Threat Description

Colors

Details

Aliases:Colors
Category: Malware
Type:
Platform: W32

Summary



This macro virus was posted to a usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You also may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



This macro virus infectes Word documents in a similar manner as the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus will be able to execute even if the automacros are turned off. Colors contains the following macros:

  AutoClose
  AutoExec
  AutoOpen
  FileExit
  FileNew
  FileSave
  FileSaveAs
  ToolsMacro
  macros

When an infected document is opened, the virus will execute when user:

* Creates a new file
  * Closes the infected file
  * Saves the file (autosave does this automatically after the
 infected document has been open for some time)
  * Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300rd increments the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after next boot-up. This activation routine will not work under Microsoft Word for Macintosh.

WordMacro/Colors seems to be carefully written; The virus even has a debug mode built-in.

F-Secure anti-virus products are able to the detect the WordMacro/Colors macro virus.

See also: DMV, Concept, Nuclear





Description Created: Mikko Hypponen, F-Secure
Technical Details: Mikko Hypponen, F-Secure; thanks to Vesselin Bontchev


SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More