Classification

Category :

Malware

Type :

-

Aliases :

Hot

Summary

WordMacro/Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996.

Hot spreads in a similar manner to the WordMacro/Concept virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT template, and from then on it spreads to other documents.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Unlike the earlier Word macro viruses, Hot does not replicate with the File/Save As command - it infects only during the basic File/Save command. This means that Hot will infect only existing documents in the system - not new ones.

Infected documents contain the following four macros, which are visible in the macro list:

  • AutoOpen
  • DrawBringInFrOut
  • InsertPBreak
  • ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros to:

  • StartOfDoc
  • AutoOpen
  • InsertPageBreak
  • FileSave

The macros are saved with the 'execute-only' attribute, which means that a user cannot view or edit them.

WordMacro/Hot contains a counter. It adds a line like this to the WINWORD6.INI file:

QLHot=35112

This number is based on the number of days elapsed during this century. Hot adds 14 to this number and then waits until this latency period of 14 days has passed. During this time Hot spreads normally; it simply does not activate.

After the 14-day pause, there is a 1 in 7 chance that a document will be erased when it is opened: the virus deletes all text and re-saves the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the source code of the virus hints that this feature was added so that the author of the virus and his friends could protect themselves from the activation damage:

'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
'---------------------------------------------------------------

By default, there is no file by the name EGA5.CPI in MS-DOS distributions.
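The two indicators described above, the fixed macro sets left in infected documents and in NORMAL.DOT and the QLHot= counter line in WINWORD6.INI, can be checked from an incident-response script. The following is an added example written for this description; it is not F-Secure code and not code from the virus. The macro names and the 14-day latency are taken from the text above. The page does not say which day the counter treats as day zero, so the conversion of the counter to a calendar date assumes 1900-01-01 as the epoch, and the sample INI text is constructed.

```python
"""Indicator checks for WordMacro/Hot (added example, not F-Secure code)."""
from datetime import date, timedelta

# Macro sets named in the description: the first is left in an infected
# document, the second in an infected NORMAL.DOT.
HOT_DOC_MACROS = {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"}
HOT_NORMAL_DOT_MACROS = {"StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"}

# Assumption: "days during this century" counts from 1900-01-01 as day 0.
# The page does not state the epoch; it is only used to report a date.
ASSUMED_EPOCH = date(1900, 1, 1)
LATENCY_DAYS = 14  # stated in the description


def classify_macro_set(macro_names):
    """Return which Hot macro set a document's macro list matches, or None.

    Only the complete set is treated as a match: AutoOpen alone is a
    legitimate and common macro name and must not trigger on its own.
    """
    present = set(macro_names)
    if HOT_DOC_MACROS <= present:
        return "infected document"
    if HOT_NORMAL_DOT_MACROS <= present:
        return "infected NORMAL.DOT"
    return None


def find_qlhot_counter(ini_text):
    """Return the integer value of the QLHot= key in WINWORD6.INI text, or None.

    INI keys are case-insensitive on Windows, so the key is compared lowercased.
    """
    for line in ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "qlhot":
            try:
                return int(value.strip())
            except ValueError:
                return None  # key present but not a number: not the expected form
    return None


def activation_window(counter):
    """Return (infection_date, earliest_activation_date) as ISO strings.

    The infection date is the counter interpreted against the assumed epoch;
    the virus stays dormant until LATENCY_DAYS have passed after it.
    """
    infected = ASSUMED_EPOCH + timedelta(days=counter)
    activates = infected + timedelta(days=LATENCY_DAYS)
    return infected.isoformat(), activates.isoformat()


if __name__ == "__main__":
    # Constructed sample data, not captured from a real system.
    sample_ini = "[Microsoft Word]\nQLHot=35112\nDOC-PATH=C:\\WINWORD\n"
    sample_macros = ["AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"]

    print("macro set:", classify_macro_set(sample_macros))
    counter = find_qlhot_counter(sample_ini)
    if counter is not None:
        infected, activates = activation_window(counter)
        print(f"QLHot counter {counter}: infected {infected}, "
              f"may activate from {activates} (epoch assumed)")
```

The QLHot= line is useful as a host indicator even without trusting the date conversion: a clean WINWORD6.INI has no such key, so its presence alone is worth flagging, and the computed window only helps estimate how long the infected host may have been spreading the virus before any damage could occur.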

WordMacro/Hot was the first macro virus to use external functions, a mechanism that allows Word macros to call any standard Windows API function. Because the use of external functions is specific to Windows 3.1x, WordMacro/Hot is unable to spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document there just produces an error message.

F-Secure anti-virus products are able to detect the WordMacro/Hot virus.