WordMacro/Hot
WordMacro/Hot is a new macro virus which was discovered in January 1996. Infected documents contain four execute-only macros: AutoOpen, DrawBringInFrOut, InsertPBreak and ToolsRepaginat.
If you load an infected document into Word with automacros enabled, then the viral document's AutoOpen macro gets to run, and the virus is activated. The virus first creates an entry in your WINWORD6.INI (thus assuming MSWord for Windows version 6), which records a "hot date" 14 days in the future when its warhead will be activated -- on an infected machine, you should find a line like:
QLHot=38510
in the file WINWORD6.INI.
Next, the virus copies the mentioned macros to the global template (typically NORMAL.DOT), changing their names as follows:
AutoOpen becomes StartOfDoc
DrawBringInFrOut becomes AutoOpen
InsertPBreak becomes InsertPageBreak
ToolsRepaginat becomes FileSave
Using Tools/Macro in an infected Word environment will reveal the macros listed on the right. If you then load an infected document into the infected environment, you will see both sets of macros. If you load an infected document into a clean Word environment with automacros off (this prevents the virus spreading), you will see the macros listed to the left.
So, when an infected document is first loaded, the virus uses the AutoOpen macro to spread to the Word environment (usually NORMAL.DOT). Thereafter, the virus spreads to other documents via the FileSave macro, which is triggered when you use the menu option File/Save. Once active within Word, the virus uses AutoOpen to decide whether to trigger its warhead -- randomly, within a few days of the viral "hot date", a document you try to open will have its contents erased instead. This warhead is disabled if the file C:\DOSEGA5.CPI exists. A comment in the virus suggests that this is a "feature" designed to protect the author and his friends.
The InsertPBreak/InsertPageBreak macro does, as its name suggests, insert a pagebreak in the current document. However, it is also used by the virus to recognise that a document is already infected.
Cleaning an infected environment is easy: start Word, and delete all offending macros (Tools/Macro/Delete) from the list above. Now, if you load infected documents with automacros disabled, you can delete the offending macros from them, too.
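The checks described above can be scripted for triage. The following is an added example, not part of the original description: it looks for the QLHot entry in the text of WINWORD6.INI and classifies a list of macro names as the document set, the global template set, or both. It assumes the macro names have already been read out (for example from Tools/Macro); the function names and the sample INI content are constructed for illustration.

```python
import re

# Macro names exactly as listed in the description above.
DOC_MACROS = {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"}
TEMPLATE_MACROS = {"StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"}
# AutoOpen and FileSave are also common legitimate names: never evidence alone.
GENERIC = {"AutoOpen", "FileSave"}
QLHOT_RE = re.compile(r"^\s*QLHot\s*=\s*(\S+)", re.IGNORECASE | re.MULTILINE)
# Constructed sample; only the QLHot line comes from the description.
SAMPLE_INI = "[Example Section]\nSomeSetting=1\nQLHot=38510\n"


def find_hot_date(ini_text):
    """Return the raw QLHot value found in WINWORD6.INI text, or None."""
    m = QLHOT_RE.search(ini_text)
    return m.group(1) if m else None


def classify_macros(names):
    """Classify macro names: 'document', 'template', 'both', 'partial', 'clean'."""
    present = {n.lower() for n in names}

    def hits(ref):
        return sorted(n for n in ref if n.lower() in present)

    doc, tpl = hits(DOC_MACROS), hits(TEMPLATE_MACROS)
    full_doc = len(doc) == len(DOC_MACROS)
    full_tpl = len(tpl) == len(TEMPLATE_MACROS)
    distinctive = (set(doc) | set(tpl)) - GENERIC
    if full_doc and full_tpl:
        verdict = "both"      # infected document opened in an infected Word
    elif full_doc:
        verdict = "document"  # names as stored in an infected document
    elif full_tpl:
        verdict = "template"  # names as copied to the global template
    elif distinctive:
        verdict = "partial"   # e.g. a half-cleaned file; delete what remains
    else:
        verdict = "clean"
    return {"verdict": verdict, "document_set": doc, "template_set": tpl}


if __name__ == "__main__":
    print("QLHot entry:", find_hot_date(SAMPLE_INI))
    print(classify_macros(["StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"]))
```

A "partial" verdict means one of the distinctive names is present without the full set, which is what an incompletely cleaned document or template looks like.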








