Common auto-execute events are opening a file, closing a file, and starting an application. Once a macro is running, it can copy itself to other documents, delete files, and create general havoc in a person's system. These things occur without the user explicitly running the macro.
In Microsoft Word there are three types of hazardous, auto-executing macros: auto-execute macros, auto-macros, and macros with command names. There is one auto-execute macro in Word named AutoExec. If a macro named AutoExec is in the "normal.dot" template or in a global template stored in Word's startup directory, it is executed whenever Word is started. The only way to disable the execution of AutoExec is to insert the flag /m in the command line used to start Word. The auto-macros can be disabled by executing the WordBasic command "DisableAutoMacros" in a macro.
Note that the example in Word's online help of executing this command in the command line when starting Word does not work. The command must be executed in a macro. Auto-macros are also disabled by holding down the shift key while opening a document.
The third type of dangerous macros are those named for an existing Word command. If a macro in the global macro file or in an attached, active template has the name of an existing Word command, the macro command replaces the Word command. For example, if you create a macro named FileSave in the "normal.dot" template, that macro is executed whenever you choose the Save command on the File menu. There is no way to disable this feature.
Macro viruses spread by having one or more auto-execute macros in a document. By opening or closing the document or using a replaced command, you activate the virus macro. As soon as the macro is activated, it copies itself and any other macros it needs to the global macro file "normal.dot." After they are stored in normal.dot they are available in all opened documents. At this point, the macro viruses try to spread themselves to other documents, usually by including an AutoClose macro that attaches the virus macros to the document and saves it.
The macro viruses that cause damage contain a trigger that starts the damage routines, and those routines do the actual damage. The trigger is some event that the virus writer has programmed his virus to watch for, such as a date or the number of days since the infection occurred. An important point to make here is that Word documents (.DOC files) cannot contain macros; only Word templates (.DOT files) can contain macros. However, it is a relatively simple task to mask a template as a document by changing the file name extension from .DOT to .DOC.
A document infected with the Concept virus contains the macros: AAAZAO, AutoOpen, AAAZFS, Payload. When an infected file is opened, the AutoOpen macro is run and copies the virus files to the global macro file. During the copying process it changes the name of AAAZFS to FileSaveAs. Whenever a document is saved, the FileSaveAs command copies the virus macros into it and saves it. The AAAZAO macro becomes the AutoOpen macro on the saved document file. The Payload macro does nothing.
The first time the macro runs, a dialog box appears with the single digit "1" contained in it. There is a procedure available that disables the Concept Virus and protects your computer/files from becoming infected again.
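The three hazard classes and the Concept macro names described above can be turned into a simple triage check. The following Python sketch is an added example, not part of the original article or of SCANPROT.DOT; it assumes the macro names have already been listed for each file by some other tool, the sample inventories are constructed, and the command-name list is only a small sample.

```python
import os

# Hazard classes from the article; names are compared case-insensitively
# (an assumption of this example).
HAZARDS = [
    ("auto-execute", {"autoexec"}),  # runs when Word starts
    ("auto-macro", {"autoopen", "autoclose", "autonew", "autoexit"}),
    # Assumption: a small sample of Word command names, not the full list.
    ("command-name", {"filesave", "filesaveas", "fileopen", "fileclose"}),
]
# Macro set the article lists for a Concept-infected document.
CONCEPT_DOC = {"aaazao", "aaazfs", "autoopen", "payload"}


def classify(name):
    """Return the hazard class of one macro name, or 'other'."""
    for label, names in HAZARDS:
        if name.lower() in names:
            return label
    return "other"


def triage(filename, macros):
    """Return a list of findings for one file and its macro names."""
    names = {m.lower() for m in macros}
    findings = []
    # A .DOC file that carries macros is really a template with a changed extension.
    if os.path.splitext(filename)[1].lower() == ".doc" and names:
        findings.append("macros in a .DOC file: template masked as a document")
    for m in sorted(macros, key=str.lower):
        kind = classify(m)
        if kind != "other":
            findings.append(f"{m}: {kind}")
    if CONCEPT_DOC <= names:
        findings.append("Concept macro set (infected document)")
    elif {"aaazao", "filesaveas"} <= names:
        # In the global template AAAZFS has been renamed to FileSaveAs.
        findings.append("Concept macro set (infected global template)")
    return findings


# Constructed sample inventories (file name -> macro names), for illustration only.
SAMPLES = {
    "REPORT.DOC": ["AAAZAO", "AAAZFS", "AutoOpen", "Payload"],
    "NORMAL.DOT": ["AAAZAO", "FileSaveAs", "Payload"],
    "LETTER.DOT": ["InsertAddress"],
}

if __name__ == "__main__":
    for fname, macro_list in SAMPLES.items():
        print(fname, triage(fname, macro_list) or ["no findings"])
```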
The CCC encourages all Microsoft Word users to perform the following procedure:
Copy the template SCANPROT.DOT from any server at O:\SINGLE\MSOFFICE\TEMPATE to your C:\MSOFFICE\WINWORD\TEMPLATE directory. From within Microsoft Word, follow these steps:
1. Click File, Open
2. From the Open dialog box, change to the C:\MSOFFICE\WINWORD\TEMPLATES directory
3. Change List Files of Type to All Files at the bottom of the dialog box.
4. Scroll and select the SCANPROT.DOT template.
5. Click OK to open the template.
The template will automatically walk you through the procedure to disable the Concept Virus if it finds it on your computer. It will tell you if it does not find the virus and when the procedure is complete. You are given the option to continue checking files created after February 1995 (the creation date of the Concept Virus) through the Batch Cleanup Procedure window. This template will protect your computer from contracting this strain of the Concept Virus in the future.
If you try to open SCANPROT.DOT again, to check disks for example, a warning will appear stating that this file contains macros that could alter Word commands or damage your files. It will give you the option to disable them. DO NOT DISABLE THESE MACROS IN SCANPROT.DOT; click No! These particular macros are there to protect your computer from further infection! When you click No, the next window will be the Batch Cleanup procedure, and from here you can clean your disks.
***If you see this warning when you try to open a regular Word document, then your computer may have a macro virus. You should click "Yes" to disable the macro and then save the cleaned file using the original filename, to write over the infected file. The CCC will continue to keep you updated on viruses as well as any computer related information.
CORRECTIONS: In the last issue of Newspeak, the location of the Windows95 software is on the Novell servers at O:\SYSTEM\WINSTALL\WINSTALL\WIN95APP.LST, not WIN95APPS.LST. Also, the shop's web address is http://ccc-shop.wpi.edu, not http://ccc_shop.wpi.edu.
Give feedback: newspeak@wpi.wpi.edu