Type Macro virus
Date Discovered 2002.06.13
Place of Origin
Source Language
Platform Microsoft Word
Infection Length
Reported Costs

Iron, also known as Nori, is a Word macro virus. This virus contains a malicious payload that can either delete text from a Word document or erase the entire hard drive.

Table of Contents


When a Word document infected with Iron is executed, it creates a file called Iron.tmp at the root of the C: drive. It uses this file to infect the NORMAL.DOT template and any active documents. Any new documents using the Normal template or documents created while an infected file is open. The virus disables the following settings to help its spreading:

  • Macro virus protection (VirusProtection)
  • The prompt to confirm conversion when opening a document (ConfirmConversion)
  • The prompt to confirm saving of the global template, (SaveNormalPrompt)

It has two malicious payloads and one or the other will activate on April 1. It will delete all text in an active document, unless it finds a registry key setting the local machine's registered organization to "IRON". In this case, it erases all files and folders on drive C:.


Iron has going from Iron.A to at least Iron.G.


VS Antivirus, W97M/Nori.A

Atli Gudmundsson., W97M.Nori.A. 2007.02.13

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License