Menu
Solving Office 97's virus woes

Solving Office 97's virus woes

There is no doubt Microsoft Office 97 has been a hit. Since its release last year, corporate sites are migrating from previous versions of Office. Office 97 includes Outlook, the combined information manager and e-mail client, an ani-mated Office Assistant, and new Internet tools. The professional version also comes with Access. Unfortunately, Office 97 also comes with some built-in issues surrounding macro viruses.

During a recent review of antivirus products, I discovered that evolution is not always a positive process. Simply by loading some common Word 6/Word 7 macro viruses into Word 97, I inadvertently generated new, mutated viruses. What was worse, after the conversion some antivirus products were unable to detect quite a few of the new viruses.

What I had unwittingly created were "upconverted" Word macro viruses. They differed so much from the original macro viruses that some antivirus programs no longer recognised them as such.

To understand why this happened, it is necessary to go back to Word 6 and Office 95's Word 7. The very first macro viruses were written in Word's WordBasic programming language, and they still make up the bulk of Word macro viruses that are found in the wild.

Macro virus threat

When Microsoft released Office 97, however, not only did it change the Word file format, it also introduced a new programming language for Word: Visual Basic for Applications, Version 5.0 (VBA5). To preserve users' WordBasic macros, Microsoft built in automatic conversion of these to the new VBA5 language.

Microsoft does attempt to ward off the Word macro virus threat - Word 97 blocks upconversion of some common viruses such as Alliance, Atom, Bandung, Concept, NPAD, Wazzu and Xenixos.

"We prevent the 'upconversion' of 40 of the most common macro viruses when opening a document in Office 97 created by a previous version of Office," said Andrew Dixon, Office product manager at Microsoft in the US.

Dixon also points to the disable/enable macros dialogue that alerts users to documents with macros as a further defence against viruses.

However, the antivirus code in Office 97 is not perfect. It can miss the viruses it is supposed to detect if these have been modified or if the scan string is in an unexpected place in the file. Worse, the antivirus feature was not implemented in the beta versions of Office 97, so some viruses escaped detection and became upconverted during the beta program, such as the W97/Wazzu. A virus. Further complicating matters, the macro-upconverter can produce different Office 97 variants of the same Word 6/Word 7 virus.

There is an intense debate in antivirus circles as to how great a threat the upconverted viruses pose, how to deal with them, and, most importantly, how to test antivirus products against them.

According to antivirus researcher and developer Dr Vesselin Bontchev of Frisk Software International (www.complex.is), makers of F-PROT antivirus in Iceland, the problem is not that great a threat - so far.

However Nick FitzGerald, the editor of anti-virus industry and testing publication Virus Bulletin (www.virusbtn.com), said the real number of upconversions is likely to be under-reported.

Virus secrecy

FitzGerald says virus incidents are treated with strict secrecy by many corporations to avoid exposure to compensation claims from outside recipients of infected documents. This makes it hard to estimate the actual number of attacks.

Because every Office 97 user is, in essence, issued the means of creating upconversions, does that mean the antivirus industry should upconvert macro viruses too? This question has split the antivirus producers into two camps. One camp says there is no way antivirus producers should upconvert, as it means they will produce new viruses.

Though upconversion viruses may appear to pose a minor threat compared to the more than 2000 in-the-wild WordBasic viruses, it makes sense to reduce that threat. By following simple steps recommended by antivirus experts, users can eliminate most of the risk.

How to protect against upconverting

l Apply the Service Release 1 patch for Office

97 immediately

l Do not mix Office 95 and Office 97, if possible

l Unless you absolutely need macros in Word

documents, use RTF

l Invest in an antivirus solution.


Follow Us

Join the newsletter!

Error: Please check your email address.
Show Comments