     WinWord.Nuclear
   
     The WinWord.Nuclear virus infects Microsoft Word documents as well
     as, through a dropped virus, COM, EXE and NewEXE (Windows) files.
     
     In documents, the virus takes the form of encrypted macros. It can
     drop the COM/EXE/NewEXE virus.
     
     Once dropped, the COM/EXE/NewEXE virus stays memory resident and
     hits executable files, but it cannot hit Microsoft Word documents.
     
     The macro-virus consists of the following macros:

 AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault,
 InsertPayload, Payload, DropSuriv, FileExit

     During installation these macros are copied into the Global Macros
     area.
     
     All these macros call the "DropSuriv" macro, which checks the system
     time and drops the COM/EXE/NewEXE virus if the time is between 17:00
     and 18:00. To drop it, the virus uses the DEBUG utility.
     
     First, the virus checks for C:\DOS\DEBUG.EXE. If it finds this file,
     the virus creates a temporary file named PH33R.SCR in the C:\DOS
     directory and writes a hex dump of the COM/EXE/NewEXE virus and
     DEBUG commands into it. Then the virus creates the temporary file
     EXEC_PH.BAT with the following strings inside:

 @echo off
 debug  nul

     and executes it.
     As a result, the DEBUG utility creates a copy of the
     COM/EXE/NewEXE virus (in memory) and executes it. This virus hooks
     INT 21h and writes itself at the end of COM/EXE/NewEXE files on
     file opening, execution, renaming and changing of file attributes.
     
     The BAT file is executed in the background, so the user does not
     know that there are two(!) viruses on his PC.
     
     Then, the virus deletes the temporary PH33R.SCR and EXEC_PH.BAT
     files.
     
     When printing documents, the virus appends the following text to
     approximately every 12th file (if the seconds are 55 or more):

 And finally I would like to say:
 STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

     These strings are appended to the document immediately before
     printing, so the user does not see them (often documents occupy more
     than one screen). This is a very curious effect, especially when
     sending documents via fax.
     
     On the 5th of April the virus erases the IO.SYS and COMMAND.COM files.
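
     A triage helper built from the indicators described above, as an
     added example that is not part of the original description. The
     function names, the "partial" verdict rule, the reading of the drop
     window as 17:00:00-17:59:59, and applying the April 5 check to any
     macro run are assumptions of this example.

```python
from datetime import datetime
from pathlib import Path

# Macro names listed in the description; compared case-insensitively here
# (a choice of this example).
NUCLEAR_MACROS = {"autoexec", "autoopen", "filesaveas", "fileprint",
                  "fileprintdefault", "insertpayload", "payload",
                  "dropsuriv", "fileexit"}
# Names an ordinary template is unlikely to carry (assumption of this example).
DISTINCTIVE = {"dropsuriv", "insertpayload"}
# Temporary files the description says are created and then deleted.
TEMP_FILES = {"ph33r.scr", "exec_ph.bat"}


def match_macros(names):
    """Return (verdict, matched) for macro names listed from a template."""
    found = {n.strip().lower() for n in names} & NUCLEAR_MACROS
    if found == NUCLEAR_MACROS:
        verdict = "full"
    elif found & DISTINCTIVE:
        verdict = "partial"
    else:
        verdict = "none"  # AutoOpen or FileSaveAs alone are common names
    return verdict, sorted(found)


def leftover_temp_files(root):
    """Find the temporary files under root. They are normally deleted,
    so a hit points to a drop that was interrupted before cleanup."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.name.lower() in TEMP_FILES)


def triggers(action, when):
    """Which described behaviours a macro run at `when` would have reached.
    The drop additionally requires C:\\DOS\\DEBUG.EXE to exist."""
    hits = []
    if when.hour == 17:  # assumed reading of "17:00 / 18:00"
        hits.append("drop")
    if action == "print" and when.second >= 55:
        hits.append("print-text")
    if (when.month, when.day) == (4, 5):
        hits.append("erase-system-files")
    return hits
```

     Feeding it the timestamps of document opens and prints from a
     timeline shows which of the described behaviours could have fired.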
     
     
     There are some text strings in the COM/EXE/NewEXE part of this virus:

 =Ph33r=
 Qark/VLAD

   
     © Copyright 1995 Eugene V. Kaspersky - All Rights reserved.
     GV140995
