A Brief Summary of WordMacro Viruses

By Chris Stubbs (c.stubbs@bc.sympatico.ca)

1. About Macro Viruses

A macro is a sequence of keystrokes or commands used to automate repetitive tasks. Today's macro languages are very powerful and can be used to write a virus that can be just as dangerous as other types of viruses. Since they work in Word, they can be worse than other kinds of viruses by doing nasty things like putting passwords on documents or adding offensive messages to printouts. Any menu item in Word could be a trigger for the destructive payload. A lot of viruses use ToolsMacro as a trigger, so don't use ToolsMacro if you suspect a virus infection. In fact, many macro viruses aren't visible in the Tools/Macro window. Cleaning macro viruses manually is tedious at best and dangerous at worst.

Word has some special macro names that are run at certain times. For example, a macro virus in AutoOpen would be run when you open a document and can copy itself when you open another document. There are many other ways a macro virus can spread from one document to another.

When the virus is in NORMAL.DOT, reinstalling Word won't remove it. Deleting the NORMAL.DOT file won't remove the virus either, because NORMAL.DOT will just become reinfected when one of the infected documents is opened. Also, not all macro viruses infect NORMAL.DOT.

A document usually cannot contain macros, but a template can, so the Word virus usually needs to change the document so it is a template. This means you might only be able to save it to the template directory, which is where you should look for any missing documents. In Word 97, a document doesn't need to be saved as a template to contain a macro virus. Upconverted and poorly written macro viruses will still save documents as templates.

Most of today's Word macro viruses use a temporary file to copy their code to other documents. This temporary file is usually in C:\ and has a SYS extension, but it is not really a system file. You should delete the file that is detected but you'll still have to remove the macro virus that created this file.
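
The temporary-file behaviour described above can be triaged with a short read-only script. This is an added example, not code from the original article; it assumes the dropped file holds macro source as plain text, and the function names and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Word's automatic macro names (AutoOpen is the article's example).
AUTO_MACROS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit")

# Assumption: the dropped file is plain-text macro source, so it carries
# source markers that a binary driver or CONFIG.SYS would not.
SOURCE_MARKER = re.compile(
    rb"Attribute\s+VB_Name|^\s*(?:Private\s+|Public\s+)?Sub\s+\w+", re.I | re.M)


def mostly_text(data, threshold=0.95):
    """True when nearly all bytes are printable ASCII or whitespace."""
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return bool(data) and printable / len(data) >= threshold


def triage_sys_files(root, max_bytes=1 << 20):
    """List top-level *.SYS files holding macro source text (read-only)."""
    hits = []
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if not name.lower().endswith(".sys") or not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read(max_bytes)
        if mostly_text(data) and SOURCE_MARKER.search(data):
            low = data.lower()
            hits.append((name, [m for m in AUTO_MACROS if m.lower().encode() in low]))
    return hits


def demo():
    samples = {  # every file below is constructed for this example
        "CONFIG.SYS": b"DEVICE=C:\\DOS\\HIMEM.SYS\r\nFILES=40\r\n",
        "DRIVER.SYS": b"\xff\xff\xff\xff\x00\x80" + bytes(range(256)),
        "SAMPLE.SYS": b'Attribute VB_Name = "Module1"\r\n'
                      b"Sub AutoOpen()\r\n    ' body omitted\r\nEnd Sub\r\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return triage_sys_files(root)


if __name__ == "__main__":
    print(demo())  # [('SAMPLE.SYS', ['AutoOpen'])]
```

A hit only marks the file for review; as the paragraph above says, the macro virus that created it still has to be removed from the infected documents and templates.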

2. Why not to use MVTOOL/SCANPROT

I do not recommend SCANPROT for a few reasons.

It can be bypassed or deleted by a clever macro virus. If you open an infected document using a method besides FileOpen the protection may not detect the virus.

It cannot distinguish legitimate macros from virus macros. It requires the user to accurately determine 100% of the time whether a document's macros are a virus or not, just by reading that a document contains macros.

Also, SCANPROT is very slow and only detects the original, unmodified Concept virus. There are over 4,000 macro viruses right now.

I also include Disabling AutoMacros, Prompt To Save NORMAL.DOT, Word's built-in virus protection, and making NORMAL.DOT read-only in this category. They can't distinguish the perfectly normal from the virus, and they can be bypassed. Of course they help, but for most people they're probably not worth the trouble for the protection they give, and they give a false sense of security.

3. What kind of product to use

If you are a Windows user, then there are a lot of different anti macro virus products available. Almost all Windows antiviruses have been updated to handle macro viruses. You should test how well they work and ask questions before you make any decisions on which one to buy. Most antivirus companies have evaluation versions available to try out. You could try the antivirus programs on my site here.

If you have finished cleaning the virus and menu items such as ToolsMacro are still missing, then click the View menu, choose Toolbars, choose Customize, click the Menus tab, then click Reset All. The programs I have here to remove macro viruses can also restore the menu items.

4. Questions to ask

Here are some questions you might want to ask when deciding on an anti macro virus product.
