With Microsoft Word, a document and all macros related to it are stored in a single file. So a file called DOCUMENT.DOC or DOCUMENT.DOT contains both the document contents and the macros. But with Lotus' Ami Pro, macros are stored in a separate file: if you have DOCUMENT.SAM, macros related to it are in DOCUMENT.SMM. This makes it somewhat more difficult for Ami Pro viruses to spread, since when a user is distributing a document, he is likely to leave the .SMM file behind, effectively disabling the virus.
Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.
The first Ami Pro macro virus was located in January 1996. The virus, which is called Green Stripe or AmiMacro/GreenStripe, works by creating a .SMM file for every .SAM file in Ami Pro's default DOCS directory (\amipro\docs), and modifying the existing .SAM files to use the new macros. The name of the virus comes from it's main macro procedure, which is called Green_Stripe_virus.
Green Stripe propagates by intercepting Ami's File/Save and File/Save As commands. Using File/Save As and saving an infected document to a network drive or a floppy is the only likely way for this virus to spread from a machine to another.
Green Stripe has an activation routine which triggers during saving: the virus searches through the document and replaces all occurences of the word "its" with "it's". Such a change can easily go undetected by the user. However, it is unclear whether this routine works at all.
Green Stripe is rumoured to have been originally published in a US virus-related magazine. It is unlikely to spread in the wild.
Detecting Green Stripe
Open the Tools/Macros/Edit menu and check whether the document has a .SMM macro file assigned to be executed on open. To disinfect an infected document, just delete the .SMM file, open the document to Ami and uncheck the above setting.
Also, the initial infection process takes a long time, and the user is likely to notice that something is going wrong, since all the documents in the default directory are quickly appearing and disappearing on the screen while the virus infects them.