PENN PRINTOUT
The University of Pennsylvania's Online Computing Magazine

PENN PRINTOUT April 1997 - Volume 13:8


Macro viruses unmasked

By Caroline Ferguson and William Couture

Macro viruses are a relatively new arrival on the virus scene, but in less than two years they have become one of the most widely spread virus "families." This article explains what macro viruses are, what they do, and how to deal with them. The focus is on the macro viruses that infect Microsoft Word, because these form the largest virus group and the one most troublesome for Penn.


What is a macro virus?

Any virus that uses "higher level" programming features can be considered a macro virus. Previously, many viruses were created using lower level system code to infect and damage computer files. Occasionally, viruses would be created using macro language tools, but the tools were not very powerful or flexible. Viruses were hard to create.

To allow users the ability to write custom routines (macros) in applications like Word and Excel, Microsoft included with these applications a version of Visual BASIC, a "higher level" programming language that was powerful and easy to use -- and easy to create viruses with.

Why are macro viruses appearing now? Why do they all seem to be in Microsoft Word?

Microsoft has extended the power of macros, and Word is now the word processing program of choice on both the Windows 95 platform and the Macintosh. Microsoft has made its macro language more powerful and at the same time made it easier to use. The new macro language can now create macros that have an effect outside of the application they are written for; e.g., a Word macro can delete or change files in the operating system. With a language so powerful, and Word being so prevalent, it was only a matter of time before macro viruses became endemic at Penn.

How are macro viruses different from other types of computer viruses?

Macro viruses differ from other types of computer viruses in the manner in which they spread and in their ability to move between different computing platforms.

Before macro viruses, there were basically two ways to become infected by a virus. The first, and most common, was to boot your computer with an infected disk, which then infected your hard drive. After the hard drive was infected, any non-write-protected disk inserted in the infected computer became a "carrier" for the virus. The second way to become infected was to run an infected application, which, in turn, usually infected all of the applications you ran subsequently.

Macro viruses, however, use the most valuable part of your computer, your data, as the means of infection. For example, a document is created using a copy of Microsoft Word that has a macro virus -- the document then becomes infected with the same virus. The file is passed to you and you open the file in your copy of Word. The act of opening the file infects your copy of Word by infecting the "normal.dot" file, which contains macros and your Word preferences (default font, margins, etc.). Any Word files you now create or open become infected with the virus.

Macro viruses can also move between computing platforms, something that previous viruses didn't readily do. Traditional viruses couldn't move between computing platforms because the instructions that made up the low level system code were different across different computing platforms. Macro viruses can move between different computing platforms because the documents, which carry the infection, use the same file format on different computing platforms. The same feature that lets you use documents created in Word for Windows 95 with your Word for the Macintosh is what allows the virus to spread across different computers. Some macro viruses take this feature into account, including platform-specific instructions. For instance, MDMA includes instructions to damage Windows 3.X, Windows 95, and Macintosh.


How can I tell if my computer has been infected by a macro virus?

The primary indication that your computer has been infected by a macro virus is that your Word documents are being saved as templates. On Windows 3.x and 95, template files have a .dot extension. On the Macintosh, template files appear as regular Word documents except that they have an arrow on top of their icon. You may also notice system instability: illegal instructions in Windows 95, General Protection Faults in Windows 3.x, and System bombs on the Macintosh.

Another indication of infection is finding macro names other than the ones that you created or that are typically included with Word. However, some macro viruses disable access to the Tools, Macro dialog box to prevent you from seeing the additional macro names.

Depending on the macro virus, there may be other indications, from the obvious -- the Colors macro virus changes the Windows 3.x color scheme -- to the not so obvious -- the WAZZU virus randomly scatters the word "WAZZU" through infected documents. Some are more damaging -- MDMA deletes Windows 95 Control Panels, forcing you to reinstall Windows in order to repair the damage.


What can I do to prevent infection by a macro virus?

The easiest way to prevent infection by a macro virus is to install and use an anti-virus package. You should also make sure that you keep the anti-virus package current so you can deal with new viruses as they are discovered. ISC recommends Vi-Spy, current version 15.0, for use with DOS/Windows 3.x and Windows 95. Disinfectant, the currently supported anti-virus software for the Macintosh, does not detect or remove macro viruses.

ISC is currently evaluating Macintosh anti-viral packages that do detect and remove macro viruses, as well as the more traditional Macintosh viruses, and will have a recommended package soon.

In addition to using an anti-viral package, you may want either to disable macros or set up your system to warn you if one is loaded. This will prevent your computer from becoming infected by any new viruses that your package has not been updated to handle. You must decide for yourself if the potential benefit of being able to use macros outweighs the potential damage from macro viruses.

You cannot disable macros in Word 6.0 or 7.0, but you can write-protect the "normal.dot" file. A write-protected "normal.dot" file will generate an error message if a macro virus attempts to infect Word and your document. (Write-protecting the "normal.dot" file disables any attempt to change it.) In Word 97 you can choose to be notified if macros are included in a document that you are attempting to load: to do so, select Tools, Options, General, and then select Macro virus protection.
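
Write-protecting "normal.dot" can be paired with a record of what the clean file looked like, so that a change made while the file was writable is noticed later. The following Python code is an added example, not part of the original article or of any ISC tool; the file contents, the temporary path and the finding names are constructed for illustration.

```python
import hashlib
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH

def fingerprint(path):
    """Return the SHA-256 digest of the file, recorded while it is known clean."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_protect(path):
    """Clear all write bits; on DOS/Windows this sets the read-only attribute."""
    os.chmod(path, os.stat(path).st_mode & ~WRITE_BITS)

def audit_template(path, clean_digest):
    """Return findings for normal.dot: 'missing', 'writable', 'modified'."""
    if not os.path.isfile(path):
        return ["missing"]
    findings = []
    if os.stat(path).st_mode & WRITE_BITS:
        findings.append("writable")
    if fingerprint(path) != clean_digest:
        findings.append("modified")
    return findings

def demo():
    """Run the audit on a constructed stand-in for normal.dot (not a real template)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "normal.dot")
        with open(path, "wb") as f:
            f.write(b"constructed clean template contents")
        clean = fingerprint(path)
        before = audit_template(path, clean)      # fresh file is still writable
        write_protect(path)
        protected = audit_template(path, clean)   # read-only and unchanged
        # Simulate the read-only attribute being cleared and the file changed.
        os.chmod(path, os.stat(path).st_mode | stat.S_IWUSR)
        with open(path, "ab") as f:
            f.write(b" plus an unexpected macro")
        after = audit_template(path, clean)
        return before, protected, after

if __name__ == "__main__":
    print(demo())
```

Record the digest only from a copy of "normal.dot" that you know to be clean, and keep it somewhere other than the Word directory.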

Finally, the most extreme way to avoid macro viruses is not to use Microsoft Word at all. While there are macro viruses for word processors other than Word, none are as ubiquitous.

Macro viruses are problematic, but with the right tools and an understanding of how and why macro viruses work, you can prevent them from damaging your data and disrupting your work.


CAROLINE FERGUSON is a Consultant, ISC Client Services Group; WILLIAM COUTURE is a Consultant, RG Software Systems, Inc.