This macro virus was posted to a Usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus.
Disinfection & Removal
This macro virus infects Word documents in a manner similar to the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus will be able to execute even if the automacros are turned off. Colors contains the following macros:
* AutoClose
* AutoExec
* AutoOpen
* FileExit
* FileNew
* FileSave
* FileSaveAs
* ToolsMacro
* macros
When an infected document is opened, the virus will execute when the user:
* Creates a new file
* Closes the infected file
* Saves the file (autosave does this automatically after the infected document has been open for some time)
* Lists macros with the Tools/Macro command
It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use the File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.
The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] section is increased during the execution of the macros. After every 300th increment the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after the next boot-up. This activation routine will not work under Microsoft Word for Macintosh.
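The WIN.INI counter described above can serve as a host indicator. The Python below is an added example, not part of the original description or of any F-Secure tool; it scans WIN.INI text for the key. The function names and sample file contents are constructed, and it assumes the stored value is a plain count of increments.

```python
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")
TRIGGER_INTERVAL = 300  # per the description: colors change after every 300th increment


def find_colors_counter(ini_text):
    """Return the raw value of 'countersu' in [windows], or None if absent.

    Section and key names are compared case-insensitively and whitespace
    around the key is ignored, so 'countersu =5' and 'CounterSU=5' both match.
    """
    section = None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(";"):
            continue  # blank line or comment
        m = SECTION_RE.match(stripped)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in stripped:
            continue  # the key only counts inside [windows]
        key, _, value = stripped.partition("=")
        if key.strip().lower() == "countersu":
            return value.strip()
    return None


def assess(ini_text):
    """Report presence of the key and, if numeric, the increments left before
    the next multiple of 300 (assumption: the value is the increment count)."""
    raw = find_colors_counter(ini_text)
    if raw is None:
        return {"indicator": False}
    result = {"indicator": True, "raw": raw}
    if raw.isdigit():
        count = int(raw)
        result["count"] = count
        result["until_next_trigger"] = TRIGGER_INTERVAL - count % TRIGGER_INTERVAL
    return result


# Constructed sample WIN.INI contents (not taken from a real system).
SAMPLE_INFECTED = "[Desktop]\ncountersu=1\n[windows]\nload=\nrun=\ncountersu =287\n"
SAMPLE_CLEAN = "; constructed\n[windows]\nload=\nrun=\n[fonts]\n"

if __name__ == "__main__":
    print(assess(SAMPLE_INFECTED))
    print(assess(SAMPLE_CLEAN))
```

A key of the same name outside the [windows] section is ignored, and a non-numeric value is still reported as an indicator without a count.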
WordMacro/Colors seems to be carefully written; the virus even has a debug mode built-in.
F-Secure anti-virus products are able to detect the WordMacro/Colors macro virus.
See also: DMV, Concept, Nuclear
Description Created: Mikko Hypponen, F-Secure
Technical Details: Mikko Hypponen, F-Secure; thanks to Vesselin Bontchev