Winword-Nuclear - Another Word Macro Virus
by Paul Ducklin, Sophos, Plc (14 Sept 1995)

Another MS Word macro virus has appeared. It is known by a number of names, including Winword-Nuclear, Wordmacro-Nuclear and Wordmacro-Alert. Unfortunately, it was first spotted on the Internet in a publicly accessible area that has been used in the past for the uncontrolled distribution of viral code. Ironically (and, presumably, by malicious design) this new Word virus is attached to a Word document which gives information about a previous Word virus, Winword-Concept.

Operation

Infected files contain a macro which is usually run when the document is opened. This macro is not particularly noticeable (unlike the Winword-Concept virus, which alerts you by popping up a dialogue box). Once actuated, the virus effectively "goes resident" by adding its infective macros into your Word environment. It also runs a macro called PayLoad, which wipes out your DOS system files (IO.SYS, MSDOS.SYS and COMMAND.COM) on the fifth of April.

Now, the viral macros alter the usual behaviour of several Word functions. Any document saved via the Save As... menu option will be infected; roughly every twelfth document printed will have two lines of text added at its end:

    And finally I would like to say:
    STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

Also, next time you start up Word, the virus looks at the clock. If it is between 17h00 and 17h59 (or, as a comment in the virus suggests, "5PM - approx time before work is finished"), the virus attempts to inject a DOS file virus named "Ph33r" into your system.

Lastly, the virus switches off the menu setting "Tools/Options/Prompt to save NORMAL.DOT" every time you close a file. This means you are less likely to notice Word saving changes that the virus has made to your global environment, because the dialog box which warns you that this is about to happen no longer appears.

Detection

An infected Word environment will contain a number of curiously named macros, which you can check for in the Tools/Macro menu. Some of the obvious giveaway names to look for on a machine infected with Winword-Nuclear are: DropSuriv (this is the routine which tries to inject the DOS virus -- "suriv" is "virus" backwards) and InsertPayload (this adds the anti-nuclear remarks).