__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

                  Winword Macro Viruses
      (Concept, DMV, Nuclear, Colors, FormatC, Hot)

February 7, 1996 18:00 GMT                                    Number G-10
______________________________________________________________________________

PROBLEM:       Word macro viruses are no longer an isolated threat; they are a
               significant hazard to the information on a computer.
PLATFORM:      Any platform that can run Microsoft Word 6.0 or later:
               Windows 3.1, WFW 3.11, Win 95, Windows NT, and Macintosh.
DAMAGE:        Files can be deleted and may not be recoverable.
SOLUTION:      Scan all new Word documents before opening them, in the same
               way that you now scan all executable files before running
               them. Install version 2 of the Microsoft macro virus detection
               tool.
______________________________________________________________________________

VULNERABILITY  The vulnerability of systems to this type of virus is high,
ASSESSMENT:    because most users are not in the habit of scanning documents.
               Documents are much more mobile than executable files in an
               organization, passing from machine to machine as different
               people write or edit them.
______________________________________________________________________________

CRITICAL Information Concerning Winword Macro Viruses

CIAC has obtained information about six macro viruses currently in the wild,
five of which infect Microsoft Word 6.0 documents and one that infects an
Excel worksheet. Two of these viruses are damaging. This bulletin describes
these viruses:

  Concept (Prank)   Working demo of a macro virus.
  DMV (Word)        Working demo of a macro virus.
  DMV (Excel)       Working demo of a macro virus.
  Nuclear           Attempts damage but fails.
  Colors            Changes screen colors.
  FormatC           Deletes files on the hard drive.
  Hot               Deletes Word documents when they are opened.

WARNING: The new macro viruses are not detected by the original protection
macro available from Microsoft, which only detects Concept (scan831.dot, see
CIAC Notes 95-12). A new protection program is available from Microsoft, and
most anti-virus scanner developers are adding macro virus detection to their
products. The new Microsoft scanner is available from Microsoft at:

  http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool20.exe

with a description available at:

  http://www.microsoft.com/msoffice/freestuf/msword/download/mvtool/mvtool2.htm

The files are also available from the CIAC archive.

What Are Macro Viruses?
-----------------------

A macro virus is a piece of self-replicating code written in an application's
macro language. Many applications have macro capabilities, such as the
automatic playback of keystrokes available in early versions of Lotus 1-2-3.
The distinguishing factor that makes it possible to create a virus with a
macro is the existence of auto-execute macros in the language. An auto-execute
macro is one that is executed in response to some event and not in response
to an explicit user command. Common auto-execute events are opening a file,
closing a file, and starting an application. Once a macro is running, it can
copy itself to other documents, delete files, and create general havoc on a
person's system. These things occur without the user explicitly running the
macro.

In Microsoft Word there are three types of hazardous, auto-executing macros:
auto-execute macros, auto-macros, and macros with command names.

There is one auto-execute macro in Word, named AutoExec. If a macro named
AutoExec is in the "normal.dot" template or in a global template stored in
Word's startup directory, it is executed whenever Word is started. The only
way to disable the execution of AutoExec is to insert the flag /m in the
command line used to start Word.
The second type of dangerous macros are auto-macros.

  Name         Runs when you
  ------------------------------------
  AutoNew      create a new document.
  AutoOpen     open a document.
  AutoClose    close a document.
  AutoExit     quit Word.

The auto-macros can be disabled by executing the WordBasic command
"DisableAutoMacros" in a macro. Note that the example in Word's online help
of executing this command on the command line when starting Word does not
work; the command must be executed in a macro. Auto-macros are also disabled
by holding down the Shift key while opening a document.

The third type of dangerous macros are those named for an existing Word
command. If a macro in the global macro file or in an attached, active
template has the name of an existing Word command, the macro replaces the
Word command. For example, if you create a macro named FileSave in the
"normal.dot" template, that macro is executed whenever you choose the Save
command on the File menu. There is no way to disable this feature.

Macro viruses spread by having one or more auto-execute macros in a document.
By opening or closing the document or using a replaced command, you activate
the virus macro. As soon as the macro is activated, it copies itself and any
other macros it needs to the global macro file "normal.dot". Once they are
stored in normal.dot they are available in all opened documents. At this
point the macro viruses try to spread themselves to other documents, usually
by including an AutoClose macro that attaches the virus macros to the
document and saves it.

The macro viruses that cause damage contain a trigger that starts the damage
routines, and those routines do the actual damage. The trigger is some event
that the virus writer has programmed the virus to watch for, such as a date
or the number of days since the infection occurred.

An important point to make here is that Word documents (.DOC files) cannot
contain macros; only Word templates (.DOT files) can contain macros.
However, it is a relatively simple task to mask a template as a document by
changing the file name extension from .DOT to .DOC.

DMV (Word) Macro Virus
----------------------

The DMV (Demonstration Macro Virus) virus was originally described in the
paper "Document Macro Viruses" by Joel McNamara, who conveniently infected
the document containing the paper with the virus so the reader could
experience it first hand. The virus itself is simply an example of how such a
virus could be implemented and does not attempt to hide at all. The virus is
not harmful and is relatively simple to remove using the Tools Macro command
in Microsoft Word (see below).

The virus installs a single macro named AutoClose into the "normal.dot"
global macro file. The AutoClose macro infects all new documents when they
are closed. The macro does no damage other than to spread itself. When the
macro runs, it displays numerous dialog boxes telling you what it is doing,
making it obvious if you are infected.

DMV (Excel) Macro Virus
-----------------------

The Excel version of the DMV macro virus works the same as the Word version
but uses the Visual Basic for Applications language built into Excel. The
Excel document contains a macro sheet that implements an AutoClose macro.
When you close the file, the macro is activated and copies itself to Excel's
global macro file. When other worksheets are closed, the macro attaches
itself to them as well.

Concept (Prank) Macro Virus
---------------------------

The Concept macro virus (alias Prank) is similar to the DMV macro virus in
that it is a demonstration that a macro virus can be created. A document
infected with the Concept virus contains the macros:

  AAAZAO
  AutoOpen
  AAAZFS
  Payload

When an infected file is opened, the AutoOpen macro is run and copies the
virus macros to the global macro file. During the copying process it changes
the name of AAAZFS to FileSaveAs.
Whenever a document is saved, the FileSaveAs command copies the virus macros
into it and saves it. The AAAZAO macro becomes the AutoOpen macro on the saved
document file. The Payload macro does nothing. The first time the macro runs,
a dialog box appears with the single digit "1" in it.

Nuclear Macro Virus
-------------------

A document infected with the Nuclear macro virus contains nine macros:

  AutoExec
  AutoOpen
  DropSuriv
  FileExit
  FilePrint
  FilePrintDefault
  FileSaveAs
  InsertPayload
  Payload

All of these are copied to the global macro file when an infected document is
opened. When any document is saved, the virus copies all the macros onto it
and saves it. Printing a document during the last 5 seconds of any minute
causes the following text to appear at the top of the printed page:

  "And finally I would like to say:"
  "STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"

After April 5th it attempts to delete your system files but fails because of
a bug in the virus. The virus also attempts to infect a system with the Suriv
binary virus, but fails again because of a bug.

Colors Macro Virus
------------------

A document infected with the Colors virus contains the following eight
macros:

  AutoClose
  AutoExec
  AutoOpen
  FileExit
  FileNew
  FileSave
  FileSaveAs
  ToolsMacro

The virus changes many of the menu items to make it difficult to delete. For
example, it effectively removes the Tools Macro command so you can't list or
delete macros with that command. After being accessed 300 times, Colors
activates and randomly changes the system colors in the win.ini file, making
the screen look strange.

FormatC Macro Virus
-------------------

The FormatC macro virus consists of a single macro named AutoOpen. Opening an
infected document causes this macro to run, and the macro copies itself to the
global macro file. If the virus's payload is activated, it attempts to format
the C: drive. WARNING: the format command in most modern versions of DOS can
be reversed.
If this virus strikes, get some knowledgeable help before doing anything to
your system. Don't do anything that might write something on the hard drive
until you get knowledgeable help. You may only need to boot from a floppy and
run unformat to recover the whole drive. What you do depends on what utility
programs (Norton Utilities, PCTools, and so forth) you have installed on your
system.

Wordmacro/Hot
-------------

A new Word macro virus named Wordmacro/Hot has just appeared in the wild, and
it is destructive. The Wordmacro/Hot virus attaches itself like the others,
adding macros to documents and to the "normal.dot" global macro file. New
documents are infected when they are saved. After about 14 days, the virus
deletes the contents of any document as you open it and does a save, which
effectively wipes out the document. It is unlikely that you will be able to
recover the contents of a file deleted in this way unless you have Make
Backup turned on. Don't start opening the backup copies before cleaning the
virus, because it will clear the contents of every document you open while it
is active.

An infected document contains the following macros:

  AutoOpen
  DrawBringInFrOut
  InsertPBreak
  ToolsRepaginat

When the virus infects the Word program, these macros are copied to
"normal.dot" and renamed, in the same order, to:

  StartOfDoc
  AutoOpen
  InsertPageBreak
  FileSave

The virus adds the item:

  OLHot=nnnnn

to the winword.ini file, where nnnnn is a date 14 days in the future. The
virus uses this date to determine when it is going to trigger. The virus also
checks for the existence of the file:

  c:\dos\ega5.cpi

and does not infect a machine if the file exists. This was apparently a
feature to protect the virus writer.

Detecting A Macro Virus
-----------------------

Document files must now be treated in the same manner as executables in terms
of virus protection. If you don't know where a Word document has been, scan it
before opening it with Word.
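As an added example (not code from the bulletin, CIAC or Microsoft), the Python below triages the list of macro names that Word's Organizer shows for a document or for normal.dot against the macro sets this bulletin gives for each family, and flags auto-macros and command-named macros that Word would run without being asked. The command-name prefix test is an assumed heuristic rather than Word's full command list, and the sample name lists are constructed from the macro lists above.

```python
# Added example, not the bulletin's or Microsoft's code: triage the macro names
# Word's Organizer lists for a document or normal.dot against this bulletin.
AUTO_MACROS = {"AutoExec", "AutoNew", "AutoOpen", "AutoClose", "AutoExit"}  # event-run
# Word commands are named menu + verb (FileSave, ToolsMacro), and a macro with such a
# name replaces the command. The prefix check is an assumed heuristic, not Word's list.
COMMAND_PREFIXES = ("File", "Edit", "View", "Insert", "Format", "Tools",
                    "Table", "Window", "Help", "Draw")
# Macro sets given in the bulletin; Hot renames its macros inside normal.dot.
FAMILIES = {
    "Concept": {"AAAZAO", "AutoOpen", "AAAZFS", "Payload"},
    "DMV": {"AutoClose"},
    "Nuclear": {"AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"},
    "Colors": {"AutoClose", "AutoExec", "AutoOpen", "FileExit", "FileNew",
               "FileSave", "FileSaveAs", "ToolsMacro"},
    "FormatC": {"AutoOpen"},
    "Hot (document)": {"AutoOpen", "DrawBringInFrOut", "InsertPBreak", "ToolsRepaginat"},
    "Hot (normal.dot)": {"StartOfDoc", "AutoOpen", "InsertPageBreak", "FileSave"},
}

def is_command_name(name):
    # True when the macro name looks like a built-in Word command it would replace.
    return any(name.startswith(p) and name[len(p):len(p) + 1].isupper()
               for p in COMMAND_PREFIXES)

def identify(names):
    # A lone AutoOpen/AutoClose is only 'consistent' with FormatC/DMV; any macro file could carry it.
    present, hits = set(names), []
    for family, sig in FAMILIES.items():
        if present == sig:
            hits.append((family, "exact" if len(sig) > 1 else "consistent"))
        elif len(sig) > 1 and sig <= present:
            hits.append((family, "contains"))  # the family's macros plus extras
    return hits

def triage(names):
    # Classify a macro list as clean, infected, suspect or review.
    present = set(names)
    hits = identify(present)
    auto = sorted(present & AUTO_MACROS)
    commands = sorted(n for n in present if is_command_name(n))
    if not present:
        verdict = "clean"     # no macros, so no macro virus
    elif any(kind != "consistent" for _, kind in hits):
        verdict = "infected"
    elif hits or auto or commands:
        verdict = "suspect"   # Word would run these without being asked
    else:
        verdict = "review"    # the bulletin treats any attached macro as suspect
    return {"verdict": verdict, "families": hits, "auto_macros": auto, "command_named": commands}
```

A "contains" hit on the normal.dot list is the case to watch for after a suspected infection, since a user's own global macros sit alongside the virus's renamed ones.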
Most anti-virus scanners have been modified to detect macro viruses in Word
documents, so use those scanners to check any new documents that have been
copied onto your machine. For example, version 2.21 of the shareware version
of F-Prot detects all but the FormatC and Hot viruses.

Microsoft has released a new version of its macro virus protection program
(see below) that checks all Word documents as you open them and tells you
whether or not they contain a macro. It can only detect the Concept virus by
name, but any document with a macro attached should be considered suspect.

You can use the Organizer dialog box (see below) to check for strange macros
attached to your documents. The Organizer can open a document in the
background (without running any attached macros) and let you see what macros
are attached to it. You can also use it to delete macros from a document.

You can watch for virus activity when opening or saving a document, but it is
generally preferable to detect a virus before it gets installed. If you have
already opened a document that you suspect has a virus, use the Tools Macro
command to see a list of the macros attached to Word. If you can't open the
Macro dialog box, try the Organizer dialog box instead.

Protecting A System From Macro Viruses
--------------------------------------

A feature of Microsoft's products is that automatic execution of auto-macros
and auto-execute macros is enabled by default. In fact, it is difficult to
turn off. This is a problem in protecting against macro viruses.

Currently, the best protection is to install Microsoft's macro virus
protection template. The template is available directly from Microsoft's