Detect Date 01/11/2002
Class Virus
Platform MSWord

Technical Details

This virus uses an uncommon way of spreading. Instead of copying its macro program to the macro area in victim documents, it just writes to documents a reference to a template (attached template) which contains virus macros. MS Word97 when opening a such document detects the reference to the attached template, opens it and executes its macros. The virus macro gets control and runs infected procedure. As a result the infected documents have no macro code, but on their opening the virus macro code is loaded by Word97 and executed.

In the known versions of this virus the reference to attached template points to a file on a remote Internet site (virus-writers Web site). As a result, MS Word97 on opening an affected document downloads and processes the template that is placed in the Internet zone. Because of that virus author(s) are able to “upgrade” virus code by replacing the template on their Web site.

This way of spreading allows the virus to bypass the anti-virus protection (VirusWarning) in old versions of MS Word97. These Word97 versions have a security breach: the anti-virus protection is not activated by Word97 to scan attached templates for macro code. This bug in MS Word97 was fixed in the beginning of 1999.

The virus contains the comments:

Active Template Update

Find out the statistics of the threats spreading in your region