Maximize
Bookmark

VX Heavens

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Introduction to macro viruses

Alan Solomon

[Back to index] [Comments (0)]

What is a macro?

Many applications provide the functionality to create macros. A macro is a series of commands to perform some application-specific task. Macros are designed to make life easier; for example, to perform some everyday tasks like text-formatting or spreadsheet calculations.

Macros can be saved as a series of keystrokes (the application records what keys you press); or they can be written in special macro languages (usually based on real programming languages like C and BASIC). Modern applications combine both approaches; and their advanced macro languages are as complex as general purpose programming languages. When the macro language allows files to be modified, it becomes possible to create macros which copy themselves from one file to another. Such self-replicating macros are called macro viruses.

History

Many software packages have a macro language. Perhaps the very first well- known and widespread was Lotus 123. It was proved long ago that for Lotus 123 it is possible to write a self-replicating macro (a virus macro) which would be capable of spreading from one file to another. However, viruses have never been a problem for Lotus 123; its macro language is rather simple; and access to files can be done only via menus. So, a virus for Lotus 123 would be extremely obvious - you would literally see the infection process right on your screen.

In December 1994, the researcher Joel McNamara wrote the first real macro virus . . . for demonstration purposes. It was called DMV (Document Macro Virus). In fact, there were two viruses written, DMV for Word for Windows and DMV for Excel for Windows. The samples were used to demonstrate the possibility of macro viruses under these platforms.

The first 'in the wild' macro virus appeared in the summer of 1995. This virus (perhaps written by one of Microsoft's employees) was the infamous WM/Concept. This soon became the most widespread virus ever. The comment within the body of the virus says 'That's enough to prove my point'. After the appearance of WM/Concept we saw other macro viruses within a couple of months - WM/Nuclear, WM/Hot, WM/Colors and WM/Atom.

By the end of May 1997 the total number of macro viruses had reached many hundreds. If we count every single-bit difference as a virus variant, the total number will be above 1,800. This figure is growing fast; currently we see more than five new macro viruses every day!

Platforms

Most macro viruses are written for Microsoft's Word for Windows and Excel for Windows. However there are also macro viruses for Lotus AmiPro (APM/Greenstripe); and we have seen multipartite viruses which infect DOS executables as well as Word for Windows documents (Anarchy.6093, for example).

The great difference between normal DOS viruses and macro viruses is that they spread environment which is more susceptible to change than DOS. There are many different versions of Word for Windows. These are upwardly compatible; so that a macro virus written for version 2.0 will run on version 6.0. However, the converse is not true. Office 97/Word for Windows 8.0 macro viruses will not work under version 6.0.

Macro viruses will work on any machine which runs Word for Windows or Excel for Windows - IBM PC, Macintosh and DEC Alpha computers. Moreover, these applications will run under different operating systems - Windows 3.x, Windows 95, Windows NT, MacOS and SoftWindows. There are certain differences in the implementation of the macro languages (like WordBasic or Visual Basic for Applications) on different machines (MacOS support, for example, is slightly different). Nevertheless, many macro viruses can spread successfully on very different types of computers. They are application-specific . . . all they need is Word for Windows or Excel for Windows.

OLE2

Data files (documents, spreadsheets, presentations, etc.) produced using Microsoft applications (all versions of Word from version 6.0, all versions of Excel and PowerPoint) are stored in so-called OLE2 files. OLE (which stands for 'Object Linking and Embedding' is just a standard that is able to store many different streams within one file. This means that an OLE2 file can store many unrelated items (known as streams) within it. For example, one such stream holds text, another one an embedded picture and yet another one macros.

The OLE2 technology is being licensed to other software producers, so many vendors are supporting this format. An OLE2 file is, in fact, a file system within a file. OLE2 files have a special signature at the beginning, a FAT (File Allocation Table) and a directory... just like a standard DOS disk. Access to OLE2 files is provided by OLE2.DLL, via function calls from applications. This DLL file supports all necessary functionality to work with OLE2 files (like add/delete/modify stream, read/write an OLE2 file, etc.).

To be able to scan macros inside the OLE2 files, Dr Solomon's FindVirus includes its own OLE2 GFS (Generic File System). This allows FindVirus to scan Word for Windows documents, not only under DOS, but also on Novell NetWare servers, UNIX, Macintosh, DEC Alpha and Sun machines.

WordBasic

Most macro viruses run under Word for Windows. Since this is a very popular word processor, it provides an effective means for viruses to spread. Most macro viruses are written using the macro language WordBasic. WordBasic is based on the good old BASIC programming language. However, it has many (hundreds of) extensions (for example, to deal with documents: edit, replace string, obtain the name of the current document, open new window, move cursor, etc.).

The life-cycle of a macro virus

The life-cycle of the great majority of Word for Windows macro viruses is as follows. The macro virus in a document being loaded gets control; typically via so-called auto macros, macros which are executed automatically at a specific time (such macros are AutoOpen, AutoClose, AutoExec and AutoExit). The corresponding macro copies all viral macros to the global template (on a PC, this is called NORMAL.DOT). The global template, which is used automatically when Word for Windows loads, contains user settings (for example, fonts used), shortcuts (key re-definitions) and can contain macros. If NORMAL.DOT contains an AutoExec macro, it will be executed when Word for Windows is started. If NORMAL.DOT contains AutoClose it will be executed every time any document is closed.

However, macro viruses do not necessarily have to infect the global template. Some infect files directly. They search for a 'victim' on a disk and infect it. WM/Snickers and WM/Ordo, for example, use the so-called MRU list (the Most Recently Used list is located at the bottom of the 'File' menu and usually consists of four items) to get the names of files to infect. Others drop their own template into the Word for Windows template directory (the WM/Eraser family, for example) and avoid changing the global template.

Interception of menu items

It is easy to modify the functionality of Word for Windows by associating any menu item with a macro. For example, many viruses have a macro called FileSaveAs. If this menu item is activated by a user, it is the macro which gets control; and it pretends to be a real menu option while it additionally copies virus macros to the destination file. Macro viruses can also modify, or remove, menu items (for example, many remove the Tools | Macro item, to make it impossible for the user to check for the presence of virus macros) using Tools | Customize functionality.

Key shortcuts

Macro virus can attach a macro to a particular keyboard key. WM/Gangsterz and WM/DLK1.a, for example, link their virus macros to frequently-used keys (like space, 'e', 'a') and activate when this key is pressed. This is one of the ways macro virus can avoid using auto macros to get the control.

Polymorphic macro viruses

There are many polymorphic macro viruses now (WM/FutureN, WM/Outlaw, WM/Slow, WM/Minimorph, etc.). They use Word for Windows' editing capabilities to modify their own macros (replace function, for example) before copying them. This makes the body of the virus variable. Such viruses are more obvious because in Word for Windows 6.0 the editing window can not be hidden completely; and such viruses are slower than normal ones.

The other approach to hide parts of the virus is to use document variables which are stored in a file (for example, a WordBasic program can assign a string variable 'A$' and then save it in a file along with macros). Such variables can contain bits and pieces of virus code/data which are used by virus macros.

Stealth and encryption

Stealth, in macro viruses, means implementing measures to prevent easy viewing of the virus. Some macro viruses remove Tools | Macro and File | Templates | Organizer items (see above). Others present the user with artificial empty dialog-boxes instead of real ones (which list all the virus macro names) to conceal the presence of alien [virus] macros.

Macros can be encrypted. Encrypted macros are simply stored in scrambled form (note that encryption of macros does not affect the text in a document, which is still easily readable). So there are encrypted and unencrypted macro viruses. When an encrypted macro is shown in Tools | Macro, the option to edit is not available. The encryption is easy to overcome - the key to decrypt the macros is in the file, so it is not a problem to scan encrypted macros for viruses.

Password protection

Word for Windows 6.0 - 7.0 documents can be password protected. This means that the whole file is scrambled; and access to the text and macros is not possible without deciphering the file. To access the macros, and scan them for viruses, the password is needed. However, the protection is weak and there are many shareware and freeware Word for Windows password- crackers around. Dr Solomon's FindVirus [from version 7.76] is able to do 'on-the-fly' scanning of password protected documents.

Under Office'97, macros are not password protected; so scanning for viruses is possible even when the text is protected with a password. However, disinfection might be difficult, as the area protected with the password may contain references to the body of a virus macro.

Office 97 is able to create 'read-only' macros. Such macros have special flag set and can not be edited using the Visual Basic editor. However, macros are not actually encrypted in any way and the body of the macro is easily accessible by any tools other than the built-in macro editor.

Corruptions

Word for Windows 6.0 contains buggy routines which are responsible for the copying of macros. As discovered by the author, any I/O error during the macro copying produces unpredictable results in the destination macro. For example, if the macro virus is in a document on a floppy disk, and the disk is removed when the macro copying is being done, parts of the written copy will be corrupted without any warnings.

In fact, there are about 70 different variants of WM/Npad virus; and all of them (except the original virus) are the result of the natural corruption described above. This natural corruption is a main source of macro viruses at the moment, because many macro viruses are able to replicate even if they are seriously corrupted (the WordBasic statement 'On Error Goto Next' helps a lot).

The template bit in DOC/DOT files

Word for Windows OLE2 files (documents) contain a special bit which indicates whether or not the current document contains anything but text. In DOC files, this bit is reset (zero) and in templates (DOT files) the bit is set (one). However the template bit itself is not linked to the file extension (and on the Macintosh there are no fixed extensions for files). So the following are all possible:

  1. a DOC file containing no macros, in which the template bit is set (this does not normally happen, but it is possible if all macros have been removed from the DOC file)
  2. a DOC file containing macros (virus macros, for example), in which the template bit is set (this occurs normally if the file is infected)
  3. a DOC file containing macros (virus macros, for example), in which the template bit is reset (this means that the virus is inactive, or 'dormant' - the virus will not infect unless somebody 'flips' the template bit)

The first situation often causes confusion for users. Even when a file is clean, Word for Windows insists on saving it as a template (File | SaveAs offers only 'Document Template' as the available file type). Furthermore, there is no functionality built in to Word for Windows to clear the template bit. The easiest way to overcome this problem is to select the whole text (Ctrl-5), paste it to the clipboard (Ctrl-C), close the file (Ctrl-W), create a new file (File | New) and paste the text into the new file (Ctrl+V). File | SaveAs will then work normally.

Mating

When different macro viruses meet on one system, they may 'mate'. WordBasic copies macros by name; and if the virus macro has been substituted by another virus, the new macro will be copied instead of the original. Such 'mated' viruses do exist and they replicate without problem, using macros taken from other macro viruses.

Macro viruses can also take macros from a set of legitimate macros in NORMAL.DOT. For example, many known macro viruses are the result of 'mating' between the ScanProt macro (an anti-WM/Concept macro released by Microsoft) and a macro virus.

Devolving

Some viruses are badly-written and 'lose' their own macros. For example, the original virus may consist of the set: {AutoOpen, FileSave, FileSaveAs}. If it replicates via AutoOpen, the complete macro set will be preserved. However, if the user invokes File | SaveAs, the virus will fail to copy the FileSave macro. The resulting virus (set: {AutoOpen, FileSaveAs}) is known as a devolved macro and original virus is devolving. When the virus is identified by Dr Solomon's FindVirus, this is denoted by attaching a digit to the name; for example, WM/Rapi.a and WM/Rapi.a1. Devolving macro viruses may be multi-level (that is, they lose different macros), resulting in many different variants. WM/Rapi is the best-known example of this.

VBA3 and VBA5

Excel for Windows 3.1 (Excel for Windows 5.0) includes the macro language VBA3 (Visual Basic for Applications, version 3). VBA3 was used as a prototype for VBA5 - the macro language used in Microsoft's Office 97 applications.

Visual Basic, up-converting and down-converting

In January 1997, Microsoft unveiled Office 97. This is a result of a complete re-write of the 'old' Microsoft Office suite (by " 'old' Microsoft Office" I mean Office 95, which includes Word for Windows 7.0 or 7.0a). In Office 97, all applications use the same macro language - VBA5 (Visual Basic for Applications, version 5). Word for Windows 8.0 (the version included in Office 97 ) has the ability to convert (re-compile) old macros into this new language. Many viruses can be re-compiled in this way, resulting in completely different viruses. However, sometimes these viruses are not viable, as the converter's success rate has been estimated by Microsoft at about 90%. Moreover, Microsoft included within the converter some sort of detection of the most common macro viruses, to prevent their re-compilation (so that, for example, some of the most common macro viruses like WM/Concept.a, WM/Wazzu.a and WM/Npad.a are not converted). Unfortunately, this feature was not included in the beta release of Office 97; and several macro viruses were 'up-converted' to the new format.

Another feature of Word for Windows 8.0 is that it produces a warning if the user tries to load a document which contains macros. It displays a dialog-box which says, 'The document you are opening contains macros or customizations. Some macros may contain viruses that could harm your computer.'. It then offers three options:

  1. Disable Macros [default]
  2. Enable Macros
  3. Do Not Open

This warning can be turned off, so that it will never appear again.

VBA5 is a much more complex language than WordBasic (in fact, it includes WordBasic as a subset of its commands) and its data is stored within a file in much more complex way (as many multi-level streams, containing lots of cross-references). This means that more complex macro viruses can be written (all existent Office 97 viruses are still similar to their WordBasic predecessors; even those which are not simply 'up-converted' from their WordBasic counterparts). This also means that anti-virus products have more problems detecting and removing these viruses.

Visual Basic macros are represented by two different entities - by a compiled macro body and compressed macro text (both are usually present in OLE2 files containing macros). When the macro text is modified, the macro body is re-compiled from it. Usually both instances of a macro contain the same information (but one is used by the Visual Basic editor, another by the Visual Basic interpreter). If there is corruption, however, this may not be true. For example, even if the macro text is missing, the compiled macro body could still be executed. Scanners should (and most of them do) rely on the compiled body, as this is the real executable macro code. Poor scanners use the macro text to detect viruses. This is easier, but it is less reliable (it is prone to miss the viable viruses if corruption to the macro text occurs).

Under Office 97, all major applications use the same macro language. This means that cross-application viruses are possible. Moreover, PowerPoint 97 (these files have the extension PPT) can now contain macros (this was not the case in previous versions of PowerPoint).

The Office 97 version of Excel for Windows is able to save spreadsheets in the old VBA3 format. This means that macro viruses in VBA5 format can be 'down-converted' back to VBA3 format. It is even possible to have both VBA3 and VBA5 incarnations of the macros in a single spreadsheet file. Such a file is readable by both old and new versions of Excel and contains two viruses. 'Down-converted' viruses can be 'up-converted' again; and this process (VBA5->VBA3->VBA5) does not necessarily result in exactly the same virus body - it is known that the formatting (spaces, tabulation, etc.) of the virus may change. That is why, if VBA5 viruses are to be identified properly, these variable parts of the macro code should be ignored.

Naming

It is a widely-accepted convention that macro virus names start with a platform identifier - 'WM' (Word Macro), 'XM' (Excel Macro), 'APM' (AmiPro Macro), 'W97M' (Office 97 Word Macro), 'X97M' (Excel 97 Macro). This is followed by the family name ('Rapi', for example), followed by a dot and a variant name. If the virus devolves [see above], an appropriate index is added. Some examples are given below.

If the virus is language-specific, the name can be followed by a country designator. For example, ':De' (for Germany) or ':It' (for Italy).

Anti-virus organization

There is a mailing-list, called 'VMacro', which consists of the most active anti-virus researchers in the field. They share the identification data [but not the virus samples - these are exchanged more carefully within CARO [Computer Anti-Virus Research Organisation) ] and discuss the family relationships of macro viruses and their names. The Virus Test Center (VTC) at Hamburg University publishes the list of known macro viruses monthly. It is available from their web-site - http://agn-www.informatik.uni-hamburg.de/vtc/.

[Back to index] [Comments (0)]
deenesitfrplruua