

Hot

Aliases: Hot

Malware

W32

Summary

WordMacro/Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996.

Hot spreads in a similar manner to the WordMacro/Concept virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT file, and from then on it spreads to other documents.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.

Infected documents contain the following four macros, which are visible in the macro list:

  o  AutoOpen
  o  DrawBringInFrOut
  o  InsertPBreak
  o  ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros to:

  o  StartOfDoc
  o  AutoOpen
  o  InsertPageBreak
  o  FileSave

The macros have been saved with the 'execute-only' attribute, which means that a user cannot view or edit them.

WordMacro/Hot contains a counter. It adds a line like this to the WINWORD6.INI file:

QLHot=35112

This number is based on the number of days during this century. Hot adds 14 to this number and then waits until this latency period of 14 days has passed. Hot spreads normally during this time; it just does not activate.

After the 14-day pause, there is a 1 in 7 chance that a document will be erased when it is opened: the virus deletes all text and re-saves the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the source code of the virus hints that this feature was added so that the author of the virus and his friends could protect themselves from the activation damage:

'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
'---------------------------------------------------------------

By default, there is no file by the name EGA5.CPI in MS-DOS distributions.
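The counter, latency and inhibitor rules described above can be turned into a small triage check for an investigator who has a copy of a suspect WINWORD6.INI. This is an added example, not code from the F-Secure description or from the virus; the INI fragment is constructed, and the conversion of the day counter to a calendar date assumes a WordBasic-style serial counted from 1899-12-30 (the page only says the value counts days in this century, so treat the date as approximate).

```python
"""Triage helper for the WordMacro/Hot QLHot marker (added example)."""
import re
from datetime import date, timedelta
from typing import Optional

LATENCY_DAYS = 14                     # latency period stated in the description
SERIAL_EPOCH = date(1899, 12, 30)     # ASSUMPTION: day 0 of the serial counter
MARKER_RE = re.compile(r"^\s*QLHot\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def find_marker(ini_text: str) -> Optional[int]:
    """Return the QLHot day counter if the marker line is present, else None."""
    match = MARKER_RE.search(ini_text)
    return int(match.group(1)) if match else None


def serial_to_date(serial: int) -> date:
    """Convert a day serial to a date under the assumed epoch above."""
    return SERIAL_EPOCH + timedelta(days=serial)


def assess(ini_text: str, today_serial: int, inhibitor_present: bool = False) -> dict:
    """Evaluate infection state: marker found, when the 14-day latency ends,
    and whether the destructive 1-in-7 trigger is currently possible.
    inhibitor_present models the C:\\DOS\\EGA5.CPI check the virus performs."""
    counter = find_marker(ini_text)
    if counter is None:
        return {"infected_marker": False}
    activation = counter + LATENCY_DAYS
    armed = today_serial >= activation
    return {
        "infected_marker": True,
        "counter": counter,
        "marked_on": serial_to_date(counter).isoformat(),
        "activation_serial": activation,
        "days_until_armed": max(0, activation - today_serial),
        "armed": armed,
        "destructive_possible": armed and not inhibitor_present,
    }


# Constructed WINWORD6.INI fragment, not a real capture.
SAMPLE_INI = "[Microsoft Word]\nUSER-DOT-PATH=C:\\WINWORD\\TEMPLATE\nQLHot=35112\n"

if __name__ == "__main__":
    print(assess(SAMPLE_INI, today_serial=35120))   # still within the latency period
    print(assess(SAMPLE_INI, today_serial=35126))   # latency elapsed, trigger possible
```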

WordMacro/Hot was the first macro virus to use external functions. This mechanism allows Word macros to call any standard Windows API function. Because the external-function mechanism is specific to Windows 3.1x, WordMacro/Hot is unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document there just produces an error message.

F-Secure anti-virus products are able to detect the WordMacro/Hot virus.
