MS Word Macro Virus - Real, but Don't Freak Out!
by Paul Ducklin, Sophos, Plc (24 Aug 1995)

As many of you will know, there's a Microsoft Word macro virus out there
(variously known as "Winword.Concept", "WW6Macro" and "Prank Macro") that has
apparently made it into the wild. The idea of macro-language viruses is not
new -- indeed, AFAIR, Prof H. J. Highland, editor of Computers & Security,
demonstrated the possibility under Lotus 1-2-3 several years ago.
What is new is that this Word macro virus seems to be in the wild, and that
it seems to be driving people wild. Certainly, news wires are abuzz. If we
believe what we're told, it's the End Of Computing As We Know It (again :-).

The concept is obvious, and has been much discussed. Most products can read
and write data files; some allow their data files to contain programmatic
commands that would more typically be typed at the keyboard or issued with a
mouse. The idea is that when you load a data file with a "command script" or
"macro" in it, you can carry out a whole sequence of program functions
automatically -- rather than having to type them in over and over again.

Many programs with macro support allow their macros to access a substantial
range of functions, such as opening, manipulating and closing files -- or even
issuing direct operating system commands. Some macro systems go even further
-- they allow macros to be mixed with regular data files, and they define
special types of macro (typically identified by a predefined name, or
position) which will automatically be fired up when a file is loaded or the
system is started. DOS has such a system -- no prizes for guessing where the
name AUTOEXEC.BAT comes from.

No prizes, either, for working out that data-file + macro-language +
autoexec-of-special-macros is a formula which works out to a security
nightmare. Viruses, Trojan Horses, modification-of-service attacks -- all are
remarkably possible in such an environment.

MS Word 6.0 has a particularly rich macro language (WordBasic), and a number
of "macro hooks" whereby an unsuspecting user can be lured into executing a
hitherto unseen and unknown macro simply by loading a document. This is how
Winword.Concept works -- we leave the actual details as an exercise to the
reader, for safety's sake.

Winword.Concept is obvious, and easy to handle. Most anti-virus software users
should be able to contact their vendor for help on how to detect and clean it
up. There is a bigger issue, though, which you would do well to address
now. Ask yourself if you are aware of any "automatic macro" facilities
in the software your organisation uses. And ask yourself if you know how to
control the operation and scope of these facilities.

For example, if you're a WinWord user, did you know that:

     a document can contain a macro which will usually be
     executed transparently and automatically when that document is opened?

     a macro, once running, can make changes to a set of global macros that
     may end up being transparently included in many or all documents
     created in the future?

     there are numerous "automatic" triggers in addition to the document-open
     one that malicious macro code might exploit?

You can see the risk here. You may know, or be told, though, that:

     holding down Shift whilst opening a document will inhibit the
     invocation of its automatic document-open macro.

     Tools/Options/Save includes an option ("Prompt to save NORMAL.DOT")
     which will make transparent changes to your global macros less likely.

     you can instruct WinWord, when you load it, to switch off
     "automatic" macros altogether, by loading it with the command
     "WINWORD.EXE /mDisableAutoMacros", or by holding down the Shift key as
     you fire it up.

You may also, like me, try out these fixes and discover that the first and
last don't actually seem to work as suggested! There is a good trick for
WinWord, however: create yourself a global AutoExec macro (this is run when
Word starts up) that looks like this:

     Sub MAIN
         DisableAutoMacros
         MsgBox "Auto Macros are turned off", "Safety First!", 64
     End Sub

WinWord.Concept -- and other malware based on AutoOpen -- will not work if
you do this.
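
To see which automatic macros are already present in your global template or in the document you have open, a small audit macro helps. The WordBasic below is an added example, not part of the original article and not vendor code. It assumes Word 6 with a document open; IsAutoMacro and Place$ are helper names made up for this example, and the five names checked are WordBasic's standard automatic macros.

```wordbasic
' Added example: list automatic macros visible to Word.
' Context 0 = global template (NORMAL.DOT), 1 = active template.
Sub MAIN
    Report$ = ""
    For Ctx = 0 To 1
        For i = 1 To CountMacros(Ctx)
            m$ = MacroName$(i, Ctx)
            If IsAutoMacro(m$) Then
                Report$ = Report$ + Place$(Ctx) + ": " + m$ + Chr$(13)
            End If
        Next i
    Next Ctx
    If Report$ = "" Then Report$ = "No automatic macros found."
    MsgBox Report$, "Auto macro audit", 64
End Sub

' Returns -1 (true) if m$ is one of the automatic macro names.
Function IsAutoMacro(m$)
    u$ = UCase$(m$)
    IsAutoMacro = 0
    If u$ = "AUTOEXEC" Or u$ = "AUTOOPEN" Or u$ = "AUTONEW" Then IsAutoMacro = - 1
    If u$ = "AUTOCLOSE" Or u$ = "AUTOEXIT" Then IsAutoMacro = - 1
End Function

' Short label for the context being listed.
Function Place$(Ctx)
    If Ctx = 0 Then
        Place$ = "Global"
    Else
        Place$ = "Active"
    End If
End Function
```

Once the AutoExec macro above is installed, expect it to appear in the report as "Global: AutoExec"; any other entry you did not create yourself deserves a look.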

Control is in your hands. Don't panic. Take the opportunity to learn more
about features of the software you use, to test and verify any security
features you plan to utilise, and then to configure accordingly. Don't
treat this new Word virus as a nightmare; use it as an opportunity to take
stock, and to learn.