Threat Description

Colors

Details

Aliases: Colors
Category: Malware
Type:
Platform: W32

Summary



This macro virus was posted to a usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus.



Removal



Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details



This macro virus infects Word documents in a similar manner to the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus is able to execute even if the automacros are turned off. Colors contains the following macros:

  AutoClose
  AutoExec
  AutoOpen
  FileExit
  FileNew
  FileSave
  FileSaveAs
  ToolsMacro
  macros

When an infected document is opened, the virus will execute when the user:

  * Creates a new file
  * Closes the infected file
  * Saves the file (autosave does this automatically after the
    infected document has been open for some time)
  * Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use the File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300th increment the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after the next boot-up. This activation routine will not work under Microsoft Word for Macintosh.
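An added check for the WIN.INI marker described above (example code, not F-Secure's own): it parses a constructed WIN.INI fragment, reads the "countersu" counter from the [windows] section and reports how many increments remain before the next color-changing activation. The key spelling, section name and 300-increment period come from this description; the assumption that the value is a plain integer is mine.

```python
import re
from typing import Dict, Optional

COUNTER_KEY = "countersu"   # key name as quoted in the description ("countersu =")
ACTIVATION_PERIOD = 300     # the color payload runs on every 300th increment

def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI parser: section name -> {lowercased key: value}."""
    sections: Dict[str, Dict[str, str]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, _, value = line.partition("=")
            sections.setdefault(current, {})[key.strip().lower()] = value.strip()
    return sections

def colors_generation(text: str) -> Optional[int]:
    """Generation counter if the [windows] marker is present, else None.
    Returns -1 when the key exists but its value is not an integer (assumed format)."""
    value = parse_ini(text).get("windows", {}).get(COUNTER_KEY)
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return -1   # marker present but unreadable: still worth flagging

def increments_until_activation(count: int) -> int:
    """Increments left before the counter next reaches a multiple of 300."""
    return ACTIVATION_PERIOD - (count % ACTIVATION_PERIOD)

# Constructed WIN.INI fragment for demonstration (not from a real machine).
SAMPLE_WIN_INI = """\
[windows]
load=
countersu = 297
[Desktop]
Pattern=(None)
"""
```

A counter of 297 in the sample means the next three macro executions would reach the 300th increment and trigger the color change on the following boot.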

WordMacro/Colors seems to be carefully written; the virus even has a debug mode built in.

F-Secure anti-virus products are able to detect the WordMacro/Colors macro virus.

See also: DMV, Concept, Nuclear





Description Created: Mikko Hypponen, F-Secure
Technical Details: Mikko Hypponen, F-Secure; thanks to Vesselin Bontchev

