WW6MACRO Virus - The Computer Virus That Infects WinWord Documents

by Eugene V. Kaspersky (24 Aug 1995)

A new computer virus has been discovered. It infects (but does not overwrite!) DOC files in the WinWord ver.6 format. The virus has been named WW6MACRO.

The virus uses an entirely new and unusual method of infection. It does not hit executable (COM, [New] EXE, SYS or BAT) files, and it does not overwrite the system boot sectors. It infects Word Document files. The system gets infected while READING the infected file: to infect the computer it is necessary to run WinWord ver.6 and open the infected file. The virus then infects all newly created DOC files. When a newly created, infected file is sent to another (clean) computer, it can infect that computer too (when opened in WinWord).

Fortunately, this virus does not call any dangerous trigger routine. The place for that routine contains only the string:

    That's enough to prove my point

However, it is not yet clear whether the virus is free of other "deep" effects (i.e. whether it is 100% compatible with WinWord or not). In any case, the virus is a VERY FAST INFECTOR: DOC files are sent and received more often than executables. So, be careful with documents!

Tech part

When opening a Word Document file, WinWord executes the macros stored in the file. If the document is infected, WinWord executes the infected macros, i.e. the virus code. The virus copies its macros into the Global Macros area, defines a FileSaveAs macro, and then copies its macros into all newly created documents (i.e. documents that are saved with the "Save as" command). The virus also converts Microsoft Document files into Template format while saving.

On exit from WinWord, the Global Macros are automatically saved into the system DOT files (NORMAL.DOT or other). So on the next WinWord run the virus receives control before the first document is read: it infects the environment while the Global Macros are loaded from the DOT file.
The infected files contain the strings:

    see if we're already installed
    iWW6IInstance
    AAAZFS
    AAAZAO
    That's enough to prove my point

and others.

The WINWORD6.INI on an infected system contains the line:

    WW6I= 1

On the first execution of the virus code (i.e. on the first opening of the infected file) a MessageBox with the digit "1" appears.

Copyright 1995 Eugene V. Kaspersky
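
The indicators listed above can be checked mechanically. The following is an added example, not code from the original advisory: it looks for the listed strings in a file image and for the WW6I entry in WINWORD6.INI text. Assumptions: the string list is split into five separate markers, at least three must match (min_hits), and the file must start with the OLE2 compound-file signature used by WinWord 6 documents, so that a plain-text copy of this advisory is not flagged. The function names and sample inputs are constructed for illustration.

```python
import re

# OLE2 compound-file signature; WinWord 6 documents and templates use this container.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")

# Strings the advisory lists as present in infected files.
# Assumption: the run of text in the advisory is five separate strings.
MARKERS = [
    b"see if we're already installed",
    b"iWW6IInstance",
    b"AAAZFS",
    b"AAAZAO",
    b"That's enough to prove my point",
]

# Matches the "WW6I= 1" entry, tolerating spacing and case differences.
INI_ENTRY = re.compile(r"^\s*WW6I\s*=\s*1\s*$", re.IGNORECASE | re.MULTILINE)


def scan_document(data: bytes, min_hits: int = 3) -> dict:
    """Report which advisory strings occur in a file image."""
    is_ole2 = data.startswith(OLE2_MAGIC)
    hits = [m.decode() for m in MARKERS if m in data]
    return {
        "is_ole2": is_ole2,
        "hits": hits,
        # A text copy of the advisory contains every marker, so the
        # container signature is required as well (assumed threshold).
        "suspicious": is_ole2 and len(hits) >= min_hits,
    }


def ini_flagged(ini_text: str) -> bool:
    """True if WINWORD6.INI text carries the WW6I= 1 entry."""
    return bool(INI_ENTRY.search(ini_text))


# Constructed sample inputs (not real infected files).
SAMPLE_DOC = OLE2_MAGIC + b"\x00" * 32 + b"\x00".join(MARKERS)
SAMPLE_TEXT = b"Advisory text quoting: " + b" ".join(MARKERS)
SAMPLE_INI = "[Section]\nOTHER=0\nWW6I= 1\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, scan_document(fh.read()))
```

A match is only a triage signal: the advisory notes that infected files contain other strings as well, and string matching alone does not confirm infection.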