Mac Word viruses

Subject: Mac Word viruses
From: Elsa Kapitan-White <kapitan-white -at- SUGAR-LAND -dot- OILFIELD -dot- SLB -dot- COM>
Date: Mon, 20 May 1996 12:37:07 -0500

Garret Romaine asked: Does anyone know if the Word macro virus can also
strike a Macintosh using Word?

Our computer guy had distributed this FYI a few months ago:

New Macintosh Virus Discovered (Word Macro 9508)
28 August 1995

Virus:            Word-Macro-9508 (see description, below, for aliases)
Damage:           Changes macros in some Word files and templates; may alter
                  file types.
Spread:           Under Microsoft Word 6.0 for Mac, DOS, OS/2, Windows (all),
                  and others.
Systems affected: All Apple Macintosh computers, plus PCs.

The Word Macro virus is the first non-research instance of a virus
type that has been known to anti-virus experts for years: a virus
residing in interpreted data that can spread to different OS
platforms. This virus does not spread via modification of executable
machine code, but by modification of data in files that are
interpreted by application programs. In this case, the interpreter is
the Microsoft Word 6.0 program (also part of Microsoft Office), and
any other versions of Word that support macros and WordBasic.

This virus is capable of spreading to and from more than one platform.
Any systems that are capable of running Microsoft Word 6.0 can be
affected by the virus, and transfer of files between systems can
spread it. Thus, transferring Word files between DOS, OS/2,
Windows, NT, or other non-Mac platforms and your Mac can spread the
virus. Note that this may be more common on Mac systems with PC
co-processor cards or running SoftWindows.

The virus appears to be widespread in the PC (DOS, OS/2, Windows, etc)
world, with instances from the US, UK, France, Germany, Canada, the
Netherlands, Turkey, and Finland reported to one major PC anti-virus
firm. However, we have seen very few reports of the virus on Macs to
date.

The virus adds several new macros to the global macro pool: "AAAZA0",
"AAAZFS", "Payload" and one entitled "FileSaveAs". The virus is
activated in an infected file when you choose the "Save As" feature in
the "File" menu and the virus macro is run. The altered macros are
then saved with the file, and may be saved in the global template file
as well.

The virus may be noticed when triggered by the appearance of an alert
window with the digit "1" in it. On Macs, it may also be noticed
because infected files are saved as templates no matter what type was
specified in the "Save As" dialog (note that this changes the icon you
see from that of a normal document). Additionally, a user may examine
the defined macros for a file to determine if any suspicious macros
are present. As has been noted in some press releases, the virus code
is simple for a novice to modify, so variants may also be present or
appear soon; variants that will run successfully on all affected
platforms, including Macintoshes, may not be so simple to create.

The PC community has also named this virus "WinWord.Concept", "WW6",
and "WW6Macro" (misnomers, as it spreads to other platforms running
Word 6.0), and Microsoft has dubbed it "Prank". One of the best
descriptions of the virus, albeit with an emphasis on the DOS, OS/2
and Windows environments, is available from IBM's WWW server:
<http://www.research.ibm.com/xw-D953-wconc>.

A few vendors of major Macintosh anti-virus software are planning
minor releases of their products to cope with this virus or help
identify its presence. Other vendors are deferring to Microsoft for a
more comprehensive solution, to this and similar such viruses.

Microsoft has made software available to counter the virus, obtainable
via the WWW from
<http://www.microsoft.com/kb/softlib/mslfiles/mw1222.hqx>
and via ftp from
<ftp://ftp.microsoft.com/softlib/mslfiles/mw1222.hqx>.
Note that as of the release of this advisory, the fix from Microsoft
only renames the virus rather than removing it. Furthermore, we have
had reports that the filesystem scan function supplied ("Scan.doc")
may not actually find every occurrence of infected files on a
Macintosh. Also note that the release from Microsoft does *not*
negate the threat of simple variants or similar such viruses that
might be written in the future.

Be aware that if you operate your Mac in a heterogeneous computing
environment that includes other platforms running Microsoft Word 6.0,
you may need to obtain updated versions of anti-virus software for
those other platforms. Eradicating the virus from your Macintoshes
may not be enough protection -- a different platform with the virus
may result in the virus being reestablished on your Macs.

Also note that some users have MIME-compliant mailers (e.g., Eudora)
and WWW browsers (e.g., Mosaic and Netscape) configured to recognize
Microsoft Word documents and automatically start Word if this file
type is encountered. This mechanism may also allow the virus to be
reintroduced into your system via mail or a WWW page, so you should
use such automatic execution with caution.

Further questions about the virus and Microsoft Word 6.0 should be
directed to Microsoft technical support. Queries about their plans to
prevent future such viruses should also be directed to Microsoft.


Tool: Virex
Status: Commercial software
Revision to be released: Virex 5.6.1
    Virex Virus Update 5.6.1, for all versions of Virex 5.5 or later.
Where to find: Datawatch Corporation, (508) 988-9700
    AOL: Keyword DATAWATCH
    Compuserve: Go: NCSA/NCSA Anti-Virus Vendor Forum/Browse Libraries/General Info/Utils
    AppleLink: Third Parties/3rd Party Demos/Updates/Software Updates/Companies A-D/Datawatch Corporation
    Internet: <ftp://gateway.datawatch.com/pub/>
    Datawatch BBS: (508) 988-6373 [8,N,1]
When available: Immediately
Comments: Virex Virus Update 5.6.1 is available on the listed online
    services. Subscribers will automatically receive updates
    by mail. Contact Datawatch for additional information on
    update and subscription services.


Other antivirals:
    CPAV (Central Point Anti-virus): no update at this time
    Disinfectant does not deal with non-machine code viruses,
        so no update is needed.
    Gatekeeper is no longer actively supported. However, its
        design is such that no update would be needed (this
        virus would likely not be stopped by Gatekeeper)
    No information is available at this time about the "Rival"
        antivirus program and this virus.
    SAM (Virus Clinic and Intercept): no update at this time
    VirusDetective: no update planned

-------------

If you discover what you believe to be a virus on your Macintosh
system, please report it to the vendor/author of your anti-virus
software package for analysis. Such reports make early, informed
warnings like this one possible for the rest of the Mac community. If
you are otherwise unsure of who to contact, you may send e-mail to
spaf -at- cs -dot- purdue -dot- edu as an initial point of contact.

Also, be aware that writing and releasing computer viruses is more
than a rude and damaging act of vandalism -- it is also a violation of
many state and Federal laws in the US, and illegal in several other
countries. If you have information concerning the author of this or
any other computer virus, please contact any of the anti-virus
providers listed above. Several Mac virus authors have been
apprehended thanks to the efforts of the Mac user community, and some
have received criminal convictions for their actions. This is yet one
more way to help protect your computers.

Elsa Kapitan-White
Schlumberger Oilfield Marketing Services
(713)275-7563, fax -8545

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Post Message: TECHWR-L -at- LISTSERV -dot- OKSTATE -dot- EDU
Get Commands: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "help" in body.
Unsubscribe: LISTSERV -at- LISTSERV -dot- OKSTATE -dot- EDU with "signoff TECHWR-L"
Listowner: ejray -at- ionet -dot- net
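
The advisory above suggests examining a file's defined macros for suspicious entries. The following is an added example, not part of the original post or advisory: it triages file bytes for the four macro names the advisory lists. It assumes the names are stored as plain single-byte text in a file that begins with the OLE2 compound-file header; the function names and sample bytes are constructed for illustration.

```python
import re

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file header

# Macro names listed in the advisory for Word-Macro-9508.
DISTINCTIVE = ("AAAZA0", "AAAZFS")   # unlikely to appear in a benign document
GENERIC = ("Payload", "FileSaveAs")  # plausible in legitimate macros as well


def macro_names_present(data):
    """Return the advisory's macro names found anywhere in the bytes."""
    found = []
    for name in DISTINCTIVE + GENERIC:
        # Assumption: names are plain single-byte text; case is ignored.
        if re.search(re.escape(name.encode("ascii")), data, re.IGNORECASE):
            found.append(name)
    return found


def triage(data):
    """Classify file bytes as (verdict, names_found)."""
    # Assumption: an unwrapped document starts with the OLE2 header, so a
    # file still in a transfer wrapper must be decoded before this check.
    if not data.startswith(OLE2_MAGIC):
        return ("not-ole2", [])
    found = macro_names_present(data)
    if len(found) == len(DISTINCTIVE + GENERIC):
        verdict = "full-match"      # the complete set from the advisory
    elif any(n in DISTINCTIVE for n in found):
        verdict = "partial-match"   # possible variant or renamed macros
    elif found:
        verdict = "generic-only"    # common names only; low confidence
    else:
        verdict = "no-names"
    return (verdict, found)


# Constructed sample inputs (not real documents, not a real file layout).
PAD = b"\x00" * 24
SAMPLE_FULL = OLE2_MAGIC + PAD + b"AAAZA0\x00AAAZFS\x00PAYLOAD\x00FILESAVEAS\x00"
SAMPLE_PARTIAL = OLE2_MAGIC + PAD + b"AAAZFS\x00FILESAVEAS\x00"
SAMPLE_GENERIC = OLE2_MAGIC + PAD + b"FileSaveAs\x00"
SAMPLE_TEXT = b"Plain-text note that mentions AAAZA0 and Payload."

if __name__ == "__main__":
    for label, blob in [("full", SAMPLE_FULL), ("partial", SAMPLE_PARTIAL),
                        ("generic", SAMPLE_GENERIC), ("text", SAMPLE_TEXT)]:
        print(label, triage(blob))
```

A "no-names" result does not clear a file: the advisory notes that variants are simple to create, and a variant need not keep these macro names.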

