Norman Data Defense Systems Addresses

Background
The first macro virus was discovered in August, 1995, and since then it
has been referred to by many different names: Prank virus, Word Prank
Macro, Concept virus, and WordMacro.Concept virus. The anti-virus
community, including Norman, has standardized on the name
"WordMacro.Concept".

WordMacro.Concept has been getting its fair share of attention, and
rightly so. In the past, computer viruses have infected executable code
(i.e., either binary files or boot sectors). WordMacro.Concept,
however, infects non-executable files: document files. Because
document files are exchanged more often than executable code,
WordMacro.Concept is widespread on the Internet and within
organizations.

In theory, it is possible for viruses to be written for any application
that has a built-in macro programming language. In fact, there is a
macro virus called ExcelMacro.DMV, designed to demonstrate how simple
it is to construct a macro virus for Microsoft's Excel application.
This article, however, focuses on macro viruses that infect Microsoft
Word documents.

WordMacro.Concept is harmless; it does not contain any destructive
code. Some facts:

*       it is platform independent (i.e., it functions in Word 6.x for
Windows 3.x, Word 6.0+ for the Macintosh, Word 7.0 for Windows 95, and
Word 6.0 for Windows NT).

*       the source code is available, and therefore, variants of
WordMacro.Concept will surely appear.

Even though WordMacro.Concept does not do any harm, the ease with which
it spreads (a consequence of its host being document files) and the
ready availability of its source code to hackers make it a high
security risk. Therefore, WordMacro.Concept and other macro viruses
must be viewed seriously.

Other Word Macro Viruses

By November, 1995, 4 macro viruses and 1 trojan macro had been
discovered. All are based on the WordBasic macro programming language.
However, we have reason to believe that there are considerably more
macro viruses in existence.

Half of the known macro viruses function in all national language
versions of Word, and the other half contain infectious code that only
propagates in English versions (including UK and Australian) of Word.
Note: Even though some macro viruses do not, for technical reasons,
propagate to uninfected documents in non-English versions of Word, some
macros may still be executed when an infected document is opened in a
non-English version of Word. Therefore, it is important to be aware of
macro viruses even if you are running non-English versions of Word.

Following are short descriptions of the 4 macro viruses and the trojan
macro:

1.      WordMacro.Concept:
*       See description above.
*       Propagates only in English versions of Word.

2.      WordMacro.Nuclear:
*       Contains the following macros: AutoExec, AutoOpen, DropSuriv,
        FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload,
        Payload
*       Contains destructive code. Under certain circumstances, it will:
        1.      attempt to drop a DOS virus (PH33R)
        2.      overwrite IO.SYS and MSDOS.SYS
        3.      delete COMMAND.COM from the root directory
        4.      add these text lines at the end of the document being printed:
                "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING
                IN THE PACIFIC!"
*       Is encrypted.
*       Propagates only in English versions of Word.

3.      WordMacro.DMV:
*       Contains the following macro: AutoClose
*       Does not contain destructive code.
*       Was developed as an example of how simple it is to create a virus
        using WordBasic.
*       Source code is available.
*       Propagates in all national language versions of Word.

4.      WordMacro.Rainbow:
*       Is the most recently reported macro virus.
*       At this time, we are not completely sure of the virus's
        characteristics.
*       It seems to contain code to manipulate the color settings
        (foreground, background, and borders) in Word.
*       We do not yet know if the virus contains destructive code.
*       Propagates only in English versions of Word.

5.      WordMacro.Trojan.FC:
*       Contains the following macro: AutoOpen
*       Contains destructive code: when an infected document is opened in
        Word, the AutoOpen macro executes, starts a DOS session, and types
        FORMAT C: /U. In addition, when DOS asks if you really want to format
        drive C:, the macro will answer "yes" automatically. Note: If NVC.SYS
        is running, the trojan's attempt to format will be stopped near the
        end of the formatting process. Since this happens in Windows, you
        will hear NVC.SYS's beep (if the beep has not been disabled) as a
        warning, NVC.SYS will interrupt the format, and your C: drive will
        be intact.
*       Is encrypted.
*       Propagates in all national language versions of Word.
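The descriptions above share one pattern: each virus carries an auto
macro (AutoOpen, AutoClose, AutoExec) that runs without the user asking,
and the infectious ones also carry a macro named after a built-in Word
command (FileSaveAs, FilePrint, FileExit) so that Word's own command is
replaced. A first-pass triage of a document's macro list can be built on
that pattern. The following Python script is an added example, not
Norman's code; it assumes the macro names have already been read off the
document by other means (the macro dialog, an OLE parser), uses only the
macro names given on this page for its known profiles (Concept's macro
list is not given here, so it has no profile), and the document names and
macro lists at the bottom are constructed sample input.

```python
"""Triage the macro names found in Word documents against the macro-virus
profiles described in this article.

Added example, not Norman's code. It assumes the macro names have already
been extracted from each document by other means; the inventory at the
bottom is constructed sample input, not real documents.
"""
from dataclasses import dataclass

# Macros that Word 6/7 runs on its own when the event occurs. No user action
# is needed, which is why every virus on the page carries at least one.
AUTO_MACROS = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit"}

# A macro named after a built-in Word command replaces that command. This is
# a partial list: the four names from the article plus a few other Word 6
# built-in commands.
BUILTIN_COMMANDS = {"FileSaveAs", "FilePrint", "FilePrintDefault", "FileExit",
                    "FileSave", "FileOpen", "FileNew", "FileClose", "ToolsMacro"}

# Macro names as reported on the page. Variants can rename their macros, so a
# profile match is a hint, not proof.
KNOWN_PROFILES = {
    "WordMacro.Nuclear": {"AutoExec", "AutoOpen", "DropSuriv", "FileExit",
                          "FilePrint", "FilePrintDefault", "FileSaveAs",
                          "InsertPayload", "Payload"},
    "WordMacro.DMV": {"AutoClose"},
    "WordMacro.Trojan.FC": {"AutoOpen"},
}


def _key(name):
    # Word treats macro names case-insensitively, so compare that way.
    return name.strip().lower()


AUTO_KEYS = {_key(n) for n in AUTO_MACROS}
BUILTIN_KEYS = {_key(n) for n in BUILTIN_COMMANDS}


@dataclass
class Verdict:
    document: str
    auto_macros: list        # macros that run without the user asking
    hijacked_commands: list  # macros that replace built-in Word commands
    profile_matches: list    # known profiles whose every macro name is present
    risk: str                # "clean", "review" or "suspicious"


def triage(document, macro_names):
    names = {_key(n): n.strip() for n in macro_names if n.strip()}
    auto = sorted(names[k] for k in names if k in AUTO_KEYS)
    hijacked = sorted(names[k] for k in names if k in BUILTIN_KEYS)
    matches = sorted(profile for profile, macros in KNOWN_PROFILES.items()
                     if all(_key(m) in names for m in macros))
    # An auto macro gets code running when the document is opened; a hijacked
    # FileSaveAs (or similar) is what lets that code copy itself into other
    # documents. Both together is the propagation pattern, so it is rated
    # suspicious on its own. A multi-macro profile match is strong evidence;
    # a single-name match (AutoOpen alone) also occurs in benign templates
    # and only warrants review.
    strong_match = any(len(KNOWN_PROFILES[p]) > 1 for p in matches)
    if strong_match or (auto and hijacked):
        risk = "suspicious"
    elif auto or hijacked or matches:
        risk = "review"
    else:
        risk = "clean"
    return Verdict(document, auto, hijacked, matches, risk)


def triage_inventory(inventory):
    """inventory: list of (document, [macro names]) pairs; one Verdict each."""
    return [triage(doc, macros) for doc, macros in inventory]


# Constructed sample inventory (document names and macro lists are made up).
SAMPLE_INVENTORY = [
    ("budget.doc", []),
    ("memo.doc", ["AutoOpen"]),
    ("report.doc", ["autoopen", "FileSaveAs", "PrepareDocs"]),
    ("letter.doc", ["AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                    "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"]),
]

if __name__ == "__main__":
    for v in triage_inventory(SAMPLE_INVENTORY):
        print(f"{v.document:12} {v.risk:10} auto={v.auto_macros} "
              f"hijacked={v.hijacked_commands} profiles={v.profile_matches}")
```

The point of the rating rules is the one the article makes about
variants: since the source code is available and names are easy to
change, a scanner that only looks for the exact Nuclear or Concept macro
names will miss the next variant, whereas the combination of an auto
macro with a replaced File command survives renaming of everything else.
A document rated "review" (a lone AutoOpen, for instance) still needs a
person to look at the macro body before it is declared clean.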

Consequences

As a result of the new open system architecture used in modern
applications, macro viruses have been able to constitute a new security
threat. Because there are few built-in security mechanisms in open
applications at this time, macro viruses can easily be spread via
networks, diskettes, external databases, and e-mail. Either there are no
specific limitations in these systems or there are a number of backdoors
that enable saboteurs to work around them.

Macro viruses will have a large impact on:
*       Anti-virus product developers. Macro viruses are a new area for
       R&D to tackle.
*       Security measures in all businesses, government agencies, and private
       households that use computers.

Many people have been asking us if there is anything they can do to
protect themselves. The answer lies in technical countermeasures. You
must either use open systems and spend money on security measures or
you must use solutions that are less open. Examples of less open
systems include:
*       denying access to Internet and e-mail
*       denying access to macros in software that contains a macro
        programming language
*       running diskless workstations, and so on

In either case, security personnel and management must be made aware of
this new security threat, and resources must be placed on implementing
countermeasures and on properly training the user community.