These viruses use several of the features of the MS Word "environment" to auto-execute viral macro code. Once an infected document is opened and the virus launched, generally, the virus will infect the user’s NORMAL.DOT template. This template is the basis for the majority of other documents and templates and is globally available to all other MS Word templates on the system. Once entrenched in the NORMAL.DOT file, the virus will spread to all other documents and templates as they are opened. Note that, by default, the NORMAL.DOT template is the first document opened when you launch MS Word without specifying a different document on the command line. This will immediately put the virus in control every time you launch MS Word.
The default NAV settings do not check non-binary files. In order for NAV to detect these viruses, you must have the external detection file (VIRSPWD.DAT) in your NAV directory and you must set your scanning options to scan "All Files." For more information on setting this option, see Chapter 8 "Customizing Virus Checking" of your User’s Guide. With that in place, scan your system as usual. The VIRSP*.DAT files are only effective when using the DOS NAV scanners and NAVBOOT.EXE for Windows 95 (they will not work within Windows).
The first stage of infection that the user will see is a dialog box displaying the number "1" and an OK button. Once the OK button is pressed by the user, the virus gains control. The virus replaces the File, Save As... function with its own, which forces the user to save all documents as new templates. In addition, without notice, the virus will take the contents of the AAAZAO macro and place it in another macro called AutoOpen in the new templates and copy the AAAZFS, AAAZAO and PayLoad macros to the new file. The AutoOpen macro is automatically started each time a template is opened. Thus, the virus replicates to the new documents.
Other than the number "1" displayed during initial residency, there is no message displayed. However, a message is contained in the PayLoad macro:
That’s enough to prove my point
When an infected host document or template is opened, the virus is launched from the AutoOpen macro automatically by MS Word. The virus checks for the presence of a macro named "AutoExec." If found, the virus aborts the infection process, otherwise it copies all of the viral macros to the global template. Immediately after copying the macros, if the date is April 5th of any year, WinWord.Nuclear checks for the presence of and then clears all attributes except the System attribute on C:\IO.SYS, C:\MSDOS.SYS and C:\COMMAND.COM. Then it deletes C:\COMMAND.COM.
Another means of infection is when the user attempts to save a document with the Save As... function. As with the other infection routines, it copies all of the viral macros to the global template as the file is saved.
The third infection macro, AutoExec, is automatically launched when MS Word is first executed. Here again the macro checks for the presence of a macro named "AutoExec." If found, the virus aborts the infection process, otherwise it copies all of the viral macros to the global template. Following the infection check, the virus polls the system time. If the time is between 5:00pm and 5:59pm (inclusive) on any day, the macro uses an elaborate DEBUG routine to drop a binary virus to the C:\DOS directory. Once the binary virus is in memory and infectious, the macro removes any trace of the dropping and infection routines.
The Ph33r virus dropped by WinWord.Nulcear is a fully replicating virus unto itself. Once dropped and launched it will infect both .COM and .EXE files. In addition, it can infect Windows executables as well as standard DOS executables.
The message carried by the virus is displayed only when printing, and then only in the last 4 seconds of any minute (if the time in seconds is 56, 57, 58 or 59). When printing any infected Word file during that time bracket, the macro virus will insert a message on the last page which is printed along with the rest of the document:
And finally I would like to say:
STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!