Aliases: WordMacro/NTTHNTA; WordMacro/Funyour
Type: Word Macro Virus
WordMacro/Appder.A was found in January 1997. Infected files contain 3 macros - AppDer, AutoOpen & AutoClose.
When opening the infected document it adds a counter variable called NTTHNTA into the MS Word INI file. With every opening of an infected document, the variable is incremented by 1.
When the variable is equal to 20, it is reset to 1 and the WordMacro virus executes its payload to delete the following files within directories:
c:\doc\*.exe c:\doc\*.com c:\windows\*.exe c:\windows\system\*.ttf c:\windows\system\*.fotThis WordMacro virus checks for the macros AutoClose & AppDer. If not found, they are copied to the global template NORMAL.DOT.
When the file in use is closed, AutoClose first attempts to convert the document to a template and then transfers the three macros to it. The reason for the two different names given for this virus are because in the code of the virus, there is a comment line:
' Virus - NTTHNTA
The other name 'funyour' is derived from the subroutine called: Sub Funyour$