|
Macro Virus: Wordmacro/HotName: WordMacro/HotType:Word Macro Virus Description: This macro virus is similar to all the others. It contains four execute-only macros. Loading an infected document into MS-Word for Windows v.6 will activate the AutoOpen macro. The virus first creates an entry in your WINWORD6.INI file that contains a "hot date" 14 days in the future. An infected WINWORD6.INI file will contain a line something like this: QLHot=34512The virus will then copy the following macros into the NORMAL.DOT file and change their names as shown: AutoOpen changes to StartOfDoc DrawBringInFront changes to AutoOpen InsetPBreak changes to InsetPageBreak ToolsRepaginat changes to FileSaveIf you select TOOLS?MACRO from the Word toolbar, you will see these macros. Loading an infected document will then reveal both sets of macros. If you turn automacros OFF before the system becomes infected, and then load an infected document, you will be able to see the macros on the left. Within a few days of the "hot" date, the virus will triiger its payload. The payload will randomly decide to erase the contents of a selected file. Disinfect this macro by deleting all of the macros listed above. You can select TOOLS/MACRO/DELETE from the toolbar to do this. Each time you open an infected document, it can be disinfected with this procedure. Make sure you disable AutoMacros in order to prevent future infections. |
||||||