Stay protected from the "Wanna DecryptOr" ransomware outbreak.     Learn More

Sophos discovers first PowerPoint virus

December 16, 1998 Sophos Press Release

The last major component of Microsoft Office 97 to have escaped the activities of virus writers has now fallen victim to attack. On 10 December 1998, Sophos received a copy of PM97/Vic.a (aka PM97/Attach), which uses VBA5 and UserForms to infect PowerPoint files.

PM97/Vic.A executes when a Custom Dialog Box is activated. The virus looks in the directory C:\My Documents and opens up every file with the extension PPT. If the PPT file has a UserForm, the virus checks to see if the first line of its own code is present (i.e. if the PPT file has already been infected by PM97/Vic.A). If it is, the virus does not continue to execute. Otherwise, it inserts itself as the first 27 lines of code. If the document has multiple UserForms, PM97/Vic.A will infect each Form separately.

If PM97/Vic.A does activate, it is very obvious to the user. The computer screen flashes and PowerPoint claims to be opening many files.

PM97/Vic.A is important because it is the first PowerPoint virus and it will act as an example for future viruses. However, the likelihood of actual real world infections is slim for the following reasons: first, the C:\My Documents directory is hard coded in the virus, and in most situations this is not an area where users store PPT files - it is far more likely that they will be stored on a network share instead; second, in Sophos's experience only a small number of PowerPoint files contain UserForms; and third, the virus writer's website was closed very soon after the virus was posted there and consequently PM97/Vic.A has had only a very limited distribution.

Background to Office infectors

Microsoft Word was the first Office platform to fall victim to virus writers, with the first widespread macro virus, Winword/Concept, appearing in August 1995. The first Excel virus was Excel/Laroux, which appeared in the wild in February 1997. AM97/AccessiV, which attacks the macros and modules of the Access database, appeared in March 1998.