Hi John,
In the message "Re: [MAGNet] Macro Virus protection", dated
2000-10-05, John Fiorillo wrote:
>As it happens, we were not able to entirely fix the MS Word 98 files
>that were infected, even after running Virex. The Virex application
>did indeed find some infected files and the professor used it to
>"repair" them (alas, without first noting the name of the virus).
>Nevertheless, any previously infected files still cause the macro
>virus alert window to open, even though the Virex program no longer
>recognizes any infected files.
Microsoft Word's "Macro Virus Protection" option (enabled by
default, configurable in Word 98 via the "Tools/Preferences..." menu
option, in the "General" panel) will display a warning dialog if you
open a file containing any macros, whether associated with a virus or
not.
If you or the professor can send me a copy of one (or more) of the
suspect files, I'd be happy to take a look at it (them).
>We were forced to open a fresh file window in MS Word and copy and
>paste the contents of the "corrupted" file into the new file window
>and then resave. The new file opens correctly and does not open the
>prompt window. The corrupted files were then deleted.
This method works fine. Some additional notes regarding Word macro
viruses, including ways to manually remove macro viruses from Word
files, appear below.
Aron Roberts
Workstation Software Support Group
---------------------------------------------------------------
The Normal template - where many viruses hang out
-------------------------------------------------
Most Word macro viruses stash a copy of themselves (or a portion of
their code) in the "Normal" template file. This file often serves as
the "launching point" for replicating to additional documents and/or
to deliver a 'payload' when a trigger event occurs.
Under the Mac OS, you can find this template file by searching for
a file whose name is exactly "Normal", or else you can look for that
file in the "Templates" folder in the "Microsoft Office 98" folder.
(Under Windows 95/98, you can likely find this file by searching for
NORMAL.DOT ...)
Determining if one's Normal template file is infected ...
---------------------------------------------------------
... by a VBA macro
------------------
To manually determine if the Normal template is infected with a
Visual Basic for Applications (VBA) macro, at least on a Mac running
Word 98 (I haven't tried this with Windows):
- From the "Tools" menu, select "Macro->Visual Basic Editor"
- From the "View" menu, select "Object Browser"
- Select "Normal" from the top left pop-up menu
- Select "This Document" from the "Classes" list
- Scroll down through the "Members of 'This Document'" list at right
  to see if any items are highlighted (boldfaced). (Such items
  apparently represent private items added to this file, such as
  viral macro code.)
  (One to look for: "Document_Open")
- After you're done, close the Visual Basic Editor by selecting
  "Close and Return to Microsoft Word" from the "File" menu
... by a Word Basic macro
-------------------------
To manually determine if the Normal template is infected with an older-style
Word Basic macro, on a Mac running Word 98:
From Word's "Tools" menu, select "Macro->Macros". Select "Normal
(Global Template)" from the "Macros in" pop-up menu.
If the Macro->Macros command is not present, it's possible that a
macro has removed this command from Word's menus in order to make it
more difficult for you to detect infections.
You might then try using the "Organizer" function, which has a "Macro
Project Items" function that also lets you view macros in the Normal
template file. (You may need to use Word's "Tools" menu,
"Customize..." item to allow you to conveniently access the Organizer
function via a keystroke, or to assign it to a menu.) If the
Macro->Macros function is still present, you can also get to the
Organizer function by clicking the "Organizer" button in the Macros
window.
To manually clean an infected document by removing its macros
-------------------------------------------------------------
At 08:29 -0700 2000-06-07, Pat McPeak sagely wrote:
>-if it's necessary to edit the file or send it to anyone else,
> select all from the read-only document & copy into a new
> document (must be done after deleting the infected template),
> or save as RTF and send or re-open as new Word document.
In addition to RTF, Greg Paschall also aptly noted today that
saving Word documents in document formats used by some earlier
versions of Word (which didn't use macros) may also strip newer Word
documents of their macros. For instance, saving documents in Word
5.x format for the Macintosh would likely do so.
This 'downgrading' may alter formatting or strip advanced
formatting features, so saving a document as RTF, then opening it
again in Word, is still the preferred way to clean documents.
However, Greg's and Pat's suggestions are also useful in another
context: by making a practice of exchanging Word documents which are
saved in RTF format, or which have been saved in a format used by an
earlier version of Word that does not use macros, these documents
will not contain macros and thus will not transmit macro viruses. In
Word 98 for the Macintosh, the default preference when saving files
can be changed in the "Tools" menu, "Preferences...", "Save" folder
tab, "Save Word files as" pop-up menu.
To manually clean the Normal template
-------------------------------------
At 08:29 -0700 2000-06-07, Pat McPeak sagely wrote:
>-delete the normal template (also any other infected templates,
> if any)
Low-cost ;-) protection methods against Word macro viruses
----------------------------------------------------------
At 08:29 -0700 2000-06-07, Pat McPeak sagely wrote:
>-make sure the Word macro virus protection option is on
>...
>-when opening any document that warns about macros, select
> the disable macros option; document will then be read only
A bit more detail regarding this macro virus protection option
built into Word -- and an addition:
If a Microsoft Word user understands what each of these options does,
and is comfortable with the idea of the warning dialogs that they may
occasionally trigger, it can be an excellent idea to enable both of
the following:
- "Macro virus protection" (as per Pat's suggestion above)
  (in "Tools" menu, "Preferences...", "General" folder tab)
  This will put up a warning dialog when a Word template
  file containing macros is opened. This gives users
  the option to open the file without macros, which is
  always the safest way to proceed when opening any Word
  file, or even to avoid opening the file altogether.
  It appears that this option is enabled by default.
  Two limitations of this feature:
    - Some, perhaps many, macro viruses attempt to turn off this option.
    - Users sometimes get tired of encountering annoying dialogs and
      thus might be tempted to permanently turn off this option via
      the handy checkbox right in that dialog ;-).
- "Prompt to save Normal template"
  (in "Tools" menu, "Preferences...", "Save" folder tab)
  This will warn when any changes are made to the Normal template.
  This option does not appear to be enabled by default.
  Most Word users (except for some intermediate and advanced
  users) don't typically perform actions -- such as storing
  global changes to styles -- that would result in changes being
  made to the Normal template. Thus, if a warning about saving changes
  to this file ever pops up, this *could* potentially be a warning
  sign that a macro virus is attempting to store its viral macro(s)
  in the Normal template.
It's also possible/likely that newer versions of Office, such as
Office 2000 for Windows and forthcoming versions of Office for the
Mac OS, offer additional protection options. [Postscript - I haven't
yet looked into whether Word 2001 for the Mac OS offers any
additional macro virus protection options. - Aron]
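
Added example (not part of the original message): a content-based check that a file exchanged "as RTF" really is RTF, and whether a Word 97/98-style binary carries a VBA project and so should be expected to trigger the macro warning. The function names, the result fields and the sample files are assumptions constructed for illustration, and the VBA check is a byte-pattern heuristic that does not detect older Word Basic macros.

```python
"""Triage a received document by content rather than by file name."""

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # compound-file header (Word 97/98 binaries)
RTF_MAGIC = b"{\\rtf"                           # every RTF file begins with this
# Compound-file directory names are UTF-16LE; a VBA project includes a
# stream named "_VBA_PROJECT". Heuristic only: Word Basic macros
# (Word 6/95 style) are stored differently and are not detected here.
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def classify(data: bytes) -> str:
    """Return 'rtf', 'ole', 'ole-with-vba' or 'unknown' from the bytes alone."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole-with-vba" if VBA_MARKER in data else "ole"
    return "unknown"


def triage(filename: str, data: bytes) -> dict:
    kind = classify(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return {
        "file": filename,
        "kind": kind,
        # A ".rtf" name proves nothing about the bytes inside.
        "name_mismatch": ext == "rtf" and kind != "rtf",
        "expect_macro_warning": kind == "ole-with-vba",
    }


def _fake_ole(with_vba: bool) -> bytes:
    """Constructed stand-in for a Word binary: header plus directory names."""
    body = b"\x00" * 504 + "WordDocument".encode("utf-16-le")
    return OLE_MAGIC + body + (VBA_MARKER if with_vba else b"")


# Constructed sample inputs (not real documents).
SAMPLES = {
    "syllabus.rtf": b"{\\rtf1\\ansi Week 1 reading list}",
    "grades.doc": _fake_ole(with_vba=False),
    "notes.rtf": _fake_ole(with_vba=True),  # Word binary renamed to .rtf
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(triage(name, data))
```

A file flagged with "name_mismatch" was not actually saved as RTF, so the "exchange documents as RTF" practice described above gives no assurance for it.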