************************** * * * DECrypt macro WORD * * * ************************** Some TOOLS to study the macro virus that used the ReadOnly Option like COLORS, NEMESIS.... The Zip is composed of : decword.exe the executable for simple encrypted file. decword2.exe a modified version for more complicated WORD file. %-) rainbow2.doc a word document infected with the virus RAINBOW(COLORS). BE CAREFUL !!!!! ^^^^^^^ read_me.txt some word about this programs. This programs have been compiled with C++ 4.5 (a good langage). It's my first released of this soft. So i don't have tested all the possibilities. * The softs don't work with .DOC (> 32 Ko) [I don't find the intrustion to declared big memory allocation.]. So I should deleted all the text contained in the document.... * With certains decrypted files, WORD will tell you that the macros contained some mistakes. I don't understand why ???? but you can still see the script of the macros.. * use first the program DECWORD. If you have some problems, so use the second one DECWORD2 An advice: when you works with infected documents, think to save the NORMAL.DOT before loading the document. For example, the first time, you load RAINBOW2.DOC, you NORMAL.DOT has been modified (infected!!!). When you close WORD, reload the NORMAL.DOT uninfected (you have previously saved.....) OK!!!! For suggestions, you can contact me : ______ _____ _____ _____ / __ \ __ __ / __ \ _____ / __ \ _____ ______ / __ \ ___ _ / /_/ / / / / / / / / / / __ \ / / / \ / __ // ___/ / / / / / // \ / / / / / /_/ / / /_/ / / /_/ / / /_/ / / /_/// _/_ / /_/ / / _~ / /__/ /__/,/_____/ /__/ \ > \_____/ /________/ /_//_//_____/ / ____/ /__//__/ ====*****{=========-====\/=======[ Bonnet@isara.ipl.fr ]====\_/================== '