Prevent Online Threats

Archive for the 'Virus Threats' Category

Macro.Word.Doggie

Saturday, January 24th, 2009

Details
Macro.Word.Doggie.a

This macro virus contains three macros: Doggie, AutoOpen and FileSaveAs. It displays a message box with the text “Doggie”.

Macro.Word.Buer

Friday, January 23rd, 2009

Details
Macro.Word.Buero

This is an encrypted virus. It contains two macros:
NORMAL.DOT ¦ Infected files
DateiSpeichern ¦ AutoOpen
BuroNeu ¦ BuroNeu

This virus infects the system on AutoOpen and writes itself to files on FileSave (DateiSpeichern).
If the current date is later than 15.8.96, the virus renames the system file IO.SYS to IIO.SYS (which makes it impossible to boot DOS), searches for C:\*.DOC files and deletes them.

Macro.Word.Breede

Friday, January 23rd, 2009

Details
Macro.Word.Breeder

The virus contains one macro, “AutoOpen”, in documents and infects the global macros area when an infected document is opened. In NORMAL.DOT this macro is renamed to “FileSave”, and the virus infects files that are saved. The virus does not manifest itself in any way; it contains the comments:
BREEDER BY -=>NEMESIS<=- 5/4/97
“DO NOT PROVOKE THE INTROVERT”

Macro.Word.Box

Friday, January 23rd, 2009

Details
Macro.Word.Box.a

This macro virus contains seven macros: AutoOpen, AutoClose, Box, Dead, FilePrint, FilePrintDefault, ToolsMacro. On AutoOpen and AutoClose the virus infects the global macros and documents. The ToolsMacro macro is used to disable the Tools/Macro menu. The other macros contain infection and trigger routines.
The virus manifests itself in several ways. It inserts Chinese text into documents that are printed, displays message boxes, drops and launches the “OneHalf.3544” virus, plays a sound (WAV) file, and runs the DOS commands:
echo y|format c:/u
echo y|format c:/u/v:Twnos1

The virus contains the strings that are inserted into documents and displayed in MessageBoxes:
Taiwan Super No.1 Macro Virus
Twno1-S
Today Is My Birthday

Macro.Word.Boo

Friday, January 23rd, 2009

Details
Macro.Word.Boom

This virus is encrypted. It contains four macros: AutoOpen, DateiSpeichernUnter, System, AutoExec. It infects the system when an infected file is opened (AutoOpen) and infects documents that are saved with FileSaveAs (DateiSpeichernUnter).
On MS Word startup (AutoExec) the virus schedules the System macro to be triggered at 13:13:13. At that time MS Word calls this macro and the virus runs its trigger routine. It renames the menus:
Datei Bearbeiten Ansicht Einfügen Format Extras Tabelle Fenster

to
Mr. Boombastic and Sir WIXALOT are watching you ! !

The virus then prints the string:
Mr. Boombastic and Sir WIXALOT : Don`t Panik,
all things are removeable !!! Thanks VIRUSEX !!!

It then creates a new template and writes the following text to it:
Greetings from Mr. Boombastic and Sir WIXALOT !!!
Oskar L., wir kriegen dich !!!
Dies ist eine Initiative des Institutes zur Vermeidung und Verbreitung von
Peinlichkeiten, durch in der Öffentlichkeit stehende Personen, unter der
Schirmherrschaft von Rudi S. !

The virus also contains the strings:
Mr. Boombastic and Sir WIXALOT !!!

Macro.Word.Boogi

Friday, January 23rd, 2009

Details
Macro.Word.Boogie

This macro virus contains four macros:
Documents ¦ NORMAL.DOT
vExit ¦ FileExit
vFSav ¦ FileSaveAs
vMacro ¦ ToolsMacro
AutoOpen ¦ Boogie

The virus infects the global macros area when an infected document is opened (AutoOpen). It writes itself to documents that are saved with a new name (FileSaveAs). The virus disables the Tools/Macro menu (stealth).
The virus contains the comments:
***********************************************
* Boogie v4.0beta (c) DNazi [SGWW] Kiev 1996. *
* Dedicated to Mike Naumenko. *
***********************************************

Macro.Word.Bon

Friday, January 23rd, 2009

Details
Macro.Word.Bond

This is a silly macro virus. It contains three macros with very similar code: AutoClose, BONE, BOND. The virus replicates when a document is closed. It displays the MessageBox:
Any Problem ? Call Mr.BoND, OkEmi ThanK U

Macro.Word.Blas

Thursday, January 22nd, 2009

Details
Macro.Word.Blash

This is an extremely short Word macro virus. It contains only one macro, AutoOpen, and replicates itself when a document is opened. It writes the following string to the Subject field in the document's FileSummaryInfo:
DEMONS STRIDE AT THE GATE OF BLASHYRKH

Macro.Word.BlackEn

Thursday, January 22nd, 2009

Details
Macro.Word.BlackEnd

This is an encrypted virus. It contains five macros: BlackEnd, AutoNew, AutoClose, AutoExec, AutoOpen. The system and files are infected on AutoOpen and AutoExec. The virus also infects files on AutoNew and AutoClose.
On May 22nd the virus creates a new template and inserts the following string into it:
You are infected with the BlackEnd Virus! [D.K.]

Then it creates and executes the C:\DOSYS.BAT file containing the commands:
echo off
doskey Fun=setver win.com 3.00
echo off
Fun

Macro.Word.BlackDeat

Thursday, January 22nd, 2009

Details
Macro.Word.BlackDeath

This is an encrypted Word macro virus. It contains three macros: AutoExec, AutoOpen, BlackDeath. The virus replicates itself when documents are opened (AutoOpen).
On Friday the 13th it prints the following text to the status line:
Please wait… Scanning disk!

and deletes the files:
C:\*.COM
C:\WINDOWS\*.INI

It then prints:
Please wait… Reading directories!

and deletes the files:
C:\AOL30\ORGANIZE\*.*
C:\AOL30\IDB\*.*
C:\WINDOWS\*.COM
C:\WINDOWS\*.HLP
C:\WINDOWS\*.CPL
C:\WINDOWS\*.BMP
C:\*.EXE

It then displays the MessageBoxes:
Your computer is now lost to the ages…
WM.BlackDeath
Written on 6/6/1997

Macro.Word.Bishke

Thursday, January 22nd, 2009

Details
Macro.Word.Bishkek

This virus contains four original macros that are copied with different names while infecting documents or NORMAL.DOT:
Documents ¦ NORMAL.DOT
AOSample, AutoOpen ¦ AOSample
FSSample ¦ FSSample, FileSaveAs
FOSample ¦ FOSample, FileOpen
RVSample ¦ RemoveVaccine

The virus infects the global macros area when an infected document is opened (AutoOpen). It infects documents that are opened (FileOpen) or saved with a new name (FileSaveAs).
The virus searches for and deletes macros that belong to the “Concept” macro virus. When templates are saved with a new name, the virus displays a DialogBox. This dialog contains items for selecting the file format in which to save the document (DOT, DOC, TXT). When the “About” button is pressed, the virus displays the text:
Read this information to settle your issue
It is possible to select one of the next Items:
1. “Document Templates(* .dot)”
2. “Word Documents(* .doc)”
3. “Text Files(* .txt)”
Selecting the first Item does not convert your Document to another format
and saves all Macroses there.
Consequently, this Document will keep your own Samles and also will
eradicate the Word infection in the future. That ability to remove such
infection will be spreaded to other computers. Template’s documents alone
are capable to do it!
Selecting the next Items (2,3..) will convert your Template’s Document to
the Simple Format as *.doc or *.txt
In this Case, it is necessary to remember, that any Samples and Macroses
kept by Template’s Document will have been lost!
To remove this Word Vaccine it is necessary to run RemoveVaccine macros
from the ToolsMacro… menu!
RM of the WB, Bishkek, Fax:007(3312)620156, tel. 620157

Macro.Word.Bilb

Thursday, January 22nd, 2009

Details
Macro.Word.Bilbo

This macro virus contains six macros: FileOpen, FileSave, FileExit, AutoOpen, AutoExec, and Bilbo. It infects the documents and global macros area on FileSave and AutoOpen. Starting from the 10th of each month, this virus, on AutoExit, displays a MessageBox with the following text:
Bilbo Baggins was here!

Macro.Word.Berti

Thursday, January 22nd, 2009

Details
Macro.Word.Bertik

This is an encrypted macro virus. It contains four macros that have different names in infected documents and NORMAL.DOT:
Documents ¦ NORMAL.DOT
AutoOpen ¦ YYYAO
XXXAO ¦ AutoOpen
XXXFSA ¦ FileSaveAs
XXXFS ¦ FileSave
PayLoad ¦ PayLoad

The virus infects the system when an infected document is opened (AutoOpen) and writes itself to other documents when they are opened or saved (AutoOpen, FileSave, FileSaveAs).
On each infection the virus copies the WINWORD.HLP file to the TEMPLATES\n.WRD file, where ‘n’ is the infection number. In case of an error the virus displays one of the following MessageBoxes:
DúleOitè upozornini
!!! Tohle zpùsobil virus Bertik.1 !!!
!!! Made by virus Bertik.1 !!!

Macro.Word.Beeper

Wednesday, January 21st, 2009

Details
Macro.Word.Beeper.a

These are encrypted Word macro viruses. They contain six original macros in NORMAL.DOT and infected documents:
“Beeper.a”: AutoExec, AutoClose, AutoOpen, AutoNew, TheTime, Kill
“Beeper.b”: AutoOpen, TFGAMV, AutoExec, AutoNew, AutoClose, Joke

While infecting the global macros area (NORMAL.DOT), “Beeper.b” also creates two additional macros with randomly selected names. These macros contain copies of the TFGAMV and Joke macros.
The viruses infect the global macros area when an infected document is opened. They write themselves to documents when an existing document is opened or a new document is created (AutoOpen, AutoNew).
Beeper.a
It maximizes Word windows and inserts into the current document the text:
You are infected with
The Time
A virus from Cool Zero

The virus does not execute the Kill and TheTime macros, i.e. they can be activated only at the user’s request (through the File/Templates or Tools/Macro menus). When activated, the TheTime macro checks the system time and at 15:59 beeps and displays the MessageBoxes:
Hi I’m the Time virus
I don’t like Your COMMAND.COM and AUTOEXEC.BAT
Play with me !! :-)
You have 1 Minute time to find me
Find me, I do nothing
Find me not
SAY BYE TO YOUR COMMAND.COM AND AUTOEXEC.BAT

The Kill macro at 16:00 deletes the files C:\COMMAND.COM and C:\AUTOEXEC.BAT.
Beeper.b
This virus prints documents on opening them (AutoOpen). At 17:00 it tries (but fails) to create and execute the SMILEY.COM file. This file contains an “intended” DOS virus.

Macro.Word.Bandun

Wednesday, January 21st, 2009

Details
Macro.Word.Bandung

This virus contains the same set of six macros in NORMAL.DOT and infected files:
AutoExec, AutoOpen, FileSave, FileSaveAs, ToolsMacro, ToolsCustomize

The virus infects files that are opened (AutoOpen) or saved (FileSave, FileSaveAs).
This virus is very dangerous. When MS Word starts (macro AutoExec), the virus checks the system date and time. If the day number is 20 or above and the current hour is 11 or above, the virus displays the text:
Reading menu…Please wait !

It then deletes all files in all subdirectories (except \WINDOWS, \WINWORD and \WINWORD6), creates the file C:\PESAN.TXT and writes the following message to it:
Anda rupanya sedang sial, semua file di mesin ini kecuali yang berada
di direktori WINDOWS dan WINWORD telah hilang, jangan kaget, ini bukan
ulah Anda, tapi ini hasil pekerjaan saya…Barang siapa yang berhasil
menemukan cara menangkal virus ini, saya aka” + “n memberi listing
virus ini untuk Anda !!! Dan tentu saja saya akan terus datang kesini
untuk memberi Anda salam dengan virus-virus terbaru dari saya…selamat !
Bandung, , , Jam

Where , , , e.t.c are current date and time.
The virus also disables the Word menus Tools/Macro and Tools/Customize. Its macros contain a destructive routine that never receives control. On access to the Tools/Macro and Tools/Customize menus, that routine displays the MessageBox:
Err@#*(c)
Fail on step 29296

and replaces all “a” characters with “#@” within current document.
Bandung.Rapi
This is a variant of the “Bandung” virus. The file erasing routine is disabled (that code is present as comments). Instead of the C:\PESAN.TXT file, this virus creates the C:\BACALH.TXT file and writes the following text to it:
Assalamualaikum …, maaf @Rapi.Kom mengganggu anda sebentar. Pesan
ini aslinya bernama PESAN.TXT yang muncul di root direktori
setelah anda menjalankan Winword 6.0 yang templatenya (normal.dot)
telah tertulari macro menjijikkan ini. Macro ini (sebelum
@Rapi.Kom modifikasi) berasal dari file data Winword 6.0 (*.doc)
yang telah tertular macro ini. Bila file data tersebut di pangggil
(Open doc), maka macro secara otomatis menjalankan perintah-perintah
macro lain nya, yang antara lain mengcopykan diri ke global
template (normal.dot), juga pada tanggal dan jam tertentu akan
menghapus semua data di direktori tingkat 1, 2 dan 3 (kecuali Hidden
direktori), menjengkelkan bukan ?!. Siapapun pembuatnya pastilah
orang yang sirik !, masih banyak perbuatan baik lain yang bisa
kita kerjakan. … Malang, @Rapi.Kom”

is the same as in case of original “Bandung” virus.
Infected documents and infected NORMAL.DOT contain different sets of macros:
Document ¦ NORMAL.DOT
RpAE ¦ RpAE AutoExec
RpFO ¦ RpFO FileOpen
RpFS ¦ RpFS FileSave
RpTC ¦ RpTC ToolsCustomize
RpTM ¦ RpTM ToolsMacro
RpFSA ¦ RpFSA FileSaveAs
AutoOpen ¦ RpAO

The virus infects files on FileOpen, FileSave and FileSaveAs calls. On FileOpen calls the virus also displays a MessageBox with the text:
@Rapi.Kom
Thank’s for joining with us !

The macros RpTM (ToolsMacro) and RpTC (ToolsCustomize) are corrupted, and accessing the Word menus Tools/Macro and Tools/Customize may halt the system.

