In Command Newsletter Summer/96, Page 3
Evaluating the Spread of Macro Viruses: One Year Later

Since late last summer, virus experts have noticed an alarming new trend in the type and number of viruses being reported as spreading "in the wild". Macro viruses, so named because they are written with and spread through the powerful macro languages of applications such as Microsoft Word or Excel (see page 8), are being reported "in the wild" with increasing frequency. What makes these viruses so problematic, and how can they best be detected and disinfected?

What is a Macro?

The theoretical description of a new virus written using a macro language such as WordBasic was first advanced in the late 1980s. A macro is a series of commands or instructions which can be grouped together into a single command. Macros are essentially mini-programs that can carry out and follow lists of instructions, usually saving a user keystrokes or repetitive tasks. The abilities of the macros are limited to the functions provided by the macro language. The power of the macro environment gives the program user the ability to automate many tasks, including file management, from within applications such as MS Word or Excel.

Unlike conventional DOS executables, which consist of machine code instructions carried out directly by the CPU, WordBasic macros are interpreted within MS Word. While standard DOS executable files (a subject complex enough for an article in its own right) are generally files with extensions like EXE, COM, and BAT, any Word document (more correctly, document template) can contain both data and executable code.

The Virus Connection

For responsible Word users, macros can be of great use. WordBasic is a powerful tool, and can accomplish many tasks, including altering files, copying files, and executing other programs. But what makes this macro language so powerful is also what makes it a prime vehicle for viruses. Macro viruses challenge two previously held assumptions about computer viruses: that they only spread through traditional executable files (EXE, COM) and boot sectors, and that they are generally not cross-platform.

Viruses can now infect documents

A Word macro virus is a macro (list of instructions) or template file (usually with the .DOT extension) which masquerades as a legitimate MS Word document (usually with the extension *.DOC). An infected *.DOC file usually does not look any different to the average PC user, as it can still contain a normal document. The difference is that this document is really just a template or macro file, with instructions to replicate, and possibly cause damage. This unique characteristic of macro viruses forces a redefinition of two previous assumptions about viruses: that infectable executable files end in EXE or COM, and that you'll never get a virus through a document. Word macro viruses can be spread through harmless-looking e-mail attachments, through Read-Me.DOC files, or through any infected Word document! Reading infected documents with anything other than a copy of MS Word will not activate the infection, however (see Tech Tips, page 5).
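The following Python example is added here and is not part of the original newsletter. It reads the template flag (fDot) from the File Information Block at the start of a Word file's WordDocument stream and reports a template saved under a non-template name such as *.DOC. It assumes the stream has already been extracted from the file's OLE container; the function names and sample bytes are constructed for illustration.

```python
import struct
from pathlib import PurePath

# wIdent magic values found at offset 0 of the WordDocument stream
WORD_MAGIC = {0xA5DC: "Word 6.0/95", 0xA5EC: "Word 97 or later"}
F_DOT = 0x0001  # bit 0 of the flag word at offset 10: file is a template


def inspect_fib(stream: bytes) -> dict:
    """Decode the fixed fields at the start of a WordDocument stream."""
    if len(stream) < 12:
        raise ValueError("stream too short to hold a FIB header")
    w_ident, n_fib = struct.unpack_from("<HH", stream, 0)
    (flags,) = struct.unpack_from("<H", stream, 10)
    if w_ident not in WORD_MAGIC:
        raise ValueError(f"not a Word binary stream (wIdent=0x{w_ident:04X})")
    return {"format": WORD_MAGIC[w_ident], "nFib": n_fib,
            "is_template": bool(flags & F_DOT)}


def triage(filename: str, stream: bytes) -> str:
    """Compare the file's extension with what its header says it is."""
    info = inspect_fib(stream)
    ext = PurePath(filename).suffix.lower()
    if info["is_template"] and ext != ".dot":
        # The masquerade described above: a template (the only place
        # WordBasic macros can live) presented as an ordinary document.
        return "SUSPICIOUS: template stored under a non-template extension"
    if info["is_template"]:
        return "template: may carry macros, scan before opening in Word"
    return "plain document: no template flag set"


def make_fib(flags: int, w_ident: int = 0xA5DC) -> bytes:
    # Constructed sample header: wIdent, nFib, nProduct, lid, pnNext, flags
    return struct.pack("<6H", w_ident, 101, 0, 0x0409, 0, flags) + b"\x00" * 20


if __name__ == "__main__":
    samples = [("README.DOC", 0x0001), ("REPORT.DOC", 0x0000),
               ("NORMAL.DOT", 0x0001)]  # constructed file names and flags
    for name, flags in samples:
        print(f"{name:12} -> {triage(name, make_fib(flags))}")
```

A set template flag is a reason to scan the file, not proof of infection, since legitimate templates carry the same flag.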

Viruses can now spread among operating systems

A fundamental property of all viruses is that of replication. Word macro viruses can spread in most cases to any MS Windows environment or any operating system that runs a compatible copy of MS Word, including OS/2 and Macintosh. These viruses do not spread via modification of executable machine code, but by modification of data in files that are interpreted by the Microsoft Word program and any other versions of Word which support macros and WordBasic. This makes macro viruses potentially multi-platform/multi-OS file infectors.

Some macro viruses whose payloads have no effect on a Mac (PC emulators excepted) will nevertheless replicate on a Mac unless they use one of the relatively few WordBasic functions specific to Windows in the infection/replication routine. An unsuspecting Macintosh owner could become a viral incubator for macro viruses with PC-only payloads.

What makes the spread of macro viruses all the more insidious is the combination of document infection and cross-platform replication. Documents are the most commonly transferred file type - their paths can include e-mail, diskette transfer, Internet or On-line service download, etc. Users must not only learn to protect their own data in new ways, but must also learn to be suspicious of what were once considered "safe" transfers of data from others.

Detection and Disinfection Options

The first line of defense against macro viruses should be to acquire a reputable anti-virus product such as F-PROT Professional, which can detect and disinfect macro viruses.

Next, consider how you can block security holes. If a large-scale outbreak should take place at your place of business, how would your anti-virus team handle the pressures of infection? Do you have a comprehensive plan to deal with virus attacks? Consult our feature, "Managing and Planning to Avoid Virus Attacks" on page 5, for tips and recommendations on securing your home or business.

Finally, continue to educate yourself on developments in computer security, including new virus threats. As experts learned with the introduction of the macro virus last year, preparation can be the key to prevention. By testing theories, years in advance, about how a macro virus could be attacked, virus experts were able to fend off the inevitable first wave of infections. The anti-virus industry is constantly changing in response to new virus threats, debating and evaluating theories about how new viruses might be created and how to combat them. It is critical for system administrators to stay abreast of this ever-changing climate; preparation will make the difference in preventing a company-wide disaster.

Acknowledgements

Acknowledgments go to the sources below for help in providing information for this article:
Sarah Gordon, Dr. Richard Ford, Microsoft.


For More Information

For more information on macro viruses, and viruses in general, point your World Wide Web browser to these URLs:

