S-96-05.asc

Posted Jan 10, 2000

Subject Winword Macro Viruses Date 9-feb-96

SHA-256 | 50721344fff0914bccf26ea4dc25e1555a859daf50a8271abc52c95f990df2f6

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
=============================================================================
Security Advisory CERT-NL

=============================================================================
Author/Source : Henk Steenman Index : S-96-05
Distribution : World Page : 1
Classification: External Version: 1
Subject : Winword Macro Viruses Date : 9-feb-96
=============================================================================

By courtesy of CIAC we received the following information.

CIAC Bulletin G-10 reports the threat posed by several different (Word, Excel)
macro viruses.

CERT-NL recommends that you take careful note of whether this applies to your
situation and take the relevant steps. This is a much underestimated problem!

=============================================================================
____________________________________________________________________________

PROBLEM: Word macro viruses are no longer an isolated threat, but they are
a significant hazard to the information on a computer.
PLATFORM: Any platform that can run Microsoft Word 6.0 or later:
Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh.
DAMAGE: Files can be deleted and may not be recoverable.
SOLUTION: Scan all new Word documents before opening them in the same way
that you now scan all executable files before running them.
Install version 2 of the Microsoft macro virus detection tool.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The vulnerability of systems to this type of virus is
high, because most users are not in the habit of scanning documents.
Documents are much more mobile than executable files in an organization,
passing from machine to machine as different people write or edit them.
______________________________________________________________________________
CRITICAL Information Concerning Winword Macro Viruses

CIAC has obtained information about six macro viruses currently in the wild,
five of which infect Microsoft Word 6.0 documents, and one that infects an
Excel worksheet. Two of these viruses are damaging. This bulletin describes
these viruses:

Concept (Prank) Working demo of a macro virus.
DMV (Word) Working demo of a macro virus.
DMV (Excel) Working demo of a macro virus.
Nuclear Attempts damage but fails.
Colors Changes screen colors.
FormatC Deletes files on the hard drive.
Hot Deletes Word documents when they are opened.

WARNING: The new macro viruses are not detected by the original
protection macro available from Microsoft which only detects Concept
(scan831.dot, see CIAC Notes 95-12). A new protection program is
available from Microsoft and most anti-virus scanner developers are
adding macro virus detection to their products. The new Microsoft
scanner is available from Microsoft at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

with a description available at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

The files are also available from the CIAC archive.

What Are Macro Viruses?
-----------------------

A macro virus is a piece of self-replicating code written in an
application's macro language. Many applications have macro capabilities
such as the automatic playback of keystrokes available in early versions
of Lotus 1-2-3. The distinguishing factor which makes it possible to
create a virus with a macro is the existence of auto-execute macros in
the language. An auto-execute macro is one which is executed in response
to some event and not in response to an explicit user command. Common
auto-execute events are opening a file, closing a file, and starting an
application. Once a macro is running, it can copy itself to other
documents, delete files, and create general havoc in a person's system.
These things occur without the user explicitly running the macro.

In Microsoft Word there are three types of hazardous, auto-executing
macros: auto-execute macros, auto-macros, and macros with command names.
There is one auto-execute macro in Word named AutoExec. If a macro named
AutoExec is in the "normal.dot" template or in a global template stored
in Word's startup directory, it is executed whenever Word is started.
The only way to disable the execution of AutoExec is to insert the flag
/m in the command line used to start Word.

The second type of dangerous macros are auto-macros.

Name Runs when you
------------------------------------
AutoNew create a new document.
AutoOpen open a document.
AutoClose close a document.
AutoExit quit Word.

The auto-macros can be disabled by executing the Word.Basic command
"DisableAutoMacros" in a macro. Note that the example in Word's online
help of executing this command in the command line when starting Word
does not work. The command must be executed in a macro. Auto-macros are
also disabled by holding down the shift key while opening a document.

The third type of dangerous macros are those named for an existing Word
command. If a macro in the global macro file or in an attached, active
template has the name of an existing Word command, the macro command
replaces the Word command. For example, if you create a macro named
FileSave in the "normal.dot" template, that macro is executed whenever
you choose the Save command on the File menu. There is no way to disable
this feature.

Macro viruses spread by having one or more auto-execute macros in a
document. By opening or closing the document or using a replaced
command, you activate the virus macro. As soon as the macro is
activated, it copies itself and any other macros it needs to the global
macro file "normal.dot". After they are stored in normal.dot they are
available in all opened documents.

At this point, the macro viruses try to spread themselves to other
documents, usually by including an AutoClose macro that attaches the
virus macros to the document and saves it. The macro viruses that cause
damage contain a trigger that starts the damage routines and those
routines do the actual damage. The trigger is some event that the virus
writer has programmed his virus to watch for such as a date or the
number of days since the infection occurred.

An important point to make here is that Word documents (.DOC files) can
not contain macros, only Word templates (.DOT files) can contain macros.
However, it is a relatively simple task to mask a template as a document
by changing the file name extension from .DOT to .DOC.

DMV (Word) Macro Virus
----------------------

The DMV (Demonstration Macro Virus) virus was originally described in
the paper "Document Macro Viruses" by Joel McNamara who conveniently
infected the document containing the paper with the virus so the reader
could experience it first hand. The virus itself is simply an example of
how such a virus could be implemented and does not attempt to hide at
all. The virus is not harmful and is relatively simple to remove using
the Tools Macro command in Microsoft Word (See below). The virus
installs a single macro named AutoClose onto the "normal.dot" global
macro file. The AutoClose macro infects all new documents when they are
closed. The macro does no damage other than to spread itself. When the
macro runs, it displays numerous dialog boxes telling you what it is
doing, making it obvious if you are infected.

DMV (Excel) Macro Virus
-----------------------

The Excel version of the DMV macro virus works the same as the Word
version but uses the Visual Basic for Applications language built into
Excel. The Excel document contains a macro sheet which implements an
AutoClose macro. When you close the file, the macro is activated and
copies itself to Excel's global macro file. When other worksheets are
closed, the macro attaches itself to them as well.

Concept (Prank) Macro Virus
---------------------------

The Concept macro (alias Prank) is similar to the DMV macro virus in
that it is a demonstration that a macro virus can be created. A document
infected with the Concept virus contains the macros:

AAAZAO AutoOpen
AAAZFS Payload

When an infected file is opened, the AutoOpen macro is run and copies
the virus files to the global macro file. During the copying process it
changes the name of AAAZFS to FileSaveAs. Whenever a document is saved,
the FileSaveAs command copies the virus macros into it and saves it. The
AAAZAO macro becomes the AutoOpen macro on the saved document file. The
Payload macro does nothing. The first time the macro runs a dialog box
appears with the single digit "1" contained in it.

Nuclear Macro Virus
-------------------

A document infected with the Nuclear macro virus contains nine macros:

AutoExec AutoOpen DropSuriv
FileExit FilePrint FilePrintDefault
FileSaveAs InsertPayload Payload

All of these are copied to the global macro file when an infected
document is opened. When any document is saved, the virus copies all the
macros onto it and saves it. Printing a document during the last 5
seconds of any minute causes the following text to appear at the top of
the printed page:

"And finally I would like to say:"

"STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"

After April 5th it attempts to delete your system files but fails
because of a bug in the virus. The virus also attempts to infect a
system with the Suriv binary virus, but fails again because of a bug.

Colors Macro Virus
------------------

A document infected with the Colors virus contains the following eight
macros:

AutoClose AutoExec AutoOpen
FileExit FileNew FileSave
FileSaveAs ToolsMacro

The virus changes many of the menu items to make it difficult to delete.
For example, it effectively removes the Tools Macros command so you
can't list or delete the macros in a program with that command.

After being accessed 300 times, Colors activates and randomly changes
the system colors in the win.ini file making the screen look strange.

FormatC Macro Virus
-------------------

The FormatC macro virus consists of a single macro named AutoOpen.
Opening an infected document causes this macro to run and the macro
copies itself to the global macro file. If the virus's payload is
activated, it attempts to format the C: drive.

WARNING: the format command in most modern versions of DOS can be
reversed. If this virus strikes, get some knowledgeable help before
doing anything to your system. Don't do anything that might write
something on the hard drive until you get knowledgeable help. You may
need only boot from a floppy and run unformat to recover the whole
drive. What you do depends on what utility programs (Norton Utilities,
PCTools, and so forth) you have installed on your system.

Wordmacro/Hot
-------------

A new Word macro virus just appeared in the wild named Wordmacro/Hot and
it is destructive. The Wordmacro/Hot virus attaches itself like the
others, adding macros to documents and to the "normal.dot" global macro
file. New documents are infected when they are saved. After about 14
days, the virus deletes the contents of any document as you open it and
does a save which effectively wipes out the document. It is unlikely
that you will be able to recover the contents of a file deleted in this
way unless you have Make Backup turned on. Don't start opening the
backup copies before cleaning the virus, because it will clear the
contents of every document you open while it is active.

An infected document contains the following macros:

AutoOpen DrawBringInFrOut InsertPBreak ToolsRepaginat

When the virus infects the Word program, these macros are copied to
"normal.dot" and renamed in the same order to:

StartOfDoc AutoOpen InsertPageBreak FileSave

The virus adds the item: "OLHot=nnnnn" to the winword.ini file where
nnnnn is a date 14 days in the future. The virus uses this date to
determine when it is going to trigger. The virus also checks for the
existence of the file: "c:\dos\ega5.cpi" and does not infect a machine
if the file exists. This was apparently a feature to protect the virus
writer.

Detecting A Macro Virus
-----------------------

Document files must now be treated in the same manner as executables in
terms of virus protection. If you don't know where a Word document has
been, scan it before opening it with Word. Most anti-virus scanners have
been modified to detect macro viruses in Word documents, so use those
scanners to check any new documents that have been copied onto your
machine. For example, version 2.21 of the shareware version of F-Prot
detects all but the FormatC and Hot viruses.

Microsoft has released a new version of its macro virus protection
program (see below) that checks all Word documents as you open them and
tells you if they contain a macro or not. It can only detect the Concept
virus by name, but any document with a macro attached should be
considered suspect.

You can use the Organizer dialog box (see below) to check for strange
macros attached to your documents. The Organizer can open a document in
the background (without running any attached macros) and let you see
what macros are attached to it. You can also use it to delete macros
from a document.

You can watch for virus activity when opening or saving a document, but
it is generally preferable to detect a virus before it gets installed.
If you have already opened a document that you suspect has a virus, use the
Tools Macro command to see a list of the macros attached to Word. If you
can't open the Macro dialog box, try the Organizer dialog box instead.
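As an added example (not part of the CIAC bulletin or any Microsoft tool), the following Python applies the bulletin's classification rules to a list of macro names as you would read them from the Organizer or Tools Macro dialog: it separates auto-execute macros, auto-macros and command-name replacements, matches the macro sets listed above for Concept, Nuclear, Colors and Hot, and parses the "OLHot=" marker Hot writes to winword.ini. The function names and the sample winword.ini contents are constructed here.

```python
"""Apply this bulletin's macro classification rules to a list of macro names.

Added example, not part of the CIAC bulletin. Input is the list of macro names
a practitioner would read from the Organizer or Tools Macro dialog.
"""

# Word 6.0 macro names that run without an explicit user command (see bulletin).
AUTO_EXECUTE = {"AutoExec"}                                # runs when Word starts
AUTO_MACROS = {"AutoNew", "AutoOpen", "AutoClose", "AutoExit"}
# Built-in Word command names the bulletin shows being replaced by virus macros.
COMMAND_NAMES = {"FileSave", "FileSaveAs", "FileOpen", "FileNew", "FileExit",
                 "FilePrint", "FilePrintDefault", "ToolsMacro", "InsertPageBreak"}

# Document-side macro sets as listed in the bulletin for each virus.
KNOWN_VIRUSES = {
    "Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "Payload"},
    "DMV": {"AutoClose"},
    "Nuclear": {"AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"},
    "Colors": {"AutoClose", "AutoExec", "AutoOpen", "FileExit", "FileNew",
               "FileSave", "FileSaveAs", "ToolsMacro"},
    "FormatC": {"AutoOpen"},
    "Hot": {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"},
}


def assess(macro_names):
    """Classify macros by how they can be triggered and match known macro sets."""
    names = set(macro_names)
    report = {
        "auto_execute": sorted(names & AUTO_EXECUTE),
        "auto_macros": sorted(names & AUTO_MACROS),
        "command_replacements": sorted(names & COMMAND_NAMES),
        "other": sorted(names - AUTO_EXECUTE - AUTO_MACROS - COMMAND_NAMES),
        # Bulletin: any document carrying macros should be considered suspect.
        "suspect": bool(names),
        "known_matches": [],
    }
    for virus, signature in KNOWN_VIRUSES.items():
        # Single-macro sets (DMV, FormatC) are too generic to name a virus from
        # macro names alone, so only multi-macro sets are reported as matches.
        if len(signature) >= 2 and signature <= names:
            report["known_matches"].append(virus)
    return report


def hot_trigger_marker(ini_text):
    """Return the OLHot value the Hot virus writes to winword.ini, or None."""
    for line in ini_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip().lower() == "olhot":
            return value.strip()
    return None


# Constructed sample inputs (not captured from real files).
CONCEPT_DOC = ["AAAZAO", "AutoOpen", "AAAZFS", "Payload"]
CLEAN_DOC = []
SAMPLE_INI = "[Microsoft Word]\nDOC-PATH=C:\\WINWORD\nOLHot=35000\n"

if __name__ == "__main__":
    for label, macros in (("Concept-style document", CONCEPT_DOC),
                          ("clean document", CLEAN_DOC)):
        print(label, assess(macros))
    print("Hot trigger marker:", hot_trigger_marker(SAMPLE_INI))
```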

Protecting A System From Macro Viruses
--------------------------------------

A feature of Microsoft's products is that automatic execution of auto-
macros and auto-execute macros is enabled by default. In fact, it is
difficult to turn off. This is a problem in protecting against macro
viruses.

Currently, the best protection is to install Microsoft's macro virus
protection template. The template is available directly from Microsoft's
web site or from the CIAC archive. A description of the scanner is
available at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

and the scanner itself is available at:

http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

If you don't find these files at microsoft.com, it could be that the
scanner has been revised again. In that case, connect to:

http://www.microsoft.com

and use the search command to search for "macro virus".

To install the macro virus protection, simply open the template file
with Word and follow the instructions. The macros automatically install
themselves in your global macro file (just like the virus). A protected
version of Word should have the following four macros attached to
the "normal.dot" file:

AutoExit FileOpen InstVer ShellOpen

FileOpen calls ShellOpen whenever a document is opened. ShellOpen checks
each newly opened document to see if it has any macros attached. If
there are macros in the document that is being opened, ShellOpen
displays a dialog box giving you the choice to open the document anyway,
remove the macros and open it, or cancel the open command.

If, for some reason, you can't use Microsoft's protection macro, you can
disable auto-macros. You have three options:

1. Disable the auto-macros.
2. Disable the auto-macros and the auto-execute macro.
3. Hold down Shift whenever you open a file to disable the AutoOpen
macro.

To disable auto-macros, create the following macro named AutoExec in the
global macro file (normal.dot).

Sub MAIN
    ' Turns off AutoNew, AutoOpen, AutoClose and AutoExit for this Word session
    DisableAutoMacros 1
    MsgBox "Auto-macros are disabled."
End Sub

All auto-macros are disabled but a virus could still infect a system if
it is activated by a command that replaces a normal command.

To disable auto-macros and the auto-execute macro, create the following
macro in the global macro file (normal.dot) and name it
"DisableMyAutoMacros".

Sub MAIN
    ' Same body as above; this macro is run via the /m switch instead of AutoExec
    DisableAutoMacros 1
    MsgBox "Auto-macros are disabled."
End Sub

In the Program Manager or the Explorer in Windows 95, select the Word
icon and choose the Properties command on the File menu. Add the
following switch to the command line for Word.

/mDisableMyAutoMacros

This command disables the AutoExec macro and runs the
DisableMyAutoMacros procedure when Word starts up. Again, this does not
disable macros with command names from replacing the commands. This also
only works if you start Word by double clicking on the Word icon. If you
start Word by double clicking on a document, it will not see the switch
and will not run the DisableMyAutoMacros procedure.

When you hold down the Shift key while opening or double clicking a
document, the AutoOpen macro is prevented from running. Other auto-
macros may still run so you must check for a virus before doing anything
else.

WARNING: The three methods of disabling auto-macros and the auto-execute
macro do not fully protect you from a virus. While they prevent the
auto-execute and auto-macro commands from running, they do not prevent
any macros named the same as commands from replacing those commands. Any
virus that uses replaced commands to initiate an infection will not be
stopped. Only an external scanner or the Microsoft template will detect
a document containing macros before it is opened.

Removing Macro Viruses
----------------------

If you have an anti-virus scanner which detects and removes a macro
virus, use it instead of trying to do it by hand. The scanner will
generally do the job and is much easier than removing the virus by hand.

If you have Microsoft's virus macro protection installed, it will give
you the option to remove any attached macros when you open the document.
If you save the document with the same name, it will overwrite the
infected document.

If you don't have a scanner or the protection macro, you can use the
Organizer to find and remove macro viruses without infecting your
system. The first step is to start Word and open the Organizer dialog
box. There are two ways to open the Organizer: 1. use the Tools Macro
command and press the Organizer button; 2. use the File Templates
command and press the Organizer button. In the Organizer dialog box
click the macros tab, click the Open File button, select the infected
document and click OK. Back in the Organizer dialog box, select all the
macros listed in the file and click the Delete button to remove them.
Click the Close File button to close and save the file. The file can now
be opened normally.

If you have just infected yourself by opening an infected document,
don't close the document or quit Word. If you close the infected file or
quit Word, you run the risk of running another of the auto-execute
macros. See if you can get to the Organizer dialog box. Once in the
Organizer you can delete the virus macros from the infected document and
from the "normal.dot" file. Save those files, quit Word and restart it.
You can then use the Organizer to check other documents for a virus
infection.

If you can't get to the Organizer, quit Word without saving anything,
find the "normal.dot" file and delete it. When you restart Word, it will
create a new, empty "normal.dot" file. Note that you will also lose any
custom styles which were stored in the "normal.dot" file and will have
to redefine them.

On The Macintosh
----------------

These macro viruses will run under Word 6 on the Macintosh, but most of
the file access capability used by the viruses to damage a system will
not work well. This is because file naming conventions on the Macintosh
are different from those on other systems. Since the damaging parts of
the viruses are written with a DOS-based file system in mind, it is
unlikely that they will work.

Macro Viruses and E-Mail Messages
---------------------------------

Many rumors have been circulated around the network about there being an
e-mail message that destroys your system when you read it (Good Times).
This can not happen with the current batch of mail readers. While an
infected document could be attached to an e-mail message and would be
downloaded to your disk when you read the attached message, it will not
automatically be executed. As long as it has not been executed or read,
it can not infect your system with a virus. At this point, you should
scan it to make sure it is not infected.

Conclusions
-----------

Macro viruses are here to stay and we must deal with them in the same
manner that we have had to deal with other viruses. If you don't know
where a file has been, don't use it in your computer until you scan it.
That is, if it is an executable, don't run it; if it is a document,
don't open it. It does not matter how you obtained the file, whether it
is a download from a BBS or web site, an attachment to an e-mail
message, or a shrink-wrapped package from a commercial developer, scan
them all. Even blank, preformatted disks are occasionally showing up
with viruses.

The second thing to do is to install the Microsoft macro virus
protection template to warn you if a document contains macros before you
open it.

Keep in mind that while Microsoft products are being targeted by these
viruses, they are not the only products which have a macro capability
which could be exploited. Hopefully, in the next release of software
programs which include extensive macro capabilities, there will be an
easy way to disable macro execution and warn the user if documents
contain macros. This change will make the problem of macro viruses go
away very quickly.


____________________________________________________________________________

CIAC wishes to acknowledge the help of Michael Messuri and Charles Renert of
Symantec Corp. and Chuck Noble of Digital Equipment Corp. for valuable
assistance in the preparation of this bulletin.
____________________________________________________________________________

============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

EMERGENCIES (NL): 06 22 92 35 64 ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================
