Home of the World Famous VIRUS BUSTERS

Removing Word Macro Viruses by Hand

Bruce P. Burrell (bpb@umich.edu)

This is a procedure for emergency use only! The proper way to remove macro viruses is with antivirus software. Use at your own risk! Moreover, it is not for the inexperienced computer user, though we will try to make it as accessible as possible.

This procedure works only for Microsoft Word. When applied properly, it should work for Word 6 and 7, but may not apply to Word 8 (part of Office 97 for PC platforms). Also, it does not apply to Excel or other Microsoft products that can be infected with macro viruses.

To be successful at removing all instances of a virus, the main procedure below must be applied to EVERY template (and, ideally, every document also), so it is impractical for handling more than a few documents.

Finally, note that this procedure will remove ALL macros, not only viral ones. This may not be a suitable approach for those who make heavy use of macros; such users will probably be able to afford antivirus software, and will find that the time the following procedure takes makes it too expensive compared to using antivirus software.

Before starting, it is wise to make backups to tape or diskettes of all important documents and templates! If the following procedure causes damage by misuse or bad luck, then there will still be the original copy available. Of course, if the documents and templates now behave as they should, the backup with the possibly infected documents and templates should be destroyed, and a new backup created.

Down to Business

First, one must make certain that the installed version of Word is not infected with any virus. To ensure that this is true, several conditions should hold (perhaps not strictly necessary, but sufficient):

  • The Normal template is not infected
  • None of the global templates are infected
  • None of the StartUp files are infected

The safest way to make sure this is true is to uninstall Word, delete any remaining folders from the Word installation, and then reinstall from the original CD-ROM or floppies. Of course, before deleting those folders, one should make sure that there are no user documents within, either by moving them to different folders or to diskette, or by just letting them be deleted along with the folders.

A less safe but usually reliable method follows. You may want to make copies of any files you are about to delete by storing them on diskette, "just in case":

  • If Word is running, exit from it with File/Exit or File/Quit.
  • Delete all copies of the Normal template, perhaps after saving copies on a floppy diskette. This is usually found in the same folder as Word, and also in the Template folder of the folder where Word resides. On PC platforms, the file will be named NORMAL.DOT; on Macintoshes, it will just be named Normal.
  • Delete any templates stored in the Templates folder of Word.
  • Delete all files in the Startup folder of Word.
  • Delete the Word Settings (6) file on Macintoshes, or WINWORD.OPT on PCs.

When you have completed the reinstall, or have deleted the specific files mentioned in the alternate procedure, there should not be any active Word macro viruses when you launch Word itself (not by opening a document before Word is running). The extra cautious user will either launch Word directly, or check aliases (Macintosh), shortcuts (Windows 95 and NT), or Program Items (Windows 3.x) to be sure that Word is really being launched, rather than a decoy created by a virus:

  • First, check the Word application to make sure that its size is correct.
  • On a Macintosh, check aliases to Word with File/Get Info to be sure that the alias points to the Word application, not something else.
  • Windows 95 and NT users should use Settings/Toolbar under the Start menu to make sure that Word is being run.
  • Windows 3.x users should select the Microsoft Word icon and press to make sure that the Command Line information is correct.

Now for the main procedure:

  1. Launch Word by double-clicking on the Word application's icon (Macs and PCs), using the Start/Programs menu (Win95 and WinNT), or using File/Run (PC platforms).

    Do not open Word by double-clicking on a Word document or template.

  2. Use File/Close to close the empty document automatically created by Word.

    Situation check: if a named document opens, you've made an error. Go back to the very beginning, uninstalling and reinstalling Word.

  3. Use the File/Templates menu, and click on the Organizer button, then select the Macros tab.
  4. Now select the Open File button and select a document to examine.
  5. Delete any macros found in the Macros window; to be safe, you should delete Toolbars and Autotext entries as well.
  6. When the previous step (5) is completed, choose Close File and return to the Open File procedure in step (4) above. Continue until all Word templates are processed.

Unfortunately, files that have any macros, etc. removed in this fashion will remain templates, and except under Word 8, the File/SaveAs menu does not allow templates to be stored in any other form. To change a template back to a document, one must select the entire document with Edit/Select All, then use Edit/Copy, paste the result into a new, empty document, and then use File/SaveAs to save in Document format.

You may wish to do the same procedure with Word Documents by changing the List Files of Type dropdown menu to Word Documents, but it is much more important to handle all the default Word Templates first, since those are the most likely to contain viruses.

Be aware that it is not always easy to know when a Word file is a template, and when it is a document. Suffice it to say that pathological cases abound, and the only real way to know without opening the file with Word—which could spread a virus, if the file is infected—is to use binary editors. This is one more reason why it is an excellent idea to leave virus detection and removal to the antivirus products, instead of doing it "by hand".
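
The template-or-document question can be answered without launching Word. The following is an added example, not part of the original page: it reads the template flag (the fDot bit in the file header of the WordDocument stream) straight from the file's bytes and reports templates that do not carry a .DOT name. The function names and the constructed sample file are illustrative assumptions; PC file naming is assumed, and only the FAT sectors listed in the OLE header itself are followed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ENDOFCHAIN, FATSECT, FREESECT = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF

def word_fib(data):
    """Return (nFib, fDot) from the WordDocument stream of an OLE2 file's bytes."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    ssize = 1 << struct.unpack_from("<H", data, 30)[0]         # sector size
    n_fat, dir_start = struct.unpack_from("<II", data, 44)
    fat = []
    for sid in struct.unpack_from("<109I", data, 76)[:n_fat]:  # header DIFAT only
        fat += struct.unpack_from("<%dI" % (ssize // 4), data, (sid + 1) * ssize)
    def chain(sid):                      # follow one FAT chain, stopping on loops
        out, seen = b"", set()
        while sid < len(fat) and sid not in seen:
            seen.add(sid)
            out += data[(sid + 1) * ssize:(sid + 2) * ssize]
            sid = fat[sid]
        return out
    directory = chain(dir_start)
    for off in range(0, len(directory) - 127, 128):            # 128-byte entries
        name_len = struct.unpack_from("<H", directory, off + 64)[0]
        name = directory[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
        if name == "WordDocument":
            start, size = struct.unpack_from("<II", directory, off + 116)
            src, pos = data, (start + 1) * ssize
            if size < 4096:   # short stream: lives in the root entry's mini stream
                src, pos = chain(struct.unpack_from("<I", directory, 116)[0]), start * 64
            n_fib, flags = struct.unpack_from("<2xH6xH", src, pos)
            return n_fib, bool(flags & 0x0001)                 # bit 0 of flags = fDot
    raise ValueError("no WordDocument stream")

def disguised_template(filename, data):
    """True when the file is a template (fDot set) but is not named *.DOT."""
    return word_fib(data)[1] and not filename.lower().endswith(".dot")

def sample_ole(fdot):  # constructed one-stream OLE2 file, not a real document
    def ent(name, kind, start, size):    # one 128-byte directory entry
        return name.encode("utf-16-le").ljust(64, b"\0") + struct.pack(
            "<HBB3I36xIQ", 2 * len(name) + 2, kind, 1, *[FREESECT] * 3, start, size)
    hdr = OLE_MAGIC + struct.pack("<16x5H6x9I", 0x3E, 3, 0xFFFE, 9, 6,
                                  0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    table = ([0] + [FREESECT] * 108                            # DIFAT, then FAT sector
             + [FATSECT, ENDOFCHAIN, *range(3, 10), ENDOFCHAIN] + [FREESECT] * 118)
    fib = struct.pack("<6H", 0xA5DC, 101, 0, 0x0409, 0, int(fdot)).ljust(4096, b"\0")
    return (hdr + struct.pack("<237I", *table) + ent("Root Entry", 5, ENDOFCHAIN, 0)
            + ent("WordDocument", 2, 2, 4096) + bytes(256) + fib)
```

On a Macintosh, where templates carry no extension, call `word_fib` on its own and judge the flag against what the file is supposed to be.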

U-M Virus Busters

virus.busters@umich.edu

ITCS | University of Michigan
Copyright © 1996-2005 The Regents of The University of Michigan

This page last updated April 27, 2004