Unknown Macro Viruses

In a perfect world, you'd never have to face a Word macro virus that could not be detected and cleaned by anti-virus software. But - it can happen, and here's how to detect the situation and live with it until a fix is found!

Suspecting infection

The following are highly suggestive of Word virus infection:

  1. Word no longer prompts when opening files with macros
  2. Word no longer prompts on saving changes to Normal template
  3. Tools menu, Macro and other entries are grayed or ineffective
  4. There are unfamiliar macros listed in Tools, Macro, Macros
  5. There is VB code in New, Close or Open methods in VB Editor
  6. Word behaves strangely in general; unable to save changes etc.
  7. Non-Word users complain they can no longer read your .rtf saves
  8. Odd files crop up in C:\ (keep C:\ fairly clear so you can see this)

Note that items (1,2) may also apply with default settings, or after a previous infection has been cleared, since those prompts are off by default and are not switched back on when a virus is cleaned.

How do Word viruses work?

Word has had a macro language since version 6.0 at least, but added Visual BASIC for Applications (nicknamed "Venereal BASIC for Attacks") in Word 97. VBA viruses do not show up as macros under the menu Tools, Macro, Macros; they will also not run in earlier versions of Word.

Word bases every new document on the Normal.dot template and inherits macros from there - so in order to persist from one Word session to the next, the virus must infect this file. If it wishes to infect documents as they are saved, then it has to infect the Save, SaveAs and/or Close actions in the File menu. The virus itself will take the form of macros that are auto-run by Word on opening the file, or VBA code that is typically attached to the Open, New and Close actions for the document.

Some viruses such as CAP subvert SaveAs, so that the file is saved internally as a Word document (with macros and/or VBA code) even if the file name ends in .rtf, .txt, .htm or whatever extension your chosen SaveAs file type would have used. Viruses also routinely knock out the Tools, Macro menu entry; Tools, Customize (so you can't add a toolbar icon to get into Macros or the VBA Editor); the "Warn on saving changes to Normal template" option under Tools, Options, Save; and the "Macro Virus Protection" option under Tools, Options, General. The latter two usually stay switched off after the virus is cleaned.

CAP dates from the age of Word 6, but in the three successive major revisions of Word, Microsoft has failed to give Word a clue that maybe-perhaps-maybe a file named something.txt or something.rtf has no business containing Word macros, and that auto-running them is a Bad Idea.

Preventing persistent infection

You can prevent an infection from persisting from one Word session to the next, by creating a clean Normal.dot and making this read-only at the file system level:

  1. Close Word
  2. Start, Find; look in all drives for "Normal.dot"
  3. Rt-click each one found, and rename to (say) NORMAL.VIR
  4. Run Word and make the settings you require:
    - set paper size to A4 (default)
    - set Tools, Options, Save to "Warn on changes to Normal template"
    - set Tools, Options, General for "Macro Virus Protection"
  5. Now you can close Word, after clicking Yes to save changes to the (new) Normal.dot
  6. Start, Find; look in all drives for "Normal.dot"
  7. Rt-click the one found; Properties, Read-Only (check that box)

Preventing run-time infection

If "Macro Virus Protection" is set, you will be prompted to enable macros when opening a document in Word; just say no! A stronger form of protection is to use Word Viewer 97 instead of Word 97 to open arbitrary files; that can't be infected. Good luck in defending such viewers against Office, and keeping the tortuous file association relationships from autobotching themselves.

Once you have allowed macros or VBA code in a file to run, Word will be infectious (i.e. in the run-time infected state) until you exit Word. If you allow Word to write to the Normal template on exit, then infection will become persistent.

Cleaning infected files

The general idea is to save the document in a form that cannot contain macros or VBA code, yet preserve the information and layout of the file. Word 6/95 .doc format can contain macros and thus macro viruses (e.g. CAP, Concept) but cannot contain VBA viruses (e.g. Class, Ethan, Melissa). Other non-Microsoft formats (e.g. Word Perfect, Rich Text Format .rtf, etc.) cannot contain either.

If the virus does not subvert SaveAs (the way that CAP does; Ethan and Melissa.A don't) then you can clean files as follows:

  1. 'Harden' Word as discussed previously
  2. Close Word, so as to avoid run-time infection
  3. Open infected file, say No to macros
  4. SaveAs (say) Rich Text Format to strip macros and VBA
  5. (best practice) Close and restart Word
  6. If original document was read-only, delete it in Explorer or My Computer
  7. Open the file saved in (4) from Word
  8. SaveAs Word 97 (or whatever version) .doc format

If you want to send a clean form of the document, you can send the version saved in step (4). To check that the file is clean, try dragging it into or opening it from WordPad; if WordPad sees gunk, it's probably viral code in internal .doc format.
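The WordPad test above can be automated: a genuine .rtf file starts with the text "{\rtf", whereas a file that CAP has silently saved in internal .doc format starts with the OLE2 compound-document signature, and a Word 97 VBA project lives in storages whose names (Macros, VBA, _VBA_PROJECT) are stored inside the file as UTF-16LE. This is an added example, not part of the original article; the file names and byte strings are constructed.

```python
"""Flag files whose extension says "clean" (.rtf/.txt/.htm) but whose content
is a binary Word .doc that may still carry macros or VBA.  Added example; the
sample files below are constructed, not real documents."""
import os
import sys

# Signature of an OLE2 compound document (binary Word 6/95/97 .doc).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Every genuine Rich Text Format file opens with this control word.
RTF_MAGIC = b"{\\rtf"
# Storage/stream names Word 97 uses for a VBA project.  OLE directory
# entries hold names as UTF-16LE, so that is the encoding searched for.
VBA_NAMES = ("Macros", "VBA", "_VBA_PROJECT")
# What a "macro-free" extension ought to contain.
EXPECTED = {".rtf": "rtf", ".txt": "text", ".htm": "text", ".html": "text"}


def classify(data):
    """Return 'ole-doc', 'rtf', 'text' or 'unknown' from the leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole-doc"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    try:
        data.decode("ascii")
        return "text"
    except UnicodeDecodeError:
        return "unknown"


def vba_storage_names(data):
    """Heuristic: which VBA project names appear in the file as UTF-16LE.
    Word 6/95 WordBasic macros live inside the WordDocument stream and are
    NOT found this way, so treat any 'ole-doc' as able to carry macros."""
    return [name for name in VBA_NAMES if name.encode("utf-16-le") in data]


def assess(filename, data):
    """Combine extension, real content type and VBA-name search."""
    kind = classify(data)
    ext = os.path.splitext(filename)[1].lower()
    mismatch = ext in EXPECTED and kind != EXPECTED[ext]
    return {"kind": kind, "mismatch": mismatch,
            "may_carry_macros": kind == "ole-doc",
            "vba_names": vba_storage_names(data)}


# Constructed samples: a fake .doc with VBA storage names, and a real-looking RTF.
SAMPLE_DOC = (OLE_MAGIC + b"\x00" * 24 + "Macros".encode("utf-16-le")
              + b"\x00" * 8 + "_VBA_PROJECT".encode("utf-16-le"))
SAMPLE_RTF = b"{\\rtf1\\ansi Quarterly report\\par}"

if __name__ == "__main__":  # usage: python check_rtf.py report.rtf notes.txt
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, assess(path, fh.read()))
```

A mismatch on a .rtf or .txt file means the document still needs cleaning by the SaveAs procedure above, from a copy of Word that has not run the file's macros.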

Dealing with 'droppers'

Some Word viruses 'drop' additional files elsewhere on the hard drive; these can be companion viruses such as "ScanDisk.com", or code packages called by the virus such as .dlls and additional VBA code. Because "C:\" is the one location a virus can rely on existing, it is the usual dropping ground, though the code may be disguised in various ways; e.g. Ethan drops C:\Ethan.___ and Class drops C:\Class.obj files there. If you find such files, rename them; then create null files of the same name and set the attributes of these to Read-Only. For a bit of extra resistance, rename away Attrib.exe to prevent malware from scripting it in order to reverse your read-only attribute protection.

The virus can also automate the use of such code by editing the startup axis (e.g. writing changes to Run= key in Win.ini, Runxxxx keys in registry, editing AutoExec.bat and so on). In this way, payloads more destructive than possible within Word macros or VBA can be delivered. Check these settings from time to time!

Attachment etiquette

It's presumptuous to assume every user uses the same software you do, i.e. to send files in Word 97 .doc format if you don't know the recipient uses Word 97. It also presumes on the recipient's trust to send documents in a form that can carry macros. So Rich Text Format is preferred for outgoing attachments!

As malware can automate the sending of messages, or attach files to your genuine messages, it's good practice to refer to each and every attached file within the text of the message itself, using phrasing that cannot be guessed by malware automation.


(C) Chris Quirke, all rights reserved
