Microsoft Word document macro viruses


Macro viruses are not a new concept - they were predicted as early as the late eighties. At that time, the first studies about the possibility of writing viruses with the macro languages of certain applications were made.

However, macro viruses are not just a theory any more. Currently, there are several known macro viruses. They have all been written with WordBasic, the powerful macro language of Microsoft Word. These viruses spread through Word documents - Word's advanced template system makes it an opportune environment for viral mischief. This is problematic, because people exchange document a lot more than executables or floppy disks. Macro viruses are also very easy to create or modify.

Although other word processors like WordPerfect and Ami Pro do support reading Word documents, they can not be infected by these viruses. It is not impossible to write similar viruses for these systems, however.


WordMacro/DMV is probably the first Word macro virus to have been written. It is test virus, written by a person called Joel McNamara to study the behavior of macro viruses. As such, it is no threat - it announces its presence in the system, and keeps the user informed of its actions.

Mr. McNamara wrote WordMacro/DMV in fall 1994 - at the same time, he published a detailed study about macro viruses. He kept his test virus under wraps until a real macro virus, WordMacro/Concept, was discovered. At that time, he decided to make WordMacro/DMV known to the public. We oppose to such behaviour; although it can be argued that spreading such information will educate the public, we can also except to see new variants of the DMV virus, as well as totally new viruses inspired by the techniques used in this virus. McNamara also published a skeleton for a virus to infect Microsoft Excel spreadsheet files.

F-PROT Professional 2.20 is able to the detect the WordMacro/DMV macro virus.


WordMacro/Concept - also known as Word Prank Macro or WW6Macro - is a real macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WordMacro/Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files. This is a quite ominous development - so far, people have only had to worry about infections in their program files. The situation is made worse by the fact that WordMacro/Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functioning.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copies the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all documents that are created with the File/Save As command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:

Picture of the macro list in an infected machine

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous. It contains the text:

        Sub MAIN

                REM That's enough to prove my point

        End Sub

However, the "PayLoad" macro is not executed at any time.

You can detect the presence of the WordMacro/Concept macro virus in your system by simply selecting the command Macro from Word's Tools menu. If the macro list contains a macro named "AAAZFS", your system is infected.

You could prevent the virus from infecting your system by creating a macro named "PayLoad" that doesn't have to do anything. The virus will then consider your system already infected, and will not try to infect the global template NORMAL.DOT. This is only a temporary solution, though - somebody may modify the viruse's "AutoOpen" macro to infect the system regardless of whether NORMAL.DOT contains the macros "FileSaveAs" or "PayLoad".

Concept replicates only on English versions of Word. However, one translated version to operate on French Word has been found. This variant is known as WordMacro/Concept.Fr.

F-PROT Profesional is able to the detect the WordMacro/Concept macro virus.


WordMacro/Nuclear was recently discovered. Like WordMacro/DMV and WordMacro/Concept, it spreads through Microsoft Word documents. The new virus was first spotted on a FTP site in Internet, in a publicly accessible area which has in the past been a notorious distribution site for viral code. Apparently, the viruse's distributor has some sense of irony; the virus was attached to a document which described an earlier Word macro virus, WordMacro/Concept.

Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only potentially harmful, WordMacro/Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.

Unlike WordMacro/Concept - which pops up a dialogue box when it infects NORMAL.DOT - WordMacro/Nuclear does not announce its arrival in the system. Instead, it lays low and infects every document created with the File/Save As command by attaching its own macros to it. The virus tries to hide its presence by switching off the "Prompt to save NORMAL.DOT" option (in the Options dialogue, opened from Tools menu) every time a document is closed. That way, the user is no longer asked whether changes in NORMAL.DOT should be saved, and the virus is that more likely to go unnoticed. Many users relied on this option to protect themselves against the WordMacro/Concept virus, but it obviouisly no longer works against Nuclear.

WordMacro/Nuclear contains several potentially destructive and irritating routines. The next time Word is started after initial infection, one of its constituent macros, "DropSuriv", looks up the time in the computer's clock. If the time is between 17.00 and 17.59, the virus tries to inject a more traditional DOS/Windows file virus called "Ph33r" into the system (as the viruse's author has commented in the viruse's code: "5PM - approx time before work is finished"). "Suriv" is, of course, "Virus" spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.

Another of the viruse's macros, "PayLoad", tries to delete the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is fifth of April. This attempt will fail due a programming error (virus authors never test drive the destructive parts of their code, it seems). And finally, the virus adds the following two lines:

        And finally I would like to say:


at the end of any document printed or faxed from Word during the last five seconds of any minute. Since the text is added at print-time only, the user is unlikely to notice this embarassing change. This function is handled by the viral macro "InsertPayload".

The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.

F-PROT Professional 2.20 is able to the detect the WordMacro/Nuclear virus.


This macro virus was posted to a usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus. This macro virus infectes Word documents in a similar manner as the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus will be able to execute even if the automacros are turned off. Colors contains the following macros:

All macros are encrypted with the standard Word execute-only feature.

When an infected document is opened, the virus will execute when user:

It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300rd increments the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after next boot-up. This activation routine will not work under Microsoft Word for Macintosh.

It is interesting to note that the AutoExec macro in the virus is empty. It is probably included just to overwrite an existing AutoExec macro - which might contain some antivirus routines. WordMacro/Colors also enables the automatic execution of automacros if they have been disabled, and turns off the 'prompt to save changes to NORMAL.DOT' feature, both of which have been used to fight macro viruses.

WordMacro/Colors seems to be carefully written; The virus even has a debug mode built-in. The virus is probably written in Portugal.

F-PROT Professional 2.21 is able to the detect the WordMacro/Colors macro virus.


WordMacro/Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996.

Hot spreads in a similar manner as the WordMacro/Concept virus: when an infected DOC is first opened, virus modifies the NORMAL.DOT file, and will spread to other documents after that.

Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.

Infected documents contain the following four macros, which are visible in the macro list:

When Hot infects NORMAL.DOT, it renames these macros to:

Macros have been saved with the 'execute-only' feature, which means that a user can't view or edit them.

WordMacro/Hot contains a counter. It adds a line like this to the WINWORD6.INI file:


This number is based on the number of days during this century. Hot adds 14 to this number and then waits until this latency time of 14 days has passed. Hot will spread normally during this time, it will just not activate.

After the 14 day pause, there is a 1 in 7 chance that a document will be erased when it is opened. Virus will delete all text and re-save the document. Hot does not do this, if it find a file called EGA5.CPI from the C:\DOS directory. A comment in the source code of the virus hints that this feature is added so that the author of the virus and his friends can protect themselves from the activation damage:


  '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---

  '- and if File C:DOSega5.cpi not exist (not for OUR friends) -


By default, there is no file by the name EGA5.CPI in MS-DOS distributions.

WordMacro/Hot was the first macro virus to use external functions. This system allows Word macros to call any standard Windows API call. The use of external functions is specific to Windows 3.1x means that WordMacro/Hot will be unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document will just produce an error message.

F-PROT Professional 2.21a is able to detect the WordMacro/Hot virus.


WordMacro/Atom was found in February 1996. It's operating mechanism is quite similar to WordMacro/Concept, with the following differences:

First activation happens when the date is December 13th. At this date the virus attempts to delete all files in the current directory.

Second activation happens when a File/Save As command is issued and the seconds of the clock are equal to 13. If so, the virus will password-protect the document, making it unaccesible to the user in the future. The password is set to be ATOM#1.

It is not easy to give a search string for this virus: some of the replicants are usually in files password-protected by the virus, and thus contain no constant user-definable search string.

Disabling automacros will make Atom unable to execute and spread. Turning on the Prompt to save NORMAL.DOT setting will make Atom unable to infect NORMAL.DOT, but it will still be able to infect documents that are opened or saved during the same Word session.

WordMacro/Atom is not known to be in the wild.

Other Word macro viruses and trojans

In total the following macro viruses have been found between August 1995 and January 1997:

WordMacro/Wazzu consists of a single AutoOpen macro; this makes it language independent, ie. this macro virus is able to infect localized versions of Word as well as the english Word.

Unlike most other macro viruses, Wazzu has really been seen in the wild, and it is considered common nowadays.

Wazzu modifies the contents of documents it infects, moving words around and inserting the text 'wazzu '. Word Wazzu is reported to be a nickname for the Washington State University.

There exists also several trojans written in the Word macro language. These typically delete data as soon as the trojanized document is open. Since these do not spread by themselves, they are not widespread and not considered to be a significant threat.

Some known macro trojans are WordTrojan/FormatC, WordTrojan/WeideroffnenC, WordTrojan/Concept.L.Drp and WordTrojan/Concept.M.Drp.

Protecting yourself against Word macro viruses

There is a generic way to protect your Word against some of the known macro viruses. However, this should not be relied on alone, as it can not stop even all known macro viruses. Select the command Macro from the Tools menu and create a new macro called "AutoExec". Write the following commands to the macro and save it:



        MsgBox "AutoMacros are now turned off.", "Virus protection", 64

End Sub

This macro will be executed automatically when Word starts. It will disable the feature which viruses like Concept, DMV and Nuclear use to attack the system. However, there are ways to create macro viruses that are able to bypass such protection.

Only some of currently known Word macro viruses are able to infect nationalized versions on Word. In these programs, the macro language commands have been translated to the national language, and therefore macros created with the English version of Word will not work. Since these viruses consists of macros, they will be unable to function. However, viruses like DMV or Wazzu are able to spread in any version of Word.

F-PROT and Word macro viruses

F-PROT has been able to detect Word macro viruses since October 1995.

Unlike the limited free version of F-PROT, F-PROT Professional is able to disinfect macro viruses automatically with it's built-in scanning engine. The limited version of F-PROT includes a separate F-MACROW utility which can be used to detect and disinfect macro viruses.

F-PROT Professional for Windows, Windows 95, Windows NT and OS/2 as well as the realtime Windows VxD scanners have these macro scanning features built in to their normal scanners.

If you are running a VxD-based background protection from the F-PROT Professional suite, you will be notified on infected document files as soon as you try to open or copy them or when you are receiving such a document as an e-mail attachment or downloading it from www. Disinfection can also be done in realtime. A VxD-based solution provides significantly better protection than antivirus systems relying on the Word macro language.

Copyright © 1996 Data Fellows