

Word Macro Viruses

by Bruce P. Burrell - bpb@umich.edu
for the U-M Virus Busters - virus.busters@umich.edu
Last Modified: 14 June 1997

This information can be freely reproduced in any medium, as long as the information is unmodified.

Last Updated: 14 November 1996

DOS/Windows Users
NOTE: Since this document was written, better methods have become available for DOS/Windows users. Those users should employ the F-MACROW program that comes with F-PROT, which is much better and safer than trying to handle viruses "by hand", so please use that method instead.

Macintosh Users
Macintosh users don't have such attractive options; the procedure documented below is gory (particularly when one has many documents to disinfect), but it's the best we have at the moment. Mac users may also want to access Microsoft's "solution" SCANPROT, also available from the F-PROT site.


Quick Jumps to Sections in This Document
Intro
Background
Word Macro Viruses at U-M
Learning More About Word Macro Viruses
Detecting and Removing the Concept Word Macro Virus
Preventing Word Macro Viruses

Intro

This document contains a bit of background about Word Macro Viruses in general and what we've seen of them at U-M in particular, pointers to more information, and instructions about how to control some of these new viruses. It's not brief, so I've tried to organize it so that it gets more detailed as it goes on; I hope that this will make it easier for those who don't want or need to read the whole thing.

Background

With the advent of Word 6 and its macros created with WordBasic, there is a new type of virus "in the wild". The interesting thing about these viruses is that they infect documents rather than executables, and therefore a document infected on a DOS machine and later read on a Macintosh can infect the Mac as well. Some would consider these the first cross-platform viruses, while others view them as having the common platform of WordBasic. In any event, they can spread from Mac to DOS and vice versa.

Word Macro viruses, like all others, can do damage intentionally or by accident; whether or not they are malicious, it's a bad idea to have them on one's machine. The first Word Macro virus (Concept) displays its presence with a dialog box, and doesn't do anything bad on purpose, but it can still cause problems. Another Word Macro virus (Nuclear) attempts -- but, fortunately, fails -- to delete system files on IBM machines, and to install an old DOS virus. I hope this provides evidence, as if subscribers to this group weren't convinced already, that these new viruses are a significant threat.

Word Macro Viruses at U-M

While many places have been hard hit by them, we've been fortunate at the U-M Ann Arbor campus. I saw a report of a corporation with over 20,000 documents infected with the first known Word Macro virus, known as Concept. We have had a few confirmed reports of Concept here, but as far as I know we've not had much of a problem. No other Word Macro viruses (Colors, DMV, Hot, Nuclear) have been confirmed at U-M, though I've had a reliable report of Nuclear.

Update (11/14/96): We've now seen Concept, Nuclear, and Wazzu at U-M.

On the IBM side, F-PROT recognizes Concept, Colors, DMV, and Nuclear but does not yet remove them; it doesn't recognize the Hot virus just discovered this week. Disinfectant doesn't recognize *any* viruses that infect data, e.g., the Hypercard viruses or Word Macro viruses. At least with the Word Macro viruses, it is possible to put Mac Word 6 documents on a DOS disk and scan them on a DOS machine, but there isn't a good solution yet.

Learning More about Word Macro Viruses

For more information about Word Macro viruses, you might want to point your web browser to http://www.datafellows.com/macrovir.htm.

Detecting and Removing the Concept Word Macro Virus

When a system is first infected by Concept, a dialog box with a "1" in it will appear on screen. A more formal test appears below:

To detect whether the Concept virus has infected Word 6, do the following:

  1. Run/Launch Word
  2. Select the Tools menu and choose Macros
  3. Examine the list of macro names for the following names:
             AAAZFS
             AAAZAO
             AutoOpen
             PayLoad
             FileSaveAs
    
    If these names are present, then the Concept virus has infected Word!

DOS users, of course, may use the U-M supported antivirus software F-PROT to detect the Concept virus.
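
As an added example (not part of the original document and not a U-M tool), the name check above can be turned into a rough triage over many files. It assumes the macro names are stored in the file as plain single-byte text, which is a heuristic only; the function names and sample buffers are constructed for illustration, and the macro list inside Word remains the confirming check.

```python
import os

# Macro names the page lists for Concept.
CONCEPT_MACROS = ("AAAZFS", "AAAZAO", "AutoOpen", "PayLoad", "FileSaveAs")
# AutoOpen and FileSaveAs are ordinary Word macro names that a harmless
# template may define, so only the other three count as Concept-specific here.
SPECIFIC = {"AAAZFS", "AAAZAO", "PayLoad"}


def macro_name_hits(data):
    """Return the listed macro names found anywhere in the raw bytes.

    Assumption: names are stored as plain single-byte text. Matching is
    case-insensitive because the stored case may differ from the dialog.
    """
    upper = data.upper()
    return {n for n in CONCEPT_MACROS if n.upper().encode("ascii") in upper}


def classify(hits):
    """Turn a set of hits into a triage label for manual follow-up."""
    if hits == set(CONCEPT_MACROS):
        return "all-five"   # matches the page's full list: check in Word
    if hits & SPECIFIC:
        return "partial"    # some Concept-specific names: inspect by hand
    return "none"           # at most generic auto-macro names


def scan_tree(root):
    """Map each .DOC/.DOT file under root to its triage label."""
    results = {}
    for folder, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith((".doc", ".dot")):
                path = os.path.join(folder, fname)
                with open(path, "rb") as fh:
                    results[path] = classify(macro_name_hits(fh.read()))
    return results


# Constructed sample buffers (not real documents) showing the three outcomes.
SAMPLE_ALL = b"\x00AAAZAO\x00AAAZFS\x00AUTOOPEN\x00FILESAVEAS\x00PAYLOAD\x00"
SAMPLE_BENIGN = b"\x00AUTOOPEN\x00meeting notes\x00"
SAMPLE_PARTIAL = b"\x00AAAZFS\x00"

if __name__ == "__main__":
    for label, buf in (("all", SAMPLE_ALL), ("benign", SAMPLE_BENIGN)):
        print(label, "->", classify(macro_name_hits(buf)))
```

A "partial" or "all-five" result only marks a file for the manual check in Word; a "none" result does not prove a file is clean.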

To remove the virus from Concept-infected .DOC and .DOT files:

  1. Open Word 6 without opening any documents. To do this, double-click on the Word icon, not on one of its documents
  2. View the macro list as above, and delete the macros AAAZFS, AAAZAO, AutoOpen, PayLoad, and FileSaveAs
  3. Create the AutoExec macro in the following section, Preventing Word Macro Viruses
  4. Exit Word, and confirm that you want to save the global changes
  5. Relaunch Word and open any infected documents found by F-PROT (DOS users) or all documents (Mac users, or at least the commonly used ones, or ones shared with others)
  6. Check the macro list, and remove the bad ones I've listed above
  7. Close each document examined, and save changes for any found to be infected
  8. That ought to do it. Please feel free to contact me or virus.busters@umich.edu if you have any problems.

N.B.: There are a few FreeWare products that are supposed to automate the removal of Concept, but I haven't had the opportunity to test them. If you have problems with the instructions above, or have a large outbreak of Concept, let me know and I'll check them out for you. When I'm certain that they don't make things worse, I'll pass them along.

Update: I've had good reports about the temporary solutions for both Mac and DOS offered by Microsoft; note that these solutions won't prevent ALL macro viruses, only Concept, so they are of limited value. Nonetheless, see http://www.microsoft.com/msword/freestuff/mvtool/mvtool2.htm for more information.

Preventing Word Macro Viruses (or at least making it more difficult for them to infect)

[The following text is taken from an article that Paul Ducklin, a programmer for the British antivirus program Sophos SWEEP!, posted to alt.comp.virus in August '95. It was the first word I got about these new viruses. Thanks, Paul! -BPB]

> To prevent the transparent permanent modification of your global
> environment, go to Tools/Options/Save and switch on "Prompt to
> save NORMAL.DOT". Malicious macros could easily change this
> setting back, of course, but this is a safety measure which you
> might as well take.
> 
> Finally, you might wish to use one of Word's auto-execute macros
> to your advantage. Under Tools/Macro, create a macro called
> AutoExec that looks like this:
> 
>    Sub MAIN
>       DisableAutoMacros
>       MsgBox "Auto Macros are turned off", "Safety First!", 64
>    End Sub

[Note from BPB: If you get tired of the dialog box this creates and 
having to close it, change the 64 above to -1.  That will make the message 
appear in the status bar in the lower left-hand corner when Word starts, 
but it will disappear quickly, and no dialog box will appear.]

> This macro is triggered whenever WinWord starts (a serious
> potential hole!), and serves to disable the feature which
> WinWord.Concept uses to actuate.


Last updated: Wednesday, 02-Jan-2002 20:03:28 EST.
University of Michigan Virus Busters -
virus.busters@umich.edu