Last week in TidBITS-382, I wrote a short piece warning people not to become complacent about viruses on the Macintosh. I received a number of notes, including one thanking me for the article (the reader ran Disinfectant, which promptly found virus infestations on his hard disk). Most, however, talked about what has become a more serious issue since I was last seriously involved in the anti-virus world – macro viruses, and especially those lurking in Microsoft Word 6.0 documents. Although we covered this topic in TidBITS-312 and TidBITS-314, the subject needs more attention.
Viruses and Macro Viruses — On the Macintosh, viruses are usually small bits of code embedded in other files that can replicate themselves between files and between machines. Viruses may or may not cause damage; some are deliberately destructive, but some are just annoying. When I wrote about viruses last week, I was thinking about the traditional sort, which infect Macintosh files, mostly applications and the System file. The free program Disinfectant finds these viruses by scanning files for the specific code resources used by the viruses. Most Macintosh viruses are in fact named for their code resource signatures, such as nVIR and MBDF.
Macro viruses aren’t larger versions of viruses. They share the basic virus definition – small bits of code with replication capabilities that are embedded in other files – but instead of being Macintosh code resources, they’re written in application macro languages, such as HyperTalk, Word Basic, or – conceivably – even AppleScript or Frontier’s UserTalk. Unfortunately, since high-level application macro languages are generally easier than C, assembly, or other low-level programming languages, neophyte scum find it easier to write (or shamelessly copy and modify) macro viruses than more traditional viruses. Since Disinfectant only scans code resources, it doesn’t identify macro viruses, and cannot protect you from them.
Disinfectant also doesn’t attempt to detect another class of malicious programs, called Trojan Horses. These programs often pose as a utility, game, or other useful program, but perform anything from a prank to severe disk damage when they run. Trojan Horses are rare on the Macintosh, and commercial anti-virus utilities should detect known examples.
The first macro viruses I know of were written in HyperTalk. They infected HyperCard stacks, and some still exist today, although few are destructive. HyperCard is alive and well, but it doesn’t have the wide distribution and use it did when Apple bundled it for free with every Mac. As a result, HyperCard viruses aren’t as much of a problem as they might be. For more information about HyperCard viruses and tools for eliminating them, check out HyperActive Software’s HyperCard Viruses page.
Word Macro Viruses — Of far more concern today are Word (and to a lesser extent, Excel) macro viruses. These viruses, written in Microsoft’s Word Basic macro language (available only in Microsoft Word 6.0 and later), are embedded in Word documents. When an infected document is open, the macro viruses can copy themselves into your global template file, and from there into other Word documents.
To judge from the listings maintained by the Virus Test Center at the University of Hamburg, many Word macro viruses (over 1,100) exist, and new ones appear constantly. The problem is simple – since the Microsoft Office applications, including Word and Excel, are cross-platform, macro viruses written by PC users in Word Basic are often virulent even on the Macintosh as long as you run Word 6.0 or later. Of course, those macro viruses that try to do things like issue FORMAT C: commands can’t hurt a Mac, but they can replicate themselves. Mike Groh, Software Development Manager at Virex manufacturer Datawatch, noted, "Macro viruses are quickly becoming a larger problem than Mac system viruses ever were at their peak. Improved cross-platform support for the Macintosh has brought with it one of the headaches of the PC world."
A number of readers commented that these macro viruses are commonplace in corporations because people trade Word documents around all the time, and corporations are more likely than individuals to have upgraded to, and standardized on, Word 6.0. Even worse, it’s easy for these infected files to find their way into backup tapes and onto CD-ROMs, which makes it easier for them to spread and re-infect cleaned systems.
Eliminating Macro Viruses — Since you can’t use Disinfectant to find or remove Word macro viruses or any other sort of macro virus, you must rely on other tools. The two commercial anti-virus applications I mentioned last week, Virex and SAM, can both identify and eliminate many of these macro viruses, although reports from readers indicate that the viruses change frequently enough that even keeping up with Datawatch’s and Symantec’s updated virus listings isn’t always enough. With over 200 new macro viruses appearing each month, that’s not surprising, although Datawatch reportedly tries to do next-business-day turnaround when a customer sends in a new virus.
Microsoft also provides information about macro viruses and tools to help identify them. Notes from readers haven’t been particularly positive about the performance and usefulness of the main utility, called MVTOOL, and the Microsoft Web site comments: "MVTOOL is able to scan for and disinfect files that contain the Concept virus. However, it is not able to detect or remove any of the other known macro viruses and is prone to crashing when processing a large number of files." MVTOOL works by notifying you when documents that you open contain macros, and lets you open the documents without the macros, which is useful, but not nearly as hands-off as anti-virus tools should be. Users simply can’t be expected to know what is and what is not a macro virus.
Since I mainly use Word 5.1 when I use Word at all, I’ve never run into a Word macro virus and can’t offer advice from personal experience. However, my feeling is that if you use and rely heavily on Word 6.0 or later, particularly if you frequently trade files with other users, it’s worth getting and installing not only Microsoft’s MVTOOL, but another commercial anti-virus tool such as Virex or SAM. Of course, if you don’t need Word 6.0’s features, Word 5.1 doesn’t suffer from macro viruses at all, and can safely open infected Word 6 files. Ideally, a future version of Microsoft Office would have a feature that would prevent macro viruses.
In the end, be careful out there. A major reason that the Macintosh world is plagued by relatively few traditional viruses is that the anti-virus tools are updated so quickly and utilized by such a large number of Macintosh users (and many of the programmers worked together on identifying and eliminating each new virus) that the viruses never had a chance to spread far. Vigilance is the only defense. If you own a commercial anti-virus program that fails to catch a macro virus that infects your documents, be sure to send the infected document (clearly labeled, of course) to the program’s manufacturer immediately, so they can add it to their list of viruses to eradicate. Only then can we hope to get the upper hand in the fight against the macro viruses.