ARN

Macro viruses take over from boot sector

With the reduction in the use of floppy disks, the boot sector virus has all but disappeared. Its place has been taken by the macro virus.

While not presenting the same potential for major damage to computers, macro viruses can still cause endless hours of frustration as users try to eliminate them.

It still adds up to good business for suppliers of antivirus software. That is if they can concentrate on the business, and avoid sooling their lawyers on each other.

Macro viruses are, technically, another form of parasitic virus. They attach themselves to a host template and start replicating. Any other effect they may have (such as deleting files, showing pictures, etc) is in addition to this fundamental "virus-like" behaviour.

What makes the macro viruses a class of their own is the way they are transmitted - as an executable component in an otherwise non-executable data file.

Luke Hoban, technical communicator at anti-virus developer Cybec, points out that almost all known macro viruses are written in either WordBasic (Microsoft Word's macro language); VBA, the macro language developed for other Microsoft products; or VBA5, which is used by the Microsoft 97 suite of products.

"Macros are executable code intended to automate tasks in applications. The macro language is extremely powerful, and can call out to external programs. This makes macro viruses potentially quite dangerous," Hoban said.

They are also the first "platform independent" virus, in that they will run on Macintosh computers as well as PCs. Another way of looking at it is that they depend on the application as their platform, rather than the operating system.

Prior to macro viruses, a user would have had to run an executable file or attempt to boot from an infected disk to infect their PC. Users understood that they could be running infected files and tended to check them before running them.

However, macro viruses are found in Word documents and, with the vast increase in the number of attachments sent inside e-mail messages which are opened simply by clicking on them, the risk of virus infection has increased.

In the early days of the macro virus - mid-1995 - users were seldom aware that such documents posed any risk. Even now, there is much confusion about the risk of viruses in e-mail attachments.

Macro viruses may arrive attached to a spreadsheet or document. When the file is opened it will transfer the macros that make up the virus from the file to the application's global template.

Many of the Winword macro viruses use AutoOpen, because it is run as soon as a document is opened. This allows the virus to copy itself into the global template (Normal.DOT). The easiest way for the virus to spread is to use the File/Save As sequence when a newly created file is being saved.

Modified versions of existing files are saved using the Save As option - this is also a popular trigger for the virus to infect a new file. Because macros can only be stored in a template, most macro viruses will change the internal structure of the document file into a template file but keep the document (.DOC) extension. The file looks and works like a normal document but can carry macros due to the modifications made to its internal structure.

When these newly infected files are sent to another person, the virus life cycle starts again. MS Word and some other applications are available on a number of platforms and in a number of international languages, giving a greater variety of environments in which macro viruses can propagate.

People copy, edit and share MS Word documents more often than sharing a floppy disk and this, too, gives Winword macro viruses the opportunity to spread faster than other varieties of viruses, particularly in a LAN or WAN network environment. Macro viruses have also used the growing popularity of attaching Word documents to e-mail, and downloading files from the Internet as additional vehicles to infect many more computers.

While the majority of the current macro viruses have been designed for MS Word, there are also macro viruses for Excel, Ami Pro, and potentially any other software product that allows users to define their own macros.

"The fastest method to check if a document is infected is to open the document and select Tools/Macro (and then macros for Word97 users) and see if there are any macros that should not be there," said Hoban.

The best method to detect infected Word documents is to use a virus scanner to scan for the presence of infected macros before the application has an opportunity to run them and infect your global template (Normal.DOT for MS Word).

Debugging your machine

Hoban said the first step that a virus scanner such as Cybec's VET will make is to check the length and the CRC (Cyclic Redundancy Check) value for each macro.

"These results are checked against the list of macros known to be infected. Once all of the macros have been checked, the number of infected macros and their combined CRC length will be matched to a database of known viruses and the virus is positively identified. All of the macros that make up the virus (or viruses if you are infected with more than one variety) will be removed, and the document checked to see if it has attributes that indicate that it is a template file. If no template characteristics are found it can be assumed that the original file was a document and it can safely be converted back with a DOC extension."
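The two-stage check Hoban describes (per-macro length plus CRC against a list of known infected macros, then the set of infected macros matched against a virus catalogue, removal, and conversion back to a document) is modelled below. This is an added illustration, not Cybec's VET code: the macro bodies, signature database, virus name and the WordFile/ScanResult classes are all constructed for the example, and CRC32 stands in for whatever CRC the product used.

```python
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed stand-ins for the macro bodies of a hypothetical virus; the scanner
# only hashes these bytes, it never executes them.
SAMPLE_VIRUS_MACROS = {
    "AutoOpen": b"Sub MAIN ' constructed sample: runs when the document opens",
    "FileSaveAs": b"Sub MAIN ' constructed sample: hooks File/Save As",
}

def macro_signature(body: bytes):
    """Per-macro check from the article: the macro's length plus its CRC."""
    return len(body), zlib.crc32(body) & 0xFFFFFFFF

# Signature database (constructed): (length, CRC) pairs of known infected macros,
# and a catalogue that identifies a virus by the set of infected macros forming it.
INFECTED_MACRO_SIGS = {macro_signature(b) for b in SAMPLE_VIRUS_MACROS.values()}
VIRUS_CATALOGUE = {frozenset(INFECTED_MACRO_SIGS): "Constructed.Sample.A"}

@dataclass
class WordFile:
    name: str
    macros: Dict[str, bytes]   # macro name -> macro body
    is_template: bool          # internal structure is a template, whatever the extension
    template_attributes: bool  # other template-only attributes besides carrying macros

@dataclass
class ScanResult:
    infected_macros: List[str]
    virus: Optional[str]          # None when clean or when the set matches no known virus
    converted_to_document: bool

def scan_and_clean(doc: WordFile) -> ScanResult:
    infected = sorted(n for n, body in doc.macros.items()
                      if macro_signature(body) in INFECTED_MACRO_SIGS)
    sigs = frozenset(macro_signature(doc.macros[n]) for n in infected)
    virus = VIRUS_CATALOGUE.get(sigs) if infected else None
    for n in infected:              # remove every macro that makes up the virus
        del doc.macros[n]
    # No macros left and no other template characteristics: assume it was a document.
    converted = False
    if infected and doc.is_template and not doc.macros and not doc.template_attributes:
        doc.is_template = False
        converted = True
    return ScanResult(infected, virus, converted)

if __name__ == "__main__":
    infected_doc = WordFile("report.doc", dict(SAMPLE_VIRUS_MACROS), True, False)
    print(scan_and_clean(infected_doc))
```

A file that carries only some of a catalogued virus's macros is reported as infected but with no virus name, which is how an unknown variant would surface.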

Hoban said there are several ways to clean macro viruses.

The easiest is to open Word and keep the shift key pressed down while you open a file (this stops any macros from being run). Next, select Tools/Macro/Macros and see if there are any macros present that should not be there and delete them.

"The second method is to instruct an antivirus scanner to scan a file, directory or drive for viruses," he said.

The third is Resident Protection, which will automatically scan documents when you attempt to perform certain actions, i.e. Open, Save or Save As on a document. When you attempt to open a Word document your antiviral software checks the file.

"If the file is infected, the virus will be removed and, if possible, returned to working order," said Hoban.

Cybec's Vet95/NT Version 9.41 will detect and remove all current Word 6.0 and 7.0 macro viruses during an on-demand scan. Vet95's Resident Protection will detect and automatically clean documents infected with Winword macro viruses and Excel macro viruses. Version 9.41 can also detect viruses under Word97.

Cybec

Tel 1300 36 4750 Fax (03) 9521 0727