Tuesday, November 22, 2005

Macro Viruses

When Microsoft included Visual Basic capabilities with its Microsoft Office suite several years ago, it inadvertently opened the floodgates for a new type of viral threat: the macro virus. These viruses infect Microsoft Access, Excel, PowerPoint, and Word documents, as well as documents from non-Microsoft products, such as Lotus Ami Pro and CorelDRAW. Drawing on macros’ ability to automate user tasks, macro viruses are extremely powerful and flexible, performing actions that range from the innocent, such as changing the colors on your Desktop, to the sinister, such as formatting your hard drive.
Today, macro viruses are the most widespread virus type, thanks to these qualities and their ease of creation. Because macro viruses often appear harmless, users sometimes disregard the damage they can cause. Macro viruses spread easily by infecting the global template of a program, so that when a user opens a new document, the template automatically infects it. Macros can execute a large range of actions, all of which happen automatically, providing the perfect environment for viruses to cause trouble.
“The macro language allows you to issue a lot of operating system commands,” Hinojosa says. “So you can wipe out folders, files, all kinds of stuff. People don’t generally think of [macro viruses] that way. They think, ‘Oh, my Normal.dot template is infected. It’s not a big deal.’ But potentially you can do a lot of damage with these.”
Concept (also known as the MS.Concept or WM.Concept virus), the first Microsoft Word macro virus found in the wild, proved to be a colossal headache for companies of all sizes. The virus accidentally appeared on a software compatibility testing CD sent by Microsoft to hundreds of OEM (original equipment manufacturer) companies in August 1995, on another CD distributed by Microsoft in the United Kingdom, and on yet another CD from ServerWare. The virus ran rampant for years thereafter.
When infected by Concept, a user first sees a dialog box displaying the number “1,” and if the user clicks OK on the box, the virus takes control of several Word features. The virus copies several macros to the global template file (Normal.dot), making sure all new documents include the infection. These macros also change the behavior of the Save As option on the File menu, infecting any documents saved using this option.
Although the Concept virus usually ravaged office environments, a macro virus that appeared in 1999 caused worldwide panic among computer users of all types. Dubbed Melissa by anti-virus software vendors, the virus propagates via an e-mail message that has a Word document attached to it. When opened, the document runs a macro, which lowers macro security settings on the computer (if necessary), and then e-mails an infected Word document to the first 50 entries in every Microsoft Outlook MAPI (Messaging Application Programming Interface) address book accessible by the user executing the macro.
The e-mail’s subject line appears as “Important Message from Sender Name” (where Sender Name represents the name used in Word’s registration settings on the sender’s PC). The e-mail’s body states: “Here is that document you asked for…don’t show anyone else ;-).”
Melissa also infects Word’s global template file for future document infection, and if the minute of the hour matches the day of the month during this initial infection, Melissa inserts the following message in the current document: “Twenty-two points, plus triple-word score, plus fifty points for using all my letters. Game’s over. I’m outta here.”
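The subject line, body text, and Word attachment described above are enough for a mail gateway to flag Melissa-style messages. The following is an added example, not code from the original post: the function names and both sample messages are constructed for illustration, and it treats a Word attachment combined with either text lure as the quarantine condition.

```python
import re
from email import message_from_string, policy

# Indicators taken from the description of the Melissa e-mail above.
SUBJECT_RE = re.compile(r"^\s*Important Message from\s+\S", re.IGNORECASE)
BODY_RE = re.compile(
    r"here is that document you asked for.{0,10}don.?t show anyone else",
    re.IGNORECASE)
WORD_EXTENSIONS = (".doc", ".dot")

def melissa_indicators(raw_message):
    """Return the set of indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = set()
    if SUBJECT_RE.match(msg.get("Subject", "")):
        hits.add("subject")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if filename.lower().endswith(WORD_EXTENSIONS):
                hits.add("word_attachment")
        elif part.get_content_type() == "text/plain":
            # Collapse whitespace so line wrapping cannot split the phrase.
            text = " ".join(part.get_content().split())
            if BODY_RE.search(text):
                hits.add("body")
    return hits

def should_quarantine(raw_message):
    """Require a Word attachment plus the subject or body lure."""
    hits = melissa_indicators(raw_message)
    return "word_attachment" in hits and bool(hits & {"subject", "body"})

# Constructed sample messages (not captured traffic).
SUSPECT = (
    "From: alice@example.com\nTo: bob@example.com\n"
    "Subject: Important Message from Alice Example\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="XX"\n\n'
    "--XX\nContent-Type: text/plain\n\n"
    "Here is that document you asked for ... don't show anyone else ;-)\n"
    "--XX\nContent-Type: application/msword\n"
    'Content-Disposition: attachment; filename="constructed.doc"\n'
    "Content-Transfer-Encoding: base64\n\nAAAA\n--XX--\n")
BENIGN = (
    "From: payroll@example.com\nTo: bob@example.com\n"
    "Subject: Important Message from Payroll\n\n"
    "Timesheets are due Friday.\n")
```

The benign sample matches the subject pattern but carries no Word attachment, so it is not quarantined; requiring the attachment keeps ordinary mail with a similar subject from being flagged.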
Aside from severely overloading networks, Melissa was not inherently dangerous. But there are other macro viruses that are certainly destructive. Nuclear, for example, uses nine macros to perform a host of damaging actions. In addition to infecting Word’s global template, Nuclear checks to see if the current date is April 5, and if it is, it alters several crucial system files, including Io.sys, MSDOS.sys, and Command.com. It also checks the system time, and if the current time is between 5 p.m. and 5:59 p.m., the virus inserts a different virus in the C:\DOS directory that infects COM and EXE files.
One of the more notorious Excel macro viruses is Laroux, which appeared in July 1996. Working much like Concept, Laroux has no payload but uses two macros to infect all created or accessed spreadsheets by inserting its virus code into Personal.xls, a file that stores macros available to all Excel spreadsheets on the computer.


