DMV, Hot, FormatC, Wiederoffnen

DMV

DMV is probably the first Word macro virus to have been written. It is a test virus, written by a person called Joel McNamara to study the behavior of macro viruses. As such, it is no threat - it announces its presence in the system, and keeps the user informed of its actions.

McNamara wrote DMV in the fall of 1994 - at the same time, he published a detailed study about macro viruses. He kept his test virus under wraps until a real macro virus, Concept, was discovered. At that time, he decided to make DMV known to the public. We can expect to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques used in this virus. McNamara also published a skeleton for a virus to infect Microsoft Excel spreadsheet files.

Hot

Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996.
It spreads in a manner similar to the Concept virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT file, and it spreads to other documents from then on. Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.

Infected documents contain the following four macros, which are visible in the macro list:

AutoOpen
DrawBringInFrOut
InsertPBreak
ToolsRepaginate

When Hot infects NORMAL.DOT, it renames these macros to:

StartOfDoc
AutoOpen
InsertPageBreak
FileSave

Macros are saved with the 'execute-only' feature, which means that a user can't view or edit them.
Hot contains a counter. It adds a line like this to the WINWORD6.INI file:

QLHot=35112

This number is based on the number of days in this century. Hot adds 14 to this number and then waits until this latency time of 14 days has passed. Hot will spread normally during this time; it will just not activate.
After the 14-day pause, there is a 1 in 7 chance that a document will be erased when it is opened. The virus will delete all text and re-save the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the source code of the virus hints that this feature was added so that the author of the virus and his friends can protect themselves from the activation damage:

'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
'---------------------------------------------------------------

By default, there is no file by the name EGA5.CPI in MS-DOS distributions.

Hot was the first macro virus to use external functions. This mechanism allows Word macros to call any standard Windows API function. The use of external functions specific to Windows 3.1x means that Hot will be unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document will just produce an error message.
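
As an added example (not code from the original description or from the virus), the following Python checks for the two host indicators described above: the QLHot= line in WINWORD6.INI and the two sets of four macro names. The function names and the sample INI text are this example's own, and it assumes the macro names have already been listed by other tooling.

```python
import re

# Macro names taken from the description above.
HOT_DOC_MACROS = {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginate"}
HOT_TEMPLATE_MACROS = {"StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"}
LATENCY_DAYS = 14  # per the description, Hot adds 14 to the stored number

QLHOT_RE = re.compile(r"^\s*QLHot\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def find_qlhot(ini_text):
    """Return the stored day number from a QLHot= line, or None if absent."""
    m = QLHOT_RE.search(ini_text)
    return int(m.group(1)) if m else None


def match_macro_set(macro_names):
    """Classify a macro list as 'document', 'template' or None.

    All four names of a set must be present: AutoOpen or FileSave alone
    also occur in legitimate templates. Names are compared
    case-insensitively (an assumption of this example).
    """
    names = {n.strip().lower() for n in macro_names}
    if {m.lower() for m in HOT_DOC_MACROS} <= names:
        return "document"
    if {m.lower() for m in HOT_TEMPLATE_MACROS} <= names:
        return "template"
    return None


def triage(ini_text, macro_names):
    """Combine both indicators into one report dict."""
    day_no = find_qlhot(ini_text)
    return {
        "ini_marker": day_no is not None,
        "stored_day_number": day_no,
        "activation_day_number": None if day_no is None else day_no + LATENCY_DAYS,
        "macro_match": match_macro_set(macro_names),
    }


# Constructed sample input (not taken from a real system).
SAMPLE_INI = "[Microsoft Word]\nUSER-DOT-PATH=C:\\WINWORD\\TEMPLATE\nQLHot=35112\n"
SAMPLE_TEMPLATE_MACROS = ["AutoOpen", "FileSave", "InsertPageBreak", "StartOfDoc"]

if __name__ == "__main__":
    print(triage(SAMPLE_INI, SAMPLE_TEMPLATE_MACROS))
```

The INI marker survives removal of the macros, so a hit on `ini_marker` with no macro match points to a machine that was infected at some earlier time.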

FormatC

This is not a virus, but a trojan because it does not replicate. It does, however, format your C: drive as soon as the document is opened. This trojan was posted to a Usenet newsgroup.

Wiederoffnen

Wiederoffnen is not a virus, but a Word macro trojan. It comes in a Microsoft Word 2 document but works perfectly under Word 6 too. Wiederoffnen intercepts the AutoClose macro and, when the document is closed, plays tricks with AUTOEXEC.BAT.

