AutoClose AutoExec AutoOpen FileExit FileNew FileSave FileSaveAs ToolsMacro macros
When an infected document is opened, the virus will execute when user:
* Creates a new file * Closes the infected file * Saves the file (autosave does this automatically after the infected document has been open for some time) * Lists macros with the Tools/Macro command
It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.
The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300rd increments the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after next boot-up. This activation routine will not work under Microsoft Word for Macintosh.
WordMacro/Colors seems to be carefully written; The virus even has a debug mode built-in.
F-Secure anti-virus products are able to the detect the WordMacro/Colors macro virus.
See also: DMV, Concept, Nuclear
[Analysis: Mikko Hypponen, F-Secure; thanks to Vesselin Bontchev]