Classification

Category: Malware

Type: -

Aliases: Nuclear

Summary

Like WordMacro/DMV and WordMacro/Concept, WordMacro/Nuclear spreads through Microsoft Word documents. The new virus was first spotted on an FTP site on the Internet, in a publicly accessible area which has in the past been a notorious distribution site for viral code. Apparently, the virus's distributor has some sense of irony; the virus was attached to a document which described an earlier Word macro virus, WordMacro/Concept.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Whereas WordMacro/DMV is a test virus and WordMacro/Concept is only potentially harmful, WordMacro/Nuclear is destructive, harmful and generally obnoxious. It consists of a number of Word macros attached to documents. When an infected document is opened, the virus is executed and tries to infect Word's global document template, NORMAL.DOT.

Unlike WordMacro/Concept - which pops up a dialogue box when it infects NORMAL.DOT - WordMacro/Nuclear does not announce its arrival in the system. Instead, it lies low and infects every document created with the "Save As" function by attaching its own macros to it. The virus tries to hide its presence by switching off the "Prompt to save NORMAL.DOT" option (in the Options dialogue, opened from the Tools menu) every time a document is closed. That way, the user is no longer asked whether changes in NORMAL.DOT should be saved, and the virus is that much more likely to go unnoticed. Many users relied on this option to protect themselves against the WordMacro/Concept virus, but it obviously no longer works against Nuclear.

WordMacro/Nuclear contains several potentially destructive and irritating routines. The next time Word is started after initial infection, one of its constituent macros, "DropSuriv", looks up the time in the computer's clock. If the time is between 17.00 and 17.59, the virus tries to inject a more traditional DOS/Windows file virus called Ph33r.1332 into the system (as the virus's author has commented in the virus's code: "5PM - approx time before work is finished"). "Suriv" is, of course, "Virus" spelled backwards. However, due to an error, this routine does not work as intended in any of the popular operating environments.

Another of the virus's macros, "PayLoad", tries to delete the computer's system files IO.SYS, MSDOS.SYS and COMMAND.COM whenever the date is the fifth of April. And finally, the virus adds the following two lines:

 And finally I would like to say:
 STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC

at the end of any document printed or faxed from Word during the last five seconds of any minute. Since the text is added at print-time only, the user is unlikely to notice this embarrassing change. This function is handled by the viral macro "InsertPayload".

The virus can be detected by selecting the Macro command from the Tools menu and checking whether the macro list contains any curiously named macros. "DropSuriv" and "InsertPayload" are obvious giveaways.
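The same macro-name check can be run over a file's raw bytes without opening it in Word. This is an added example, not F-Secure's code: it assumes the macro names are stored in the file as readable strings (single-byte or UTF-16LE), and `scan`, `verdict` and the sample bytes are hypothetical names and constructed data.

```python
import re

# Macro names taken from the description above.
NUCLEAR_MACROS = ("DropSuriv", "PayLoad", "InsertPayload")


def scan(data: bytes) -> dict:
    """Return {macro_name: [byte offsets]} for names found in raw file bytes."""
    hits, taken = {}, []
    # Longest name first, so the "Payload" inside "InsertPayload" is not
    # reported a second time as the separate "PayLoad" macro.
    for name in sorted(NUCLEAR_MACROS, key=len, reverse=True):
        # Assumption: names may be stored as single-byte or UTF-16LE text.
        for enc in ("ascii", "utf-16-le"):
            pat = re.compile(re.escape(name.encode(enc)), re.IGNORECASE)
            for m in pat.finditer(data):
                if any(s <= m.start() and m.end() <= e for s, e in taken):
                    continue  # lies inside a longer name already recorded
                taken.append(m.span())
                hits.setdefault(name, []).append(m.start())
    return hits


def verdict(data: bytes) -> str:
    """Triage label: how strongly the byte scan points at Nuclear's macros."""
    found = scan(data)
    if len(found) >= 2:
        return "suspect"   # several of the virus's macro names together
    if found:
        return "review"    # one name alone may be ordinary text
    return "no-match"


# Constructed sample bytes (not a real document): padding plus three names.
SAMPLE = (b"\x00" * 16 + b"DROPSURIV" + b"\x01\x02"
          + "InsertPayload".encode("utf-16-le") + b"\xff" + b"PAYLOAD")

if __name__ == "__main__":
    print(verdict(SAMPLE), scan(SAMPLE))
```

A match only marks the file for inspection: a document that merely quotes these names in its text matches as well, so confirm against the macro list in the Tools menu.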

F-Secure anti-virus products detect the WordMacro/Nuclear virus.

See also: Ph33r, Concept, DMV, Colors