November 5, 1999 Web posted at: 9:52 a.m. EST (1452 GMT) by Matthew Nelson

From...

(IDG) -- A new macro-based virus has been discovered, and is being described as the virus "that will not die until you put a stake in its heart" by anti-virus vendor Aladdin Knowledge Systems.

The latest macro virus to strike is a Microsoft Word 97 Macro virus called W97M.BMH, or simply BMH, which infects the global template or normal.dot of Word 97 and will infect every document opened or created on the infected system. This new virus is unique in that it not only infects the normal template but it creates a special file called SNrml.dot in the \Office\STARTUP directory.

While macro viruses are fairly easy to create and more and more common, this one is different because the normal procedure for removing such viruses, cleaning the normal.dot file, does not work with BMH. This is because the virus continues to infect the system from the special SNrml.dot file, according to Eric Vasbinder, product marketing manager for Aladdin.

MORE COMPUTING INTELLIGENCE
	IDG.net home page
InfoWorld home page
Top 10 antivirus tools
Are viruses Y2K compliant?
Let your ISP scan for viruses
Reviews & in-depth info at IDG.net
IDG.net's personal news page
Year 2000 World
Questions about computers? Let IDG.net's editors help you
Subscribe to IDG.net's free daily newsletter for IT leaders
Search IDG.net in 12 languages
News Radio
	Fusion audio primers
	Computerworld Minute

"It won't die, it's the undead virus," Vasbinder said. "Most macro viruses tend to infect the normal.doc template only, but the BMH virus is unique in that it creates another .dot template and it saves it in the office start up directory."

"As a result of that, even if you remove the virus from the normal.dot, it will come back. Every file that it's in the Office start up directory will be executed when Word starts up," Vasbinder added. "It will start up and reinfect the system once again."

To remove the virus, it is necessary to remove both .dot files, Vasbinder said.

Once the virus infects a system it will also set the macro virus warning system within Office to the lowest setting, enabling future virus infections. It will also alter the Word application so that when users try to activate features, a picture will be shown instead.

"It prevents you from performing certain actions in Word. It will modify the word configuration files, so that certain menu options inside word are unavailable," Vasbinder said. "It will instead of activating that option, it will display a picture instead."

No information was available regarding which functions were affected or what the picture was of, however.

An Aladdin eSafe anti-virus user in the United States discovered the virus this week using the products "Macro Terminator" technology, which scans for unauthorized macro file actions, according to the company. Anti-virus users with heuristic scanning as part of their system will most likely already be protected, according to Aladdin, but users should always update their DAT files frequently.