The viruses of this family use an uncommon way of spreading. Instead
of copying their macro program to the macro area in victim documents,
they just write to documents a reference to a template (attached
template) which contains virus macros. MS Word97 when opening a such
document detects the reference to the attached template, opens it and
executes its macros. The virus macro gets control and runs infected
procedure. As a result the infected documents have no macro code, but
on their opening the virus macro code is loaded by Word97 and
executed.
In the known versions of this virus the reference to attached template
points to a file on a remote Internet site (virus-writers Web site).
As a result, MS Word97 on opening an affected document downloads and
processes the template that is placed in the Internet zone. Because of
that virus author(s) are able to "upgrade" virus code by replacing the
template on their Web site.
This way of spreading allows the virus to bypass the anti-virus
protection (VirusWarning) in old versions of MS Word97. These Word97
versions have a security breach: the anti-virus protection is not
activated by Word97 to scan attached templates for macro code. This
bug in MS Word97 was fixed in the beginning of 1999.
This variant contains this comment:
<!--1nternal-->
Active Template Update
This virus version does not copy entire code from the template to
global macros area, but only the code necessary to infects documents.
This variant contains this comment:
<!--1nternal-->
Active Template Update v0.2 /1nternal
[Analysis by Eugene Kaspersky]
