Virus Information [ Word Macro Colors ]


	Virus Databases Virus Links Virus Research Security

Macro Virus: Wordmacro/Colors

Name: WordMacro/Colors
Type: Word Macro Virus
Description:

This macro virus was posted to a Usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus. Colors most likely comes from Portugal.

This macro virus infects Word documents in a similar manner as the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. The virus can propagate even with AutoMacros being disabled (e.g. by invoking Word as : WINWORD.EXE /mDisableAutoMacros or by using one of Microsoft's recent antivirus template tools).

As soon as a user chooses File/New, File/Save, File/SaveAs, File/Exit or Tools/Macro, the virus gets control and infects NORMAL.DOT.

Colors contains the following macros:

AutoClose
AutoExec
AutoOpen
FileExit
FileNew
FileSave
FileSaveAs
ToolsMacro
macros

When an infected document is opened, the virus will execute when user:

Creates a new file
Closes the infected file
Saves the file (autosave does this automatically after the infected document has been open for some time)
Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300rd increments the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after next boot-up. This activation routine will not work under Microsoft Word for Macintosh.

WordMacro/Colors seems to be carefully written; The virus even has a debug mode built-in.

F-PROT Professional is able to detect the WordMacro/Colors macro virus, by directly copying the following lines to a file called USER.DEF in your F-PROT for DOS directory:

CE WordMacro/Colors
0100066D6163726F730100084175746F45786563

To scan for the user-defined virus string, either configure F-PROT to scan all files, or add the filename extension ".DO?" to the list of files F-PROT should scan.

It is recommended that you simply scan all files in case a non-standard filename extension is used for documents. Under the Targets menu item turn on User-defined Virus Strings.
Isolate all documents or document templates that contain this search string and examine them for the virus. Do not assume any of the files are infected, as this preliminary string could occur in uninfected documents.