Handbook of Information Security Management:Computer Architecture and System Security



Macro Viruses

Viruses do not need to be written in assembly code or in a higher-level language such as C; any instruction set will do. Ask anyone who has worked with macros in programs such as 1-2-3, Excel, WordPerfect, or Word, and you will discover that these work just like a programming language. As macros evolved from their origins in 1970s word processing (storing multiple keystrokes under one key) to early-1980s spreadsheets (enabling complex menu branches of conditional commands), they acquired a vital ingredient for virus making: automatic execution.

Of course, the purpose of automated operation was to enable the creation of easy-to-use, macro-driven applications for less-experienced users. In the mid to late 1980s this became a major activity within some organizations. Macro power increased, driven by power users of programs like 1-2-3 who worked hard to reduce complex operations, such as invoicing, to simple macro menus. Macros acquired the ability to execute operating system commands and further extended their power in the early 1990s when software designers introduced cross-application macro languages, such as WordBasic. The result is a class of computer file which appears at first to be a data file, but which may actually contain a program of macro commands.

This further blurred the distinction embodied in the oft-repeated advice that “your computer cannot be infected by a document” and “you can only be infected by programs.” These statements only remain true if we carefully define documents to exclude those containing macros (and any other pseudo-language such as PostScript, which can trigger hardware events when transmitted to a printer) and define programs to include executable code in the widest sense (including ANSI codes, which could execute some unwanted actions if placed in E-mail that was displayed in text mode).

Ironically, Microsoft’s domination of the software market in the mid 1990s provided the final ingredient for a “document” virus outbreak: a universal, cross-platform application, Microsoft Word. In late August of 1995 people learned that there was a dark side to the compatibility benefits of a de facto standard for word processing. A new virus came to light, capable of being spread through the exchange of Microsoft Word documents. The virus, named Winword.Concept, replicates by adding internal macros to Word documents. If the virus is active on a system, an uninfected document can become infected simply by opening it and saving it using the “File Save As” menu option. Although Winword.Concept does not cause any intentional damage to the system, some users have reported problems when saving documents.

The macro virus becomes active when you open an infected document, via Microsoft Word’s “AutoOpen” macro, which Word runs automatically each time a document containing it is opened. If you open an infected document with Word, the first thing the macro virus does is check the global document template, typically NORMAL.DOT, for the presence of a macro named either PayLoad or FileSaveAs. If either macro is found, the routine aborts and the global document template is not infected. If neither is found, several macros are copied to your global document template. While the macros are being copied, a small dialog box with an “OK” button appears on the screen; its only text is the number “1”, and its title bar identifies it as a Microsoft Word dialog box. This dialog is shown only during the initial infection.

Once these macros are added to the global document template, they replicate by means of the virus’s own version of the FileSaveAs command, which takes the place of Word’s. Consequently any document saved using File Save As will contain the macro virus, and another user need only open that document to become infected. This can even happen while you are online to the World Wide Web, if your Web browser is configured to use Word as the viewer for DOC files (the remedy is to use a viewer program such as Word Viewer instead, as described later in this chapter). Note that the “PayLoad” macro contains only the following text:

Sub MAIN
      REM That’s enough to prove my point
End Sub

However, “PayLoad” is never executed. Because of the flexibility of Microsoft’s WordBasic macro language, almost anything could be performed here, including deleting files or issuing other potentially damaging operating system commands. Also note that Word is available in many different languages, and in some versions the macro language commands have been translated as well. Macros written with the English version of Word will therefore not run in, for example, the Finnish version of Word, and users of such a national version will not be infected by this virus. However, opening an infected document in a translated version of Word produces no errors, and the infection stays intact even if the document is re-saved. Under these circumstances you should check for the presence of the virus in any case, so as not to spread infected DOC files further.

There are some preventative measures built into Word that are supposed to control automatic macros. For example, the Word for Windows manual states that if you hold down Shift while double-clicking the Word icon in Program Manager, Word will start with file-related “auto-execute” macros disabled. This ought to inhibit macro viruses such as WinWord.Nuclear, which depend on automatic macros, but many users have found that it does not work. They also found that starting Word with the command line WINWORD.EXE /m, which is supposed to achieve a similar effect, failed as well, as did holding down Shift while opening a document to disable any automatic macros in that file. Furthermore, many companies have invested a lot of development time in automatic Word macros that automate routine tasks, so switching automatic macros off across the board is often not an option. The best strategy for preventing infection is therefore to scan all incoming documents. All products that achieve the NCSA’s antivirus certification (listed at www.ncsa.com) are capable of spotting macro viruses.
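The infection path described above (AutoOpen checking NORMAL.DOT for a PayLoad or FileSaveAs macro, the one-off “1” dialog, the virus’s FileSaveAs spreading into every file saved afterwards, translated versions of Word carrying the macros without running them, and the viewer and scanning remedies) can be exercised as a small model. The following Python is an added example, not code from the handbook or from Microsoft: the Document and WordSession classes, the runs_macros and english_commands flags, and the macro set limited to the three names the chapter gives (the real virus carries more) are assumptions of the model. It goes one step beyond the chapter’s text: because the virus aborts whenever NORMAL.DOT already holds a macro named PayLoad, planting a harmless macro of that name in the template blocks the template infection, and the inoculate helper shows that consequence.

```python
from dataclasses import dataclass, field

# Macro names the chapter attributes to Winword.Concept. The real virus carries
# more macros than the chapter names; this set is an assumption limited to those.
CONCEPT_MACROS = frozenset({"AutoOpen", "FileSaveAs", "PayLoad"})


@dataclass
class Document:
    """A Word file: its name plus the names of the macros stored inside it."""
    name: str
    macros: set = field(default_factory=set)


def infected_document(name: str) -> Document:
    """Constructed sample input: a document carrying the Concept macros."""
    return Document(name, set(CONCEPT_MACROS))


def carries_concept(doc: Document) -> bool:
    """Name-based check of the kind a scanner applies to an incoming file."""
    return CONCEPT_MACROS <= doc.macros


@dataclass
class WordSession:
    """Simplified model of one running copy of Word (an assumption, not Word's API).

    runs_macros      False models a viewer program that never executes macros.
    english_commands False models a localised Word whose WordBasic commands are
                     translated, so macros written for the English version do not run.
    """
    normal_dot: Document
    runs_macros: bool = True
    english_commands: bool = True
    dialogs: list = field(default_factory=list)

    def _macros_run(self) -> bool:
        return self.runs_macros and self.english_commands

    def open(self, doc: Document) -> Document:
        """Opening a document fires its AutoOpen macro, if this Word will run it."""
        if "AutoOpen" in doc.macros and self._macros_run():
            self._concept_auto_open(doc)
        return doc

    def _concept_auto_open(self, doc: Document) -> bool:
        """The virus's AutoOpen: infect NORMAL.DOT unless it already looks infected."""
        template = self.normal_dot.macros
        if "PayLoad" in template or "FileSaveAs" in template:
            return False                      # abort: template left untouched
        template |= doc.macros & CONCEPT_MACROS
        self.dialogs.append("1")              # the one-off dialog whose only text is "1"
        return True

    def save_as(self, doc: Document, new_name: str) -> Document:
        """File Save As. Macros stored in the document survive a re-save; if the
        virus's FileSaveAs lives in NORMAL.DOT and runs, it infects the new file too."""
        new_doc = Document(new_name, set(doc.macros))
        if "FileSaveAs" in self.normal_dot.macros and self._macros_run():
            new_doc.macros |= self.normal_dot.macros & CONCEPT_MACROS
        return new_doc

    def template_infected(self) -> bool:
        return CONCEPT_MACROS <= self.normal_dot.macros


def inoculate(template: Document) -> None:
    """Plant a harmless macro named PayLoad so the virus's AutoOpen aborts."""
    template.macros.add("PayLoad")


def run_scenarios() -> dict:
    """Four situations from the chapter, returned as scenario name -> outcome."""
    results = {}

    # 1. Clean English Word opens an infected document twice, then saves a new file.
    word = WordSession(Document("NORMAL.DOT"))
    word.open(infected_document("memo.doc"))
    word.open(infected_document("memo.doc"))           # second open: no second dialog
    saved = word.save_as(Document("letter.doc"), "letter2.doc")
    results["clean_word"] = (word.template_infected(), len(word.dialogs), carries_concept(saved))

    # 2. NORMAL.DOT inoculated with a dummy PayLoad macro before the infected file arrives.
    template = Document("NORMAL.DOT")
    inoculate(template)
    word = WordSession(template)
    word.open(infected_document("memo.doc"))
    saved = word.save_as(Document("letter.doc"), "letter2.doc")
    results["inoculated"] = (word.template_infected(), len(word.dialogs), carries_concept(saved))

    # 3. Localised Word: the macros never run, but the re-saved file stays infected.
    word = WordSession(Document("NORMAL.DOT"), english_commands=False)
    resaved = word.save_as(word.open(infected_document("memo.doc")), "memo2.doc")
    results["localised_word"] = (word.template_infected(), carries_concept(resaved))

    # 4. A viewer program that does not execute macros at all.
    viewer = WordSession(Document("NORMAL.DOT"), runs_macros=False)
    viewer.open(infected_document("memo.doc"))
    results["viewer"] = viewer.template_infected()
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately tracks macros by name only, which is exactly why the localised-Word case matters: a document can carry the complete virus through a system that never runs it, so the scanning step has to look at the file, not at whether anything happened when it was opened.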

