%%File: VIRS0848.TXT
%%Name/Aliases: Hot, Winword Hot, Wordmacro/Hot, macro
%%Platform: Win, Win NT, Mac
%%Type: Macro.
%%Disk Location: Microsoft Word document.
%%Features: Direct acting.
%%Damage: Deletes Word documents as they are opened
%%Size: Adds Macros to Word document files
%%See Also: WordMacro.Nuclear, Concept, FormatC, Colors, DMV, Hot, Imposter, Irish, Infezione, Wazzu, Atom, Xenixos, Polite, Boom, Friendly, NOP, Pheew, Lbynj
%%Notes:
Wordmacro/Hot is a destructive Word macro virus. Like other Word macro viruses, it attaches itself by adding macros to documents and to the "normal.dot" global macro file. New documents are infected when they are saved.

After about 14 days, the virus deletes the contents of any document as you open it and then saves the document, which effectively wipes it out. It is unlikely that you will be able to recover the contents of a file deleted in this way unless you have Make Backup turned on. Don't start opening the backup copies before cleaning the virus, because it will clear the contents of every document you open while it is active.

An infected document contains the following macros:

    AutoOpen
    DrawBringInFrOut
    InsertPBreak
    ToolsRepaginat

When the virus infects the Word program, these macros are copied to "normal.dot" and renamed, in the same order, to:

    StartOfDoc
    AutoOpen
    InsertPageBreak
    FileSave

The virus adds the item "OLHot=nnnnn" to the winword.ini file, where nnnnn is a date 14 days in the future. The virus uses this date to determine when it is going to trigger.

The virus also checks for the existence of the file "c:\dos\ega5.cpi" and does not infect a machine if the file exists. This was apparently a feature to protect the virus writer.

The HOT virus makes calls to external functions in the Windows API. Because of this, it is specific to Windows 3.1 and will not work on Win 95 or the Macintosh. On the Mac, it causes a macro error and does not infect Normal.
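
Added example, not part of the original entry: a small triage check for the indicators listed above (the two sets of four macro names and the OLHot= entry in winword.ini). It assumes the macro names have already been extracted by another tool and that the caller supplies the text of winword.ini; the function names and sample data are constructed for illustration.

```python
# Added example: triage for the Wordmacro/Hot indicators listed in this entry.
# Assumed inputs: macro names extracted by another tool, winword.ini as text.

DOC_MACROS = {"autoopen", "drawbringinfrout", "insertpbreak", "toolsrepaginat"}
GLOBAL_MACROS = {"startofdoc", "autoopen", "insertpagebreak", "filesave"}


def find_olhot(ini_text):
    """Return the value of an OLHot= entry in winword.ini text, or None."""
    for raw in ini_text.splitlines():
        line = raw.strip()
        if line.startswith((";", "[")) or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "olhot":
            return value.strip()
    return None


def match_macros(names, signature):
    """True only when every macro of the signature is present.

    Single names such as AutoOpen or FileSave also occur in clean
    templates, so a partial match is not treated as a hit.
    """
    present = {n.strip().lower() for n in names}
    return signature <= present


def triage(doc_macros=(), global_macros=(), ini_text=""):
    """Collect findings for one machine or one document."""
    findings = []
    if match_macros(doc_macros, DOC_MACROS):
        findings.append("document carries the four Hot macros")
    if match_macros(global_macros, GLOBAL_MACROS):
        findings.append("normal.dot carries the four renamed Hot macros")
    marker = find_olhot(ini_text)
    if marker is not None:
        findings.append("winword.ini has OLHot=" + marker)
    return findings


# Constructed sample data, not taken from a real infection.
SAMPLE_INI = "[Microsoft Word]\nUSER-DOT-PATH=C:\\WINWORD\nOLHot=35000\n"
SAMPLE_GLOBAL = ["StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"]

if __name__ == "__main__":
    for finding in triage(global_macros=SAMPLE_GLOBAL, ini_text=SAMPLE_INI):
        print(finding)
```

The OLHot value is reported as found rather than decoded, since the entry does not describe the date format.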

Removal:
Mac: SAM 4.0.8 does not detect this virus. The April 96 release of SAM is supposed to add detection and removal of HOT.
PC: F-PROT 2.22 detects