Summary

This macro virus was posted to a usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus.

Additional Details

This macro virus infectes Word documents in a similar manner as the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus will be able to execute even if the automacros are turned off. Colors contains the following macros:

     AutoClose
     AutoExec
     AutoOpen
     FileExit
     FileNew
     FileSave
     FileSaveAs
     ToolsMacro
     macros

When an infected document is opened, the virus will execute when user:

  * Creates a new file
  * Closes the infected file
  * Saves the file (autosave does this automatically after the
    infected document has been open for some time)
  * Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are infected with this virus, as you will just execute the virus while doing this. Instead, use File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] part is increased during the execution of the macros. After every 300rd increments the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after next boot-up. This activation routine will not work under Microsoft Word for Macintosh.

WordMacro/Colors seems to be carefully written; The virus even has a debug mode built-in.

F-Secure anti-virus products are able to the detect the WordMacro/Colors macro virus.

See also: DMV, Concept, Nuclear

[Analysis: Mikko Hypponen, F-Secure; thanks to Vesselin Bontchev]