
Features
Anatomy of a Macro Virus

Macros, a feature found in many applications, make it easy to automate routine operations. Microsoft Word has a particularly powerful macro capability with sophisticated programmable links to the Windows operating system. Because of that, and because it's so widely used, Word has been singled out as a target by virus writers. Excel is also a frequent target.

More than 200 Word macro viruses have been identified. They're distributed via infected Word style templates, an effective means of entry, since each time Word opens a document (DOC) file, it also opens a template (DOT) file. Word uses templates to hold style settings and macro scripts. A template can even include macros that execute automatically whenever a document is opened or closed. For example, Word's AutoOpen and AutoClose macros facilitate document editing by doing things like bringing up custom toolbars. Virus writers can exploit these very capabilities.

Because only templates can contain macros, macro viruses force an infected document to be saved as a template. The virus disguises the infected template by renaming it with the DOC extension. When you open an infected file, it loads into Microsoft Word as its own style template. If the file contains an AutoOpen macro, all actions written in the macro are executed immediately. The virus' harmful instructions are then copied to the global macro pool, which usually resides in a template called NORMAL.DOT. From there, destructive macros can spread to other documents as you open them.

The more insidious variations of these macros don't immediately damage document text. Instead, they let you gradually infect every document before they reveal themselves. Their presence becomes more obvious as they start changing document margins and tab settings, inserting alphanumeric strings and attacking Windows system files.
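
The two warning signs described above, template content hiding under a DOC extension and the presence of AutoOpen or AutoClose, can be checked mechanically. The sketch below is an added example, not part of the original article: it assumes the file's WordDocument stream and its list of macro names have already been extracted by another tool, and it reads the template flag from the header layout in Microsoft's published Word binary format. The sample header bytes and file names are constructed.

```python
import struct

WORD_IDENTS = {0xA5DC, 0xA5EC}   # FIB wIdent: Word 6/95 and Word 97 binary formats
FDOT = 0x0001                    # FIB flag word at offset 0x0A, bit 0: saved as template
AUTO_MACROS = {"autoopen", "autoclose"}  # the auto macros named in the article


def is_template(word_stream: bytes) -> bool:
    """Return True if the WordDocument stream's FIB marks the file as a template."""
    if len(word_stream) < 12:
        raise ValueError("stream too short to hold a FIB header")
    (ident,) = struct.unpack_from("<H", word_stream, 0)
    if ident not in WORD_IDENTS:
        raise ValueError(f"not a Word binary stream (wIdent=0x{ident:04X})")
    (flags,) = struct.unpack_from("<H", word_stream, 0x0A)
    return bool(flags & FDOT)


def triage(filename: str, word_stream: bytes, macro_names: list) -> list:
    """List the article's two warning signs found in one file.

    word_stream and macro_names are assumed inputs, extracted beforehand.
    """
    findings = []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if is_template(word_stream) and ext != "dot":
        findings.append("template content without a .dot extension")
    auto = sorted(n for n in macro_names if n.lower() in AUTO_MACROS)
    if auto:
        findings.append("auto-executing macros: " + ", ".join(auto))
    return findings


def sample_fib(flags: int, ident: int = 0xA5DC) -> bytes:
    """Constructed 12-byte FIB prefix: wIdent, nFib, product, lid, pnNext, flags."""
    return struct.pack("<6H", ident, 101, 0, 0x0409, 0, flags)


if __name__ == "__main__":
    # Constructed samples, not real files.
    print(triage("MEMO.DOC", sample_fib(FDOT), ["AutoOpen", "Payload"]))
    print(triage("LETTER.DOT", sample_fib(FDOT), ["FormatTable"]))
    print(triage("NOTES.DOC", sample_fib(0), []))
```

A clean result here only means neither sign was found; it does not replace an antivirus scan.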

When the Macro Attacks

When one of the first Word macro viruses, the Prank virus, appeared, Microsoft posted a cure on its Web site. Microsoft's remedy was an antiviral template called SCANPROT.DOT. It worked for Prank, but it is not effective against current Word macro viruses. In fact, SCANPROT.DOT may interfere with other antivirus programs, making document disinfection more difficult. To be safe, you should install a newer third-party antivirus product, such as those Microsoft lists at its Web site (http://www.microsoft.com/kb/articles/q49/5/00.htm). The latest version of Word (Word 97) now issues a warning when it detects a suspicious macro, but it does not automatically remove or clean it.

If you think your PC has a Word macro virus, and you don't yet have antivirus software installed, your best bet is to avoid saving or opening any Word documents. If damaging changes appear in a document, you may be able to preserve the file by closing Word using Ctrl+Alt+Delete. Microsoft also offers help for manually removing macro viruses (http://www.microsoft.com/mswordsupport/content/usage/macrovirus/default.htm). But an antivirus program is still recommended.

You can try editing your Word templates (Tools/Macro/Edit) and manually deleting suspicious AutoOpen and AutoClose macros. But this may not be a reliable cure for some of the newer virus variations.


Windows Magazine, April 1997, page 232.
