Classification

Category: Malware

Type: -

Aliases: Hot

Summary


WordMacro/Hot was the first Word macro virus written in Russia. It was found in the wild over there in January 1996.

Hot spreads in much the same way as the WordMacro/Concept virus: when an infected DOC is first opened, the virus modifies the NORMAL.DOT global template, and from then on it infects other documents.

Removal


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.


Technical Details


Unlike the earlier Word macro viruses, Hot does not replicate via the File/Save As command; it infects only during the basic File/Save command. This means that Hot infects only existing documents on the system, not newly created ones.

Infected documents contain the following four macros, which are visible in the macro list:

o AutoOpen
o DrawBringInFrOut
o InsertPBreak
o ToolsRepaginat

When Hot infects NORMAL.DOT, it renames these macros (in the same order) to:

o StartOfDoc
o AutoOpen
o InsertPageBreak
o FileSave

The macros are saved with the 'execute-only' attribute, which means that a user cannot view or edit them from within Word.

WordMacro/Hot keeps a counter. It adds a line like this to the WINWORD6.INI file:

QLHot=35112

This number is the day count for the current century on the day of infection. Hot adds 14 to it to obtain its activation date and stays dormant until that date is reached. During this 14-day latency period Hot spreads normally; it just does not activate.

After the 14-day pause, there is a 1 in 7 chance that a document will be erased when it is opened: the virus deletes all text and re-saves the document. Hot does not do this if it finds a file called EGA5.CPI in the C:\DOS directory. A comment in the virus source code hints that this check was added so that the author of the virus and his friends could protect themselves from the activation damage:

'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) -
'---------------------------------------------------------------

By default, no file by the name EGA5.CPI ships in MS-DOS distributions, so an ordinary infected machine has no such protection.
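The counter, latency and inhibitor logic described above, as an added example that is neither F-Secure's code nor the virus's own WordBasic: a small Python triage helper that pulls the QLHot line out of a WINWORD6.INI, converts the day count to calendar dates and classifies where an infected machine stands relative to the payload. It assumes that the "day of the century" count is WordBasic's date serial (days since 30 December 1899, the same serial Excel uses); that epoch, the sample INI text, the helper names and the way the 1-in-7 draw is modelled are all assumptions, not facts from the page.

```python
"""Triage helper for the WordMacro/Hot date counter (added example)."""
import os
import re
from datetime import date, timedelta

# ASSUMPTION: WordBasic date serials count days from 1899-12-30. If the
# virus used a 1900-01-01 epoch instead, every derived date shifts by 2 days.
SERIAL_EPOCH = date(1899, 12, 30)
LATENCY_DAYS = 14                      # from the page: 14-day dormancy
WIPE_ODDS = 7                          # from the page: 1 in 7 per document open
INHIBITOR_FILE = r"C:\DOS\EGA5.CPI"    # from the page: presence disables payload

# WINWORD6.INI is a plain Windows 3.1 INI file, so a line regex is enough.
QLHOT_RE = re.compile(r"^\s*QLHot\s*=\s*(\d+)\s*$", re.IGNORECASE | re.MULTILINE)


def serial_to_date(serial: int) -> date:
    """Convert a WordBasic-style day count to a calendar date."""
    return SERIAL_EPOCH + timedelta(days=serial)


def date_to_serial(d: date) -> int:
    """Inverse of serial_to_date."""
    return (d - SERIAL_EPOCH).days


def parse_qlhot(ini_text: str):
    """Return the QLHot counter from WINWORD6.INI text, or None if absent."""
    m = QLHOT_RE.search(ini_text)
    return int(m.group(1)) if m else None


def inhibitor_present_on_this_host() -> bool:
    """True if the author's kill-switch file exists (only meaningful on the infected PC)."""
    return os.path.exists(INHIBITOR_FILE)


def hot_state(qlhot: int, today: date, inhibitor_present: bool) -> str:
    """Classify the machine relative to Hot's payload.

    latent    - inside the 14-day window: spreads, does not activate
    inhibited - window passed, but C:\\DOS\\EGA5.CPI exists: payload skipped
    armed     - window passed, no inhibitor: each open has a 1-in-7 wipe chance
    """
    activation = serial_to_date(qlhot + LATENCY_DAYS)
    if today < activation:
        return "latent"
    if inhibitor_present:
        return "inhibited"
    return "armed"


def would_wipe(state: str, draw: int) -> bool:
    """Model the stated 1-in-7 chance for one document open.

    ASSUMPTION: `draw` stands in for the virus's random number; the page
    gives only the odds, not how the virus actually draws them.
    """
    return state == "armed" and draw % WIPE_ODDS == 0


def report(ini_text: str, today: date, inhibitor_present: bool) -> dict:
    """Summarise the infection marker and payload timing for an analyst."""
    qlhot = parse_qlhot(ini_text)
    if qlhot is None:
        return {"infected_marker": False}
    return {
        "infected_marker": True,
        "qlhot": qlhot,
        "infection_date": serial_to_date(qlhot),
        "activation_date": serial_to_date(qlhot + LATENCY_DAYS),
        "state": hot_state(qlhot, today, inhibitor_present),
    }


# Constructed sample WINWORD6.INI fragment: the QLHot value is the one quoted
# on the page; the section name and DOC-PATH key are made up for illustration.
SAMPLE_INI = """[Microsoft Word]
DOC-PATH=C:\\DOCS
QLHot=35112
"""

if __name__ == "__main__":
    for key, value in report(SAMPLE_INI, date(1996, 3, 1), False).items():
        print(f"{key}: {value}")
```

With the assumed epoch, QLHot=35112 decodes to 17 February 1996, which fits the January 1996 discovery date, and the activation date falls on 2 March 1996; an analyst who finds the marker can therefore tell at a glance whether the machine is still in the latent window or already armed.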

WordMacro/Hot was the first macro virus to use external functions, a mechanism that lets Word macros call any standard Windows API function. Because this external-function mechanism is specific to Windows 3.1x, WordMacro/Hot cannot spread under Word for Macintosh or Word 7 for Windows 95: opening an infected document there just produces an error message.

F-Secure anti-virus products are able to detect the WordMacro/Hot virus.