Unknown Macro Viruses
In a perfect world, you'd never have to face a Word macro virus that could not be detected and cleaned by anti-virus software. But - it can happen, and here's how to detect the situation and live with it until a fix is found!
The following are highly suggestive of Word virus infection:
Note that items (1) and (2) may also apply with default settings, or after a previous infection has been cleaned.
How do Word viruses work?
Word has had a macro language (WordBasic) since version 6.0 at least, but Word 97 added Visual BASIC for Applications (nicknamed "Venereal BASIC for Attacks"). VBA viruses usually do not show up as macros under Tools, Macro, Macros, because their code lives as event procedures in the document's class module rather than as named macros; they also will not run in earlier versions of Word.
Word bases every new blank document on the Normal.dot template and inherits macros from it, so in order to persist from one Word session to the next the virus must infect this file. If it wishes to infect documents as they are saved, it has to hook the Save, SaveAs and/or Close actions on the File menu (the FileSave, FileSaveAs and FileClose macros). The virus itself takes the form of macros that Word auto-runs on opening the file (AutoOpen, AutoExec and friends), or VBA event code attached to the document's Open, New and Close events.
Some viruses such as CAP subvert SaveAs, so that the file is saved internally as a Word document (complete with macros and/or VBA code) even when the file name ends in .rtf, .txt, .htm or whatever extension your chosen SaveAs file type would have used. Viruses also routinely knock out the Tools, Macro menu entry; Tools, Customize (so you can't add a toolbar icon to reach Macros or the VBA Editor); the "Warn on saving changes to Normal template" option under Tools, Options, Save; and the "Macro Virus Protection" option under Tools, Options, General. These settings usually stay knocked out after the virus is cleaned, so check and restore them.
CAP dates from the age of Word 6, but in the three successive major revisions of Word since then, Microsoft has failed to give Word a clue that maybe-perhaps-maybe a file named something.txt or something.rtf has no business containing Word macros, and that auto-running them is a Bad Idea.
Preventing persistent infection
You can prevent an infection from persisting from one Word session to the next by creating a clean Normal.dot and making it read-only at the file system level:
Preventing run-time infection
If "Macro Virus Protection" is set, Word prompts you to enable macros when opening a document that contains them; just say no! A stronger form of protection is to use Word Viewer 97 instead of Word 97 to open arbitrary files; the viewer cannot run macros and so cannot be infected. Good luck, though, in defending such viewers against Office, and keeping the tortuous file association relationships from autobotching themselves.
Once you have allowed macros or VBA code in a file to run, Word is infectious (i.e. in the run-time infected state) until you exit Word. If you then allow Word to write to the Normal template on exit, the infection becomes persistent.
Cleaning infected files
The general idea is to save the document in a form that cannot contain macros or VBA code while preserving its content and layout. Word 6/95 .doc format can contain WordBasic macros, and thus macro viruses (e.g. CAP, Concept), but cannot contain VBA viruses (e.g. Class, Ethan, Melissa). Non-.doc formats (WordPerfect, Rich Text Format .rtf, plain text, etc.) cannot contain either.
If the virus does not subvert SaveAs (as CAP does; Ethan and Melissa.A do not), you can clean files as follows:
If you want to send a clean copy of the document, send the version saved in step (4). To check that the file really is clean, drag it into or open it from WordPad: if WordPad shows binary gunk instead of the document, the file is still in internal .doc format and probably carries the viral code.
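The same check can be made without opening the file at all. What follows is an added example, not part of the original page: a small Python script that tells an internal-format .doc from a genuine .rtf or .txt by its first bytes, and then looks for the "Macros" storage name that Word 97 uses for its VBA project. The OLE2 signature and the "{\rtf" prefix are real format facts; the "Macros" search is a heuristic over the raw bytes (no OLE2 directory parsing), the sample inputs are constructed, and the file names are made up.

```python
r"""Is this file really what its extension says? (added example)

A SaveAs-subverting virus such as CAP writes Word's internal binary .doc
layout no matter what extension you chose. Word 6/95/97 .doc files are OLE2
compound files with a fixed 8-byte signature, and genuine RTF begins with
"{\rtf", so the two are easy to tell apart without opening them in Word.
"""
import os
import string

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE2 compound file header
RTF_MAGIC = b"{\\rtf"                              # every RTF file starts this way

# OLE2 directory entries hold stream/storage names as UTF-16LE. Word 97 keeps
# its VBA project in a storage named "Macros"; finding that name in the raw
# bytes is a heuristic only (assumption: no OLE2 directory parsing here), and
# it says nothing about Word 6/95 WordBasic macros, which are stored elsewhere.
VBA_STORAGE_NAME = "Macros".encode("utf-16-le")

EXPECTED_KIND = {"rtf": "rtf", "txt": "text", "doc": "ole2-doc", "dot": "ole2-doc"}
PRINTABLE = set(string.printable.encode())


def classify(data: bytes) -> str:
    """Return 'ole2-doc', 'rtf', 'text' or 'unknown' from the file's bytes."""
    if data.startswith(OLE2_MAGIC):
        return "ole2-doc"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    sample = data[:4096]
    if sample and sum(b in PRINTABLE for b in sample) / len(sample) > 0.95:
        return "text"
    return "unknown"


def has_vba_storage(data: bytes) -> bool:
    """Heuristic: an OLE2 file whose directory mentions a 'Macros' storage."""
    return data.startswith(OLE2_MAGIC) and VBA_STORAGE_NAME in data


def check_file(name: str, data: bytes) -> dict:
    """Compare what the extension promises with what the bytes say."""
    ext = os.path.splitext(name)[1].lstrip(".").lower()
    kind = classify(data)
    expected = EXPECTED_KIND.get(ext)
    return {
        "name": name,
        "kind": kind,
        "mismatch": expected is not None and kind != expected,
        "vba_storage": has_vba_storage(data),
    }


def check_path(path: str) -> dict:
    """Same check for a file on disk (read whole, in binary mode)."""
    with open(path, "rb") as fh:
        return check_file(path, fh.read())


# Constructed samples, not real files: a genuine RTF, a plain text file, and a
# "report.rtf" that is really an OLE2 .doc whose directory names a "Macros"
# storage, which is what a CAP-style SaveAs would leave behind.
SAMPLES = {
    "memo.rtf": b"{\\rtf1\\ansi Hello}",
    "notes.txt": b"plain text\r\nmore text\r\n",
    "report.rtf": OLE2_MAGIC + b"\x00" * 24
                  + "Root Entry".encode("utf-16-le") + b"\x00" * 44
                  + VBA_STORAGE_NAME + b"\x00" * 52,
}


def scan_samples() -> dict:
    """Run check_file over the constructed samples, keyed by file name."""
    return {name: check_file(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for result in scan_samples().values():
        flag = "SUSPECT" if result["mismatch"] or result["vba_storage"] else "ok"
        print(f"{result['name']:12} {result['kind']:9} {flag}")
```

A file that WordPad renders cleanly can still be a Word 6/95 .doc carrying WordBasic macros, which this script will report as "ole2-doc" under an .rtf or .txt name; a mismatch between name and bytes is the thing to act on, whatever the VBA heuristic says.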
Dealing with 'droppers'
Some Word viruses 'drop' additional files elsewhere on the hard drive: companion viruses such as "ScanDisk.com", or code packages called by the virus such as .dll files and additional VBA code. As C:\ is often the only location the virus can count on, it is often used, though the code may be disguised in various ways; e.g. Ethan drops C:\Ethan.___ and Class drops C:\Class.obj. If you find such files, rename them; then create empty files of the same names and set them Read-Only. For a bit of extra resistance, rename Attrib.exe away so that malware cannot script it to reverse your read-only attribute protection.
The virus can also hook such code into the startup axis (e.g. by writing to the Run= line in Win.ini, the Run, RunOnce and RunServices keys in the registry, AutoExec.bat and so on). In this way payloads more destructive than anything possible within Word macros or VBA can be delivered. Check these settings from time to time!
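An added example of auditing that startup axis offline, not from the original page: a Python script that pulls the load= and run= lines out of the [windows] section of Win.ini and the program launches out of AutoExec.bat, flags any that start something sitting in the root of a drive or with an odd extension, and checks a directory listing for a .com file shadowing a .exe of the same name (the "ScanDisk.com" companion trick; DOS runs the .com first). The registry Run keys are listed for reference only, since reading them needs a live machine. The Win.ini, AutoExec.bat and directory listing here are constructed, and PAYLOAD.EXE is a made-up name.

```python
r"""Audit the Windows 9x startup axis for launchers a dropper may have planted.

Added example, not from the original page. Win.ini and AutoExec.bat are
parsed from text so the audit runs offline; registry keys are named only.
"""
import re
from pathlib import PureWindowsPath

# Read these with winreg on a live Win9x box; not parsed here.
REGISTRY_RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)

ROOT_OF_DRIVE = re.compile(r"^[A-Za-z]:\\[^\\]+$")   # C:\SOMETHING, nothing deeper
LAUNCHER_EXTS = {".exe", ".com", ".bat"}
# AutoExec.bat lines that only set up the environment and launch nothing.
AUTOEXEC_NOISE = {"rem", "echo", "set", "path", "prompt", "cls"}


def win_ini_launchers(text):
    """Return (key, value) pairs for load=/run= in the [windows] section."""
    found, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append((key.lower(), value))
    return found


def autoexec_launchers(text):
    """Return the commands in AutoExec.bat that start a program."""
    cmds = []
    for raw in text.splitlines():
        words = raw.strip().lstrip("@").split()
        if not words or words[0].lower() in AUTOEXEC_NOISE:
            continue
        if words[0].lower() in ("lh", "loadhigh"):   # LH wraps the real command
            words = words[1:]
        if words:
            cmds.append(" ".join(words))
    return cmds


def suspicious(command):
    """Reasons an entry deserves a second look; an empty list means nothing odd."""
    target = command.split()[0].strip('"')
    reasons = []
    if ROOT_OF_DRIVE.match(target):
        reasons.append("launches a file sitting in the root of a drive")
    ext = PureWindowsPath(target).suffix.lower()
    if ext and ext not in LAUNCHER_EXTS:
        reasons.append(f"unusual launcher extension {ext}")
    return reasons


def find_companions(filenames):
    """.com files that shadow a .exe of the same base name in one directory."""
    names = {n.upper() for n in filenames}
    return sorted(n for n in names if n.endswith(".COM") and n[:-4] + ".EXE" in names)


def audit(win_ini, autoexec, dir_listing):
    """Collect human-readable findings from all three sources."""
    findings = []
    for key, value in win_ini_launchers(win_ini):
        for why in suspicious(value):
            findings.append(f"win.ini {key}={value}: {why}")
    for cmd in autoexec_launchers(autoexec):
        for why in suspicious(cmd):
            findings.append(f"autoexec.bat {cmd}: {why}")
    for comp in find_companions(dir_listing):
        findings.append(f"companion {comp} shadows {comp[:-4]}.EXE")
    return findings


# Constructed sample inputs (not from a real machine). PAYLOAD.EXE is a
# made-up name standing in for whatever a dropper wrote to C:\.
WIN_INI = r"""[windows]
load=
run=C:\PAYLOAD.EXE
NullPort=None
[Desktop]
Wallpaper=(None)
"""

AUTOEXEC = r"""@ECHO OFF
PATH C:\WINDOWS;C:\WINDOWS\COMMAND
SET TEMP=C:\WINDOWS\TEMP
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD001
C:\PAYLOAD.EXE
"""

DIR_LISTING = ["SCANDISK.EXE", "SCANDISK.COM", "ATTRIB.EXE", "FORMAT.COM", "MEM.EXE"]


def sample_findings():
    """Run the audit over the constructed inputs above."""
    return audit(WIN_INI, AUTOEXEC, DIR_LISTING)


if __name__ == "__main__":
    for line in sample_findings():
        print(line)
```

FORMAT.COM is not reported because no FORMAT.EXE sits beside it; the companion check only fires when both spellings exist, which is the case a virus creates deliberately. On a real machine, feed the audit the text of C:\WINDOWS\WIN.INI and C:\AUTOEXEC.BAT and a listing of C:\WINDOWS\COMMAND.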
It's presumptuous to assume every user uses the same software you do, i.e. to send files in Word 97 .doc format when you don't know that the recipient uses Word 97. It also presumes on the recipient's trust to send documents in a form that can carry macros. So Rich Text Format is preferred for outgoing attachments!
As malware can automate the sending of messages, or attach files to your genuine messages, it is good practice to refer to each and every attached file within the text of the message itself, using phrasing that malware automation could not guess.
(C) Chris Quirke, all rights reserved