WordMacro/Colors

is a macro virus which most likely comes from Portugal.

 When an infected document is opened under WinWord (Word for Win95, MacWord, ...), the virus infects the global template (usually NORMAL.DOT). Then every document being created via File/New or saved via File/Save or File/SaveAs is infected by the virus. The virus contains the following ten macros:

 AutoOpen, AutoClose, AutoExec, FileNew, FileExit, FileSave, FileSaveAs, ToolsMacro and macros.

 If macros with such names existed prior to infection, they are overwritten by the virus.

 Surprisingly enough, AutoExec macro in the virus is an empty one - it does nothing. The possible aim of it could be overwriting existing AutoExec macro which could contain anti­virus routines (e.g. supplied by Microsoft).

 The virus can propagate even with AutoMacros being disabled (e.g. by invoking Word as WINWORD.EXE /mDisableAutoMacros or by using one of Microsoft's recent antivirus template tools). As soon as a user chooses File/New, File/Save, File/SaveAs, File/Exit or Tools/Macro, the virus gets control and infects NORMAL.DOT. Moreover, unlike other known Word viruses (Concept, Nuclear, DMV), Colors virus cannot be detected by using Tools/Macro to list active macros. The virus intercepts Tools/Macro and effectively disables it, while still using it for infection. This way Colors can be called the first macro virus with some stealth capabilities. Nevetherless, one can use File/Templates/Organizer/Macros to view the names of virus' macros and even to delete them. As in the case of Nuclear (the first encrypted macro virus), all macros in Colors are Execute­Only and thus cannot be viewed/edited by means of WinWord.

 The virus also enables AutoMacros and disables Word's prompt to save changes to NORMAL.DOT.

 The virus maintains a counter named 'countersu' in [windows] section of WIN.INI file. Every time a virus macro is called (with the exception of AutoExec) the counter is incremented by one. That is, every time a user opens, creates, saves, closes a document, attempts to use Tools/Macro or exits Word, the counter is incremented. When the counter reaches 299 and each 300th time thereafter (i.e. 299, 599, 899 and so on) the virus triggers. It then changes Windows colours settings (text, background, buttons, borders, etc.) to randomly selected colours. So that the next time Windows are started the user is puzzled by the most unusual and weird colour palette.

 
Macro viruses
Word Word 97 Excel AmiPro
Viren
Im Umlauf befindliche Viren Windows Viren Ältere Windows Viren 2002 Ältere Windows Viren 2001 Ältere Windows Viren 2000 Script-Viren Macro-Viren Virus Report Ergebnis des Viren Reports Eicar Test-Datei VPS-History
Mitglieder-Service
VPS (iAVS) Mitglieder-Service
avast! Virus-Cleaner
Home pageWeb site mapPrint this pagePrivacy policy
Copyright © 1988 - 2008 ALWIL Software a.s.
Home page
Viruses  macro viruses  Word  WordMacro/Colors