Objective: This FAQ will explain the WORD MACRO VIRUS family of
viruses, and will explain how infections occur. It will also, when possible,
detail how to clean them up, and how to prevent infections in the first
place.
Vx or VX refers to the Virus Writing Community at large, regardless of any individual's virus writing experience, or popularity.
AV refers to the Anti-Virus Community, including Researchers, Hobbyists, and Software/Hardware Developers.
GUI refers to Graphical User Interface. (ex. Windows 3.1)
MAC refers to Apple MacIntosh Computers, usually both the Current POWER PC MAC (PPC) and the earlier models. (unless otherwise stated)
MS refers to MicroSoft Corporation, and products made by them.
PC refers to IBM Brand Computers running on the x86 (including early x88, AT, XT models) series of processors produced by INTeL, AMD, NeXTGEN, and CYRIX, as well as IBM Clone or Compatible computers.
OS, or Operating System, will refer to the Disk Operating Systems that handle basic I/O, file management, etc. MS-DOS, PC-DOS, DR-DOS, DIP-DOS, Tandy DOS, COMPAQ-DOS all fit into this category. Operating Systems with GUI's like WINDOWS NT, OS/2 WARP, MacOS, AMIGADos, and WINDOWS '95 also fit this category. (it could be argued that WINDOWS '95 is NOT AN OS, as an enhanced version of the classic MS-DOS OS is loaded prior to the loading of WINDOWS Environment.)
Operating Environments, refers to interfaces that run on top of NON-GUI OS's such as Windows 3.0, 3.1, 3.11, Windows for Workgroups, early OS/2 versions prior to WARP.
Operating Platform, refers to the combination of Computer Architecture, OS, and sometimes GUI. Examples of Platforms can include, but are not limited to the following...
NOTE: Use of VIRII as a plural of VIRUS has been dropped from this FAQ. The term VIRUSES will be used instead. Complaints can be forwarded to ALT.COMP.VIRUS where someone will be glad to argue with you till they're blue in the face! :)
WARNING: User definable virus search strings are littered throughout this document. They will help users with older versions of Anti-Virus software. However, we suggest that you acquire updated copies of the AV software, which will have these strings included, and save you some trouble. Also note that using TOOL/MACRO as a way of hunting down macro infections can be dangerous. It is preferred that you use dedicated AV software to hunt down infection.
With any luck, things will return to normal around here. Updated copies of the FAQ should resume its former schedule of updates once every 2 weeks.
It is possibly the first Virus to be truly a CROSS-PLATFORM (not including WORMS) infector, since any systems running compatible copies of WORD 6.0, or those systems that emulate Word 6.0's macro language can be infected.
It is also the first group of viruses that prove NON-Executables can infect systems. It had been theorized for years by the best in the industry, as people started to realize the power of the MACRO Languages that were included with programs like 1-2-3, Excel, and numerous Word-Processors.
It is far less important to classify these viruses as data or executable code or both, than to acknowledge their existence, and the need for preventive measures against them.
To better understand the issues covered in this FAQ, the WORD MACRO VIRUSES, it's necessary to first explain what a virus and a macro are.
DOS users have been using a macro language, commonly known as the BATCH Language, for years to automate the mundane and repetitive tasks common to maintaining a computer system. In DOS, files with the .BAT extension are interpreted (by the Command Processor COMMAND.COM) and are executed line by line, automating tasks (the most common example of a batch file is the AUTOEXEC.BAT file, found in the root directory on every MS DOS based PC in the world).
NDOS & 4DOS Users have their own enhanced version of the batch languages (files with the extensions .BTM), which allows the same batch files, with additional commands, to be read by the NDOS or 4DOS command interpreters (NDOS.COM & 4DOS.COM) as a whole file into memory for execution (which increases the speed of the batch file).
OS/2 Users have enjoyed an even better Macro Language, the REXX batch/Programming language. It is much more robust, and better suited to deal with demanding tasks.
WORD MACROS are Macros that can carry out and follow lists of instructions, usually saving a user keystrokes. The abilities of the WORD MACROS are limited to the functions provided by the MS WORD WordBasic Environment, included with the WORD 6.x level of Word Processors from MicroSoft. NOTE: WordBasic included with WORD 1.x, 2.x have enough similar commands in their languages to warrant consideration.
Imagine having to add your name, address, phone#, and other personal info to dozens of documents daily; it would become tedious fast. Macros can automate the process, saving a lot of time and effort. The power of the WordBasic Macro Environment gives the users, both home users and business users alike, the ability to automate many tasks, including file management, from within MS WORD. Macros also include the ability to affect other running applications, via the Word Macro language, by DDE etc. Unknown to the author at this time, it's been theorized that OLE ability may also exist in the WORDBASIC macro Language. (BOTH DDE and OLE may be entry points for future viruses)
MS WORD MACROS are only executable by the WORDBasic environment, which is limited to functional copies of MS WORD 6.x /7.x and sometimes 2.0, as well as WORDVIEW 7.1. For the sake of this FAQ, MACROS will be considered Data files. Macros require interpretation by the WordBasic Environment, and are not executed in the classic DOS sense. Executables will be defined as files that follow the classic standards, including EXE, COM, NEWEXE, BAT (yes they are interpreted, but they are also almost always DIRECTLY executed by the user, and as such almost fall into the same GREY area that these macro viruses fall into) as well as the programs in the boot-sector, master boot sectors. It could be argued that WORD macros are a combination of data and executable code. A notable exception to the batch file rule is the WINSTART.BAT file, which Windows 3.11 for WorkGroups looks for in every directory in the path, and tries to execute. It'll be executed whether the user wishes it to be or not.
NOTE: David Harley (harley@europa.lif.icnet.uk) and Joseph Stafford (stafford@twsuvm.uc.twsu.edu) have noted that MicroSoft Word Wizards are also WORD Macros. Wizards are simply templates with the WIZ extension, which include an AutoNew Macro, which call a Start Wizard Macro. WIZ files may soon fall prey to macro infections.
NOTE: Viruses can and sometimes do infect files indirectly, without altering the CODE of executable files. For instance, File System or Cluster viruses (Dir-II, BYWay) are those which alter directory entries, pointing a legitimate directory entry first to its malicious code, so the virus can be executed, and then the desired program is executed. The program itself is not physically altered, but the directory entry is.
Viruses may, and often do have destructive bombs or payloads, which do something other than replicate. Many payloads include destroying data, deleting files, encrypting parts of hard drives, etc. Common targets for Viruses include standard Executables like *.COM, *.EXE, and NEWEXE files, as well as the programs used by the computer to boot up, including the programs (executable code) found in Boot sectors, and Master Boot Sectors. Other DOS executables can also be infected, such as *.DLL and *.BIN, *.DRV, *.OV? *.OB? and *.SYS files. Not all of these executables will allow for the proper execution of viral code, and can/may either hang the machine, crash a session, or simply not function, producing numerous errors. Common examples of executable files include COMMAND.COM, EMM386.EXE, Windows Executables, MOUSE.DRV, DRVSPACE.BIN, and HIMEM.SYS. (everyone with a Modern release of MS-DOS and WINDOWS should recognize these files)
A sub-class of viruses, known as Trojan Horses, are commonly, and possibly incorrectly considered viruses. A Trojan Horse, named after the Greek Battle Tactic, is a program, that is stated and promoted as being able to do something useful or interesting (like a game or utility), but in turn does something malicious. (like drop a virus for later infection) Trojans typically DO NOT ACTIVELY REPLICATE. They may inadvertently get copied around and distributed, but this has little or nothing to do with any replication code in the TROJAN.
NOTE: It can be argued that Viruses by the above definition, are Trojans. This argument would have Viruses listed as replicating Trojans. Defining these two groups of programs isn't really relevant, as long as you understand the premise behind both groups. For a more detailed definition of VIRUSES, refer to the ALT.COMP.VIRUS VIRUS FAQ, by David HARLEY, or the COMP.VIRUS/VIRUSL FAQ's on VIRUSES. Both are an excellent source of virus related info. Both are reposted regularly to their respective newsgroups.
These viruses commonly tend to infect the global macros, which get automatically saved at the end of each session. When the next session of MS WORD opens, the infected Global Macros are executed, and the WORD Environment is now infected, and will in turn be likely to infect documents whenever they are opened, closed, and created during all future sessions.
As a Virus, the WORD MACRO VIRUSES do REPLICATE. They can spread in most cases to any MS WINDOWS Environment or OS that runs a compatible copy of MS WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0 for MacOS. This makes it a multi-platform/multi-OS file infector. It also makes it one of the first non-research viruses to be successfully spread to all of these environments and OS's.
MS Word Macro Viruses reside in interpreted data that can spread to different OS's/platforms. These viruses do not spread via modification of executable machine code, but by modification of data in files that are interpreted by the Microsoft Word 6.0 program and any other versions of Word that support macros and WordBasic.
MacIntosh Word Users have an advantage over the PC world, as infected documents appear with the template icon, rather than the usual document icon. This means that Mac Users can visually tell before-hand whether a Document is infected or not.
For responsible Word 6.x users, Macros can also be of great use. The Macro Language of WORD 6.x (WORD BASIC) is a powerful tool, and can accomplish many tasks, including altering files, copying files, and executing other programs. What makes this macro language so powerful is also what makes it a target for the Vx community. The idea of the Vx community exploiting macro languages had been theorized for years, but has only recently been developed and spread throughout the world.
WordBasic Macro Language is much simpler to learn and master than ASSEMBLER, or other popular higher Level programming languages, and for this reason, Vx people (both new and old alike) have taken to it as a viable alternative to learning and coding ASM. The thought of ticking users off on more than one platform has been around for years, and now thanks to MS WORD, and all its compatible versions on other popular platforms, the Vx people have their wish. Another Bonus of this new outlet for Vx writers is that many virus scanners only scan Executable files, leaving the .DOC files of WORD alone. It is important to note that many AV producers have now included scanners/cleaners in their software, allowing for the detection of existing MS WORD Macro Viruses.
Vx people also know that many people never exchange programs, but regularly exchange documents (those in the corporate circles for example), which meant that there was a whole new region of unsuspecting users to infect. The power and lower learning curve of this language, together with the popular past conception that non-executables are relatively safe from infection and from becoming infectors themselves, has allowed the Word Macro Virus to spread like "Wildfire". (Editor smiles :))
Even until just recently, members of the respected AV community inadvertently continued these classic misconceptions that NON-executables (DATA FILES) cannot infect systems, and that no VIRUS can infect on a CROSS-PLATFORM basis. F-PROT V2.21 (Dec '95) continues these misconceptions in the file VIRUS.DOC, included with their DOS command line scanner...
"A virus cannot spread from one type of computer to another. For example, a virus designed to infect Macintosh computers cannot infect PCs or vice versa."
This isn't meant to be a knock on F-PROT... they easily have one of the best virus scanners on the market. They're just too busy keeping us VIRUS-FREE that they simply haven't gotten around to updating this older file! :) (Info on obtaining a copy of F-PROT is included in the SUGGESTED SOFTWARE area of this FAQ.)
"A virus cannot infect a computer unless it is booted from an infected diskette or an infected program is run on it. Reading data from an infected diskette cannot cause an infection."
Heck, a year ago, those two quotes were standard replies to virus related questions regarding how viruses spread, and at the time you'd be hard-pressed to prove these quotes wrong. Now, the new realities are setting in. The MS WORD Macro Virus Family have changed the rules. Infection from simply reading a document is NOW possible.
So, a WORD MACRO Virus, is a collection of instructions, known as a macro or template which WinWord (Word 6.x) executes. The list of instructions in the macro can copy and delete files, alter them, make whole changes to template files, drop other viruses, and execute programs, including ones it has dropped. These Macro Viruses (as defined in section 1) aren't directly executable. They are actually read (and interpreted and executed) by the MS WORD WordBasic Interpreter. This is the first time a virus infection has occurred in the mainstream user market where a file was only read (or at least the user thought was only going to be read) for it to be executed.
MSN - MicroSoft Network, and other similar ON-LINE services, have also contributed to the spread of Word Macro Viruses, via a feature included in their terminal programs, MIME-compliant mailers (e.g., Eudora), and WWW browsers (e.g., Mosaic and Netscape). This feature allows users to download and view .DOC files while on-line... the terminals can run the associated program for .DOC files (MS WORD) and therefore immediately infect users' systems. This mechanism WILL also allow the virus to be introduced into your system via mail or a WWW page. Use such automatic execution with caution. Had the Macro Viruses never been created, this feature would be of benefit.
NOTE: Reading Infected documents with anything other than a copy of MS WORD will not activate and spread the infection. For the virus to become active, MS WORD is required, and it must be WORD that is used to view the document. For example, NORTON UTILITIES Norton Commander (DOS) has a document viewer, able to view 10-12 of the most popular formats for documents, including various versions of WORKS, WORD and WordPerfect documents. Using the viewer to read an infected document, and telling it to use WORD 6.x format, will allow you to view the document, but will NOT and CAN NOT execute any macros.
At the time of this writing, it was mentioned to me that MicroSoft had released a WORD Document Viewer, that does not execute Macros, that could be used in place of WORD for the purpose of viewing Documents while on-line. MSN or its affiliated BBS services should have the file available for download.
UPDATE: Eric Phelps noted that a newer version of the WORD Viewer is now available from MS, called WordView 7.1. Unlike its predecessor, it will execute some MACROS. Users who use the Viewer to prevent macro infection should stick to the previous version. This WordView 7.1 doesn't have a NORMAL.DOT to infect, but it still allows for an entry point into your system. Use WordView 7.1 with caution.
When Word opens a document (.DOC), it first looks for all included macros in it. This is a little misleading... MS WORD looks at the DOC, first thinking it is a DOC, but finds that it has TEMPLATE/MACRO code (meaning it isn't technically a document, but a template file). If it finds the AutoOpen Macro, or other AUTO macros, Word will automatically execute this macro. Typically, in the case of an infected .DOC file, this macro will instruct the system to infect important key macros and template files. Those Macros will in turn infect any documents opened thereafter. (hence the Term VIRUS)
Typically, the FileSaveAs Macro is replaced or overwritten, so that an infected copy can then determine how all future documents will be saved. This means it gains the control of what file format to save in, and what macros to include into the document. All this is seamless, and most of the time you may not even realize this is happening. When the user executes the FileSaveAs command, the virus (e.g., Concept) displays the usual dialog box, letting the user fill in the fields for the file name, location, type, etc. Only afterwards does the virus change the type of the file to template, so the user doesn't see anything unusual. AutoOpen and other Macros are then included into documents. When exchanging documents with uninfected computers, the system becomes instantly infected as soon as you try to view and load the infected document (macro/template) with a compatible copy of MS WORD!
At the end of a WORD session, MS Word automatically saves all Global Macros into the Global Macro File, typically the Normal.DOT file. Now all future sessions of Word will infect documents it opens until you replace NORMAL.DOT with an uninfected copy. (or delete the infected macros) Otherwise, MS Word Loads, and will load infected GLOBAL MACROS before you do a single thing. NOTE: Some macros will save to the Global macros on their own!
[ according to Vesselin Bontchev (bontchev@complex.is) The auto macros are always spelled in one and the same way in all nationalized versions. It is things like FileSaveAs that are translated ].
NOTE: PC Users will likely not notice the difference between a TEMPLATE infected file masquerading around as a document file, as word will recognize Macro Templates in a file regardless of the extension used by the Template (Default *.DOT). (Send Complaints to BILL GATES, C/O MICROSOFT CORP.) MacIntosh Users can visually tell whether a Document is infected or not, since infected documents appear with the template/macro icon, instead of the normal document icon. A file that is indicated by a template icon may simply be a harmless template, that the user has made, containing legitimate macros. This MAC advantage will depend on how the document is opened. Opening with the File / Open command will not help a MAC user make the distinction. Viewing parameters for a folder will also determine whether a MAC user will notice the template file. Viewing by size, name, or date will not help, as the icon isn't displayed properly.
A Feature common to most viruses of this type is the ability to spread to other platforms, making this family of viruses unique, and dangerous. They can and will spread to almost any platform operating with a compatible copy of MS Word 6.x+. (some exceptions apply)
Although other word processors like WordPerfect and Ami Pro do support reading MS Word documents, they can not be infected by these viruses. These programs have the ability to read documents, but not to execute the macro language commands that may be embedded.
It's worth noting that macro viruses whose payloads have no effect on a Mac (PC emulators excepted) will nevertheless replicate on the Mac unless they use one of the relatively few WordBasic functions specific to Windows in the infection/replication routine.
The proliferation of this virus is widespread, mainly due to 2 companies ACCIDENTALLY shipping this virus in infected documents found on their CD-ROMS. The first CD-ROM was...
MicroSoft Windows '95 Software Compatibility Test
which was shipped to thousands of OEM companies in mid 1995. In August/September Microsoft distributed the Concept virus on a CD-ROM in the UK called...
"The Microsoft Office 95 and Windows 95 Business Guide"
The infected file is \Office95\Evidence\Helpdesk.DOC, dated August 17th, 1995 (121,856 bytes). The third CD was...
Snap-On Tools for Windows NT
which was distributed by ServerWare, who immediately withdrew it, warned recipients, and re-mastered it. MicroSoft Corp. is to be commended for acknowledging their part in the spreading of this new virus, (calling it a PRANK) and their effort in controlling the spread of it. They were quick to respond to this new Virus threat with a Macro Scanner/Cleaner which is available freely for download from MSN and associated services. (Note: it's buggy)
This commendation should be taken with a grain of salt, as MicroSoft waited up to two months before admitting there was a problem, downplaying the seriousness of the situation, and calling it a PRANK Macro, not befitting an acknowledgment as a REAL virus in their view. MS in turn requested help from AV insiders, and subsequently released their own flawed FIX. AV people wanted info regarding internal information of the WORDBASIC Macro Template Format.
Such help wasn't forthcoming, at least not until months later. During the whole time that the bulk of the AV people waited for help, MS cited their FIX as being the only thing that CAN deal with this new virus, and that Current AV Products were useless. (not the first time MS has thrown rocks at competitors...) The statement from MicroSoft is only partially true, as a number of AV companies figured out the Macro format on their own, and released their own fixes. Those of us who are used to dealing with MicroSoft would agree that 5 months of waiting, being told you're wrong, then finally getting the help you asked for was "a quick response". :)
A CONCEPT Infection is easy to notice: on the first execution of the virus infected document (on the first opening of the infected file) a MessageBox appears with the digit "1" inside, and an "Ok" button. Also, when simply checking the TOOLS/MACROS option to check loaded macros, the presence of Concept is apparent by the appearance of these 5 macros:
AAAZFS *
AAAZAO *
AutoOpen
PayLoad *
FileSaveAs
NOTE: Using the Tools/Macro option to view in-memory macros can be misleading,
and dangerous, as some viruses will intercept this call. The Tools/Macro option
should be used with caution with all viruses, and shouldn't be considered as a
general way to look for macro viruses. The Colors virus for example intercepts
this command and activates if it is used.
You may be currently using legitimate macros that go by the names of AutoOpen and FileSaveAs, so these two may not be out of place. However, it is unlikely that you use legitimate macros with names like Payload, AAAZFS, and AAAZAO. These 3 are the clearest signs of an infection.
Note: As has been noted in some press releases, the virus code is simple for a novice to modify, so variants may also be present or appear soon. The Macros are UNENCRYPTED, and are easily viewable.
The following Text strings are in the infected documents...
see if we're already installed
iWW6IInstance
AAAZFS
AAAZAO
That's enough to prove my point
Also, the line...
WW6I=1
is added to WINWORD6.INI on infected systems.
The Concept Virus is able to run on compatible systems running Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. In Macintosh Word, infected documents appear with the template icon, rather than the usual document icon.
NOTE TO WINDOWS '95/WORD '95 USERS: Those of you who are running Windows 95 and Word 95, and have Word set up to act as your Exchange mail program; (WordMail.) are protected from the spreading abilities of CONCEPT, as WORDMAIL disables the capability that lets Concept spread, so you cannot get infected by reading mail with WordMail. However, if an incoming message has an attached infected Word document, and you double-click on that document to open it in Word, you will get infected.
F-Prot has made an Anti-Viral FIX for this ONE virus, known as WVFIX. It detects a Concept Infection, and can make modifications to WORD settings on PC's to prevent further re-infection by this one virus. Available now from...
CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67
then turn on the USER-DEFINED section of the Targets menu, and add *.DO? as an
extension to scan for, or scan for ALL FILES. If F-PROT finds an infected
document with this method, use WVFIX to do an additional scan to confirm
infection, as legitimate documents may get flagged using the above search
string.
SOPHOS SWEEP users can add detection of this virus to their older scanners by executing Sweep in full Mode with the following command...
SWEEP C:\*.* -F -REC -PAT=575736496e666563746f720606646f026904734d65240c67
Sweep's SWEEP.PAT file can also hold this pattern for you, so that you do not need to type it out every time you wish to scan. Add the following to the SWEEP.PAT file using an ASCII Text Editor...
Concept 5757 3649 6e66 6563 746f 7206 0664 6f02 6904 734d 6524 0c67
Users of IBM's Anti-Virus can add protection to their system for this Virus manually, or can acquire updated copies of AntiVirus from IBM. To manually add detection of CONCEPT to IBM AntiVirus, add the following three lines to an ADDENDA.LST file in the same directory as VIRSIG.LST
07734D6163726F24126A0D476C6F62616C3A4141415A414F
%s the WordMacro.Concept %s
DOC and DOT (COM format) files. Mismatches=0. No fragments.
Then use the "Check System" dialog to add "*.DOT" to the list of patterns to
check, or simply instruct IBM Anti-Virus to scan ALL FILES.
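The three vendor search strings above can be combined in one scanner, so that a lone match is treated as unconfirmed rather than as an infection. This is an added example, not code from the FAQ or from any of the vendors; the two-signature confirmation rule and the verdict names are assumptions of the example, and the hex strings and text strings are copied from this section.

```python
"""Scan files for the WordMacro/Concept search strings quoted in this FAQ."""
import fnmatch
import io
import os
import sys

# Hex search strings copied verbatim from the FAQ's F-PROT, SWEEP and IBM notes.
HEX_SIGNATURES = {
    "F-PROT": bytes.fromhex("646F02690D6957573649496E7374616E63650C67"),
    "SWEEP": bytes.fromhex("575736496e666563746f720606646f026904734d65240c67"),
    "IBM": bytes.fromhex("07734D6163726F24126A0D476C6F62616C3A4141415A414F"),
}
# Plain-text strings the FAQ lists as present in infected documents.
TEXT_STRINGS = [
    b"see if we're already installed",
    b"iWW6IInstance",
    b"AAAZFS",
    b"AAAZAO",
    b"That's enough to prove my point",
]
CHUNK = 64 * 1024
# Bytes carried over between reads so a pattern split across two chunks is seen.
OVERLAP = max(len(p) for p in list(HEX_SIGNATURES.values()) + TEXT_STRINGS) - 1


def scan_stream(stream):
    """Return (hex signature names, text strings) found in a binary stream."""
    hex_hits, text_hits = set(), set()
    tail = b""
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        window = tail + block
        for name, pattern in HEX_SIGNATURES.items():
            if pattern in window:
                hex_hits.add(name)
        for text in TEXT_STRINGS:
            if text in window:
                text_hits.add(text.decode("ascii"))
        tail = window[-OVERLAP:]
    return hex_hits, text_hits


def verdict(hex_hits, text_hits):
    """Assumed rule: two independent vendor strings confirm, one hit does not."""
    if len(hex_hits) >= 2:
        return "likely-concept"
    if hex_hits or text_hits:
        return "needs-confirmation"  # the FAQ warns that clean files can match
    return "no-match"


def scan_tree(root, all_files=False):
    """Yield (path, verdict, hex hits, text hits) for matching files under root.

    By default only *.DO? names are read, as in the F-PROT instructions;
    all_files=True corresponds to the "scan ALL FILES" alternative.
    """
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if not all_files and not fnmatch.fnmatch(name.upper(), "*.DO?"):
                continue
            path = os.path.join(folder, name)
            try:
                with open(path, "rb") as handle:
                    hex_hits, text_hits = scan_stream(handle)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            result = verdict(hex_hits, text_hits)
            if result != "no-match":
                yield path, result, sorted(hex_hits), sorted(text_hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        scan_all = len(sys.argv) > 2 and sys.argv[2] == "--all"
        for hit in scan_tree(sys.argv[1], all_files=scan_all):
            print(*hit, sep="\t")
    else:
        # Constructed sample: filler bytes plus two of the search strings.
        sample = b"x" * 100 + HEX_SIGNATURES["SWEEP"] + HEX_SIGNATURES["IBM"]
        print(verdict(*scan_stream(io.BytesIO(sample))))
```

Because Word recognizes a template whatever its extension, the default *.DO? filter misses renamed files; pass `--all` as the second argument to read every file.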
PC Users can also acquire the Macro Virus Protection Tool. (On CompuServe or AOL, GO MS; on Microsoft Network, GO MACROVIRUSTOOL.) Follow the instructions to run the file. It will look for macro viruses, both among your macros, and any documents you specify. It will also install special macros that will help prevent any further infection.
If you use SCAN.DOC, make sure that your copy of the "cleanall" macro is not one of the early releases which contained a typo! Look for the line Dlg.Pat$ = "*.doc;*.dot" used to set up the ".Name" argument for FileFind. There should be NO space between the semicolon and the second asterisk. A space here (found in early releases) prevents looking for ".DOT" files.
Microsoft has also made software available to counter this virus (on MACS), obtainable via the WWW from...
If you need additional information, call Microsoft Product Support Services at...
In truth, it is 2 viruses, a macro virus which alters the Operating Environment of WORD, and an executable file infector (as well as a system file deleter). This makes NUCLEAR the first Macro Virus to also incorporate, or at least try to incorporate a classic File Infector Virus. This virus is actually quite ineffective in the destructive sense, detailed later in this document. The infected documents contain the following nine Macros...
AutoExec
AutoOpen
FileSaveAs
FilePrint
FilePrintDefault
InsertPayload *
Payload *
DropSuriv *
FileExit
which get copied into the GLOBAL Macro List.
General detection of NUCLEAR is easy, simply view the macros listed under the Macros command under the Tools Menu. If Macros "InsertPayload", "Payload", and "DropSuriv" are listed, then you'll likely have a NUCLEAR infection. (unless you named legitimate macros with the same names... :)) NUCLEAR hides itself from detection, by disabling the "PROMPT FOR CHANGES TO NORMAL.DOT" option. Changes are made, and the user doesn't notice anything.
NOTE: Use of the TOOL/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.
The "InsertPayload" Macro will cause the following text to be added to the end of printouts when printing documents. Every 12th printout will have the following text added...
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!
which is appended to the file after the command to print is issued but prior to
the actual printing. FAX's sent via a FAX Print Driver will also be affected,
this much I know first hand. From testing, I came to the realization that some
Vx putz will start messing with my outgoing faxes behind our backs.
Another included Macro, is "Payload" which tries to delete IO.SYS, MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic can't reset the attributes of a file which has the System attribute set. It has been noted that a variant that does work is being circulated.
The Second part of the Nuclear Virus is the executable infector. The DropSuriv Macro checks system time, and will attempt to drop the file infector between 17:00/18:00. However, the routine is flawed, and shouldn't work on any system. (fails due to a syntax error - not closed IF statement, which makes this payload never executed) If DropSuriv DID work properly, it would search for the standard DOS util DEBUG.EXE, if found, the macro drops PH33r.SCR & EXEC_PH.BAT. The Bat File is executed, and then the hex dump file PH33r.SCR is converted from a DEBUG script into an executable, and is in turn executed. Later, the .SCR and the .BAT files are deleted to cover its tracks. The File infector then hooks INT 21h and writes itself at the end of COM/EXE/NewEXE files. (however, the memory is released once this DOS task is completed, includes the memory resident virus Ph33r) Unconfirmed reports state that a NUCLEAR infected Macro with a fully operational DropSuriv Macro exist.
The following text strings are in the executable infector...
=Ph33r=
Qark/VLAD
SOPHOS SWEEP users can use a user-defined search string to find NUCLEAR, simply
by executing the following command using Sophos' SWEEP in full mode...
SWEEP C: -F -ALL -PAT=63e6e5e5ee8fe6e3e48fefe3fd87b1c98aeaad8ca7918c93
Discovered on the internet, the infected file ironically was supposed to provide info on a previous Macro Virus, Concept. Mac Users will notice an infected document, since infected documents appear with the template icon, instead of the usual document icon.
Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted to usenet newsgroups on October 14th, 1995. The Colors Virus will infect the global template (usually NORMAL.DOT) upon opening of an infected document. An infected document contains the following macros:
AutoOpen
AutoClose
AutoExec
FileNew
FileExit
FileSave
FileSaveAs
ToolsMacro, and other macros.
All Macros included in COLORS are Execute-Only, and cannot be viewed or edited
by MicroSoft Word. If normal "clean" macros with the same names existed prior
to infection, they will be overwritten by COLORS.
The AutoExec Macro of COLORS is an EMPTY Macro, possibly designed to defeat any ANTI-MACRO-VIRUS schemes developed by the AV community. It accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec Macro with COLORS empty one, effectively making the AV Scanner/Cleaner useless. The Cleaner Provided by Microsoft would fall victim to this attack, and subsequently be rendered useless.
COLORS will also enable AutoMacros in case you were smart and disabled them! It will also disable MS Word's Prompt to save changes to NORMAL.DOT.
COLORS is crafty, as it can spread without the use of AUTO macros... thus defeating the DISABLE AUTOMACROS Feature. It does so via the Macros:
File/New
File/Save
File/SaveAs
File/Exit
Tools/Macro
COLORS will infect NORMAL.DOT whenever a user chooses any of the above
functions. It also has limited stealth ability, earning it the title of being
the first WINWORD STEALTH MACRO VIRUS. It accomplishes its stealth actions by
hiding itself from the active listing, since attempting to view active macros
would run the COLORS infected Tools/Macro, thus hiding its own presence while
simultaneously infecting your system. However, deleting these macros is easy,
simply use the File/Templates/Organizer/Macros to view the names of virus'
macros and delete them.
The COLORS virus will keep track of infections via a counter, named "countersu", which can be found under the [Windows] section of the WIN.INI file. Whenever an infected macro is executed, the counter is incremented by a count of one. It quickly adds up, when you consider how much you OPEN, CREATE, SAVE, EXIT, and CLOSE documents. When the increment counter reaches 299, and every 300th execution thereafter, COLORS will be triggered. COLORS will then make changes to the system colors setup, including text, background, borders, buttons, etc., using randomly determined colors. The new color scheme becomes apparent to the user during the next session of Windows.
NOTE: MicroSoft Word for Macintosh is immune to this effect. In Macintosh Word, infected documents appear with the template icon, rather than the usual document icon, which alerts the user to this infection. Only Copies of WORD running on a Windows OS or Windows Operating Environments will suffer these effects. PPC Macs running emulation software that allows Windows and Windows WORD 6.x to run could be hit by this payload. (Does current PPC MAC allow for Windows and Word to be run on it???)
Colors' ability to spread without the use of AutoExecute Macros, and its use of Advanced Stealth techniques, signals a new level of MACRO virus technology. (Hiding itself from view when you actively look for it defines STEALTH in my book, since it evades detection) It also adds fuel to the VxD argument, as an on-access scanner could prevent infection by this type of stealthy virus. NOTE: Check SUGGESTED SOFTWARE section for AV developers with VxD scanners
F-Prot Users should note that F-PROT Professional 2.20 is not able to detect the Colors macro virus, but you can detect it manually by following the same method used in the CONCEPT section of this FAQ for Scanning with F-PROT and its User Defined Strings. In this case, use the following 2 lines, which are to be added to your USER.DEF file.
CE WordMacro/Colors
0100066D6163726F730100084175746F45786563
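What a user-defined search string like the one above does, shown as an added example that is not part of the original FAQ or of F-PROT: the hex string is decoded to raw bytes and searched for in document and template files. The function names, the chunked scanning approach and the sample files are assumptions made for illustration; only the signature name and hex string come from the FAQ.

```python
import os
import tempfile

# Name and hex string exactly as given in the FAQ's USER.DEF entry for F-PROT.
SIGNATURES = {
    "WordMacro/Colors": "0100066D6163726F730100084175746F45786563",
}


def compile_signatures(table):
    """Turn {name: hex string} into {name: bytes}; spaces in the hex are ignored."""
    return {name: bytes.fromhex(h.replace(" ", "")) for name, h in table.items()}


def describe(pattern):
    """Show printable ASCII literally and every other byte as \\xNN."""
    return "".join(chr(b) if 32 <= b < 127 else "\\x%02x" % b for b in pattern)


def scan_file(path, patterns, chunk_size=64 * 1024):
    """Return sorted [(name, offset)] for every occurrence of every pattern.

    The file is read in chunks; the last (longest - 1) bytes are carried over
    so a match that straddles a chunk boundary is still found.
    """
    longest = max(len(p) for p in patterns.values())
    hits = set()
    tail = b""
    base = 0  # file offset of the first byte of tail + chunk
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                break
            window = tail + chunk
            for name, pat in patterns.items():
                pos = window.find(pat)
                while pos != -1:
                    hits.add((name, base + pos))
                    pos = window.find(pat, pos + 1)
            keep = longest - 1
            tail = window[-keep:] if keep else b""
            base += len(window) - len(tail)
    return sorted(hits)


def scan_tree(root, patterns, extensions=(".doc", ".dot")):
    """Scan every document/template under root; return {path: hits} for matches."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            if filename.lower().endswith(extensions):
                full = os.path.join(dirpath, filename)
                hits = scan_file(full, patterns)
                if hits:
                    report[full] = hits
    return report


def demo():
    """Build two constructed sample files in a temp directory and scan them."""
    patterns = compile_signatures(SIGNATURES)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "CLEAN.DOC"), "wb") as fh:
            fh.write(b"plain text, no macro table\r\n" * 50)
        # Constructed sample: filler bytes around the search string, not a real document.
        with open(os.path.join(root, "SAMPLE.DOT"), "wb") as fh:
            fh.write(b"\x00" * 1000 + patterns["WordMacro/Colors"] + b"\x00" * 200)
        report = scan_tree(root, patterns)
        return {os.path.basename(p): hits for p, hits in report.items()}


if __name__ == "__main__":
    for name, pat in compile_signatures(SIGNATURES).items():
        print(name, "=", describe(pat))
    print(demo())
```

Decoded, the string reads as the byte-prefixed names "macros" and "AutoExec". A hit shows only that these bytes are present, so treat it as a reason to examine the file with AV software, not as a verdict.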
MAC Word Users can visually detect DMV, since infected documents will appear with the template icon, instead of the usual document icon.
The Writer of DMV is rumored to be playing with some EXCEL Viruses, based on details he published about a virus that would infect MicroSoft EXCEL Spreadsheet Files. (anyone get the feeling 6 months from now I'll be writing an EXCEL MACRO Virus FAQ ??? :))
[ DOES ANYONE HAVE THE PUBLISHED PAPER? ]
Not the most ingenious of the Macro Virus Family, its biggest kick is the ability to wait or sleep for a while (up to 14 days) and then delete a file. WordMacro/Hot appears to be the first Word macro virus written in Russia. It was found in the wild in Russia in January 1996.
Infected documents contain four execute-only macros:
AutoOpen
DrawBringInFrOut
InsertPBreak
ToolsRepaginat.
MacIntosh Word Users will notice HOT, by examining the icon of the file...
infected documents appear with the template icon, normal documents appear with
the normal document icon.
NOTE: WordMacro/Hot appears to be the first macro virus to use external functions, allowing Word macros to call any standard Windows API call. This makes the spreading function Windows 3.x specific, preventing Word for MAC and Word 7 for Win '95 from spreading the Virus. An error dialog will be displayed under Microsoft Word 7.0.
Unable to load specified library
HOT activates automatically via its AutoOpen Macro (assuming no attempt to disable AutoMacros has been made) adding a line LIKE...
QLHot=34512
to MS Word for Windows 6's WinWord6.INI file, which acts as a counter recorder system, setting a date 14 days in the future for payload activation.
HOT then copies the included macros to the Global Template, NORMAL.DOT usually, revising their names...
AutoOpen ==> StartOfDoc
DrawBringInFrOut ==> AutoOpen
InsertPBreak ==> InsertPageBreak
ToolsRepaginat ==> FileSave
A listing of the currently loaded macros in this infected environment will
reveal the names in the right list. Loading another infected document (actually
a template) will add the left list to the macro list plus the right list. NOTE:
Macros have been saved with the 'execute-only' feature, which means that a user
can't view or edit them.
A clean (AutoMacros disabled) WORD environment will produce the left list when viewing an infected document.
HOT's FileSave macro causes the virus to randomly decide within 1-6 days from the infection date to activate whenever an effort to open files is made. Upon activation, a document will have its contents deleted, by opening it, selecting the entire contents, deleting them, and closing the document, saving it in its now empty state.
Users with c:\DOS\EGA5.CPI should be protected from this macro, as the author included a check for this file as a protective measure, noted in the source code as follows:
'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:DOSega5.cpi not exist (not for OUR friends) ---
'---------------------------------------------------------------
HOT's InsertPBreak Macro inserts a page-break in current documents, which is
used as a sign of a document already being infected by HOT.
NOTE: WordMacro/Hot relies on the existence of KERNEL.EXE
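Both COLORS and HOT leave a marker in an INI file: the "countersu" counter under [Windows] in WIN.INI, and a "QLHot=" line in WinWord6.INI. The following triage check is an added example, not part of the original FAQ; the function names and the sample INI contents are constructed, and because the FAQ does not say which section of WinWord6.INI holds the QLHot line, every section is searched.

```python
# Constructed sample inputs; the values and the section holding QLHot are illustrative.
SAMPLE_WIN_INI = """[windows]
load=
run=
countersu=312

[Desktop]
Pattern=(None)
"""

SAMPLE_WINWORD6_INI = """[Microsoft Word]
AUTOSAVE-PATH=
QLHot=34512
"""


def parse_ini(text):
    """Tolerant INI reader: {section_lower: {key_lower: value}}.

    Old INI files contain duplicate keys and stray lines, so this does not
    raise on them; the last value for a key wins.
    """
    sections = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections


def check_colors(win_ini_text):
    """Look for the COLORS counter 'countersu' under [Windows] in WIN.INI.

    Returns None when the marker is absent, otherwise a dict describing it.
    """
    value = parse_ini(win_ini_text).get("windows", {}).get("countersu")
    if value is None:
        return None
    finding = {"marker": "countersu", "value": value}
    try:
        count = int(value)
    except ValueError:
        finding["note"] = "counter present but not numeric"
        return finding
    finding["count"] = count
    # The FAQ states the payload first triggers when the counter reaches 299.
    finding["first_trigger_reached"] = count >= 299
    return finding


def check_hot(winword6_ini_text):
    """Look for a 'QLHot' entry in any section of WinWord6.INI."""
    found = []
    for section, keys in parse_ini(winword6_ini_text).items():
        if "qlhot" in keys:
            found.append({"section": section, "value": keys["qlhot"]})
    return found


def triage(win_ini_text, winword6_ini_text):
    """Return a list of human-readable findings for both markers."""
    findings = []
    colors = check_colors(win_ini_text)
    if colors is not None:
        findings.append("WIN.INI [Windows] countersu=%s (COLORS marker)" % colors["value"])
    for hit in check_hot(winword6_ini_text):
        findings.append("WinWord6.INI [%s] QLHot=%s (HOT marker)" % (hit["section"], hit["value"]))
    return findings


if __name__ == "__main__":
    for line in triage(SAMPLE_WIN_INI, SAMPLE_WINWORD6_INI):
        print(line)
```

A marker in either file means infected macros have run on the machine; NORMAL.DOT and the documents themselves still have to be checked and cleaned.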
To clean existing in-memory infected macros, use the TOOLS/MACROS/DELETE function to delete all infected macros. Do the same for Documents you find that are infected, by doing so from a session of Word with AutoMacros Disabled, and using the Tools/Macros/Delete function.
NOTE: Use of the TOOL/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.
SOPHOS SWEEP Users can add detection NOW to their scanner with the line...
Winword/Hot a186 9dad 889d 8ca7 86cd e58e 0369 ec8e ee69 ec8e e868 ecef
by adding the line to SWEEP.PAT, then scanning in FULL MODE (-f)
"Dr Solomon's FindVirus has been detecting this virus for a while (I think we call it WinWord.Weideroffnen). Our WinGuard VxD can also intercept documents infected with it thus stopping an outbreak dead in its tracks"
Since it basically goes after AUTOEXEC.BAT, Mac users have nothing to fear from this trojan macro. PC users on the other hand... :)
Please have mercy on us Graham (Graham.Cluley@uk.drsolomon.com), and provide some more info... :)
Also known as AMIMACRO GREENSTRIPE. The name of this virus comes from its main macro procedure, called Green_Stripe_virus.
Quite possibly the first Macro Virus to hit the AMI PRO 3.0 Word Processor, GREEN STRIPE was first reported to Computer Weekly by those who first detected it, Reflex Magnetics. (reported to A.C.V by David Phillips (D.Phillips@open.ac.uk)) Reflex Magnetics is reported to have a program able to detect this virus available on their WEB sites by the time you read this.
Ami Pro Macros are somewhat different than their WORD equivalents, as an AMI PRO MACRO is a totally separate file, whereas WORD Macro viruses turn documents into combination files, part data, part macro. The Ami Pro macros are stored in a separate file, with the SMM extension. This makes it difficult to spread an AMI PRO virus, as it is likely to not get copied with the normal document, effectively disabling the virus.
Ami Pro's File/Save and File/Save As commands are intercepted by Green Stripe, and used to infect all documents it comes in contact with. You could say that GREEN STRIPE is the first COMPANION MACRO VIRUS, as it doesn't even touch the original document.
NOTE: Using File/Save As and saving an infected document to a network drive or a floppy is the only likely way this virus will spread from a machine to another.
When an infected document is loaded, it has a link to an AMI PRO auto-macro file of the same name (as the document) but different extension. This macro is then executed, and attempts to open ALL other documents in the same directory (to infect them). This is apparent to the user, as they can see this happening on the screen! It is reported to do a Search and Replace on SAVE, searching and replacing all occurrences of "Its" with "It's". Reportedly, this fails to work properly.
GREEN STRIPE was first published in Mark Ludwig's virus writing newsletter. This virus makes itself obvious to the user, since it attempts to infect all files found in the AMI PRO 3.0 Document Directory during the initial infection process, which takes a long time, and the user is likely to notice that something is going on.
NOTE: Removal of AMI PRO 3.0 infected macros is simple, just delete the macro from the directory. To see if a Macro has been attached to a document, simply open the Tools/Macros/Edit menu and check whether the document has a .SMM macro file assigned to be executed on open. If you find one, delete it (unless YOU created a legitimate macro)
Documents and Macros in AMI PRO are ASCII files, making viewing and detection of infected macros easy using any program other than AMI PRO. This virus is difficult to spread, as the path to the Macro is hard-coded, preventing the macro from spreading if programs other than AMI PRO are used to move it about.
Thanks to Vesselin Bontchev (bontchev@complex.is) and Dr David Aubrey-Jones (davidj@reflexd.demon.co.uk) for detailing this virus.
The differences, when compared to the Concept Virus, follows:
The second activation password protects documents, restricting the users' access to their own documents. This happens when the system clock seconds counter equals 13, and a File/Save As command is issued. The password assigned to the documents is ATOM#1.
If the user disables AUTOMACROS, Atom will be unable to execute and spread to other documents. Enabling the Prompt To Save NORMAL.DOT will prevent Atom from attacking and infecting the NORMAL.DOT file.
The FORMATC Macro Virus isn't even a virus, as it DOES NOT SPREAD. This makes it another MACRO TROJAN. This Trojan contains only one macro, AutoOpen, which will be executed automatically when a document is opened. The Macro AutoOpen is READ ONLY, making it encrypted, unreadable and uneditable. It is visible in the Macro List.
When FORMATC is executed, "triggered", it will run a dos session, in a minimized DOS box. It will run an Unconditional Format of the C drive.
NOTE: Get your hands on some up to date scanners, and pre-screen all documents. Also acquire some AV VxD's, as they should prevent the Trojan from wiping your drive clean.
Thanks to Symantec for providing the info on this trojan.
Some products are now including Windows Mode VxD Virtual On-access Scanners, that run co-operatively with Windows. (insert bad joke about windows reliability here :)) These VxD's tend to have the same capabilities as the classic scanners. Others that don't yet include VxD's are also worth acquiring, as the command-line scanners are some of the best in the industry. Most of the Virus Scanners Listed in the SUGGESTED SOFTWARE area of this FAQ will in the worst case detect known MACRO Viruses, and at best, clean existing infections, and prevent future infections by MACRO viruses.
The following AV products now include an option to scan for Word Macro viruses: F-PROT, TBAV, AVP, AVTK, SOPHOS SWEEP, McAFEE, and others. Fans of ChekMate will be glad to hear about ChekMate.DOC, part of the CHECKMATE 2.00 Generic Anti-Virus Package, which will detect and prevent Macro infections.
Learning to scan documents as well as program files will now be necessary to maintain a clean system environment. So, keeping these new viruses out of your system isn't really any harder than keeping standard viruses out. Most of these products are listed in the SUGGESTED SOFTWARE area of this FAQ.
A file, SCAN831.zip, common on various AV FTP Sites on the internet, can deal with the WORD.Concept (Prank) virus. Unzipping it into the Winword directory, and opening the included document SCAN831.DOC, will check your documents for the presence of Concept. NOTE: This is only a solution for preventing/removing Concept Infections. Also, Windows '95 users will need to dump the contents of their Start Menu document menu, and remove desktop shortcuts before using this solution. NOTE: This 'fix' distributed by Microsoft isn't complete - there are ways to open documents (like from the recently used files list) that don't trigger the protection macros.
Fans of Symantec can download a free copy of REPAIR.ZIP, which contains virus definition files for the macro viruses. You can use REPAIR.ZIP with either NAV 95 or NAV 3.0. NOTE: To detect the MS Word macro viruses, scan your hard drive from DOS only; neither version of NAV will detect them from within Windows.
Disinfectant For the MAC, although a great AV product, doesn't generally address macro viruses or hypercard infectors. (At least it didn't the last time I played with a MAC :)) Disinfectant does not deal with non-machine code viruses, so no update is needed. Mac users will want to contact some of the AV producers listed below, as many of them are now offering MAC AV solutions which DO deal with MS WORD MACRO VIRUSES. Some of the Word macro viruses will work at least in part on a MAC, Dr Solomon's Anti-Virus Toolkit for Macintosh will detect such infections, and will detect PC Boot Sector Viruses. Mac Users will have one advantage fighting and finding WORD MACRO VIRUSES, since MAC displays the icon of the data files, users will notice that infected documents appear with the template icon, rather than the usual document icon.
A Good Back-Up routine is also a sensible addition to any AV strategy. No AV product is perfect, especially against new and unknown Viruses (unless you are ZVI NETIZ, his AV products catch 100% of all viruses, including the cold viruses you've suffered with this winter! Unfortunately ZVI's product will delete all copies of your SOFIA files :))
It is often preferable to replace infected files with clean uninfected copies, regardless of format, than to execute a "cleansed" file, that may be corrupt, or at least unstable. This is good advice for standard executables.. but MS WORD docs can be cleaned most of the time simply by removing the infected macros, and saving the file as a NORMAL Document!
Disabling of AutoOpen Macros is possible by invoking the Word system Macro DisableAutoMacros. An ounce of prevention equals a pound of cure. :) NOTE: this can be disabled by some Macro viruses. :(
The Manual for WORD for Windows says you can also do this from the command line, by executing WORD with the following command...
WINWORD.EXE /mDisableAutoMacros
However, due to a Flaw, Feature, or Bug (Gotta Love MS) this doesn't appear to work! Thanks MS! :(
The Manual also states that holding (SHIFT) while opening documents will prevent any AutoExecute type macros from running, but this suggestion also doesn't appear to work! Thanks Again MS! :(
Or better yet, you could create your own AutoExec Macro. It isn't hard: simply select the TOOLS Menu, hit the MACRO command, and create a new macro called "AutoExec". Alter line 3 as you see fit...
Sub Main
DisableAutoMacros
MsgBox "MS WORD AutoMacros Disabled.", "Some Protection!", 64
End Sub
or...
Sub Main
DisableAutoMacros
MsgBox "MS WORD AutoMacros Disabled!", 0
End Sub
The second macro should display the message in the status line. (I hope) :)
NOTE: Use of the TOOL/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.
This method will effectively prevent CONCEPT, HOT, DMV, and NUCLEAR word macro viruses from infecting the WORD environment, by fooling these 3 viruses into thinking they've already infected your system. It also Disables AutoMacros, which will help with some Macro infectors. This is a temporary fix, as WORD gives priority to macros in documents over system macros. (MS will need to ship an update to WORD for all platforms that will give control back to the users. Can you all say WORD '99?)
All legitimate owners of copies of MS WORD should CALL MICROSOFT Support staff, and let them know you want an updated copy of WORD. Let them know you want the BUGS FIXED. It's your right! Call Microsoft Product Support Services at 206-462-9673 for Word for Windows, or send an Internet e-mail message to wordinfo@microsoft.com (wonder if we could cause a class action suit....)
Another option is to check the TOOLS/OPTION Menu and set it to prompt before saving NORMAL.DOT. Setting the File Attributes of the file to read-only may help, but anyone going to the effort of writing a Macro Virus can easily disable that attribute. (and if you've read this FAQ, you also know that some macro viruses can enable AutoMacros even if you specifically disable them! :()
NOTE: Use of the TOOL/MACRO command can be dangerous. Some viruses subvert this command. Use with caution. Use AV software to find and delete infected macros.
AMI PRO 3.0 Users who want to clean their system of infected AMI PRO 3.0 GREEN STRIPE MACROS need only look in their document directory, and delete any infected macros (which will have the same names as documents). Note: detection of GREEN STRIPE infection is easy: view all macros with a NON-AMI PRO viewer, like DOS edit. Find infected macros, and delete them. That's it!
Users of NETSCAPE 2 who fear virus infection by macro viruses while on the WWW can now acquire Inso's new Word Plug-In Viewer (Inso wrote the Quick View utility in Win95). Inso's URL is:
If you need additional information, call Microsoft Product Support Services at 206-462-9673 for Word for Windows, or 206-635-7200 for Word for the Macintosh, or send an Internet e-mail message to wordinfo@microsoft.com
WD1215.EXE    51078  10-10-95  WD1215.EXE Macro Virus Protection Tool
MW1222.HQX    83729  11-09-95  MW1222.HQX Macro Virus Protection Tool for Mac Word 6.0
SCANPROT.EXE  29996  01-02-96  SCANPROT.EXE Word pour Windows, "Prank Macro" Protection Template (for French Word)
Available at WWW.MICROSOFT.COM or WWW.MSN.COM...
A self-extracting archive, MVTOOL10.EXE, is being distributed by Microsoft. It is a way to protect yourself against the Concept virus, as well as to warn you against document files that contain macros without your knowledge. It will create these files:
README.DOC 36864 10-02-95 1:08p
SCANPROT.DOT 49152 10-02-95 3:44p
Enter Word and read the README.DOC to see if this package is suitable for your
environment.
Simtel, the Software Depository, is a great source for Anti-Virus software!
Many AV producers post updated versions of their software regularly to SIMTEL.
SIMTEL is a free service, which you can access via Internet.
The following list will allow anyone with Internet access to freely access and obtain Most AV shareware/freeware. For those of you who cannot FTP to a Simtel site, do a search for "SIMTEL" with a decent search engine like YAHOO or WEB CRAWLER, and you'll see SIMTEL listed.
SimTel's primary mirror site is ftp.Coast.NET (205.137.48.28) located in Detroit, Michigan, and there the programs may be found in the directory /SimTel/msdos/virus.
Secondary SimTel mirror sites in the US include:
Concord, CA ftp.cdrom.com 192.216.191.11
Urbana, IL uiarchive.cso.uiuc.edu 128.174.5.14
Rochester, MI OAK.Oakland.Edu 141.210.10.117
St. Louis, MO wuarchive.wustl.edu 128.252.135.4
Norman, OK ftp.uoknor.edu 129.15.2.20
Corvallis, OR ftp.orst.edu 128.193.4.2
Salt Lake City, UT ftp.pht.com 198.60.59.5
Users outside the US should in general select the "closest" mirror site
from the list below:
Australia archie.au 139.130.23.2
Brazil ftp.unicamp.br 143.106.10.54
China ftp.pku.edu.cn 162.105.129.30
Czech Republic pub.vse.cz 146.102.16.9
England micros.hensa.ac.uk 194.80.32.51
src.doc.ic.ac.uk 155.198.1.40
ftp.demon.co.uk 158.152.1.44
France ftp.ibp.fr 132.227.60.2
Germany ftp.ruhr-uni-bochum.de 134.147.32.42
ftp.tu-chemnitz.de 134.109.2.13
ftp.uni-mainz.de 134.93.8.129
ftp.uni-paderborn.de 131.234.10.42
ftp.uni-tuebingen.de 134.2.2.60
Hong Kong ftp.cs.cuhk.hk 137.189.4.110
hkstar.com 202.82.0.48
Israel ftp.technion.ac.il 132.68.7.8
Italy cnuce-arch.cnr.it 131.114.1.10
Japan ftp.saitama-u.ac.jp 133.38.200.1
ftp.riken.go.jp 134.160.41.2
Korea ftp.kornet.nm.kr 168.126.63.7
ftp.nuri.net 203.255.112.4
Netherlands ftp.nic.surfnet.nl 192.87.46.3
New Zealand ftp.vuw.ac.nz 130.195.2.193
Poland ftp.cyf-kr.edu.pl 149.156.1.8
ftp.icm.edu.pl 148.81.209.3
Portugal ftp.ua.pt 193.136.80.6
South Africa ftp.sun.ac.za 146.232.212.21
Slovak Republic ftp.uakom.sk 192.108.131.12
Slovenia ftp.arnes.si 193.2.1.72
Sweden ftp.sunet.se 130.238.127.3
Switzerland ftp.switch.ch 130.59.1.40
Taiwan nctuccca.edu.tw 140.111.1.10
Thailand ftp.nectec.or.th 192.150.251.33
Turkey ftp.metu.edu.tr 144.122.1.101
Graham Cluley (gcluley@uk.drsolomon.com), Senior Technology Consultant, Dr Solomon's Anti-Virus Toolkit.
Dr Alan Solomon (drsolly@ibmpcug.co.uk, drsolly@chartridge.win-uk.net), Chief Designer of Dr Solomon's Anti Virus Toolkit, S&S International.
Vesselin Vladimirov Bontchev (bontchev@complex.is), FRISK Software International.
Wolfgang Stiller (72571.3352@compuserve.com), Stiller Research
Keith A. Peer (keith@command-hq.com), Central Command Inc. (AVP)
Sarah Gordon, (sgordon@commandcom.com), Command Software System's F-PROT Professional Support.
Paul Kerrigan, (pkerrign@iol.ie)
Paul Ducklin (duck@sophos.com), and SOPHOS (www@sophos.com) for providing early info and the detection string for this new macro virus.
David Harley (harley@icrf.icnet.uk)
David Phillips (D.Phillips@open.ac.uk)
Dr David Aubrey-Jones (davidj@reflexd.demon.co.uk) of REFLEX MAGNETICS
Martin Overton (chekmate@salig.demon.co.uk) and Ed Fenton (ris@transit.nyser.net)
This FAQ may be posted to any USENET newsgroup, on-line service, or BBS as long as it is posted in its entirety and includes this copyright statement. This FAQ may not be distributed for financial gain. This FAQ may be made freely available and posted on FTP, WWW, and BBS sites, Newsgroups and Networks, as well as included within software packages and AV products, and on CD-ROMs containing other FAQ's/shareware/freeware programs, such as the SIMTEL and GARBO collection CD-ROMs, as long as this FAQ is always distributed complete and without modifications, and proper credits are given to the author.
Mass distribution of this FAQ in magazines, newspapers or books requires approval from the author, Richard John Martin.
Anyone with additional info, critiques, suggestions, etc. to add to this FAQ, please send it to Bd326@Torfree.Net
Copyright (c) 1995-1996 by Richard John Martin, all rights reserved.
With any luck, things will return to normal around here. Updated copies of the FAQ should resume their former schedule of updates once every 2 weeks.
An Updated copy of this FAQ can also be obtained by sending Email to Bd326@TorFree.Net, with a SUBJECT header of "PLEASE SEND FAQ", which will result in a return email message that will include an updated copy of this FAQ. To be added to an experimental MAILING LIST for updates of this faq, send EMAIL with the SUBJECT header "ADD TO MAIL LIST". The MAILING LIST may be cancelled at anytime.
You can also remove yourself from the list, by sending an email with the SUBJECT header: "REMOVE FROM FAQ MAIL LIST"
For those of you who live in Toronto, Ontario, Canada, or don't mind a call up here to the Great White North, set your modem to 8n1, and call:
WORDMACR.xxx
The xxx will refer to the month. This particular edition is WORDMACR.MAR
I'm still looking for BBS's to ARCHIVE this FAQ, so if anyone would like to ARCHIVE it on their BBS, please let me know.
1: [ HOW MANY DIFFERENT VERSIONS OF MS WORD HAVE BEEN RELEASED ON POPULAR PLATFORMS? ]
2: [ HOW MANY DIFFERENT NATIONALIZED VERSIONS OF MS WORD HAVE BEEN RELEASED? WHICH LANGUAGES? ]
2.1: [ HOW MANY DIFFERENT NATIONALIZED VERSIONS OF MS WORD FOR MAC HAVE BEEN RELEASED? WHICH LANGUAGES? ]
3: [ WHAT ARE THE NAMES OF MACROS EQUIVALENT TO AUTOOPEN, AUTOCLOSE, FILESAVEAS, etc. IN THE NATIONALIZED VERSIONS OF MS WORD? ]
4: [ DOES MS WORD FOR DOS EXIST? IF SO, WHICH VERSIONS HAVE BEEN RELEASED? ]
4.1: [ DOES IT HAVE A COMPATIBLE MACRO LANGUAGE? ]
5: [ GENERAL INFO ON MAC WORD INTERFACE, MENUS, MACRO, ETC.??? ]
6: [ ANY NEW INFO TO ADD? ]
7: [ LIST ANY PROGRAMS YOU KNOW THAT CAN VIEW WORD 6.x or 7.x DOCUMENTS??? ]
8: [ HOW TO DISABLE AUTOMACROS OR MACROS IN GENERAL UNDER WORD FOR MAC? ]
9: [ IS THE ATARI ST CAPABLE OF RUNNING DOS, WINDOWS, and WORD FOR WINDOWS? ]
10: [ DOES THE AMIGA HAVE A NATIVE MS WORD? ]
11: [ DOES WINDOWS OLE and DDE ALLOW FOR THE POSSIBILITIES OF INFECTING OTHER FILE FORMATS? ]
12: [ DOES ANYONE HAVE INFO ON THE "HOT" & "WEIDEROFFEN" VIRUSES? ]
Anyone with additional info, critiques, suggestions, etc. to add to this FAQ, please send it to Bd326@Torfree.Net
This FAQ is Copyright (c) 1996 Richard John Martin, HIGH SPEED DEMONZ Anti-Virus Research Labs, Canada. All rights reserved.
MicroSoft (tm), MicroSoft Windows, MicroSoft Word, MicroSoft EXCEL are Copyright (c) 1995-96 MicroSoft Corp. All rights reserved.