What is a Macro Virus

Macro Viruses in Microsoft Word and Excel
There are many types of "Macro" viruses. The two applications that we have the most problems are Microsoft Word and Microsoft Excel.

General Information on Macro Viruses What are Macros?
What are Macro Viruses?
What applications can Macro Viruses infect?
Can Macro Viruses be spread across platforms?
Macro Viruses in Microsoft Word
Templates
Activation
Automacros
System Macros
Language Dependence
Custom Macro Assignment
Execute-Only Macros Option
Macro Virus Stealth Characteristics
Changes: Word 6 & 7 to Word97
Macro Viruses in Microsoft Excel
Workbooks
Personal.XLS
Activation
Changes: Excel 6 & 7 to Excel97
How to Repair Macro Virus Damages
How to Prevent Macro Virus Infections in Microsoft Word
General Information on Macro Viruses
What are Macros?

Macros can be used in applications such as Word or Excel to automate complex or repetitive tasks. Once written, macros are assigned a keystroke combination, toolbar button or menu item which will activate the macro.

Macros are saved as a series of instructions in a language such as Visual Basic. Once recorded, the user can edit the macro or even add sophisticated instructions that are not normally recordable. This gives the knowledgeable user the capability to not only automate functions within the application, but to perform system functions such as deleting, renaming, or setting file attributes.

What are Macro Viruses?

A Macro Virus uses the application's built-in power and functionality to replicate and spread. When a user receives and opens a file containing a viral macro, the viral macro will be either automatically run by opening the document or will be executed by the user by a certain key combination, a menu command, a toolbar button, etc. The viral macro will copy itself, the method depending on which application the viral macro is written for. The Macro Virus will then be present in files that the user opens, and can spread through various distribution methods.

Some dangerous things a Macro Virus can do besides simply spreading might be to delete/change document contents, change settings in the Word environment, set a password, delete files, copy a DOS Virus to the user's system or insert harmful lines into the config.sys or autoexec.bat files.

What applications can Macro Viruses infect?

Theoretically, a Macro Viruses can be written for any application that stores a macro in a form that can be opened and edited using a language such as WordBasic or Visual Basic. In practice, most discovered Macro Viruses are predominantly written for Microsoft Word and Excel.

Microsoft Word v.6, 7: High Risk for Macro Virus infection.

Microsoft Word97: Moderate to High Risk at present, but number of Macro Viruses will increase.

Microsoft Excel v.6, 7, 97: Moderate to High Risk for Macro Virus infection.

Microsoft PowerPoint v.6, 7, 97: Minimal Risk at present, but risk will increase.

Microsoft Access v.6, 7, 97: Minimal Risk at present, but risk will increase.

Lotus 1-2-3: Recent Versions: Minimal Risk, no known Macro Viruses exist "in the wild."

WordPerfect Recent Versions: Minimal Risk, no known Macro Viruses exist "in the wild."

Ami-Pro Recent Versions: Minimal Risk, no known Macro Viruses exist "in the wild."(A virus called "GreenStripe" exists and is designed to spread in Ami-Pro, but it has not been found "in the wild."

Can Macro Viruses be spread across platforms?

Macro Viruses can potentially spread across different platforms, such as PC-to-Mac. Macro Viruses exist and spread within the application environment, which for macros is common among the different platform versions. Some Macro Viruses that try to do damage to a part of the user's system outside of Word will not be able to do that damage on a different machine platform. For example, a Macro Virus that tries to edit the user's Config.sys file on a PC is going to have a hard time doing the same thing on a Mac, which has no Config.sys file. So a Macro Virus that spreads and does damage on one machine could spread to another type of machine and replicate but do no damage. It is possible for a Macro Virus to figure out what kind of system its running on, and change its behavior accordingly, but this is not common.

Macro Viruses in Microsoft Word

Templates

When a user records a macro and then saves it, it is stored in the template that the user has applied. If the user doesn't specify a template, then macros are saved in Normal.dot , the default template. Macros that are saved in Normal.dot are available for the user to use in any document the user has open, even if the user has applied another template. For this reason, Normal.dot is also called the Global Template.

For a Word Macro Virus to function, it generally copies itself into the user's Global Template, and once there it will always be ready to perform its task, and spread itself to whatever documents the user opens. The virus can also save itself to a template in the Startup folder that Word checks on start-up. Any templates in the Startup folder will have their Macros loaded as global macros before the Global Template's macros are loaded. In Word 6 & 7, macros are only allowed to be saved in a template. Therefore, in order for a macro virus to be able to copy itself to a file a virus must change the file type to a template. The next time the user opens an infected document (now converted to a template) Word will notice the file type "template," (the file extension may still be DOC) and only allow the user to SAVE the file AS a template with an DOT extension into the User Template Directory. Word 6 will also disable the user's option to change the directory in which a file is stored, if that file has been converted to a template.

Activation

Any number of means can activate macro Viruses. If a user receives an infected file and opens it, the Macro Virus can and will eventually be activated by the user's actions, depending on how the virus writer has written it. The Macro Virus might have a function so that it might not do anything yet, but may only activate after repeated use of a key combination or command.

Automacros

Automacros are macros that will be executed when the user executes a specific type of command. For example, the Automacro "AutoOpen", if it is present in the Global Template or in the infected file that the user has just opened, will execute when the user opens a file. It is common for many Word Macro Viruses to save copies of themselves as Automacros and they are then activated whenever the user, for example, opens a document or performs some other task that will execute an Automacro.

If an uninfected user has the Automacros disabled, it is impossible for him to be infected through an Automacro alone, but he can be infected through other forms of viral macros.

These are the five Automacros that can exist in Word:

Macro name When it activates

AutoExec

When you open Word or load a global template

AutoNew

Every time you create a new document

AutoOpen

Every time you open an existing document

AutoClose

Every time you close a document

AutoExit

When you exit Word or unload a global template

System Macros

These are macros that are executed when the user performs a predefined word command such as saving a file. For example, if there is a macro present in the Active or Global Template called "FileSave" this will be executed whenever a user uses the built in FileSave command by using Menu|File|Save, by clicking the save button, or by using the keyboard command "Control-S." A Macro Virus with this name will execute whatever instructions it contains on activation. For example, the FileSave macro could go out and perform any sort of mischief, and then as its last task save the file so as to trick the user into believing that it was behaving normally. System macros can also be used to hide commands or to trick the user by displaying a false dialogue box, etc. (See also STEALTH CHARACTERISTICS)

Language Dependence

When a Macro Virus is said to be language dependent, this means that it can only spread in a limited number of language forms of Word. For example, a language dependent Macro Virus written for the German language version of Word will spread only in the German language version. Most of the Macro Viruses that exist are language dependent, but it is possible to write a virus that spreads in multiple language versions. Language Dependence exists largely because all of the System Macros have different names in the different languages, and many Macro Viruses use System Macros to function properly. Automacro names are the same in all language versions, and therefore Automacro-based Macro Viruses are at least potentially language independent.

Custom Macro Assignment

These are macros that are defined by the user, and have unique names. An example might be one that a user made up to insert his or her name and title at the end of a letter. These can be activated by a keyboard shortcut (such as simply pressing the space bar), by a custom toolbar button, or by a custom menu item. Macro Viruses use custom macros to help hide themselves, because it is obvious that system or automacros that suddenly appear might contain a virus, and would alert someone who is used to looking for these kinds of macros.

Any one of the above types or any combination of them can be used to spread a Macro Virus.

Execute-Only Macros Option

A Macro Virus writer can save his macro in a form known as Execute-Only which means that it cannot be edited, as that would reveal the viral code within the macro. The user will notice that in Tools|Macro|Macros, the option "edit" is grayed out when an execute-only macro is selected.

Macro Virus Stealth Characteristics

A Macro Virus can be called stealthy when it tries to trick the user into believing it is not present, or makes changes in Word in order to protect itself from being deleted.

If the user believes he has a virus, he can use the Tools|Macro command in the menu to see what macros are present in the system, and the viral macros would be revealed. One not so subtle stealth technique would be to simply delete the command from the menu and therefore make it hidden and unusable.

A Macro Virus could also simply hide the functions of the Tools|Macro command by making nothing happen when the user selects it. With a macro, the virus writer can make custom dialogue boxes and can use this to trick the user. For example a Macro Virus could make a custom dialogue box appear when the user selects Tools|Macro that makes it appear that there are no strange macros present.

NOTE: If the user notices strange behavior while trying to use a familiar command like Tools|Macro, the user should not keep trying to use the command. There could be chance that repeated attempts that could activate a damaging payload.

Changes: Word 6 & 7 to Word97 Word version '97 uses a different Macro Language. Versions 6 & 7 use WordBasic and Word97 uses Visual Basic 5. When you open an Word 6 or 7 document in Word '97, any Word 6 or 7 macros contained will be converted from WordBasic to Visual Basic. It is possible that a Macro Virus can still work after the conversion from Word 6 & 7 to Word97, but in some cases this damages the Macro Virus's ability to infect and replicate.

A virus check is now included in the Word97 release which will checks for viruses during the conversion process and stops some Concept, Wazzu, MDMA?NPAD? variants at the time this document was written (April 1997). Once converted with the to Word97/VisualBasic 5 format, the virus will never again be checked by the Word conversion feature and could continue to spread. Some viruses, which lose their ability to spread after the conversion, may still be able to activate and perform their payload.

As more users switch to Word97, viruses specifically written to work in Word97 will become more common. Because VisualBasic is a much more powerful language than WordBasic, these new Macro Virus forms can and probably will be more complex and potentially more dangerous than the common Word 6 & 7 Macro Viruses.



Macro Viruses in Microsoft Excel
Workbooks

Excel's method of storing macros is different than that of Word. Excel stores macros in an Excel Workbook (*.xls) file. In order to be loaded globally, the Excel file containing the macro must be located in Excel's designated start up directory (this directory is usually called "XLStart").

Personal.XLS

If a user records a macro and specifies that he/she wishes to save it for global use, by default Excel creates a file called "Personal.xls" in the XLStart directory and saves the macro there. The Personal.xls file is sometimes targeted by Macro Viruses for replication. Macro Viruses can also simply copy themselves to any Excel files in the XLStart directory or create a file there, as all the files in this directory will have their macros loaded globally.

Activation

Like Macro Viruses in Word, Macro Viruses in Excel typically use Automacros to replicate and/or activate. The most commonly used Automacros are AutoOpen and AutoClose, which activate when a user opens or closes a spreadsheet. Automacros can also be assigned to activate when a user activates a specific sheet by selecting it, or deactivates a sheet by selecting another. Other custom macros could also be activated by keystrokes.

Changes: Excel 5 & 7 to Excel97

Microsoft Excel versions 5 & 7 use Visual Basic 4 as their Macro language, and Excel97 uses Visual Basic 5. Macro Viruses present in a file created with version 5 or 7 will have their macros converted to Visual Basic 5 format, and will almost always work after the conversion.

NOTE: It is impossible for existing viruses today to switch from Word 6 & 7 to Excel 5 & 7 and vice-versa, because of the fact that they use different macro languages.



How to Repair Macro Virus Damages
PROBLEM: When saving my work, I can't change the file type from "Document Template" to "Word Document."

Non Infection Explanation A

Inadvertently, a Word document has been opened or created as a template file. Unfortunately, you cannot change the file type of a template. To save your work as a Word document instead of a template, do the following procedure:

On the File menu, click New, and then click the template on which you want to base the new document (Normal.dot).

Click Document, and then click OK.

Copy or Cut/ Paste all of your work from the original file to the new document.

Save the new document, making sure that you click Word Document in the Save As Type box in the Save As dialog box.

NOTE: If your original file contains macros, AutoText entries, custom toolbars, menu settings, and shortcut keys and you wish the document to have the same capabilities, you will need to copy these items to the template on which you based the document.

Possible Infection - Explanation B: If your Word environment is infected by a macro virus, you will notice the above mentioned symptom. If you have deleted all viral macros using Tools | Macro | Delete you still may not be able to save your "cleaned" document as a Word Document(*.doc). We DO NOT recommend this removal method by hand. This is because a macro virus may re-infected your environment from another document you open or may activate when you click on Tools | Macro .

SOLUTION: (provided by McAfee) 1. Use VirusScan to scan all WORD documents on your system. You can quickly and automatically examine all your files, followed by reliable virus removal. Please be sure that you are running the most current version of Scan with the most recent DAT files. 2. If you have already removed a macro virus by hand: McAfee AVResearch provides a tool, which guides you through the process of resetting a template.

PROBLEM: While loading your document Word requires a password OR you are unable tomake changes in your document.

Non-Infection Explanation A

Word provides several ways to restrict changes to a document:

You may do the following: You can assign a protection password, which prevents unauthorized users from opening the document... Or assign a password when you route a document for review, which prevents any changes except for annotations and marked revisions. Finally, you may assign a password when you use form fields to create a form, which prevents others from changing the sections you specify.

Possible Infection Explanation B Some macro viruses now are capable of setting passwords as part of their infection. For example, using your Save As function might cause a virus to set a password. You may be infected by a macro virus if you notice one of these following symptoms: - Protection password prompt before the document gets loaded - Tools|Unprotect Document menu entry appears - Changes in the document are not allowed to be saved under the same filename

SOLUTION: (provided by McAfee)

Use VirusScan to scan all WORD documents on your system.

You will need the exact password (case sensitive) used by the virus. Our tool will only work for one specific password.. You will need to get the password from our website within the Virus Information Library under the macro virus which you are infected with. If you can not obtain the password please contact virus_research@cc.mcafee.com.

McAfee AVResearch provides a tool, which guides you through the process of cleaning out a password without activating the virus.

PROBLEM: "After cleaning a macro virus I still can't see a Word menu entry, which was deleted by the virus during infection."

Possible Infection Explanation

A macro virus to avoid its detection may have deleted some Word menu entries by a user. These side effects need to be restored by the user.

SOLUTION:

If you have no private menu customization use VIEW|TOOLBARS...|CUSTOMIZE... or TOOLS|CUSTOMIZE... , activate the Menus tab and click on the Reset All button. This will restore the default menu system of MS Word.



How to Prevent Macro Virus Infections in Microsoft Word
Mark NORMAL.DOT as read-only. This generally prevents NORMAL.DOT from infection.

Continue to frequently scan all documents using VirusScan or better use Vhield's On-Access-Scan feature.

Use Word 7.0a or Word97 from Microsoft.These versions present an Alert box when the file, you are going to open, contains MACROS *OR* CUSTOMIZATION (f.i. also for a customized toolbar button). You also have the opportunity to disable unknown macros.

NOTE:Viruses or users can turn off this feature.

 
                                                                                                                     
Home