Text File | 1996-04-13 | 3KB | 55 lines
WordMacro/Colors
This macro virus was posted to a usenet newsgroup on the 14th of October,
1995. It is also known as the Rainbow virus. This macro virus infects Word
documents in a similar manner as the previous Word macro viruses, except
that it does not rely only on the auto-execute macros to operate. Thus,
this virus will be able to execute even if the automacros are turned off.
Colors contains the following macros:
************************************************************************
AutoClose colors7.txt
AutoExec colors3.txt
AutoOpen colors4.txt
FileExit colors5.txt
FileNew colors2.txt
FileSave colors6.txt
FileSaveAs colors8.txt
ToolsMacro colors9.txt
macros colors1.txt
************************************************************************
All macros are encrypted with the standard Word execute-only feature.
When an infected document is opened, the virus will execute when the user:
* Creates a new file
* Closes the infected file
* Saves the file (autosave does this automatically after the infected
document has been open for some time)
* Lists macros with the Tools/Macro command
It is important not to use the Tools/Macro command to check if you are
infected with this virus, as you will just execute the virus while doing
this. Instead, use the File/Templates/Organizer/Macros command to detect and
delete the offending macros. Do note that a future macro virus will
probably subvert this command as well.
The virus maintains a generation counter in WIN.INI, where a line
"countersu =" in the [windows] part is increased during the execution of
the macros. After every 300th increment the virus will modify the system
color settings; the colors of different Windows objects will be changed to
random colors after next boot-up. This activation routine will not work
under Microsoft Word for Macintosh.
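The WIN.INI counter described above can serve as a host indicator that does not require opening Word. The following check is an added example, not part of the original description; the function names and the sample WIN.INI content are constructed for illustration, and only the key name "countersu" and the [windows] section come from the text.

```python
import re

# Section and key as named in the description; WIN.INI lookups are
# case-insensitive, so both are compared in lower case.
SECTION = "windows"
KEY = "countersu"

# Constructed sample, not taken from a real system. The entry under
# [Desktop] is a decoy that must not be reported.
SAMPLE_WIN_INI = """\
; constructed sample
[Windows]
load=
run=
Beep=yes
CounterSU = 412
device=HP LaserJet,HPPCL5MS,LPT1:

[Desktop]
countersu=7
Wallpaper=(None)
"""

def find_colors_counter(ini_text):
    """Return (line_number, raw_value) for each countersu entry in [windows]."""
    hits, section = [], None
    for lineno, raw in enumerate(ini_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[([^\]]*)\]", line)
        if header:                                # new section starts
            section = header.group(1).strip().lower()
            continue
        if section != SECTION or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == KEY:
            hits.append((lineno, value.strip()))
    return hits

def assess(ini_text):
    """Summarise the indicator: present or not, and the last counter value."""
    hits = find_colors_counter(ini_text)
    value = hits[-1][1] if hits else None
    counter = int(value) if value is not None and value.isdigit() else None
    return {"indicator_present": bool(hits), "counter": counter, "hits": hits}

if __name__ == "__main__":
    print(assess(SAMPLE_WIN_INI))
```

A hit means the macros have run on that Windows installation at least once; documents and NORMAL.DOT still have to be cleaned separately.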
It is interesting to note that the AutoExec macro in the virus is empty. It
is probably included just to overwrite an existing AutoExec macro - which
might contain some antivirus routines. WordMacro/Colors also enables the
automatic execution of automacros if they have been disabled, and turns off
the 'prompt to save changes to NORMAL.DOT' feature, both of which have been
used to fight macro viruses.
WordMacro/Colors seems to be carefully written; the virus even has a debug
mode built-in. The virus is probably written in Portugal.