Home of the World Famous VIRUS BUSTERS
Download Antivirus Software
What to Do If You Have a Virus
Virus Filtering
Viruses Seen at U-M
Hoaxes, Hooey, and Hogwash
Urban Legends
U-M Resources
Other Resources
Contact Us
We Ain't 'Fraid O' No Virus!

Word Macro Viruses Fact Sheet

While many new viruses appear every day—there are over 12,000 as of June 12, 1997—relatively few of them actually spread far enough to become a problem. Certainly fewer than 1000 viruses account for over 99% of the infections worldwide, and many of those viruses are several years old. Macro viruses have made it easier for viruses to spread quickly, however, in part because because they can be sent as email attachments. Although the number of macro viruses is growing rapidly (over 900 already), top quality antivirus products are usually updated quickly enough so that usually users are protected if they keep their products up-to-date.

For those who have a top quality antivirus product like Dr Solomon's Anti-Virus Toolkit (PC and Macintosh) or F-PROT Professional (PCs only), macro viruses aren't much of a concern—they are handled automatically by the on-access component, e.g., WinGuard or MacGuard for DSAV, so that infected documents cannot be loaded until the virus is removed, and the on-demand scanner e.g., FindVirus for DSAV, F-MACRO (F-PROT Pro) or F-MACROW (F-PROT Shareware) can disinfect properly. This is the best solution, short of not using Microsoft products at all, since the procedure is almost transparent for the user, and it is a simple, automated procedure to remove an infection from many documents.

PC users who do not have access to DSAV should consider using F-MACROW from the F-PROT Shareware package. Note that the F-PROTShareware product is FREE for individual, non-commercial use. While it will not prevent Word or Excel, etc. from opening an infected document, it will allow proper removal of all infected documents automatically whenever the user requests a scan. Please do remember to change the "action" from Report Only to one of the Disinfect options by clicking on the appropriate button.

Unfortunately, Macintosh users don't have such an option; there are no Freeware or Shareware applications for teh Macintosh that offer automatic removal of Word Macro viruses. [Disinfectant is free, but helpless against Word Macro viruses.] There are some other approaches, however, that both Macintosh and PC users may consider:

  • Microsoft offers a tool for "protection" against Word Macro viruses, but it is so woefully inadequate that we cannot in good consience include a link to it here. This was true when it was first made available in October(?) 1995—when there was only one Word Macro virus; it goes without saying how useful it is with 1000 different macro viruses that we see today. As an example of its failings, consider this: if a user opens an infected document by double-clicking on its icon—the prevalent method for Macintosh users, and becoming more common in the PC world—instead of launching Word and then using File/Open, then the Microsoft scheme fails completely. Even if users are trained to use the tool properly, it takes only one lapse to make the protection useless.

  • Padgett Peterson has written a Freeware tool called MacroList that can help, but it is neither trivial to use nor automatic. You can find MacroList, including a beta version for Word 8 (Office '97 on PCs) at the following locations: Note that Pagdett's pages are sometimes difficult to reach.

  • There is a procedure that one may use to remove Word macro viruses safely by hand, but it is non-trivial and must be applied to each document, whether or not it actually is infected. Moreover, it does not prevent future infections. Nonetheless, the procedure may prove useful in an emergency, and can be applied on both Macintosh and PC.

Of course, a scanner can't remove a virus it doesn't recognize, so it may be necessary to update the scanner whenever a virus outbreak occurs. Since new versions are released on a regular schedule, a special distribution mechanisim is needed for emergency situations. DSAV does this via extra drivers; F-PROT does it via a macro definition file available from the F-PROT ftp site.

For a historical outlook on how to handle Word Macro viruses, click here. Please note that this procedure is no longer safe to do for Macro viruses in general, and is tedious even for the original WordMacro/Concept.A virus.

 

U-M Virus Busters

virus.busters@umich.edu

ITS | University of Michigan
Copyright © 1996-2008 The Regents of The University of Michigan

visits since this site was redesigned 5/21/04

This page last updated April 27, 2004