Classification

Category: Malware

Type: -

Aliases: Colors

Summary


This macro virus was posted to a usenet newsgroup on the 14th of October, 1995. It is also known as the Rainbow virus.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Technical Details


This macro virus infects Word documents in a similar manner as the previous Word macro viruses, except that it does not rely only on the auto-execute macros to operate. Thus, this virus will be able to execute even if the automacros are turned off. Colors contains the following macros:

* AutoClose
* AutoExec
* AutoOpen
* FileExit
* FileNew
* FileSave
* FileSaveAs
* ToolsMacro
* macros

When an infected document is opened, the virus will execute when the user:

* Creates a new file
* Closes the infected file
* Saves the file (autosave does this automatically after the infected document has been open for some time)
* Lists macros with the Tools/Macro command

It is important not to use the Tools/Macro command to check if you are infected with this virus, as doing so will just execute the virus. Instead, use the File/Templates/Organizer/Macros command to detect and delete the offending macros. Do note that a future macro virus will probably subvert this command as well.

The virus maintains a generation counter in WIN.INI, where a line "countersu =" in the [windows] section is increased during the execution of the macros. After every 300th increment the virus will modify the system color settings; the colors of different Windows objects will be changed to random colors after the next boot-up. This activation routine will not work under Microsoft Word for Macintosh.
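The two indicators described above, the macro names and the WIN.INI counter, can be checked together without using the Tools/Macro command. The following is an added example, not F-Secure's code: it assumes the macro names were gathered by other means (for instance read off the Organizer dialog), and the sample WIN.INI content, the function names and the `suspect` heuristic are constructed for illustration.

```python
# Added example (not F-Secure code): triage for the two Colors indicators on this page.
# Macro names listed in the description, lower-cased for case-insensitive matching.
COLORS_MACROS = frozenset({
    "autoclose", "autoexec", "autoopen", "fileexit", "filenew",
    "filesave", "filesaveas", "toolsmacro", "macros",
})

# Constructed sample WIN.INI content; the counter value 299 is made up.
SAMPLE_WIN_INI = """\
; constructed sample
[windows]
load=
run=
countersu =299

[Desktop]
Wallpaper=(None)
"""


def find_counter(win_ini_text):
    """Return the value of 'countersu' in the [windows] section, or None."""
    section = None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "countersu":
                return value.strip()
    return None


def triage(win_ini_text, macro_names):
    """Combine both indicators; macro_names is a list gathered without running macros."""
    present = {name.strip().lower() for name in macro_names}
    hits = sorted(COLORS_MACROS & present)
    counter = find_counter(win_ini_text)
    full_set = len(hits) == len(COLORS_MACROS)
    # Assumption: AutoOpen and friends also occur in benign templates, so only the
    # complete nine-macro set or the WIN.INI counter is treated as a strong signal.
    return {"counter": counter, "macro_hits": hits,
            "suspect": counter is not None or full_set}


if __name__ == "__main__":
    print(triage(SAMPLE_WIN_INI, ["AutoOpen", "FileSave", "macros"]))
```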

WordMacro/Colors seems to be carefully written; the virus even has a debug mode built-in.

F-Secure anti-virus products are able to detect the WordMacro/Colors macro virus.

See also: DMV, Concept, Nuclear