DR SOLOMON'S TECHNICAL NOTE

Macro viruses

Macro viruses are the latest development in the battle against computer viruses. First encountered in the autumn of 1995, they have quickly caught the imagination of the press and virus author alike. Their introduction into the virus world has caused a stir because they have broken some of the established "rules":

1) They are the first ever viruses to infect documents rather than executable files. The first macro viruses seen infected Microsoft Word documents. In January 1996 the first AmiPro macro virus (Green Stripe) appeared. It should be remembered that other word processors (and even other applications) could be at risk in the future.

2) They are the first ever multi-platform viruses - not just capable of infecting PC systems, but Macintosh as well.

This document provides an overview of some of the better known macro viruses.

Concept:
Aliases: WinWord.Concept, WW6Macro, WW6Infector, WBMV (Word Basic Macro Virus), Prank Macro
Type: Word macro virus.
Description: This is the first virus to infect data files. Concept infects Microsoft Word 6 documents (*.DOC) and the NORMAL.DOT template. The virus makes use of the well-developed Microsoft Word macro language, Word Basic, in an attempt to exploit the fact that computer users exchange documents far more often than programs. When an infected document is opened under Microsoft Word for the first time, the virus gets control as an AutoOpen macro and infects the NORMAL.DOT template (or any other template, if it has been selected as the global default template). A message box with the text '1' appears on the screen. After this, every document saved using the File|SaveAs command is infected with the virus. This normally happens when a newly-created document is saved to disk.
If Microsoft Word is run, Tools|Macros is selected and the list of macros checked, the presence of macros named AAAZFS, AAAZAO, AutoOpen, PayLoad and FileSaveAs indicates that the Microsoft Word system is infected. This virus works under Microsoft Word for Windows 3.x, Word for Windows 95, Word for Windows NT and Word for Macintosh, which made it the first ever multi-platform virus. Other macro viruses have been written in the wake of Concept, including Nuclear, DMV and Colors.

The Concept virus is very common in the wild. This is largely due to Microsoft accidentally shipping it on a CD-ROM called Microsoft Windows 95 Software Compatibility Test to hundreds of OEM companies in August 1995. Another company distributed more Concept-infected documents on 5500 copies of a CD-ROM called Snap-on Tools for Windows NT shortly afterwards.

Nuclear:
A Word .DOC file containing a description of another Word macro virus (Concept) was uploaded to one of the publicly accessible ftp directories at the USA internet provider netcom.com. The file in its turn appeared to be infected with a new Word macro virus - Nuclear. Similar to Concept, Nuclear infects NORMAL.DOT when an infected document is opened. Then it infects all documents saved using File/SaveAs. Unlike Concept, all macros in Nuclear are "execute-only", i.e. protected (encrypted) in such a way that you cannot view or modify their source code. (You can still see the macros' names in Tools/Macro, though.) We nevertheless succeeded in decrypting the macros and thus in analysing and understanding the virus.

An infected document or NORMAL.DOT contains nine macros named AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload and PayLoad. The main effect of the virus, besides replication, is that if a document is being printed and the system clock's seconds counter is between 55 and 59 (i.e. with a probability of approximately 1/12), two lines are added to the document and are subsequently printed at the end of the last page:

And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

The virus was also supposed to drop a "normal" (i.e. COM/EXE/NewEXE infecting) virus named PH33R (pronounced `fear'), but due to a whole set of bugs it fails to achieve this. By the way, the virus it is supposed to drop has nothing to do with the old Suriv virus family. The confusion is entirely due to the fact that the macro which does this is called DropSuriv. 'suriv' is nothing but 'virus' reversed, and the only thing the Suriv viruses and the DropSuriv macro have in common is the name.

Another payload conceived by the Nuclear author should trigger on April 5 of any year. The destructive macro named PayLoad was supposed to damage (truncate to 0 bytes) the system files IO.SYS, MSDOS.SYS and COMMAND.COM. Fortunately, once again the virus author never dared to debug this piece of code - the PayLoad macro does not work either, due to bugs in it. The virus also causes some side effects, such as error messages when you choose File/Print or File/SaveAs.

Colors:
Alias: WordMacro.Colors
Type: Word macro virus.
Description: Colors is a Word macro virus which most likely comes from Portugal. When an infected document is opened under Microsoft Word (Word for Win95, Word for NT, Word for Windows 3.x, MacWord, ...), the virus infects the global template (usually NORMAL.DOT). Then every document created via File/New or saved via File/Save or File/SaveAs is infected by the virus. The virus contains ten macros, including AutoOpen, AutoClose, AutoExec, FileNew, FileExit, FileSave, FileSaveAs and ToolsMacro. If macros with such names existed prior to infection, they are overwritten by the virus. Surprisingly enough, the AutoExec macro in the virus is an empty one - it does nothing.
The possible aim of this could be to overwrite an existing AutoExec macro which might contain anti-virus routines (e.g. those supplied by Microsoft). The virus can propagate even with auto macros disabled (e.g. by invoking Word as WINWORD.EXE /mDisableAutoMacros or by using one of Microsoft's recent anti-virus template tools). As soon as a user chooses File/New, File/Save, File/SaveAs, File/Exit or Tools/Macro, the virus gets control and infects NORMAL.DOT. Moreover, unlike other known Word viruses (such as Concept, Nuclear and DMV), Colors cannot be spotted by using Tools/Macro to list active macros. The virus intercepts Tools/Macro and effectively disables it, while still using it for infection. In this way Colors can be called the first macro virus with some stealth capabilities. Nevertheless, one can use File/Templates/Organizer/Macros to view the names of the virus macros and even to delete them. As in the case of Nuclear (the first encrypted macro virus), all macros in Colors are execute-only and thus cannot be viewed or edited by means of Microsoft Word. The virus also enables auto macros (just in case the user had disabled them) and disables Word's prompt to save changes to NORMAL.DOT.

The virus maintains a counter named 'countersu' in the [windows] section of the WIN.INI file. Every time a virus macro is called (with the exception of AutoExec) the counter is incremented by one. That is, every time a user opens, creates, saves or closes a document, attempts to use Tools/Macro or exits Word, the counter is incremented. When the counter reaches 299, and every 300th time thereafter (i.e. 299, 599, 899 and so on), the virus triggers. It then changes the Windows colour settings (text, background, buttons, borders, etc.) to randomly selected colours, so that the next time Windows is started the user is puzzled by a most unusual and weird colour palette.

Hot:
Aliases: Wordmacro.Hot, WM.Hot
Type: Word macro virus.
Description: WordMacro.Hot creates an entry in the WINWORD6.INI configuration file which contains a "hot date" 14 days in the future when its payload will trigger. The virus can then activate randomly within a few days of the "hot date": when you try to open a document, its contents are erased instead. The payload is disabled if C:\DOS\EGA5.CPI is found to exist. A comment in the virus source code suggests that this is a "feature" designed to protect the virus author and his friends.

Atom:
Alias: Wordmacro.Atom
Type: Word macro virus.
Description: ATOM consists of 4 macros - AutoOpen, FileOpen, FileSaveAs and ATOM - all of which are execute-only. When an infected document is opened, ATOM infects the global template. If the auto macros are disabled, the virus is rendered ineffective. ATOM does not turn off the prompting when saving the global template, so if prompting is turned on you will be prompted to save changes to the global template at the end of the session. After the global template is infected, ATOM calls its first destructive payload: if the current date is December 13, the virus deletes all files in the current directory. Once the virus is active (i.e. it has infected the global template), it infects all documents which are saved via the FileSaveAs command or opened via the FileOpen command. If the seconds field of the current time is 13 at the time of infection, the virus encrypts the document being saved with the password "ATOM#1".

DMV:
Type: Word macro virus.
Description: DMV is the name of a Word macro virus that was written for "demonstration" purposes by an American computer user. He subsequently made his virus available for all to download via the World Wide Web. The author of this virus also attempted to write an Excel macro virus - but it fails to work because of a bug.

FormatC:
Type: Word macro trojan.
Description: This is not a virus but a trojan, because it does not replicate.
It does, however, format your C: drive as soon as the document is opened. This trojan was posted to a Usenet newsgroup.

Wiederoffnen:
Type: Word macro trojan.
Description: Wiederoffnen is not a virus but a Word macro trojan. It comes in a Microsoft Word 2 document but works perfectly under Word 6 too. Wiederoffnen intercepts the AutoClose macro and, when the document is closed, plays tricks with AUTOEXEC.BAT.

Green Stripe:
Aliases: AMP.GreenStripe
Type: Ami Pro macro virus.
Description: This virus infects Ami Pro document files (*.SAM) by creating, for every .SAM file, a corresponding .SMM (Ami Pro macro) file with the same name in the same directory and linking the .SAM to the .SMM in such a way that opening the .SAM invokes execution of the .SMM. The .SMM files are hidden and cannot be seen with a simple DIR command - DIR /AH will show them, though. When an infected document is opened, the virus gets control and infects all *.SAM files in the current directory, which is always Ami Pro's default DOCS directory (...\AMIPRO\DOCS). The process is very noticeable, since all the document files are opened and then closed one by one and the user can see them quickly appearing and disappearing on the screen. Then the virus intercepts the File/Save and File/Save As commands. On File/Save As the virus infects the document being saved, and this is the only way the virus can propagate to another computer. Since both the .SAM and .SMM files are necessary for the virus, and since the .SAM file contains an absolute pathname as a reference to the appropriate .SMM file, if one simply copies either the .SAM or both the .SAM and .SMM files to a floppy and then opens the .SAM under Ami Pro on a different computer, the virus won't run. But when a document (.SAM) is copied using File/Save As, both the .SAM and .SMM are transferred and the pathname link is changed accordingly. File/Save was supposed to be used for the virus' payload: on File/Save the virus should replace all occurrences of "its" in the document with "it's".
This did not appear to work in our experiments, however. Unlike Word macro viruses, this Ami Pro virus is very unlikely to be transmitted by e-mail. Again, this is because Ami Pro keeps macros in separate .SMM files, while only the .SAM file is sent as a cc:Mail attachment. The name of the virus - Green Stripe - is taken from the virus itself: its main macro procedure is called Green_Stripe_virus.

Detection is made easier by a number of factors. Firstly, as mentioned above, when an infected document is opened it is very noticeable - the screen keeps blinking as numerous documents are loaded and then closed. Secondly, after loading a document, one can go to Tools/Macros/Edit and see whether the document has a macro file (same name, .SMM) assigned to it to be executed on open. Thirdly, users of Dr Solomon's FindVirus v7.58 and later will detect this virus when it is run with the /DOALLFILES switch. FINDVIRU /REPAIR /DELETE will delete infected files. The report will contain the names of all infected (and now deleted) .SMM files. Then one should run Ami Pro and, for each .SMM file listed in the report, load the .SAM file with the same name (there will be an error message saying that the appropriate .SMM file was not found), go to Tools/Macros/Edit and uncheck the Assign box(es).