Series: The Macros Strike Back
How to fight annoying, fast-spreading macro viruses.
Article 1 of 6 in series
by Geoff Duncan
More Word Macro Viruses -- According to a recent CIAC bulletin, new Microsoft Word macro viruses have been discovered, and at least two of the new varieties are damaging. (See TidBITS-312 for a related story.)
Although the worst effects are still reserved for Windows users (apparently the virus engineers aren't up-to-date on cross-platform concerns), users of Microsoft Word 6.0 or 6.0.1 on the Macintosh should be concerned. Microsoft has released new tools to combat these viruses, and many commercial anti-virus products are being updated to detect them as well.
I haven't examined or tested Microsoft's new virus protection tools, and though Microsoft claims these tools work on a Macintosh, they're posted in a self-extracting ZIP format for DOS/Windows machines. StuffIt Expander with Expander Enhancer will decompress the file; so will Thomas Brown's popular Mac shareware utility ZipIt. As with Microsoft's earlier anti-virus tool, Microsoft's new utility only scans files opened by choosing Open from the File menu; documents which are double-clicked in the Finder or chosen from the recent documents list are not scanned. [GD]
Microsoft -- 206/635-7200 -- <firstname.lastname@example.org>
Article 2 of 6 in series
by Geoff Duncan
In TidBITS-292, we reported on a cross-platform virus written in WordBasic that affected some users of Microsoft Word 6.0, mostly on non-Macintosh platforms. Since then, an additional WordBasic virus has appeared; although the WordBasic viruses discovered so far are not particularly destructive, they present a support headache for Macintosh managers, and - according to reports - the viruses are becoming more common on the Mac.
I've found a good deal of information about the viruses online, and Microsoft has released a set of anti-virus tools to combat the problem.
For the record, the viruses spread as WordBasic macros included in Word 6 documents, and - because WordBasic works across platforms - the viruses can infect any machine running Word 6, regardless of platform. On the Macintosh, the virus only affects Microsoft Word 6.0 and 6.0.1; earlier versions of Word do not include WordBasic and cannot be infected, even when using infected Word 6 documents from another system. Commercial anti-virus utilities like Virex and SAM can detect the viruses, but the freeware Disinfectant does not, since it's designed only to pursue viruses in machine code form. If you use a commercial anti-virus package, contact your vendor if you have questions about detecting WordBasic viruses.
Quick checks with some large corporate and educational Macintosh sites using Word 6 didn't reveal widespread concern, although incidence varied widely. One source at a large site estimated that 80 to 90 percent of Macs in the company were infected; conversely, several sites reported they'd never seen the viruses on a Mac. An educational site reported detecting and removing the viruses "a few times a week," and a support manager at a large corporation noted the WordBasic viruses appear frequently on Macs in heavily cross-platform departments. Several sources noted that Mac users think the virus can't spread to the Mac, and thus take no preventative measures.
I've seen no reports of significant damage caused by the viruses; the main cost seems to be the time support personnel spend dealing with it or purchasing and installing anti-virus software, a task apparently sometimes dictated by (in the words of one source) "overly paranoid" management. One site reported the virus had spread in an infected template file to nearly every employee via email. "No one got hurt, but we spent well over a week chasing it down, explaining everything, and re-assuring everybody. That certainly wasn't cheap." Interestingly, all these sources spoke to me only on the condition they remain anonymous.
If you use or support Word 6 in an environment where documents are regularly exchanged with others (particularly outside your organization), it might be worth investigating how to detect the viruses and manage the situation, rather than waiting for a larger problem to develop. Microsoft's detection tool takes a while to scan a hard disk (especially on a Mac), but you only need to do it once. Better safe than sorry.
Microsoft -- 206/635-7200
Article 3 of 6 in series
Though the possibility of a cross-platform virus moving as interpreted commands in data documents has been considered by computer experts, none had been seen in the user community until this month's discovery that a new virus was spreading within document macros interpreted by Microsoft's WordBasic macro language. The virus, dubbed "Word-Macro-9508" by the Macintosh antivirus community, can spread on any computer system using a version of Microsoft Word 6.0.
So far the virus has been seen mostly on DOS, Windows, and OS/2 computers running Word 6, in various locations in North America and Europe. It has been referred to as "WinWord.Concept", "WW6", and "WW6Macro" in the Windows community, though it is by no means restricted to the Windows version of Word 6. Microsoft's name for the virus is "Prank Macro". The code can be spread merely by opening an infected Word document - even one that has been transferred from a different operating system - since Word's macros are stored as data and are automatically recognized by any current version of the application.
The virus adds several new macros to Word's global macro pool, named "AAAZA0", "AAAZFS", "Payload", and "FileSaveAs". This last activates the virus in an infected file when the user chooses Save As from the File menu. The altered macros are then saved with the file. If the virus has infected your Word documents, you may see an alert window with the digit "1" in it when the virus is triggered, or you may notice that infected Word files are saved as templates rather than normal documents.
IBM has gathered a fair amount of information on the virus and how to combat it, and published it at:
Microsoft has released tools to combat the virus, obtainable on the Internet. As of this writing, Microsoft's fix renames the virus rather than removing it, and there have been reports that a supplied file system scan function may not find all infected files on a Macintosh.
[Note that Microsoft still isn't posting BinHex files correctly and this file must be downloaded in binary mode. Try using Netscape, which downloads most everything in binary, or Fetch, which has a Binary button that forces a binary download. Otherwise, configure your FTP client to treat the file suffix ".hqx" as a binary file, and be sure to change the setting back when you're done. -Geoff]
Datawatch Corporation has released an update (version 5.6.1) of its commercial Virex utility for Macintosh, available on commercial online services and at:
No updates are currently planned for the other Macintosh antiviral utilities; most do not attempt to address viruses that don't take a machine-code form.
Since Mac versions of Microsoft Word prior to 6.0 don't incorporate WordBasic, and since even on newer versions these macros are easily spotted and removed, users need not panic about this virus.
Article 4 of 6 in series
Last week in TidBITS-382, I wrote a short piece warning people not to become complacent about viruses on the Macintosh. I received a number of notes, including one thanking me for the article (the reader ran Disinfectant, which promptly found virus infestations on his hard disk). Most, however, talked about what has become a more serious issue since I was last seriously involved in the anti-virus world - macro viruses, and especially those lurking in Microsoft Word 6.0 documents. Although we covered this topic in TidBITS-312 and TidBITS-314, the subject needs more attention.
Viruses and Macro Viruses -- On the Macintosh, viruses are usually small bits of code embedded in other files that can replicate themselves between files and between machines. Viruses may or may not cause damage; some are deliberately destructive, but some are just annoying. When I wrote about viruses last week, I was thinking about the traditional sort, which infect Macintosh files, mostly applications and the System file. The free program Disinfectant finds these viruses by scanning files for the specific code resources used by the viruses. Most Macintosh viruses are in fact named for their code resource signatures, such as nVIR and MBDF.
<ftp://ftp.acns.nwu.edu/pub/disinfectant/disinfectant36.sea.hqx>
Macro viruses aren't larger versions of viruses. They share the basic virus definition - small bits of code with replication capabilities that are embedded in other files - but instead of being Macintosh code resources, they're written in application macro languages, such as HyperTalk, Word Basic, or - conceivably - even AppleScript or Frontier's UserTalk. Unfortunately, since high-level application macro languages are generally easier than C, assembly, or other low-level programming languages, neophyte scum find it easier to write (or shamelessly copy and modify) macro viruses than more traditional viruses. Since Disinfectant only scans code resources, it doesn't identify macro viruses, and cannot protect you from them.
Disinfectant also doesn't attempt to detect another class of malicious programs, called Trojan Horses. These programs often pose as a utility, game, or other useful program, but perform anything from a prank to severe disk damage when they run. Trojan Horses are rare on the Macintosh, and commercial anti-virus utilities should detect known examples.
The first macro viruses I know of were written in HyperTalk. They infected HyperCard stacks, and some still exist today, although few are destructive. HyperCard is alive and well, but it doesn't have the wide distribution and use it did when Apple bundled it for free with every Mac. As a result, HyperCard viruses aren't as much of a problem as they might be. For more information about HyperCard viruses and tools for eliminating them, check out HyperActive Software's HyperCard Viruses page.
Word Macro Viruses -- Of far more concern today are Word (and to a lesser extent, Excel) macro viruses. These viruses, written in Microsoft's Word Basic macro language (available only in Microsoft Word 6.0 and later), are embedded in Word documents. When an infected document is open, the macro viruses can copy themselves into your global template file, and from there into other Word documents.
To judge from the listings maintained by the Virus Test Center at the University of Hamburg, many Word macro viruses (over 1,100) exist, and new ones appear constantly. The problem is simple - since the Microsoft Office applications, including Word and Excel, are cross-platform, macro viruses written by PC users in Word Basic are often virulent even on the Macintosh as long as you run Word 6.0 or later. Of course, those macro viruses that try to do things like issue FORMAT C: commands can't hurt a Mac, but they can replicate themselves. Mike Groh, Software Development Manager at Virex manufacturer Datawatch, noted, "Macro viruses are quickly becoming a larger problem than Mac system viruses ever were at their peak. Improved cross-platform support for the Macintosh has brought with it one of the headaches of the PC world."
A number of readers commented that these macro viruses are commonplace in corporations because people trade Word documents around all the time, and corporations are more likely than individuals to have upgraded to, and standardized on, Word 6.0. Even worse, it's easy for these infected files to find their way into backup tapes and onto CD-ROMs, which makes it easier for them to spread and re-infect cleaned systems.
Eliminating Macro Viruses -- Since you can't use Disinfectant to find or remove Word macro viruses or any other sort of macro virus, you must rely on other tools. The two commercial anti-virus applications I mentioned last week, Virex and SAM, can both identify and eliminate many of these macro viruses, although reports from readers indicate that the viruses change frequently enough that even keeping up with Datawatch's and Symantec's updated virus listings isn't always enough. With over 200 new macro viruses appearing each month, that's not surprising, although Datawatch reportedly tries to do next-business-day turnaround when a customer sends in a new virus.
Microsoft also provides information about macro viruses and tools to help identify them. Notes from readers haven't been particularly positive about the performance and usefulness of the main utility, called MVTOOL, and the Microsoft Web site comments: "MVTOOL is able to scan for and disinfect files that contain the Concept virus. However, it is not able to detect or remove any of the other known macro viruses and is prone to crashing when processing a large number of files." MVTOOL works by notifying you when documents that you open contain macros, and lets you open the documents without the macros, which is useful, but not nearly as hands-off as anti-virus tools should be. Users simply can't be expected to know what is and what is not a macro virus.
Since I mainly use Word 5.1 when I use Word at all, I've never run into a Word macro virus and can't offer advice from personal experience. However, my feeling is that if you use and rely heavily on Word 6.0 or later, particularly if you frequently trade files with other users, it's worth getting and installing not only Microsoft's MVTOOL, but another commercial anti-virus tool such as Virex or SAM. Of course, if you don't need Word 6.0's features, Word 5.1 doesn't suffer from macro viruses at all, and can safely open infected Word 6 files. Ideally, a future version of Microsoft Office would have a feature that would prevent macro viruses.
In the end, be careful out there. A major reason that the Macintosh world is plagued by relatively few traditional viruses is that the anti-virus tools are updated so quickly and utilized by such a large number of Macintosh users (and many of the programmers worked together on identifying and eliminating each new virus) that the viruses never had a chance to spread far. Vigilance is the only defense. If you own a commercial anti-virus program that fails to catch a macro virus that infects your documents, be sure to send the infected document (clearly labeled, of course) to the program's manufacturer immediately, so they can add it to their list of viruses to eradicate. Only then can we hope to get the upper hand in the fight against the macro viruses.
Article 5 of 6 in series
The point of many viruses, macro or otherwise, is to annoy people, waste time, and generally eat bandwidth of various sorts. That's ironic, given the amount of space the topic consumes whenever it appears in the press (see TidBITS-383). But, since numerous readers made useful comments and suggestions, we wanted to pass along the information to help everyone understand more about the macro virus problem. This will be it for virus coverage in TidBITS for a while, but you can find a great deal more information about viruses on the Macintosh (including macro viruses) on David Harley's Viruses and the Macintosh FAQ at:
If it hurts... Of all the responses I received, the simplest (and often presented with tongue firmly planted in cheek) solution offered to the Word macro virus problem was simply to avoid using Microsoft Word 6 or other programs that suffer from macro viruses. That of course won't work universally, because people don't always have much choice about the programs they use.
Auto-running Macros -- Others suggested turning off auto-running macros in Word 6, which prevents some macro viruses from replicating or performing other anti-social acts. Unfortunately, many macro viruses use alternate methods of activation, including deceptive names, co-opted common command key shortcuts, and captured menu items. So, although turning off auto-running macros in Word 6 might help slightly, it's not a reliable solution.
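To make the point about activation paths concrete, here is an added example (not from TidBITS, Microsoft, or any anti-virus vendor) that triages a list of macro names as you would read them from Word's macro dialog. The Concept names are the four given earlier in this series; the automatic-macro and command names are WordBasic names that the article does not list, and `triage` and the sample listings are hypothetical.

```python
# Added example: triage macro names read from Word 6's macro list.
# Names are compared ignoring case (a design choice of this example).

# The four macros this series says Concept adds to the global macro pool.
CONCEPT_MACROS = ("AAAZA0", "AAAZFS", "Payload", "FileSaveAs")

# Word's automatic macros (assumption: not named in the article).
AUTO_MACROS = ("AutoExec", "AutoOpen", "AutoNew", "AutoClose", "AutoExit")

# Built-in commands a same-named macro replaces; a partial, constructed list.
COMMAND_MACROS = ("FileSaveAs", "FileSave", "FileOpen", "FileClose",
                  "FileNew", "FilePrint", "FileExit", "ToolsMacro")


def _match(names, known):
    """Return the entries of `known` that occur in `names`, ignoring case."""
    seen = {n.strip().casefold() for n in names if n.strip()}
    return [k for k in known if k.casefold() in seen]


def triage(names):
    """Classify a macro listing by indicator and by activation path."""
    concept = _match(names, CONCEPT_MACROS)
    auto = _match(names, AUTO_MACROS)
    overrides = _match(names, COMMAND_MACROS)

    if len(concept) == len(CONCEPT_MACROS):
        verdict = "concept-set-complete"   # all four names present
    elif concept or auto or overrides:
        verdict = "review"                 # needs a human or a scanner
    else:
        verdict = "no-indicators"

    return {
        "verdict": verdict,
        "concept_hits": concept,
        "auto_macros": auto,
        # Command overrides fire when the user picks the menu item,
        # so disabling automatic macros does not stop them.
        "still_active_with_auto_off": overrides,
    }


# Constructed sample listings, not taken from real documents.
SAMPLE_INFECTED = ["aaaza0", "AAAZFS", "Payload", "FileSaveAs", "InsertLogo"]
SAMPLE_AUTO_ONLY = ["AutoOpen", "InsertLogo"]
SAMPLE_BENIGN = ["InsertLogo"]

if __name__ == "__main__":
    for label, listing in (("infected", SAMPLE_INFECTED),
                           ("auto-only", SAMPLE_AUTO_ONLY),
                           ("benign", SAMPLE_BENIGN)):
        print(label, triage(listing))
```

For the Concept listing, `still_active_with_auto_off` contains `FileSaveAs`, which is why turning off auto-running macros alone does not neutralize it.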
Locked Normal Template -- One intriguing solution for preventing the spread of Word macro viruses, from Tyler Stewart <email@example.com>, was to lock the Normal template file, which lives in the Templates folder in the Word folder. Select it in the Finder and choose Get Info from the File menu, then click the Locked checkbox. Locking the Normal template prevents any macro virus from infecting it, but macro viruses could also transfer themselves to other open documents or run without replicating. More problematic is the fact that Word 6 seems to cache the Normal template in RAM, so the RAM copy can be infected (and thus pass on the infection during that session) even with the Normal template locked. In other words, this solution won't always work and might prove irritating if you need to change the Normal template.
File Conversions -- A number of readers suggested variants on file conversion techniques. Microsoft Word 5 can't run macros of any sort, so it's safe from Word 6 macro viruses. Some people thought that macros could be carried in a file that Word 5 had converted, opened, saved, and which was then re-opened in Word 6. Datawatch's Mike Groh reported that they've had no reports of macros surviving the conversion process, either via Word 5 or via translators such as DataViz's MacLinkPlus. In both our and Datawatch's testing, conversions stripped the macros.
Eliminating Macros Entirely -- Some folks suggested techniques that might work for eliminating all macros in Word documents. But, macros are not inherently evil, and anything that blindly removes all macros could easily destroy useful or even necessary macros. Tools like Microsoft's MVTOOL aren't so destructive, since they offer the choice of opening documents without macros on a per-file basis. However, don't trust MVTOOL's protection (accomplished via a macro called SCANPROT, which confused some readers), because it works only if you use the Open command in Word's File menu to open the files. If you double-click a Word file in the Finder or use other methods of opening files from outside Word (like the Recent Files hierarchical menu, or Now Super Boomerang), MVTOOL won't work. Read the documentation with MVTOOL carefully before relying on it.
Other Anti-virus Utilities -- Just to be complete, Datawatch's Virex and Symantec's SAM aren't the only commercial anti-virus programs available for the Mac that can detect and eliminate macro viruses. Also available are McAfee's VirusScan and Dr. Solomon's FindVirus, and others may exist as well. I have no recommendations here other than to note that Datawatch's Mike Groh was voluntarily helpful in checking and commenting on these articles. Viruses affect everyone, so I'd lean toward companies who participate in the communities their software protects.
Eternal Vigilance -- This entire topic came up because of my warning in TidBITS-381 that the Macintosh community was becoming complacent about viruses. Several readers alerted me to infected CD-ROMs that have recently been distributed to numerous people, including Apple's Official May 1997 Marketing ToolKit, which goes to dealers and the media. There are two lessons to be learned. First, don't trust even seemingly innocuous sources, because even CD-ROMs and disks from reputable companies can become infected. Second, if you're in charge of mastering CDs or creating master disks, check the disks with anti-virus software! It's simply unacceptable for any widely distributed CD-ROM or floppy to carry infected files.
Design a Sandbox -- I believe that the eventual solution to these macro viruses is for the companies producing software with macro capabilities to take the responsibility of designing their programs in such a way as to eliminate macro viruses. Although Sun's Java language undoubtedly isn't perfect, it was designed to prevent malicious uses. Even if someone finds a way around that design, it won't be as easy as it is with macro languages. I won't pretend to know if it's even possible to create a macro language that doesn't suffer from macro viruses, but with the number of macro viruses that appear every day, it's clear that the problem is very real.
Article 6 of 6 in series
I know I said I wouldn't write more about macro viruses a number of issues ago, but I couldn't resist passing on these useful pieces of information.
Michael Gibbs <firstname.lastname@example.org> comments:
An ironic aspect of your warning regarding virus-infected disks from "official" sources is that most application installers recommend that you disable extensions, in many cases disabling your Mac's immune system. I am in the habit of allowing SAM to check all the installation disks before restarting without extensions.
Michael has an excellent point: checking original disks before installing is a good idea. However, since many application installers store their files in compressed archives which can prevent an anti-virus check from detecting infection, cautious sorts might also want to run a check immediately after installing a new program.
A not-necessarily official Microsoft representative wrote:
The next version of Word for the Macintosh will contain the same level of improved protection as Word 97 for Windows. Word will warn the user when opening any document containing macros and allow the user to open the document without macros enabled. This option is enabled by default. Word will also allow the user to lock and password protect the Normal template at the VBA project level, which prevents any macros from being added to Normal, but does not prevent other customizations, such as styles or toolbar changes. All of this is implemented within Word itself, so does not suffer from the limitations currently in SCANPROT.
Your comment on macros not surviving conversion is absolutely correct. Currently, any and all conversions to or from Word pass through RTF as the interchange format. There has never been (and most likely never will be) a way for macros to be represented in RTF, so therefore any conversions will strip existing macros out of the document. This is actually a simple way for users to disinfect documents - simply save the document out as RTF [also known as Interchange Format in some Save As dialogs -Tonya] and then read it back into Word. The contents of the document itself will be unchanged, but macros, menu customizations, keyboard mappings, and so on will all be stripped out.
Kendall Bullen <email@example.com> offers this tip:
Instead of opening a file that could have a macro, create a new Word document, choose File from the Insert menu, and insert the suspect file into the new document. Word will insert the formatted text just fine, but won't auto-run any macros that might have executed if you had opened the file normally (you also lose other template information). We've used this to "clean" several documents in Word 6, and it's worked fine for us.
Jonathan Rynd <firstname.lastname@example.org> noted that Padgett Peterson has written a freeware macro scanner for Microsoft Word called MacroList that has worked well in his experience.