Colors

Here's some info from Dr Solomon's about Colors:

Colors
Alias: WordMacro.Colors
Type: Word macro virus.
Description:

Colors is a Word macro virus which most likely comes from Portugal. When an infected document is opened under Microsoft Word (Word for Win95, Word for NT, Word for Windows 3.x, MacWord, ...), the virus infects the global template (usually NORMAL.DOT). Then every document being created via File/New or saved via Save or File/SaveAs is infected by the virus. The virus contains the following ten macros:

AutoOpen, AutoClose, AutoExec, FileNew, FileExit, FileSave, FileSaveAs, ToolsMacro and other macros.

If macros with such names existed prior to infection, they are overwritten by the virus.

Surprisingly enough, the AutoExec macro in the virus is an empty one - it does nothing. Its possible aim could be to overwrite an existing AutoExec macro which could contain anti-virus routines (e.g. supplied by Microsoft).

The virus can propagate even with AutoMacros being disabled (e.g. by invoking Word as WINWORD.EXE /mDisableAutoMacros or by using one of Microsoft's recent antivirus template tools). As soon as a user chooses File/New, File/Save, File/SaveAs, File/Exit or Tools/Macro, the virus gets control and infects NORMAL.DOT. Moreover, unlike other known Word viruses (such as Concept, Nuclear, DMV), the Colors virus cannot be spotted by using Tools/Macro to list active macros. The virus intercepts Tools/Macro and effectively disables it, while still using it for infection. This way Colors can be called the first macro virus with some stealth capabilities. Nevertheless, one can use File/Templates/Organizer/Macros to view the names of the virus's macros and even to delete them.

As in the case of Nuclear (the first encrypted macro virus), all macros in Colors are Execute-Only and thus cannot be viewed/edited by means of Microsoft Word.

The virus also enables AutoMacros (just in case the user had disabled it) and disables Word's prompt to save changes to NORMAL.DOT.

The virus maintains a counter named 'countersu' in the [windows] section of the WIN.INI file. Every time a virus macro is called (with the exception of AutoExec) the counter is incremented by one. That is, every time a user opens, creates, saves, closes a document, attempts to use Tools/Macro or exits Word, the counter is incremented. When the counter reaches 299 and each 300th time thereafter (i.e. 299, 599, 899 and so on) the virus triggers. It then changes Windows colour settings (text, background, buttons, borders, etc.) to randomly selected colours, so that the next time Windows is started the user is puzzled by the most unusual and weird colour palette.

Dr Solomon's Anti-Virus Toolkit has an extra driver which can detect and repair this virus. (A version for Win95 is due any day now).
Visit the Dr. Solomon's Web page at http://www.sands.com/. Information and downloads are also available on Compuserve: GO DRSOLOMON.
If you would like a full evaluation copy of the toolkit, please contact the sales department at (01296) 318700 in the UK, or in the US - 617 273 7400.
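
As an added illustration (not part of the Dr Solomon's text and not vendor code): a Python check that looks for the 'countersu' counter in the [windows] section of a WIN.INI and relates its value to the 299/599/899 trigger points described above. The function names and the sample WIN.INI are constructed for this example, and the payload count assumes the counter is never reset.

```python
TRIGGER_FIRST = 299   # page: first trigger when the counter reaches 299
TRIGGER_EVERY = 300   # page: then each 300th call thereafter (599, 899, ...)


def find_colors_counter(ini_text):
    """Return 'countersu' from the [windows] section, or None if absent.

    Section and key names are matched case-insensitively, as the Windows
    profile APIs do. A non-numeric value is returned as the raw string.
    """
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue                      # same key elsewhere is not the indicator
        key, _, value = line.partition("=")
        if key.strip().lower() == "countersu":
            try:
                return int(value.strip())
            except ValueError:
                return value.strip()
    return None


def assess(counter):
    """Payload runs so far (assumes no reset) and calls left until the next."""
    fired = (counter + 1) // TRIGGER_EVERY                  # 299 -> 1, 599 -> 2
    remaining = (TRIGGER_FIRST - counter) % TRIGGER_EVERY   # 0 = at a trigger value
    return {"payload_runs": fired, "calls_until_next": remaining}


# Constructed sample, not taken from a real machine.
SAMPLE_WIN_INI = """\
; constructed WIN.INI fragment
[Desktop]
countersu=5
[Windows]
load=
CounterSU=310
"""

if __name__ == "__main__":
    value = find_colors_counter(SAMPLE_WIN_INI)
    print(value, assess(value) if isinstance(value, int) else "non-numeric")
```

A hit on this key is only an indicator that the virus macros have run on the machine; the macros themselves still have to be removed from NORMAL.DOT and from infected documents.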

Wolfgang Stiller says:

Macro viruses are a threat in environments (such as MS Word) where what appears to be a data file (e.g., document) can automatically execute macros or change normally executed macros. This allows the malicious code to spread from data file to data file. We have a text file explaining macro viruses in more detail in section six (the Stiller Research section) of the Anti-Virus Vendor forum on Compuserve. GO STILLER. Our WWW page also has information on this: http://delta.com/stiller/stiller.htm. Integrity Master's scanner component will detect all the existing macro viruses and is completely compatible with Win95.

