
 AntiViral Toolkit Pro for Microsoft Word (AVPWW)
 ------------------------------------------------
                  version 1.04

This package contains an anti-virus utility for known viruses that infect
Microsoft Word documents. This package is FREEWARE.

To check your Microsoft Word for viruses, load Microsoft Word and open
the AVPWWxxx.DOC file. If your Word is already infected, AVPWW displays a
warning message. To install AVPWW as "memory resident", press the
"Install" button while reading the AVPWWxxx.DOC file.

See AVPWWxxx.DOC for more details.

To find all infected files, use the anti-virus database MACRO.AVB with the
anti-virus scanner AVP for DOS. Then load each infected document into Word
with the AVPWW utility installed. Once installed, AVPWW disinfects
documents automatically.

 Macro-viruses

Macro-viruses use the features of the macro-languages that are built into
modern data-processing systems (text editors and spreadsheets). For the
viruses to spread, the system must have a built-in macro-language that
allows:

 1) assigning specific macro-program(s) to specific files
 2) copying macro-program(s) from one file to another
 3) passing control to macro-program(s) without the user's permission
    (Auto-macros).

There are three systems that meet these conditions: Microsoft Word,
Microsoft Excel and Lotus AmiPro. These systems contain built-in
Basic-like macro languages (Word - Word Basic, Excel - Visual Basic),
and:

 1) macro-program(s) are assigned to specific file(s) (AmiPro), or exist
    only within the file body (Word, Excel);
 2) the macro-language allows copying DOS files (AmiPro) or copying
    macro-programs into the system and other files (Word, Excel);
 3) while working with a file, macro-programs are executed under certain
    conditions (file opening, closing, and so on); these programs are
    defined by special commands (AmiPro), or they have standard names
    (Word, Excel).

These features of modern systems were designed for writing "document
auto-processing systems", but they also allow viruses to spread their
copies, i.e. to infect files.

There are three known systems that may be infected with a computer virus:
Microsoft Word, Excel and AmiPro. Under these systems the viruses receive
control when an infected document is opened or closed, then they hook one
or more system events (functions, macros), and infect the files that are
accessed through these functions.

The macro viruses are "memory resident". They hook the system events and
are active not only at the moment a file is opened or closed, but for the
whole time the system is running.


 Macro.Word-viruses

 Macro.Word.Atom
 
This virus contains four macros: Atom, FileOpen, FileSaveAs, AutoOpen, and
infects Word when the infected document is loaded (AutoOpen).

This virus infects files in two ways: when a file is opened (command
File/Open, macro FileOpen), and when a document is saved under a new name
(command File/SaveAs, macro FileSaveAs).

When infecting a document that is being saved under a new name
(FileSaveAs), the virus checks the system time. If the seconds value is
equal to 13, the virus sets the password ATOM#1 for this document. The
virus cannot set the password if the file is already infected - Word
displays a WordBasic error message.

When an infected document is opened on the 13th of December, the virus
deletes all files in the current directory. We did not check it, but the
system has to display an error message when open files are deleted.


 Macro.Word.Color (Rainbow, Color Changer)

This is an encrypted virus; it contains the macros:

 macros, FileNew, AutoExec, AutoOpen, FileExit, 
 FileSave, AutoClose, FileSaveAs, ToolsMacro

This virus infects files when a new document is created (FileNew) and
when a document is saved under a new name (FileSaveAs).

On every 300th call to the file functions (FileNew, AutoOpen, FileExit,
FileSave, AutoClose, FileSaveAs and ToolsMacro) the virus alters the
[colors] section of the WIN.INI file and sets randomly selected colors
for Windows components. The new colors appear the next time Windows is
loaded. The virus keeps the trigger counter in the WIN.INI file in the
[windows] section:

 [windows]
 countersu= 234

The virus enables Auto-macros (AutoOpen, AutoClose and so on) by setting
DisableAutoMacros to zero.

While the virus is active, it is impossible to activate the Tools/Macro
command. For manual disinfection it is necessary to delete the virus'
macros by using the Organizer (Tools/Customize, Word command, then drag
Organizer out to the toolbar).


 Macro.Word.Concept (WW6Macro)

This is the first WinWord virus found "in the wild". The virus contains
five macros: AAAZAO, AAAZFS, AutoOpen, PayLoad, FileSaveAs. It infects
files that are saved with SaveAs (FileSaveAs).

The infected document contains the text strings:

 see if we're already installed
 iWW6IInstance
 AAAZFS
 AAAZAO
 That's enough to prove my point

and others. On an infected system the WINWORD6.INI file contains the
string:

 WW6I= 1

On the first execution of the virus code (i.e. on the first opening of an
infected file) a MessageBox appears with the digit "1" inside and an "Ok"
button.


 Macro.Word.DMV

This is the first known MS-Word macro-virus. It contains only one macro -
AutoClose, and infects files that are saved to disk. While infecting,
this virus displays MessageBoxes with the header:

 Document Macro Virus

The messages are:

 Counting global macros.
 AutoClose macro virus is already installed in NORMAL.DOT.
 AutoClose macro virus already present in this document.
 Saved current document as template.
 Infected current document with copy of AutoClose macro virus.
 Macro virus has been spread.
 Now execute some other code (good, bad, or indifferent).


 Macro.Word.Hot

This is an encrypted virus. It contains the macros: AutoOpen,
InsertPBreak, DrawBringInFrOut, ToolsRepaginat. When infecting the system,
the virus renames the ToolsRepaginat macro to FileSave, and then infects
existing documents as they are saved to disk (FileSave). When infecting
documents, the virus renames the FileSave macro back to ToolsRepaginat.

When infecting the system, the virus inserts the string "QLHot=nnnn" into
the WINWORD6.INI file, where "nnnn" is the "triggering day": the number of
the current day of this century plus 14, for example:

 QLHot=35110

On the following days the virus selects a random value from 1 to 6 and
adds it to the "triggering day". If the result is equal to the current
day, the virus deletes the file before saving it to disk.

14 days after the last modification of the "QLHot" string the virus
renews it.

The virus takes no action if the C:\DOS\EGA5.CPI file exists.

The virus does not work under Microsoft Word 7.0. When an infected
document is opened, the system displays the message:

 Unable to load specified library
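
The INI-file traces described above for Macro.Word.Color, Macro.Word.Concept
and Macro.Word.Hot can be checked mechanically. The following is an added
example, not part of AVPWW or of this README; the function names and the
sample INI contents are constructed, and because the text does not say which
WINWORD6.INI section holds WW6I and QLHot, those keys are matched in any
section.

```python
import re

# Indicators named in the README: (file, section or None = any, key, family).
INDICATORS = [
    ("WIN.INI", "windows", "countersu", "Macro.Word.Color"),
    ("WINWORD6.INI", None, "ww6i", "Macro.Word.Concept"),
    ("WINWORD6.INI", None, "qlhot", "Macro.Word.Hot"),
]

def parse_ini(text):
    """Yield (section, key, value), tolerating junk lines and duplicate keys."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            yield section, key.strip().lower(), value.strip()

def scan_ini(filename, text):
    """Return one finding (dict) per indicator key present in the file."""
    name = filename.upper()
    findings = []
    for section, key, value in parse_ini(text):
        for ind_file, ind_section, ind_key, family in INDICATORS:
            if (name, key) != (ind_file, ind_key):
                continue
            if ind_section is not None and section != ind_section:
                continue
            hit = {"family": family, "file": name, "key": key, "value": value}
            if key == "qlhot" and value.isdigit():
                # README: stored value = day number when written, plus 14.
                hit["written_on_day"] = int(value) - 14
            findings.append(hit)
    return findings

# Constructed sample contents, using the values shown in the README.
SAMPLE_WIN_INI = "[windows]\nload=\ncountersu= 234\n[colors]\nBackground=0 128 128\n"
SAMPLE_WINWORD6_INI = "[Microsoft Word]\nWW6I= 1\nQLHot=35110\n"

if __name__ == "__main__":
    for fname, body in (("WIN.INI", SAMPLE_WIN_INI), ("WINWORD6.INI", SAMPLE_WINWORD6_INI)):
        for hit in scan_ini(fname, body):
            print(hit)
```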


 Macro.Word.Imposter

This is a plagiarism of "Word.Macro.Concept" and "Word.Macro.DMV". It
contains two macros:

 in infected document:   AutoClose, DMV
 in infected NORMAL.DOT: FileSaveAs, DMV

When infecting the system, the virus receives control in the document's
AutoClose macro, renames the DMV macro to FileSaveAs, then renames
AutoClose to DMV. When infecting files (FileSaveAs), the virus renames
these macros back: DMV -> AutoClose, FileSaveAs -> DMV.

When infecting documents, the virus displays the MessageBox:

 DMV

One of the strings in the virus body reads as follows:

 just to prove another point


 Macro.Word.Nuclear

It is an encrypted virus; it contains the macros:

 AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
 InsertPayload, Payload, DropSuriv, FileExit

During installation these macros are copied into the Global Macros area,
overwriting any macros of the same name that are already present there.
Then the virus infects documents through the FileSaveAs macro.

The virus manifests itself in three ways: 1) it runs a COM/EXE/NewEXE
virus, 2) it appends text strings when documents are printed, 3) it
corrupts system files.

1) The AutoExec macro calls the DropSuriv macro, which checks the system
time and drops the COM/EXE/NewEXE virus (Ph33r) if the time is in the
17:00 / 18:00 range. To drop the virus it uses the DEBUG utility.

First, the virus checks for C:\DOS\DEBUG.EXE. If it exists, the virus
creates the temporary file PH33R.SCR in the C:\DOS directory and writes a
hex dump of the COM/EXE/NewEXE virus and DEBUG commands into it. Then the
virus creates the temporary file EXEC_PH.BAT containing the strings:

 @echo off
 debug < ph33r.scr > nul

and executes it. As a result the DEBUG utility creates a copy of the
COM/EXE/NewEXE virus (in memory) and executes it. That virus hooks INT 21h
and writes itself to the end of COM/EXE/NewEXE files when they are opened,
executed, renamed or have their attributes changed.

The BAT file is executed in the background, so the user does not know
that there are two(!) viruses on his PC.

Then the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT files.

Fortunately, this virus has a bug and fails to drop the COM/EXE/NewEXE
virus, but the bug would be quite easy to fix in the next version of the
virus.

2) When documents are printed, the virus appends text to approximately
every 12th file (if the seconds are 55 or more):

 And finally I would like to say:
 STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

These strings are appended to the document immediately before printing, so
the user does not see them (documents often occupy more than one screen).
This is a very curious effect, especially when sending documents via fax.

3) On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.


 Macro.Word.Nuclear.b

A variant of the previous one. It does not contain the COM/EXE/NewEXE
virus or the macros DropSuriv and FileExit.

There is a bug in appending the text to the end of the document when
printing. As a result the virus appends a blank page, and Word displays a
WordBasic error message.


 Macro.Word.Xenixos (Nemesis)

It is an encrypted virus. It contains the macros:

Drop, Dummy, AutoExec, AutoOpen, DateiÖffnen, ExtrasMakro, DateiBeenden,
DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard.

In some cases it sets the password "xenixos" for infected documents and
displays the message:

 Diese Option ist derzeit leider nicht verfügbar.
 Fehler

When documents are printed it appends:

 Brought to you by the Nemesis Corporation, 1996

On the 1st of May the virus writes the following string to the
AUTOEXEC.BAT file:

 @echo j|format c: /u >nul

This virus also launches the "Neurobasher.b" multipartite virus. To do
that the virus creates the C:\DOS\SCRIPT.SCR file and writes a hexadecimal
dump of that virus into it. Then the virus creates the C:\DOS\EXEC.BAT
file and writes the following strings into it:

 @echo off
 debug < script.scr>nul
 rem debugger.com
 echo @c:\dos\debugger.exe>>c:\autoexec.bat
 del c:\dos\script.scr
 del c:\dos\exec.bat

Then the virus executes that file. As a result DEBUG.EXE creates the
DEBUGGER.EXE file, and C:\AUTOEXEC.BAT has a new string at its end:

 @c:\dos\debugger.exe

So the last command of AUTOEXEC.BAT launches the dropper of the
"Neurobasher.b" virus.
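
The AUTOEXEC.BAT lines and the DEBUG-script files described for
Macro.Word.Nuclear and Macro.Word.Xenixos can be looked for as follows. This
is an added example, not part of AVPWW or of this README; the function names
and the sample AUTOEXEC.BAT are constructed, and the C:\DOS listing is
assumed to be supplied as a plain list of file names.

```python
import re

# Leftover file names the README associates with each dropper stage.
# SCRIPT.SCR and EXEC.BAT are generic names, so treat them as weak hints.
DROPPER_FILES = {
    "PH33R.SCR": "Macro.Word.Nuclear",
    "EXEC_PH.BAT": "Macro.Word.Nuclear",
    "SCRIPT.SCR": "Macro.Word.Xenixos",
    "EXEC.BAT": "Macro.Word.Xenixos",
    "DEBUGGER.EXE": "Macro.Word.Xenixos",
}

def audit_autoexec(text):
    """Return (line number, indicator) for each Xenixos-style line."""
    hits = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        # Normalise case and spacing, drop the leading "@" echo suppressor.
        line = " ".join(raw.lower().split()).lstrip("@")
        if not line or line.startswith("rem "):
            continue
        if re.search(r"\|\s*format\s+c:", line):
            hits.append((lineno, "piped-format-c"))
        if line.startswith("c:\\dos\\debugger.exe"):
            hits.append((lineno, "debugger-exe-launch"))
    return hits

def leftover_files(dos_dir_names):
    """Map names found in a C:\\DOS listing to the family that creates them."""
    found = {}
    for name in dos_dir_names:
        family = DROPPER_FILES.get(name.strip().upper())
        if family:
            found[name.strip().upper()] = family
    return found

# Constructed sample: a clean start followed by the two lines from the README.
SAMPLE_AUTOEXEC = r"""@echo off
PATH C:\DOS;C:\WINDOWS
rem format c: is never run from here
@echo j|format c: /u >nul
@c:\dos\debugger.exe
"""

if __name__ == "__main__":
    print(audit_autoexec(SAMPLE_AUTOEXEC))
    print(leftover_files(["COMMAND.COM", "Ph33r.scr", "DEBUGGER.EXE"]))
```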


 Word.Excel-viruses

While processing a document, Word (like Excel while processing
spreadsheets) performs different actions: it opens the file, closes it,
reads the data, saves and prints it. At the same time Word executes the
corresponding macro-program with a standard name - FileSave when saving a
file, FileSaveAs when saving a file under a new name, FilePrint when
printing, and so on, if these macros are defined.

When opening a document, Word checks it for the presence of an AutoOpen
macro. If there is one, Word executes that macro (unless it is disabled by
DisableAutoMacros). When a file is closed, Word executes the AutoClose
macro.

The Macro.Word viruses contain at least one of the Auto-macros: AutoOpen,
AutoClose, AutoExec, AutoExit, AutoNew. If a document is infected with a
Macro.Word virus, Word executes the infected Auto-macro, i.e. executes the
virus code.

The Auto-macros in the viruses contain code that moves the other virus
macros into the area of Global Word macros; this is how the virus copies
itself into the Word Global macros. On exit, Microsoft Word saves all
Global macros (including the virus ones) into the DOT file (usually
NORMAL.DOT). On startup, Word loads all global macros (including the virus
ones) from the DOT file. As a result, on the next start the virus infects
Word at the moment Word initializes its system areas, and Word is infected
before the first document is loaded.

Then the virus replaces or defines other system macros (FileOpen, FileSave,
FileSaveAs, FilePrint), and in this way hooks the file access functions.
When any hooked function is executed, the virus receives control and
performs different branches of its code, including the infection routine.

When infecting, the virus converts the document into Template format and
copies all virus macros (including Auto-macros) into the document. Once
converted to Template format, the document cannot be converted to any
other format. The presence of Auto-macros allows the virus to infect other
computers simply by the infected document being read there.

For example, if the virus hooks the FileSaveAs macro, it infects files
that are saved through the "File/Save As" call. If the virus hooks the
FileOpen macro, it hits files as Word opens them.
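
The pattern described in this section (an Auto-macro for entry plus a hooked
file macro for spreading) can be used to triage a list of macro names. This
is an added example, not part of AVPWW or of this README; it assumes the
macro names of a document or of NORMAL.DOT have already been extracted by
some other tool, the function and verdict names are hypothetical, and the
family signatures are the macro lists given in the descriptions above.

```python
# Auto-macros and file hooks named in this section.
AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autoexit", "autonew"}
FILE_HOOKS = {"fileopen", "filesave", "filesaveas", "fileprint"}

# Macro sets taken from the family descriptions in the README. The Nuclear
# entry uses the .b list, which the original Nuclear list also contains.
FAMILIES = {
    "Macro.Word.Atom": {"Atom", "FileOpen", "FileSaveAs", "AutoOpen"},
    "Macro.Word.Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "PayLoad",
                           "FileSaveAs"},
    "Macro.Word.Hot": {"AutoOpen", "InsertPBreak", "DrawBringInFrOut",
                       "ToolsRepaginat"},
    "Macro.Word.Nuclear (incl. .b)": {"AutoExec", "AutoOpen", "FileSaveAs",
                                      "FilePrint", "FilePrintDefault",
                                      "InsertPayload", "Payload"},
}

def assess(macro_names):
    """Classify a macro-name list by the entry-plus-hook pattern."""
    names = {n.strip().lower() for n in macro_names if n.strip()}
    auto = sorted(names & AUTO_MACROS)
    hooks = sorted(names & FILE_HOOKS)
    families = sorted(
        family for family, sig in FAMILIES.items()
        if {s.lower() for s in sig} <= names
    )
    if families:
        verdict = "known-family"
    elif auto and hooks:
        verdict = "replicating-pattern"   # entry point and spreading hook
    elif auto:
        verdict = "auto-macro-only"       # runs unprompted, no file hook seen
    else:
        verdict = "no-auto-macro"
    return {"verdict": verdict, "auto": auto, "hooks": hooks,
            "families": families}

if __name__ == "__main__":
    # Constructed inputs: the Concept list from the README, then a generic one.
    print(assess(["AAAZAO", "AAAZFS", "AutoOpen", "PayLoad", "FileSaveAs"]))
    print(assess(["AutoOpen", "FileSaveAs", "MyHelper"]))
```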

Note: MS Word allows the code of macros to be encrypted, and some of the
Macro.Word viruses are encrypted.

Known Macro.Word viruses infect documents of Microsoft Word ver.6 format.
The system becomes infected when reading an infected document. Then the
viruses infect all newly created DOC files. The Macro.Word viruses can
infect computers of different platforms, not only IBM-PC. To spread they
need only a text processor compatible with Microsoft Word.

The common features of these viruses are:

1) It is impossible to convert an infected document to any other format.

2) It is impossible to save the document to any other subdirectory/disk by
using the "Save As" command.

3) Infected documents have the Template internal format. During infection
the documents are converted by the viruses from Microsoft Document into
Template format.

The majority of Macro.Word viruses do not infect localized Word versions,
only the English one; other viruses infect only localized Word versions
(French, German) and do not work under the English version. In any case
the virus stays active in the infected document and may spread to other
computers that have the necessary version of Word installed.

It is possible to protect oneself against these viruses by disabling the
AutoOpen macro using the Word system macro DisableAutoMacros.


 AmiPro-viruses

AmiPro creates two files when processing text: the first file contains
the text and has the name extension SAM, the second contains macros and
other system data and has the name extension SMM.

Any macro of an SMM-file can be assigned to a document with the
AssignMacroToFile command. The assigned macro has the same meaning as
AutoOpen in Word documents, and it is executed when the file is opened.

I see that it is impossible to copy AmiPro macros into a Global area, so
AmiPro viruses may infect the system only when an infected document is
opened, but not while the system is loading (as Word does with the
NORMAL.DOT file).

AmiPro, like MS-Word, allows system events (macros) such as SaveAs and
Save to be hooked. This is done with the ChangeMenuAction command. When
hooked functions are called, the virus' macro receives control.


 Macro.AmiPro.GreenStripe

This virus contains four macros (functions): Green_Stripe_Virus,
Infect_File, SaveFile, SaveAsFile. They receive control when an infected
document is opened; the virus then searches for *.SAM files in the current
directory and infects them.

When infecting a SAM-file, the virus creates an SMM-file and copies itself
there with the DosCopyFile command. Then the virus assigns the
Green_Stripe_Virus macro to that file using the AssignMacroToFile command.

Then the virus hooks the SaveFile and SaveAsFile macros. When the
"Save As" command is performed, the virus infects that document. On the
"Save" command the virus replaces the string "its" with "it's" within the
file.

==========================================================================
Microsoft Word and Microsoft Excel are trademarks of Microsoft Corporation
Lotus Amipro is a trademark of Lotus Corporation