Macro Virus: Wordmacro/Nuclear

Like WordMacro/DMV and WordMacro/Concept, WordMacro/Nuclear spreads through Microsoft Word documents. The new virus was first spotted on a FTP site, in a publicly accessible area which has in the past been a notorious distribution site for viral code. Apparently, the virus' distributor has some sense of humor: the virus was attached to a document which described an earlier Word macro virus, WordMacro/Concept.

Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only potentially harmful, WordMacro/Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.

Unlike WordMacro/Concept - which pops up a dialogue box when it infects NORMAL.DOT - WordMacro/Nuclear does not announce its arrival in the system. Instead, it lays low and infects every document created with the Save As function by attaching its own macros to it. The virus tries to hide its presence by switching off the Prompt to save NORMAL.DOT option (in the Options dialog, opened from Tools menu) every time a document is closed.

That way, the user is no longer asked whether changes in NORMAL.DOT should be saved, and the virus is that more likely to go unnoticed.

Many users relied on this option to protect themselves against the WordMacro/Concept virus, but it obviously no longer works against Nuclear.

WordMacro/Nuclear contains several potentially destructive and irritating routines. The next time Word is started after initial infection, one of its constituent macros, DropSuriv, looks up the time in the computer's clock. If the time is between 17.00 and 17.59, the virus tries to inject a more traditional DOS/Windows file virus called Ph33r into the system (as the virus's author has commented in the virus's code: 5PM - approx time before work is finished). Suriv is, of course, Virus spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.

Another of the virus's macros, PayLoad, tries to delete the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is fifth of April. And finally, the virus adds the following two lines:

And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

at the end of any document printed or faxed from Word during the last five seconds of any minute. Since the text is added at print-time only, the user is unlikely to notice this embarrassing change. This function is handled by the viral macro InsertPayload.

The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. DropSuriv and InsertPayload are obvious giveaways.

Command AntiVirus™ with F-PROT Professional® is able to the detect the WordMacro/Nuclear virus.