new WordView 7.1 free viewing utility from Microsoft now runs some Word
macros!!   If you want to view documents without the ability to run macros,
then stick to versions of WordView previous to version 7.1

Users of NETSCAPE 2 who fear virus infection by macro viruses while on the
WWW, can now acquire Inso's new Word Plug-In Viewer (Inso wrote the Quick
View utility in Win95).  Inso's URL is:

and there is a link to download the Word Plug-In Viewer on the opening

If you need additional information, call Microsoft Product Support Services
at 206-462-9673 for Word for Windows, or 206-635-7200 for Word for the
Macintosh, or send an Internet e-mail message to




       Available on MicroSoft Download Services...
       WD1215.EXE   51078      10-10-95        WD1215.EXE Macro Virus
                                               Protection Tool
       MW1222.HQX   83729      11-09-95        MW1222.HQX Macro Virus
                                               Protection Tool for
                                               Mac Word 6.0
       SCANPROT.EXE 29996      01-02-96        SCANPROT.EXE Word pour
                                               Windows, "Prank Macro"
                                               Protection Template (for
                                               french Word)

       Available at WWW.MICROSOFT.COM or WWW.MSN.COM...
       A self-extracting archive, MVTOOL10.EXE, being distributed by
       Microsoft.  It is a way to protect yourself against the Concept
       virus, as well as to warn you against document files that contain
       macros without your knowledge.  It will create these files:
               README.DOC      36864  10-02-95  1:08p
               SCANPROT.DOT    49152  10-02-95  3:44p
       Enter Word and read the README.DOC to see if this package is
       suitable for your environment.


       -FindVirus can Detect & Clean Macro Viruses, scanning recursively
        inside compressed and archived files (ZIP, LZH, ARJ, ARC, etc)
        without writing to the hard disk. WinGuard  VxD on-access
        scanner can prevent future infections. (available for DOS, Win 3.x,
        Win 95, Win NT, OS/2, Novell NetWare, Unix, and soon Apple Mac)
               USA Tel: +1 617-273-7400
               CompuServe:     GO DRSOLOMON
               UK Support:
               UK Tel:         +44 (0)1296 318700
               US Support:
               USA Tel:        +1 617-273-7400

               Canadian Representative:
               SSS-Sensible Security Solutions Inc.
               Tel. 613-623-6966
               Fax. 613-623-3992
               * Editors of 'Virus News' and on-line Security Alerts


       -Detects & Cleans Macro Viruses Infections.
               USA: Central Command Inc. <AVP>
               P.O. Box 856 Brunswick, Ohio 44212
               Phone: 216-273-2820
               FAX  : 216-273-2820
               FTP:  /pub/command/avp
                               [not operational yet]
               Compuserve: GO AVPRO


       -Currently Only Detects Known WINWORD Macro Viruses, Cannot
        clean Macro infections.  Macro Virus Clean will be added
               Frisk Software International
               Postholf 7180
               IS-127 Reykjavik
               Fax: +354-5617274

               [North America, South America, Australia and New Zealand]
               Command Software Systems Inc.
               Tel: +1-407-575 3200
               Fax: +1-407-575 3026

               DOLFIN Developments
               Tel: +1-905-829-4344
               Fax: +1-905-829-4380

               [Most of Europe, Africa, Middle and Far East:]
               Data Fellows Ltd
               Paivantaite 8
               FIN-02210 ESPOO
               Tel: +358-0-478 444
               Fax: +358-0-478 44 599


       -Currently Only Detects Macro Viruses, but will soon add its
        own internal Cleaners to the software.  In the meantime, McAfee
        included MicroSoft's MVTOOL10.EXE WinWord.Concept Cleaner with
        their product.
               2710 Walsh Avenue
               Santa Clara, California
               95051-0963 USA
               For questions, orders and problems call
               (M-F, 6:00AM - 5:00PM PST): (408) 988-3832  Business
               For Faxes (24 hour, Group III FAX): (408) 970-9727  FAX
               Bulletin Board System
               (24 hour US Robotics HST DS):  (408) 988-4004
               Internet Email:
               Internet FTP:
               America On-line:  MCAFEE
               CompuServe:  GO MCAFEE
               The Microsoft Network:  GO MCAFEE


       -Detects Currently Existing Word Macro Viruses
               ThunderBYTE International Affiliates
               ESaSS B.V.-ThunderBYTE International
               P.O. Box 1380
               6501 BJ Nijmegen
               The Netherlands
               Phone: +31 (0)8894 - 22282
               Fax:   +31 (0)8894 - 50899

               TCT-ThunderBYTE Corporation
               49 Main St., Suite 300
               Massena, N.Y. 13662
               Toll-Free: 1-800-667-8228
               Phone:     (315) 764 1616
               Fax:       (613) 936 8429

               TCT-ThunderBYTE Inc.
               3304 Second St. E., P.O. Box 672
               Cornwall, Ont. K6H 5T5
               Toll-Free: 1-800-667-TBAV
               Phone:     (613) - 930 4444
               Fax:       (613) - 936 8429


       -Detection of Macro Viruses + Integrity Checking in one package
               Stiller Research
               2625 Ridgeway St.
               Tallahassee, FL. 32310-5169
               PHSH44A on Prodigy.
               Stiller on GEnie


       -Generic Virus Detection Utility + ChekResQ utility that can remove
        boot sector and partition table viruses both from memory and your
        hard disk. ChekMate, using Generic Techniques, avoids the major
        problem of false alarms.  <MS or PC-DOS 3.3 or later, Windows 3.0,
        3.1, 3.11, Workgroups, Windows '95, and Windows NT, as well as OS/2
        2.0, 2.1 and Warp> NOTE: Requires DEBUG.EXE.  Package Includes
        CHEKWORD.DOC.  Macros in the GLOBAL template (normally NORMAL.DOT)
        are checked and the user is informed of the number(s), name(s) and
        descriptions of macros in this template.  For your protection, the
        AutoExec and AutoOpen macros are also disabled
        automatically.  Chekword.Doc also scans documents you open.
            Martin Overton (ChekWARE),
            8 Owl Beech Place,
            West Sussex, RH13 6PQ,
                FTP at:

                At the World-Wide Web site:


Simtel, the Software Depository, is a great source for Anti-Virus software!
Many AV producers post updated versions of their software regularly to
SIMTEL.  SIMTEL is a free service, which you can access via Internet.

The following list will allow anyone with Internet access to freely access
and obtain Most AV shareware/freeware.  For those of you who cannot FTP to
a Simtel site, do a search for "SIMTEL" with a decent search engine like
YAHOO or WEB CRAWLER, and you'll see SIMTEL listed.

SimTel's primary mirror site is ftp.Coast.NET ( located in
Detroit, Michigan, and there the programs may be found in the directory

Secondary SimTel mirror sites in the US include:

       Concord, CA
       Urbana, IL
       Rochester, MI      OAK.Oakland.Edu
       St. Louis, MO
       Norman, OK
       Corvallis, OR 
       Salt Lake City, UT  

Users outside the US should in general select the "closest" mirror site
from the list below:

       Czech Republic   
       Hong Kong
       New Zealand
       South Africa
       Slovak Republic 



I would like to extend my appreciation and thanks to all those who provided
info to me on this matter.  Most of the Anti-Virus producers were extremely
helpful in the production of this much needed FAQ for ALT.COMP.VIRUS. 
Special Thanks goes to Bruce Burrell <> for reminding
me to DOT my "i"'s and cross my "t"'s.


I would like to thank the following individuals who have helped and
contributed to this document:

Graham Cluley <>, Senior Technology Consultant, Dr
Solomon's Anti-Virus Toolkit.

Dr Alan Solomon <,>,
Chief Designer of Dr Solomon's Anti Virus Toolkit, S&S International.

Vesselin Vladimirov Bontchev <>, FRISK Software

Wolfgang Stiller <>, Stiller Research

Keith A. Peer <>, Central Command Inc. <AVP>

Sarah Gordon, <>, Command Software System's F-PROT
Professional Support.

Paul Kerrigan, <>

Paul Ducklin <>, and SOPHOS <> for providing
early info and the detection string for this new macro virus.

David Harley <>

David Phillips (

Dr David Aubrey-Jones <> of REFLEX MAGNETICS

Martin Overton <> and Ed Fenton



Any distribution of this FAQ is subject to the following restrictions:

This FAQ may be posted to any USENET newsgroup, on-line service, or BBS as
long as it is posted in its entirety and includes this copyright statement.
This FAQ may not be distributed for financial gain.  This FAQ may be made
freely available and posted on FTP, WWW, and BBS sites, Newsgroups and
Networks, as well as included within software packages and AV products, and
on CD-ROMs containing other FAQ's/shareware/freeware programs, such as the
SIMTEL and GARBO collection CD-ROMs, as long as this FAQ is always
distributed complete and without modifications, and proper credits are
given to the author.

Mass distribution of this FAQ in magazines, newspapers or books requires
approval from the author, Richard John Martin.

       Email Bd326@Torfree.Net for FREE APPROVAL.

NOTE: I, the AUTHOR, will re-post copies of this FAQ to ALT.COMP.VIRUS
every one-two weeks.  <or more frequently when the need arises>

Anyone with additional info, critiques, suggestions, etc. to add to this
FAQ, please send it to Bd326@Torfree.Net

Copyright (c) 1995-1996 by Richard John Martin, all rights reserved.



ChekMate <ChekWare Software> will usually have the most up-to-date copy of
this faq on their Internet Site. <Thanks Guys>  You can find it at...

or try our own HIGH SPEED DEMONZ WWW homepage.  You will find updated
copies of this FAQ at...

as well as many other popular AV sites.  Keep an eye on the Page, as new
things will shortly be added, plus an HTML version of the FAQ is being

With any luck, things will return to normal around here.  Updated copies of
the FAQ should resume its former schedule of updates once every 2 weeks.

An Updated copy of this FAQ can also be obtained by sending Email to
Bd326@TorFree.Net, with a SUBJECT header of "PLEASE SEND FAQ", which will
result in a return email message that will include an updated copy of this
FAQ.  To be added to an experimental MAILING LIST for updates of this faq,
may be cancelled at anytime.

You can also remove yourself from the list, by sending an email with the

For those of you who live in Toronto, Ontario, Canada, or don't mind a
call up here to the Great White North, set your modem to 8n1, and call:

        VIRUS WATCH BBS         (416)654-3814

Simply do a search on the BBS for MACRO and you will see updated copies of
the FAQ listed.  The file will be an ASCII text file, with the name format

The xxx will refer to the month.  This particular edition is WORDMACR.MAR

I'm still looking for BBS's to ARCHIVE this FAQ, so if anyone would like to
ARCHIVE it on their BBS, please let me know.



Any help with the following questions would be appreciated.





          RELEASED? ]



6:        [ ANY NEW INFO TO ADD? ]

          DOCUMENTS??? ]

          MAC? ]

          WINDOWS? ]




Anyone with additional info, critiques, suggestions, etc. to add to this
FAQ, please send it to Bd326@Torfree.Net



This article is provided as is without any express or implied warranties.
While every effort has been taken to ensure the accuracy of the information
contained in this article, the author assumes no responsibility for
errors or omissions, or for damages resulting from the use of the
information contained herein.


      This FAQ is Copyright (c) 1996 Richard John Martin, HIGH SPEED
      DEMONZ Anti-Virus Research Labs, Canada.  All rights reserved.

    MicroSoft (tm), MicroSoft Windows, MicroSoft Word, MicroSoft EXCEL
     are Copyright (c) 1995-96 MicroSoft Corp.  All rights reserved.



