Winword-Nuclear
Wordmacro-Nuclear
Wordmacro-Alert.

(Note: The current accepted practice is to drop the "Winword" part from all these names.)

This notice was posted to the alt.comp.virus Usenet newsgroup from one of the anti-virus people (Paul Ducklin of Sophos) that there is another WinWord macro virus on the loose. Here is the complete text of the message:

It's happened...

Another MS Word macro virus has appeared. It is known by a number of names, including Winword-Nuclear, Wordmacro-Nuclear and Wordmacro-Alert.

Unfortunately, it was first spotted on the Internet in a publicly accessible area that has been used in the past for the uncontrolled distribution of viral code. Ironically (and, presumably, by malicious design) this new Word virus is attached to a Word document which gives information about a previous Word virus, Winword-Concept.

OPERATION

Infected files contain a macro which is usually run when the document is opened. This macro is not particularly noticeable (unlike the Winword-Concept virus, which alerts you by popping up a dialogue box).

Once actuated, the virus effectively "goes resident" by adding its infective macros into your Word environment. It also runs a macro called PayLoad, which wipes out your DOS system files (IO.SYS, MSDOS.SYS and COMMAND.COM) on the fifth of April. See Virus Update for comments

Now, the viral macros alter the usual behaviour of several Word functions. Any documented saved via the Save As... menu option will be infected; roughly every twelfth document printed will have two lines of text added at its end:

	And finally I would like to say
	STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

Also, next time you start up Word, the virus looks at the clock. If it is between 17h00 and 17h59 (or, as a comment in the virus suggests, "5PM - approx time before work is finished"), the virus attempts to inject a DOS file virus named "Ph33r" into yoursystem. See Virus Update for comments

Lastly, the virus switches off the menu setting "Tools/Options/Prompt to save NORMAL.DOT" every time you close a file. This means you are less likely to notice Word saving changes that the virus has made to your global environment, because the dialog box which warns you that this is about to happen no longer appears.

DETECTION

An infected Word environment will contain a number of curiously named macros, which you can check for in the Tools/Macro menu. Some of the obvious giveaway names to look for on a machine infected with Winword-Nuclear are: DropSuriv (this is the routine which tries to inject the DOS virus -- "suriv" is "virus" backwards) and InsertPayload (this adds the anti-nuclear remarks).

[A more complete version of this doc is available via http://www.sophos.com or ftp://ftp.sophos.com/pub/wordnuke.txt, which includes detection update info for Sophos' SWEEP -- though you'll probably be able to use the SWEEP pattern data with other a-v programs, if you really must :-)]

SIGHTINGS

The dropper is hidden in a Trojanised document by the well-known Russian virus researcher Eugene Kasperski, describing and warning against the WordMacro.Concept virus. The name is Ww6Info.doc. It was found in an archive called Ww6alert.zip. The name of the original document by Kasperski is AVPWW101.ZIP. So beware of these files. They could prove contagious!

There's absolutely no reason to believe it hasn't been spread to other files by now. There is at least one unconfirmed report that there is a web page with a hyperlink to an infected file. Click on the link and your browser will dutifully download the document and launch Word for you so you can read it. See Virus Update for comments

PREVENTION

The Word for Windows manual claims that if you hold down <Shift> whilst double-clicking the Word icon in Program Manager, then Word will start up with file-related "auto-execute" macros disabled. This ought to inhibit the actuation of WinWord-Nuclear, which relies on this feature; it didn't work in our test setup. Starting up WinWord with the command line "WINWORD.EXE /m" is supposed to achieve a similar effect, but failed similarly.

You can also hold down <Shift> whilst opening a document to disable any automatic macros in that file, though this too failed during our trials.

You might wish to use one of Word's auto-execute macros to your advantage. Under Tools/Macro, create a macro called AutoExec that looks like this:

	Sub MAIN
		DisableAutoMacros
		MsgBox "AutoMacros off!", "Safety First!", 64
	End Sub

This macro is triggered whenever Word starts (a serious potential hole!), and serves to disable the feature which WinWord-Nuclear uses to actuate. See Virus Update for comments

This one doesn't seem quite as benign as winword.concept. I hope Microsoft comes up with a fix. (I wonder if this will classed as a "prank" macro?)

(For your printed records: this document is at: http://www.csn.net/~woody/wwinfo/nuclear.htm)

Woody Leonhard