Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only potentially harmful, WordMacro/Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.
Unlike WordMacro/Concept - which pops up a dialogue box when it infects NORMAL.DOT - WordMacro/Nuclear does not announce its arrival in the system. Instead, it lays low and infects every document created with the "Save As" function by attaching its own macros to it. The virus tries to hide its presence by switching off the "Prompt to save NORMAL.DOT" option (in the Options dialogue, opened from Tools menu) every time a document is closed. That way, the user is no longer asked whether changes in NORMAL.DOT should be saved, and the virus is that more likely to go unnoticed. Many users relied on this option to protect themselves against the WordMacro/Concept virus, but it obviouisly no longer works against Nuclear.
WordMacro/Nuclear contains several potentially destructive and irritating routines. The next time Word is started after initial infection, one of its constituent macros, "DropSuriv", looks up the time in the computer's clock. If the time is between 17.00 and 17.59, the virus tries to inject a more traditional DOS/Windows file virus called Ph33r.1332 into the system (as the viruse's author has commented in the viruse's code: "5PM - approx time before work is finished"). "Suriv" is, of course, "Virus" spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.
Another of the viruse's macros, "PayLoad", tries to delete the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is fifth of April. And finally, the virus adds the following two lines:
And finally I would like to say:STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC
at the end of any document printed or faxed from Word during the last five seconds of any minute. Since the text is added at print-time only, the user is unlikely to notice this embarassing change. This function is handled by the viral macro "InsertPayload".
The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.
F-Secure anti-virus products detect the WordMacro/Nuclear virus.
See also: Ph33r, Concept, DMV, Colors