Thoughtful, detailed coverage of the Mac, iPhone, and iPad, plus the best-selling Take Control ebooks.

Cross-Platform Virus Strikes Word Users

Though the possibility of a cross-platform virus moving as interpreted commands in data documents has been considered by computer experts, none had been seen in the user community until this month's discovery that a new virus was spreading within document macros interpreted by Microsoft's WordBasic macro language. The virus, dubbed "Word-Macro-9508" by the Macintosh antivirus community, can spread on any computer system using a version of Microsoft Word 6.0.

So far the virus has been seen mostly on DOS, Windows, and OS/2 computers running Word 6, in various locations in North America and Europe. It has been referred to as "WinWord.Concept", "WW6", and "WW6Macro" in the Windows community, though it is by no means restricted to the Windows version of Word 6. Microsoft's name for the virus is "Prank Macro". The code can be spread merely by opening an infected Word document - even one that has been transferred from a different operating system - since Word's macros are stored as data and are automatically recognized by any current version of the application.

The virus adds several new macros to Word's global macro pool, named "AAAZA0", "AAAZFS", "Payload", and "FileSaveAs". This last activates the virus in an infected file when the user chooses Save As from the File menu. The altered macros are then saved with the file. If the virus has infected your Word documents, you may see an alert window with the digit "1" in it when the virus is triggered, or you may notice that infected Word files are saved as templates rather than normal documents.

IBM has gathered a fair amount of information on the virus and how to combat it, and published it at:

Microsoft has released tools to combat the virus, obtainable on the Internet. As of this writing, Microsoft's fix renames the virus rather than removing it, and there have been reports that a supplied file system scan function may not find all infected files on a Macintosh. mw1222.hqx mw1222.hqx

[Note that Microsoft still isn't posting BinHex files correctly and this file must be downloaded in binary mode. Try using Netscape, which downloads most everything in binary, or Fetch, which has a Binary button that forces a binary download. Otherwise, configure your FTP client to treat the file suffix ".hqx" as a binary file, and be sure to change the setting back when you're done. -Geoff]

Datawatch Corporation has released an update (version 5.6.1) of its commercial Virex utility for Macintosh, available on commercial online services and at:

No updates are currently planned for the other Macintosh antiviral utilities; most do not attempt to address viruses that don't take a machine-code form.

Since Mac versions of Microsoft Word prior to 6.0 don't incorporate WordBasic, and since even on newer versions these macros are easily spotted and removed, users need not panic about this virus.

Information from:
Gene Spafford


READERS LIKE YOU! Support TidBITS by becoming a member today!
Check out the perks at <>
Special thanks to Charles Stableford, Catherine Franklin, Mike Kelly,
and Susan Joseph for their generous support!