It has been over two years since Concept was unleashed
upon an unsuspecting world. In that time, Word Macro viruses
have become the most prevalent virus threat to organizations.
Multitudes of "buy my macro antivirus" solutions are
available. But let's start with things you can do for free.
Ultimately, these are going to be the most effective since they
don't cost extra money.
This paper will discuss the pros and cons and
where and how to use some of the free macro antivirus techniques.
The techniques to be discussed include: Word's own "Prompt
to Save Normal.dot", making your NORMAL.DOT read-only, using
the shift keys, disabling automacros, keeping a backup of NORMAL.DOT
and checking against it, as well as methods against Excel viruses.
The paper ends with the author describing the methods he actually
uses to protect himself in his day-to-day work against macro
viruses.
[Bold text represent text shown on the screen or text to be typed in as is.]
[Italicized text represent file names. Generally,
this means you can replace the name.]
Macro viruses can exist for any product that gives the user
the ability to write macro code which can write to disk and so
propagate more macros. The platform with the most viruses present
is Microsoft's Word for Windows. Viruses spread most easily in
this environment because documents can contain both text and
macros. But by combining text and macros, the user gains much
more power and many more usability features. The two go hand in
hand: more power to the user, more potential for macro viruses.
As it is Microsoft's intention to provide the former, we will all
have to contend with macro viruses for a very long time.
Excel, also by Microsoft, is afflicted similarly.
Excel macro viruses came after the Word macro virus. The same
dynamics that affect Word also affect Excel. Excel also uses
OLE2 container files, which hold the macros and all of the cell
functions and data in the same file.
When Office97 came along, all the macro languages
converged upon Visual Basic 5 (VB5), making cross-application
viruses a theoretical possibility. This makes the possibility
of macro viruses for other platforms only a matter of time, especially
as more and more vendors independently support VB5.
1.1 Word Macro Viruses
Viruses are defined by their ability to spread.
A Word macro virus spreads easiest when it intercepts the macro
execution path by making use of one or more of Word's AUTO macros,
or by using a menu replacement. Then it places itself into the
global environment, for instance by updating the normal.dot
file.
Most of the approaches below target that scenario.
2.0 Microsoft's First Suggestions
In the summer of 1995, Microsoft unleashed Concept.A
upon the world. The world, the antivirus companies, and Microsoft
were not prepared for this. Microsoft came forth with the following
suggestions.
2.1 Prompt to Save Normal Template
Prompt to Save Normal Template
is an option available from within Word. Microsoft made this
option the first macro virus prevention method when it suggested
its use against Concept.A. To activate the option, click on Tools
then Options... Then choose the Save tab.
About the middle, on the left, check Prompt to Save Normal
Template.
As noted above, a virus must spread. This is most
easily accomplished by getting into the global environment. The
global environment is represented by the file normal.dot.
If a virus attempts to alter normal.dot and this option
is in use, Word will inform you that there is a request to change
the Normal Template as you attempt to exit. At this time, you
can respond that you do not wish to allow such a change. Presumably,
the user would know of any intentional changes and presumably,
know the right answer.
But, even with this option in use, it is possible
to open an infected file and infect the environment. The warning
does not occur until exit from Word. Thus any documents opened
and saved after the initial infected document will also be infected.
Section 4.1 Read-Only Normal.dot discusses further how to
discover that one has been infected during the day, and what to
do about it. That discussion applies here because the benefits
derived from setting Prompt to Save Normal Template are similar
to those of making the normal.dot file read-only. The primary
differences between the two are, first, that the option within
Word is easy to turn off, and many viruses have already
incorporated the instruction to do so. Second, this is an option
from within Word and is activated prior to the attempt to write
to normal.dot.
However, no law prevents the use of both! And since
they're both free and don't conflict, why not?
PRO:
Easy to set.
Commands required to set this feature can be automated.
Protects against some of the most widespread in-the-wild viruses,
like Concept.A, Wazzu.A, and NPad.
CON:
Easy for virus to turn off.
Does not inform until AFTER infection. All documents accessed after the infected document in that session will be infected.
Any benefit achieved is a subset of 4.1 Read-Only
Normal.dot.
The second suggestion supplied by Microsoft was to
create a Payload macro. I'm not going to give this any
further dignity by even telling you how to do this.
PRO:
Protects against Concept.A.
CON:
Does little else.
This suggestion showed that those unfamiliar with
the antivirus industry would be doomed to repeat many of the same
mistakes that were made in its infancy. This technique targets
just one virus. The AV industry was born of similar suggestions.
But it soon learned this was not a viable long-term solution.
ScanProt is a macro package
written by Microsoft. Its original intention was to protect against
Concept.A and to provide a mechanism for users to be alerted if
any incoming document had macros.
The objectives were noble and have since been incorporated
directly into the product in versions 7.0a and Word 97.
Unintended, though, was the misfortune of various
ScanProt macros being absorbed into spreading viruses. This causes
a "mating" between an existing virus and ScanProt
and unfortunately produces a new virus variant.
As AntiVirus producers, we endeavor to solve users'
problems without creating new ones. The scenario involving ScanProt
macros and the creation of new viral variants makes it something
we cannot recommend, even with its virtues.
Another action undertaken by ScanProt is to rename
macros associated with viruses to alternative names. As such,
it makes viruses non-functional. It also makes them irremovable
by some antivirus products.
PRO:
Protects against Concept.A.
Alerts if any macros exist in document.
CON:
ScanProt macros have been absorbed into many viruses and now spread as part of the virus.
Note: The best features have been incorporated directly
into Word 7.0a and Word97.
3.0 Methods Provided by Word
A number of things provided by Word can be used to
lessen the chance or slow down the spread of viruses.
The shift key (either shift key will work) allows
for a file to be opened without allowing any AUTO* macros to execute.
This will prevent viruses that use the AutoOpen macro in order
to spread. Similarly, if held down at exit, the AutoClose macro
will not be executed.
In order to correctly make use of this feature, one
must be holding down either shift key at the moment Word is activated.
So, be sure to be holding the key down with one hand while the
other hand is double-clicking the Word icon. It might seem obvious,
but it's not an easy thing to do, even if you remember to. The
shift key must be held down for the duration of Word's startup
process. Letting go early may allow a macro to execute.
PRO:
Allows opening and closing documents without activating
the AutoOpen or AutoClose macros.
CON:
Easy to forget to do.
Only stops AUTO macros when you remember to hold down the shift key.
All other macro replacements are still in place and will still infect.
Requires too much coordination and constant reminder to make use of it.
Benefits are a subset of DisableAutoMacros.
Sometimes it doesn't work. And when it doesn't,
you won't know and it'll be too late.
3.2 Menu Choices within Word
Macro viruses are macros. Macros are separate from the text and
are not seen unless one goes looking for them. The most common
way to check for macros would be through Tools/Macro.
Unfortunately, viruses can intercept menu items, and the most
commonly intercepted function is ToolsMacro. This makes it unwise
in a suspect situation to use Tools/Macro to determine if macros
exist in documents.
In section 3.4 Customized Tools/Macro, you will be shown
how to create your own replacement to Tools/Macro.
Meanwhile, it is safe for you to view macros in document
files through the use of the Organizer function. The Organizer
can be reached through either File/Templates/Organizer or
Format/Styles/Organizer, or through a menu item of your own
created following the instructions in section 3.4.
To see if macros exist in a document file without
being affected by them, exit and restart Word without opening
any documents. If you suspect that the normal.dot file
or the startup environment may be infected, rename normal.dot
and rename all the document files in the startup directory
to extensions other than DOC or DOT so that Word can be started
in a pristine state. Only a Word started this way can be trusted
to show you the contents of a suspect file without a virus
interfering with the view.
Upon starting Word, get to the Organizer via one
of the previously mentioned methods. Choose the Macros
tab. On the left half of the box is a button labeled Close
File. Click that button to change the label to Open File.
Click on Open File to get a Browse box. Choose
the target file to investigate. (By default, Word lists the .dot
files. If the file you wish to investigate is not so named,
change the Files of Type: drop-down box to All
Files.) The filename will be shown. If any macros exist
in the file, they will be listed in the big box. If not, normal.dot
will show up again with its macros. Practice on a file that you
know has macros in it, or practice on the file created in section
3.3.
PRO:
Safely determines if any macros exist in the target
file.
CON:
You know if there are macros. But you can't tell
if it's a virus or not.
Earlier, we discussed the use of the shift keys.
But it was listed as "subset of DisableAutoMacros."
DisableAutoMacros is a Word macro function to do
what it says. If the function is invoked and turned on, no Auto
functions will execute automatically until the function is turned
off (or until the next Word session). We have mentioned that
most macro viruses make use of an auto function. Thus removing
the ability to automatically execute the auto functions limits
those viruses from easily infecting your system.
Ironically, the best way to invoke this function
is through an AutoExec macro. However, in the following instructions,
the end result will be an AutoExec function in its own template
file, not in the normal.dot file. I recommend the template
file to be placed in the default startup directory in order to
keep the normal.dot file pristine. And, in this manner,
it is easier to give the file to others and harder for viruses
to find and remove.
Start by making sure your normal.dot is writeable,
and empty...
Click on Tools, Macros...
In the Macro Name: box, Enter autoexec
Click on Create.
Edit the macro to insert the DisableAutoMacros command:
Sub MAIN
DisableAutoMacros 1
End Sub
Close the editing session. Exit and save all changes.
In the DOS environment,
copy \msoffice\templates\normal.dot \msoffice\winword\startup\noauto.dot
erase \msoffice\templates\normal.dot
PRO:
Disables all AUTO macros.
Much less chance of infection.
CON:
Not foolproof.
Does not disable other intercepted macros, nor key shortcuts, etc.
Environment is no longer pristine. May lead others to believe the macro you have established is suspicious and cause technical support issues.
3.3.1 Prompt to Save Normal Template in noauto.dot
In creating noauto.dot in the above process,
it is beneficial to also include the command which turns on the
Prompt to Save Normal Template choice. This can be accomplished
by using the following macro in place of the above:
Sub MAIN
DisableAutoMacros 1
ToolsOptionsSave .GlobalDotPrompt = 1
End Sub
This ensures that the option is set every time, should
normal.dot be deleted or something reset the option. This also
allows the MIS director to distribute one file which enforces
two of the ideas instead of just one.
3.4 Customized Tools/Macro
Because default menu items are often targeted by
macro viruses and intercepted, it is important to know how to
make your own menu items which will have the same functionality
as those which would be intercepted. The following are the
instructions to create an equivalent to Tools/Macro.
Make sure the normal.dot is writeable...
Click on Tools, Customize...
Choose the Menus tab
Under Categories click on Tools
Under Commands click on ListMacros
For Position on menu: choose (At bottom)
Click on Rename.
Close the editing session. Exit and save all changes.
In DOS, please remember to make normal.dot
readonly again.
Following this, you will have an additional choice
under Tools to list the macros in your document.
PRO:
Bypasses the need to use Tools/Macro...
Not subject to virus payloads tied to Tools/Macro.
CON:
Works until viruses start to intercept Tools/ListMacros.
But, now that you know how to do this, you can create
your own toolbar choices for such things as the Organizer function
in section 3.2 Menu Choices within Word.
After macro viruses came along, Microsoft looked
for some very basic and simple rules. It came upon the rule,
"If you don't have macros, it can't have macro viruses."
And derived from this rule, "If there are macros in the
document, that could be a virus."
Thus in Word 7.0a (available for the Windows95 platform)
and in Word97, a new check box was added to Tools/Options
/General.
This check box allows the user to be alerted if any macros exist
in a document which is about to be opened. If such a document
is encountered, the user is given the choice of stopping, continuing
unaltered, or continuing with the macros disabled.
If the user chooses to continue with the macros disabled,
the file is opened in a read-only state and cannot be changed.
For the average user and the home user, it is wise
to have this option turned on. Obviously, the ones who should
not use this option would be the ones who regularly use macros.
An alarm system such as this is only useful if it
generates few alarms, and when it does generate an alarm, that
alarm needs to be meaningful, reflecting an actual virus. Many
alarms which turn out not to be viruses will anesthetize the
user, who will likely disregard the next alarm or turn the
feature off.
Although seemingly perfect in its simplicity, Microsoft
added some "usability" touches to it and thus created
some security holes. These security holes have previously been
documented by Vesselin Bontchev and revolve around certain conditions
where Microsoft would expect macros to appear. Thus if those
macros turn out to be viral, the initial warning won't alert because
the macros were expected to be there.
PRO:
Generally effective. If there's a macro in the document,
it tells you so.
CON:
Alerts on everything (almost).
People are apt to turn it off.
In section 4, methods will be presented for having the operating
system enforce the Read-Only (RO) attribute of normal.dot.
However, Word also allows for its own enforcement of normal.dot
as an RO file: even if the file is not RO, Word can still open it
as if it were. Which also means that if the file already is RO,
this choice is meaningless.
At the end of this section will be instructions on
how to turn on this option. The downside to using it
is that each time you start Word, it will ask you whether you
wish to open the file as read-only. This can become bothersome
and lead you to turn it off quickly. Of the techniques described
in this paper, this is the most bothersome, as it will interrupt
you with a message even in a clean environment. Most techniques
described in this paper are quiet most of the time.
To set up this option:
Start a Word session and explicitly open the normal.dot file. (Normally found in \MsOffice\Templates.)
Click on Tools, Options...
Choose the Save tab. The instructions are the same as in section 2.1 Prompt to Save Normal Template.
At the bottom, on the left, in a box titled File-Sharing
Options for normal.dot, check Read-Only Recommended.
Close the editing session. Exit and save all changes.
PRO:
Allows flexibility for those who would sometimes
want their normal.dot to be read-only and sometimes not.
CON:
Asserts a message to you each time you start Word.
People are apt to turn it off.
Yet another offering under the Save tab of Tools, Options,
adjacent to Read-Only Recommended, is Write-Reservation Password
(for Word97: Password to modify). If this choice is invoked,
each time Word is started the user will be asked either to enter
the password or to open the file as read-only.
The advantage of this is that only select people
will be allowed to modify normal.dot, and only if that
person knows beforehand that he wishes to change it.
The disadvantage is that only select people can clean
up such an infection. And on those occasions when normal.dot
is allowed to be infected, no warning is given that it has been.
To set up this option:
Start a Word session and explicitly open the normal.dot file. (Normally found in \MsOffice\Templates.)
Click on Tools, Options...
Choose the Save tab. The instructions are the same as above.
At the bottom, on the left, in a box titled File-Sharing Options for normal.dot, type a password into the Write-Reservation Password box. You will then be asked to confirm the password. Type in that same password again.
Close the editing session. Exit and save all changes.
PRO:
Allows flexibility to a select few who would sometimes
want their normal.dot to be read-only and sometimes not.
CON:
Asserts a message to you each time you start Word.
Only that same select few can clean up the global
infection.
As a user of Word97, there is yet another method
to make normal.dot a write-protected document. This feature
is to prevent modules from being created, viewed, or copied into
the Template Project. Macro viruses, which would be Visual Basic
modules, would fall into that class.
However, font selections, AutoText, and other stylistic
choices and settings do not. Thus a user could change certain
default choices in normal.dot without having to overcome
protections, and also not allow the standard macro virus to infect.
To set this up, make sure the normal.dot is writeable...
Start a Word97 session.
Press ALT-F11 to open the VB-Editor.
Click on View, Project Explorer to activate.
Mark Normal in the Project Explorer.
Click on Tools, Normal Properties
Choose the Protection tab.
Check Lock project for viewing and set a password.
Click on File, Save Normal.
Close the editing session.
PRO:
Virus cannot bypass this unless it happens to guess your password.
Users needing to change Autotext and Toolbars won't
be affected.
4.1 Read-Only Normal.dot
Probably the most effective thing one can do for
oneself is to change the attribute of normal.dot to be
read-only. As it is so easy to do and quite effective, it is
also the most talked-about method on the Internet. Hopefully,
many of you already have this in place in one form or another.
DOS has the concept of attribute bits. The most
commonly referenced are the System, Read-Only (RO), Hidden, and
Archive bits. The specific attribute bit which interests us is
the Read-Only bit. If the RO bit is set, normal DOS system calls
will refuse to write or change the file. Thus, in theory, if
the normal.dot file is RO, no virus will be able to change
it.
As noted before, a virus generally wants to change
the global environment. This generally causes the normal.dot
be rewritten. However, if the RO bit is set, when Word opens
normal.dot, it recognizes and stores this fact. When Word
exits, it remembers normal.dot was RO and refuses any attempt
to change it.
If it's such a good idea to set the read-only bit,
why doesn't everyone just do that? What's the downside?
The most obvious consideration is, "the file
is read-only." It can't be changed, not even if that was your
intention. Thus for someone who constantly changes his normal.dot,
an RO normal.dot will severely crimp his productivity.
While this would seem for such a user that he cannot
use this technique, that is not true. A user of macros can still
operate with a RO normal.dot if he stores all his macros
in files in the default startup directory. So, such a user would
change his normal mode of operation. Macros would be handled
as in the way we added noauto.dot in section 3.3.
Second, and a very important note, is that one doesn't
realize a virus is active until AFTER exiting Word. The significant
technical note is to recognize that Word informs you of the attempt
to write to normal.dot when it exits. So, all during the
time you are using Word, files will continue to be merrily infected
without warning. Only on exit do you realize that something bad
has been happening through the day.
Yet, you will know! And you can immediately shift
into "virus forensics" mode. Forensics needs as much
historical information as it can muster. To facilitate this,
we would want to make use of the Most Recently Used (MRU) list.
By default, Word's MRU list is set to remember the
last four files opened by the user. These are going to be the
files of interest anyway. The files saved on that day are the
ones to be chased down if any of them had been sent to anyone.
With a default of only four, we need to increase
the length of the MRU list. To do so, in Word, choose Tools
then Options... then General. Go to the Recently
Used File List and increase the number to its maximum of nine
(and remember to check the item). [I use nine, even without the
macro virus concern. It's simply more convenient when Word remembers
the files you've been working on.]
PRO:
System level protection.
Slows down viral spread.
Will know within the day, enables activity tracking.
Viruses cannot circumvent this to infect normal.dot in same session.
More files available in the MRU list.
CON:
If user must constantly update his macros, productivity would be hindered.
May create false sense of security.
4.2 Word Viewer
One of the most common infection vectors is receiving
a document through email, double-clicking on it, and having Word
automatically open it and (without the other protections in place)
getting infected. This is governed by one of two setups: either
the email program itself is programmed to activate Word based on
whatever criteria it uses, or the email program makes use of the
registry's file associations.
In this section, we shall cover the steps necessary
to change the default association of .DOC and .DOT files to Word.
This affects such activities as double-clicking, drag-and-drop,
and Explorer. [Unfortunately, I was unable to find how to turn
off CC:Mail's .DOC and .DOT association to Word.]
Reminding ourselves, the purpose of this paper is
to cover topics which will help to prevent or reduce macro virus
infections. The title of this section is "Word Viewer"
because if instead of using Word to read .DOC files, another program
is used instead, one which does not support macros, macro viruses
would be less capable of spreading. WordView or WordPad are
such programs. WordPad supports no macros. WordView has restricted
support of macros.
Therefore this section covers the necessary steps
to redirect the registry associations of .DOC and .DOT from Word
to WordPad or WordView.
Find WordPad.EXE (or WordView.EXE) on your system. Note the full pathname for the file.
Find REGEDIT.EXE or REGEDT32.EXE on your system and execute.
Under HKEY_CLASSES_ROOT, locate .doc and .dot
Traverse the structure until you locate Shell then command.
Change the associated command to the full pathname
of WordPad.EXE.
HKEY_CLASSES_ROOT
  .doc  ->  Word.Document.6
  Word.Document.6
    shell
      open
        command  ->  "C:\Program Files\Windows NT\Accessories\WordPad.exe" "%1"
All the commands have to be changed: Open, New,
PRO:
Does not support macros.
CON:
WordPad is just not Word.
Avoids macros, but doesn't tell you they're there.
Some e-mail programs disregard registry! (They're
not Windows compatible, despite claims.)
If you do not have a viewer, one can be retrieved, free from:
http://www.microsoft.com/msword/internet/viewer/viewer97/license.htm
In normal DOS usage, there is the regular suggestion
to boot clean before running antivirus programs. While there
is no need to enforce a clean Word environment before running
antivirus programs, it is still worthwhile to know that one's
environment is clean before each new day's use.
One way this is accomplished is to delete and replace
one's normal.dot file each day. We use autoexec.bat
to force this each time the machine is booted. On the negative
side, this effectively makes normal.dot useless as a mechanism
to hold changes: if changes are not moved to the archived copy,
they are lost. And this method does not inform the user of an
infection; the infection is simply destroyed.
Since that's the normal course, I've added the readonly
attribute to the file.
To set this up, do the following:
cd \msoffice\templates
md archive
copy normal.dot archive\normal.goo
attrib +r archive\normal.goo
[Goo is short for "good" and presumably won't conflict with any other extension in use.]
Add the following to autoexec.bat:
pushd \msoffice\templates
erase /f normal.dot
copy archive\normal.goo normal.dot
attrib +r normal.dot
popd
endbat
[If you do not have pushd/popd, use full directory pathnames. The final line transfers control to the empty endbat.bat file; see section 4.6.]
PRO:
Boots Word clean every day.
CON:
Hassle to change any macros.
Doesn't tell you if anything happened.
4.4 Check For Changes to Normal.dot
Another way to ensure a clean startup of Word, instead
of forcing it to be replaced with a new version each day, is to
check the present version against the known clean one which had
been archived. This method differentiates from the previous one
in its ability to alert the user of changes having occurred.
To achieve this, we have to save a copy of the current
(hopefully clean) normal.dot file.
The setup:
cd \msoffice\templates
md archive
copy normal.dot archive\normal.goo
attrib +r archive\normal.goo
Add the following to autoexec.bat:
diff \msoffice\templates\archive\normal.goo \msoffice\templates\normal.dot > NUL
if errorlevel 1 goto changed
[continue]
goto end
:changed
echo normal.dot changed^G
pause
:end
endbat
[Diff is a program similar to fc (from DOS). Fc does not return the necessary errorlevel for use in this manner. Ask the local guru for a copy of diff; he's sure to have one. The "^G" represents a CTRL-G, which is "hold down the Ctrl key, and press G." It causes a beep.]
PRO:
Informs of any change.
Ensures clean NORMAL.DOT each day.
Generally silent, no problems.
CON:
Not until next bootup.
Requires expert to setup.
Requires expert to understand use.
4.5 Check the Startup Directory
In section 3.3, after creating noauto.dot,
it was suggested that the file be placed in Word's Startup directory.
Any template file stored in this directory is automatically installed
into Word's environment when Word starts up. That also makes
this directory a target of viral attacks, as any virus could
add itself to the environment by dumping a template file in this
directory. Therefore, it is important to keep an eye on the directory
to make sure its contents do not change.
To make sure no viruses are added to the directory,
we need to store a listing of the directory from a known clean
state. Then, each time the machine is started, we make use of
autoexec.bat to check that the current contents of the directory
is not different from the list which represents what it should
be. The code needed to make this happen can be seen below.
To set up:
Start Word and locate the default Startup directory.
Click on Tools.
Go to Options
Choose the File Locations tab.
Look for the entry related to Startup. [If there are three dots in the directory name, double click on the entry to see the full directory name. Write down this directory name. Below, the code example uses \msoffice\Winword\Startup as that directory.]
Cancel, etc. and exit from Word.
In DOS, continue by executing the following instruction:
dir /b /a \msoffice\Winword\Startup > %TEMP%\startup.lst
This dir command creates a list of the current contents of the
Startup directory and stores it in your defined "temporary"
directory. If you have an older version of DOS, it may not have
some of the parameters used. To explain the instruction:
/b produces the bare listing (file names only, no headers or sizes).
/a includes hidden files, so virus writers cannot use that attribute to hide.
%TEMP% is replaced by DOS with the defined "temp" directory.
Add the following to autoexec.bat:
dir /b /a \msoffice\Winword\Startup > %TEMP%\startup.chk
diff %TEMP%\startup.lst %TEMP%\startup.chk > NUL
if errorlevel 1 goto diff_startup
[continue]
goto end
:diff_startup
echo Word startup directory changed^G
pause
:end
endbat
PRO:
Informs of any change.
Ensures clean boot up each day.
Generally silent, no problems.
CON:
No warning until next boot up.
Requires expert to setup.
Requires expert to understand use.
At the end of previous sections, endbat.bat
is referenced. In the battle against macro viruses, it is important
to know that many macro viruses have payloads which attach extra
code to the autoexec.bat file. When this happens, the
next time the machine is started, the code added by the macro
virus will execute. Thus, it is important to come up with a method
which prevents such payloads from taking effect.
With batch files, there are two different ways to
transfer control to another batch file. One method is to "call"
the second batch file. In this way, after the completion of the
second batch file, control is returned to the "caller."
The second method transfers control directly to another batch
file. This method does not return control upon completion of
the second batch file.
So, first, we create an empty batch file called endbat.bat.
And in the autoexec.bat, instead of letting it end by
executing the last instruction, we transfer control to endbat,
which finishes the startup process.
With this setup, any code that is added by a macro
virus to the end of autoexec.bat never gains control.
Thus, none of that code runs. This same setup will cause software
installations which add to the end of autoexec.bat to
fail in the same way. In such situations, simply remove the endbat
transfer before installing and put it back at the end of
autoexec.bat afterwards.
PRO:
Endbat.bat immunizes against
the effect of viruses adding additional code to end of autoexec.bat.
CON:
May interfere with software installations that write
to autoexec.bat. But prior to macro viruses, that was
the use for this setup.
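The endbat hand-off, shown as an added example (not from the paper) in POSIX shell: running a batch file by name in DOS transfers control for good while CALL returns, and the sh equivalents are exec versus running a child script. The scripts, the scratch directory, and the "appended" marker line are all constructed here.

```shell
#!/bin/sh
# Added example, not from the paper: the endbat.bat technique of this section
# carried over to POSIX shell. DOS batch transfers control to a second batch
# file for good when it is run by name (CALL would return); the sh equivalent
# is 'exec', which replaces the running shell so nothing after it executes.
# All paths are constructed in a scratch directory; the "appended" line only
# writes a marker file so we can observe whether it ran.

# Create the empty terminator and two startup scripts that hand off to it:
# one with exec (no return), one that runs it as a child (returns).
make_startup_scripts() {
    dir=$1
    printf '#!/bin/sh\n' > "$dir/endbat.sh"      # empty endbat.bat equivalent

    cat > "$dir/autoexec_exec.sh" <<EOF
#!/bin/sh
echo started > "$dir/exec.started"
exec sh "$dir/endbat.sh"
EOF

    cat > "$dir/autoexec_call.sh" <<EOF
#!/bin/sh
echo started > "$dir/call.started"
sh "$dir/endbat.sh"
EOF
}

# Model the effect the paper warns about: a line gets appended to the end of
# the startup file. The appended line here merely touches a marker file.
append_tail_line() {
    script=$1; marker=$2
    printf 'echo appended > "%s"\n' "$marker" >> "$script"
}

# Run a startup script and report whether its appended tail line was reached.
# Returns 0 when the tail was blocked (marker absent), 1 when it executed.
tail_line_blocked() {
    script=$1; marker=$2
    rm -f "$marker"
    sh "$script"
    [ ! -e "$marker" ]
}

# Stand-alone demonstration on a scratch tree.
demo() {
    d=$(mktemp -d)
    make_startup_scripts "$d"
    append_tail_line "$d/autoexec_exec.sh" "$d/exec.payload"
    append_tail_line "$d/autoexec_call.sh" "$d/call.payload"
    if tail_line_blocked "$d/autoexec_exec.sh" "$d/exec.payload"; then
        echo "exec variant: appended line never ran (endbat effect)"
    fi
    if ! tail_line_blocked "$d/autoexec_call.sh" "$d/call.payload"; then
        echo "call variant: appended line ran after control returned"
    fi
    rm -rf "$d"
}

demo
```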
Another favored method by virus writers to deposit
payloads onto users' machines is by way of a debug script. (A
debug script is readable text instructions sent to the DOS utility
named debug to create a binary file.) Usually, this is
used to deliver virus programs or other binary data.
To combat this, one can rename or remove debug
from users that don't normally have need for that program.
(And almost all users don't ever need nor know how to use debug.)
Verify that the program is no longer available by
typing "debug" on a command line. If the program
still runs, the job is not yet complete.
PRO:
Users won't be affected by the deposited payloads
of viruses that use debug to plant such onto machines.
CON:
Users don't have the program to use. Not a problem
for most users.
5.0 Excel macro viruses
Excel has a startup directory similar to Word's. Any
template file found in this directory is automatically loaded
into Excel on startup. This directory is the XLSTART subdirectory
under where Excel exists. Since this behavior is exactly the same
as Word's, we can use code similar to that discussed
in section 4.5 Check the Startup Directory.
dir /b /a \msoffice\Excel\XLStart > %TEMP%\xlstart.lst
[Please see section 4.5 for a full explanation of
the command.]
Add the following to autoexec.bat:
dir /b /a \msoffice\Excel\XLStart > %TEMP%\xlstart.chk
diff %TEMP%\xlstart.lst %TEMP%\xlstart.chk > NUL
if errorlevel 1 goto diff_xlstart
[continue]
goto end
:diff_xlstart
echo Excel startup directory changed^G
pause
:end
endbat
The PROs and CONs are exactly the same
as for the same check on Word's startup directory.
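An added example, not the paper's batch code: the same baseline-and-compare check as the xlstart.lst listing above, re-implemented in Python and going one step further than a dir /b /a listing by recording each file's size and SHA-1, so a file overwritten in place under its old name is reported as well. The directory and file names used in demo() are constructed for the example.

```python
# Added example, not the paper's batch code: the same baseline-and-compare
# check as 'dir /b /a ... > xlstart.lst', but each file is recorded with its
# size and SHA-1, so a file overwritten in place (same name, new contents) is
# reported as well, which a bare name listing cannot see.
import hashlib
import os
import tempfile


def snapshot(startup_dir):
    """Return {filename: (size, sha1hex)} for every regular file in startup_dir."""
    snap = {}
    for name in os.listdir(startup_dir):
        path = os.path.join(startup_dir, name)
        if os.path.isfile(path):
            with open(path, "rb") as f:
                digest = hashlib.sha1(f.read()).hexdigest()
            snap[name] = (os.path.getsize(path), digest)
    return snap


def compare(baseline, current):
    """Describe every added, removed or modified file; [] means unchanged."""
    changes = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            changes.append("added: " + name)
        elif name not in current:
            changes.append("removed: " + name)
        elif baseline[name] != current[name]:
            changes.append("modified: " + name)
    return changes


def demo():
    """Constructed scenario: a temporary directory standing in for XLSTART."""
    with tempfile.TemporaryDirectory() as xlstart:
        personal = os.path.join(xlstart, "personal.xls")
        with open(personal, "wb") as f:
            f.write(b"constructed placeholder, not a real workbook")
        baseline = snapshot(xlstart)  # taken on a known-clean system
        # Two changes the startup check must notice: an existing file rewritten
        # in place, and a new file appearing in the directory.
        with open(personal, "wb") as f:
            f.write(b"same name, different contents")
        with open(os.path.join(xlstart, "book1.xls"), "wb") as f:
            f.write(b"constructed new file")
        return compare(baseline, snapshot(xlstart))


if __name__ == "__main__":
    for line in demo():
        print("Excel startup directory changed:", line)
```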
We should have learned not to do this by now.
This technique is equivalent to creating a Payload
macro to address Word macro viruses. Laroux.A checks for the
existence of a file by the name of personal.xls in Excel's
XLSTART directory. If one exists, it does not infect.
Thus, if we put a file by that name in that directory, we will
be immunized from Laroux.A. As with Concept.A, Laroux.A is the
most widespread of all Excel viruses.
And as has happened in the Word arena, other viruses
have appeared and other variants of Laroux now exist, rendering
this technique of little or no effect.
To create such a file, simply take an empty Excel
file and place it in the XLSTART subdirectory under where
Excel is located.
PRO:
Works against Laroux.A.
CON:
Works only against Laroux.A.
An interesting consequence of cleaning a Laroux infection
from the system is that it leaves a clean file by the name of
personal.xls (or binv.xls, etc.) in the XLSTART
directory. Although I didn't suggest creating one to thwart infection,
I do recommend that the file be left there. The reason
for this is that 1) it has already been proven that the particular
strain of the virus is spreading nearby, so a defense against
it is prudent; and 2) removing the file is actually more work
than leaving it.
Throughout this paper, I have made hints as to the
usefulness of each method. But there are so many and I haven't
suggested which to use in combination. Still, I'm going to chicken
out and not exactly recommend but rather tell you which I use.
I have a read-only normal.dot. In addition,
I use Prompt to Save Normal Template. In section 2.1, I made
a quick comment that the two do not conflict and thus it's possible
to use both. Both are meant to warn you by the end of the day
if you happened to have gotten your environment infected during
the day.
But, why use both? Isn't one enough?
The first answer is that it doesn't hurt, so why
not? The second answer is that some viruses try to undo one or
the other. And some both. So, using both techniques means a
virus has to attack both simultaneously to circumvent the protection.
And if nothing is happening, both are quiet so they won't disturb
your everyday work.
I also use the DisableAutoMacros template as distributed
in the separate file noauto.dot. Most viruses make use
of an auto macro of one sort or another to spread. And all the
viruses in the wild do. With this macro in place, viruses will
not automatically activate, and the chance of spreading something,
even if you come in contact with it, is much smaller. Furthermore,
as described in its section, an MIS director can create this file
and send it to the whole company to be placed in the appropriate
location. Thus this can have a company-wide impact with little
effort.
In preparing this paper, I also tried out most of
these techniques. I plan to incorporate the checking of the XLSTART
directory and Word's startup directory. The XLSTART directory
technique is the only significant technique against Excel viruses.
Sadly, I was infected by Laroux.A from within my own company
recently. (Luckily, I recognized it immediately within a minute.)
So, it's starting to hit home. And more Word viruses seem to
be taking advantage of the startup directory technique as well.
Lastly, throughout all the Office97 products, each
is programmed to alert if any macros exist in an incoming document,
be that Word, Excel, Powerpoint, Access, or any other. The products
in their default mode have the macro alert on. Don't turn it
off until you hit your first false alarm. And even then, judge
how much trouble the false alarm caused. If you feel that it
was not a problem, leave the setting on. The alert is not perfect
(the problem scenarios have been documented in Vesselin Bontchev's
paper for the 1996 Virus Bulletin Conference). But until you
meet a false alarm, it won't have caused you any issues. And
it would take effort to turn it off anyway. Might as well do
that later than sooner.
For the MIS director who must handle their corporation's
suspect documents, here are some tips.
Use all the techniques in section 6.0. If a file
is suspect, create a clean environment by using the process outlined
in section 3.3. Examine the file using File/Templates/Organizer,
before opening any other files. If the suspect file does not
have a macro named ToolsMacro, use Tools/Macro to rename the macros to
shortened names before examining them. If it does, create
your own ListMacros menu option and use it instead of Tools/Macro.
Lastly, and my only plug for my own product: if you
use the DOS version of Scan to scan the single file, and
Scan reports "Analyzed: 1, Scanned: 0, Possibly Infected:
0", then the file has no macros and thus cannot have a virus.
If it reports "Analyzed: 1, Scanned: 1, Possibly Infected:
0", then the file does have macros. Send it to your favorite
(or not) AV Researcher and have him or her tell you if it's infected.
There is also the rare occasion that an MIS director
must clean an infected document immediately so the document can
be used without delay. As AV vendors, we recommend against this
activity, but also, as AV vendors, we recognize that we can't
necessarily help you every minute of every day. Please use this
technique with utmost care, and only if you can't avoid it.
This is best done on a stand-alone machine. But
if that can't be accomplished, be extra careful!
After verifying that the virus does not have an EditCopy
or EditCut macro, and that there are no templates in the startup directory
nor in normal.dot, open the file while holding the shift key.
(Or for the adventurous, place noauto.dot into the startup
directory.)
Select the entire document.
Edit/Copy to Clipboard.
File/Exit from Word.
Delete normal.dot (or rename it) and remove all files from the startup directory.
Restart Word.
File/New a new empty document.
Edit/Paste from Clipboard.
File/SaveAs as a new document.
In so doing, be sure that the file is not automatically being
saved as a template. If so, the environment is infected. And
assuming all the above was handled properly, pick up the phone
and call your AV vendor.
Vesselin Bontchev, AV Research, FRISK Software Intl.
Stefan Geisenheiner, AV Research, Amsterdam, NL., McAfee Associates. German translation available.
Raymond M. Glath, Sr., President, RG Software Systems.
Jivko Koltchev, AV Research, Santa Clara, CA, McAfee Associates.
Akihiko Muranaka, Tokyo, Japan, McAfee Associates. Japanese translation available.
Francois Paget, AV Research, Paris, France, McAfee Associates. French translation available.