Softpanorama


Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 5: Macro Viruses

5.1. Introduction


Macro virus infections are now the most frequent type of virus infection. In 1996-1997 almost every large company and government agency reported cases of infection by MS Word macro viruses, mostly Concept, WIZ, Npad and CAP.A. The latest Melissa worm is similar, although like any worm it tries to self-propagate via e-mail.

Unlike the ILOVEYOU virus, none of them is damaging per se, but an enormous amount of time has been spent trying to clean up infected documents. Being "macro virus aware" requires an effort from both computer users and LAN administrators, and maybe it is continuing ignorance and reluctance to take the simple measures outlined below that has allowed macro viruses to become such a problem. Of course Microsoft is part of the problem (see below). But to be fair they are also a part of the solution ;-)

Each macro virus is a set of macros written in the MS Word macro language and as such has a definite life span that consists of three stages:

  1. Hidden propagation phase. To present a substantial problem in a corporate environment the virus must first propagate undiscovered on a substantial number of workstations and infect at least several dozen popular documents that are often used as e-mail attachments.
  2. Peak. After tools for detection and eradication are introduced the number of reported incidents is maximal (due to better detection) and the virus has its peak.
  3. Decline. In a month or so the number of infections starts to decline and the virus becomes a chronic problem: not very important, but one that cannot be ignored. Eventually, after the introduction of a new version of MS Word or other substantial changes in the environment, the virus becomes unable to propagate and is dead.

For example, in June 1997 the CAP.A macro virus was at its peak. In June 1996 Concept was the main problem and in December 1996 WAZZU was the major problem. Not every macro virus has a clearly recognizable peak. For example, NPAD never became a big problem, and its infection rate was pretty much constant all the time, maybe because the available AV tools detected and disinfected it from the beginning.

Microsoft Office and VBA Macros

In 1987, IBM employees received a Christmas e-mail greeting that looked up names in recipients' e-mail directories and used them as new addressees, choking IBM's network for several days.

As Internet (so-called SMTP) mail is now connected to internal mail systems in most organizations, it has brought similar confusion to many corporate e-mail systems. The latest was the (largely overblown) Melissa incident.

For Office 6, Office 95 and Office 97 the saga of "infected" e-mail attachments, which in reality contain MS Word documents with some (mostly primitive) self-replicating macros, has been offering new plot twists each year since 1995.

Microsoft has long been creating new ways to streamline routine tasks in document creation, and MS Word is a decent (although bloated) document editor. Sales of Office show quite well that users like the resulting convenience, whether it takes the form of a macro language or of push-buttons and icons for routine tasks.

In the case of MS Word, and MS Office in general, however, automation has outpaced the development of important safety features. The notion of a privilege-controlling sandbox is foreign to MS Office with its heritage of running on non-connected single-user machines. Until Office 2000, MS Office tended to treat all macros, and all of the actions they take, as trusted. There is no top-level control other than a silly notification in MS Word 97 about the presence of macros in the document, without any possibility to see their names, browse their content or delete them before executing (i.e. opening) the document. Sometimes Microsoft can be amazingly stupid...

Since the first release of Visual Basic for MS Word that supported "mail-enabled" applications in the early 1990s, e-mail based worms have been theoretically possible.

Policies on allowable e-mail content are necessary but not sufficient. Currently one probably needs the capability to deploy custom filters on the e-mail gateway that can detect MS Word attachments and other executable content and/or can warn of unusual traffic patterns. Such tools demand deployment and careful management on every enterprise network.

One needs to understand that Word macro viruses are really sets of macros and as such can attach themselves only to documents in native Word format (.DOC and .DOT). So if one uses .RTF (Rich Text Format) or .HTML (this format is available in MS Word 97 and Word 2000; it is available in MS Word 95 and MS Word 6.0 if you have Internet Assistant installed), no virus can attach itself to the document even if virus macros are loaded and active (but an active virus can change the save mode to native MS Word format, as is the case with NPAD and CAP.A -- so you had better check the list of macros anyway).

Any format other than the native MS Word format for documents (.DOC) and templates (.DOT) is immune to macro virus infection. For example MS Mail documents are immune to macro viruses (they use RTF format), as are WordPerfect documents.

The following measures can improve the level of macro virus protection:

If you still use MS Word, several measures can help:

Prevention. Should We Avoid Microsoft Products?

The irresistible question is: "How much blame does Microsoft deserve for the mess?" My impression is that Microsoft was and is an extremely virus-friendly corporation. When Word 7.0 was launched, macro viruses were already a serious issue, but Microsoft failed to include the possibility of using Authenticode although it was already available. Instead it included a hidden disinfector and a primitive macro warning feature. The latter, although useful, looks like a simple hack written in order to get rid of an unimportant subject. So MS Word remained an extremely user-friendly environment for virus writers. Obviously, there aren't sufficient security controls for the macro language.

But this is not limited to viruses -- Microsoft has always tried to take the profit and leave the problems to somebody else. So the FBI would probably be better off going after Microsoft instead of macro virus authors ;-) They made the whole mess possible with their total disregard for security.

Microsoft P.R. must be doing exceptionally well, for not many people seem to be pointing the finger at Microsoft. This virus was inevitable; it was bound to come up, just like the Internet Worm of years ago. The timing had to be perfect for a commonly used application with few security measures to come about, and boom, it becomes a national epidemic. And the culprit is Microsoft's arrogance.

Of course Microsoft is guilty, as there are simple security options that could make macro virus writing much more difficult. And it's important to implement these changes as Microsoft's Office suite of productivity software becomes more ubiquitous. BTW Office 2000 is a step in the right direction.

But users, or more correctly user ignorance, are also part of the problem. Programs with scriptable engines and an API for e-mail are often kind of overkill and are always a big security risk. Shouldn't you use something simpler, as the famous KISS principle suggests ;-).

Anyway, some anti-Microsoft measures may be appropriate ;-). The simplest step is to deinstall Outlook and switch from non-portable MS Word to the more portable (and available for Linux) WordPerfect (which is also stronger in its support of HTML and XML) or StarOffice.

A little bit less radical approach would be just to associate the extension .DOC with WordPad, not with MS Word. And this is really simple to do. WordPad does not execute any macros. And BTW it's a much faster way to read attachments. Of course this will not solve all your problems, but at least it's a step in the right direction. Anyway, if somebody is unsatisfied with Outlook, it's a good time to switch.

As for on-the-fly protection with some AV tool -- it can help, but RTF is probably safer, as in my experience on-the-fly AV protection creates more problems than it solves. Good old RTF is immune to Melissa tricks (but only for those that understand what RTF is -- files with the extension RTF do not necessarily contain documents in the RTF format ;-). See doc2rtf for additional information.

RTF format is a really simple and effective protection against macro viruses, especially if documents are automatically checked and converted by the e-mail gateway.

In 80% of cases or even more you do not need to store a document in native MS Word format. If you use no large GIFs and no macros in your document there is really no justification for using this extremely complex format (each MS Word document in native format is essentially a virtual disk with a table of contents and files stored in this messy structure, undocumented by Microsoft).

The RTF format is fully transparent to MS Word and lessens the possibility of spreading a macro virus (any MS Word macro virus) with the document. It does not eliminate the risk completely, due to the simple fact that the extension RTF does not guarantee that the document is in RTF format (it can be in native MS Word format), much like the extension .DOC does not guarantee that the document is in the native MS Word format. In other words it is possible to have documents with the extension RTF that are in reality in native MS Word format and thus can contain macros ;-)... So we need some simple and quick method of checking the result of conversion: is it a real RTF or a fake (a document in the native MS Word format just stored with the extension .RTF)? Again I would like to stress that if a document does not contain graphics or macros then RTF is as compact as the native DOC format and should be used. That is especially important if attachments are sent to multiple destinations or outside the corporation. See the document DOC2RTF on how to correctly convert a document to the .RTF format and how to check whether a document with the extension RTF is in RTF format.


In Word 2000 one can save a document in XML as well, but this format is still new to me and I cannot recommend it right now.

2. Are you infected?

Macro viruses are generally very easy to spot, not only because in most cases they are either visible in the Tools|Macro menu or the menu is disabled; there are other simple tests. For example, if you try to save a document in RTF format and a macro virus is active, there is a good chance that instead of RTF the document will be saved in native MS Word format. If not, the macro virus will be gone anyway ;-).

The most general warning sign is a strange change in MS Word behavior. For example, a common problem that users experience when infected with an MS Word macro virus is that documents can be saved as templates only, i.e. in the Templates directory.

There are several general methods to determine if you are infected or not:

3. List of macros for the most common macro viruses

Macro viruses are really sets of macros that have the ability to propagate themselves in the MS Word environment. The main characteristic of MS Word that makes it such a virus-friendly environment is that the .DOC format can store not only documents, but macros as well. In this sense there is no principal difference between the .DOC and .DOT formats. That gives MS Word additional flexibility, but at the same time makes macro viruses such a problem.

In order to determine whether you are infected it is very useful to know what macros each virus consists of. The list of macros for the most frequent viruses is displayed below.

Some macro viruses (for example Wazzu.S) are poorly debugged. So the appearance of the message "WordBasic Err 124" (Unknown Command, Subroutine, or Function) in most cases means that the opened document contains such a macro virus. The user should immediately look into the list of macros via the Tools|Macro menu.

4. Is an attachment that you received infected?

The most reliable way to check whether an attachment is infected is to save it to disk in some directory (for example C:\TEMP). There are two methods of checking an attachment. Both are somewhat cumbersome :-(.

The first is to save the attachment to the C:\TEMP directory. Then two possibilities arise:

Again, only attachments in native MS Word format can be infected, so if the attachment is in RTF format -- again please remember that the extension RTF is neither necessary nor sufficient -- it's safe to open it.

In MS Word 97 the user needs to check whether macro protection is enabled in Tools|Options|General and use this feature.

5. Tools for dealing with Macro virus infections

There are several tools for fighting macro virus infections. Any single tool has its strong and weak points, so only by combining them can one provide a decent level of macro virus protection.

The simplest way to cut down the number of infections is to use WordPad as the default viewer for MS Word files by associating it with the extensions DOC, RTF and DOT. This simple measure is highly recommended and can lessen exposure. WordPad does not execute any macros. And BTW it's a much faster way to read attachments. Of course this will not solve all your problems, but at least it's a step in the right direction.

Paradoxically, the most powerful tool for scanning and disinfecting MS Word documents is MS Word itself. The MS Word native document format is proprietary, and tools from other vendors (including all AV vendors) are usually not very successful at decoding complex cases, especially a year or so after the introduction of a new version by Microsoft. Reverse engineering Microsoft formats takes time and money. That's one reason why I am advocating open source...

But the ability to protect yourself from MS Word macro viruses strongly depends on your level of knowledge of MS Word. So learning it a little bit deeper will substantially improve your level of macro virus protection.

Again, the best version to use is Word 2000. An upgrade is definitely more cost effective than anti-virus software. Norton Utilities are a must on Windows 9x, as they would help to recover files that may be destroyed by the virus or by yourself.

Actually each version of MS Word is slightly more virus-resistant than the previous one. For Windows 95 or Windows NT users switching to MS Word 2000 is highly recommended. It is a much better product anyway. Before Service Pack 1, Word 97 had no possibility to write documents in MS Word 6 format, so it saved them in RTF format with the extension .DOC -- a trick from Microsoft that unintentionally helped to improve the level of AV protection. Word 97 also has a different macro language than Word 95 and Word 6, so the following macro viruses will NOT be converted (i.e. will be disinfected automatically) on opening a document in MS Word 6.0/Word 95 format: Cap.A, Concept, Wiz, Rainbow, Atom, Banding, Osco, Bubba, Cryptic, Divine, DMV, Format, Hot, MAMA, PAD, Nuclear, Parasite, Phantom, RedDwarf, Seuche (NOP), Xenixos.

BTW Cap.A macros will be converted, but the virus will not be able to replicate further.

Again, I strongly recommend using the integrated protection in WinWord 2000, because it's quite effective. For good old WinWord 6 one can install the SCANPROT.DOT set of protective macros. That tool will warn the user if a document contains macros. See SCANPROT for additional information (slightly outdated).

6. General MS Word settings that improve level of AV protection

Switching to MS Word 2000 substantially improves macro virus protection. Also most MS Word 6 macro viruses that use protected macros will NOT be converted to the new macro language that is used in MS Word 97 and Word 2000. Believe me, there is no substitute for an upgrade -- you need to pay money to Microsoft for a (better late than never) improved level of macro virus protection... IMHO this is a more cost effective way to protect yourself than upgrading an AV product or buying a new one.

If you enable the High security setting, MS Word 2000 will ignore VBA macros, which gives the user a decent level of protection -- only signed macros from trusted sources will be executed. So those who for some reason are running the Word 2000 beta are actually in much better shape than Word 97 users.

Word 97 is much less secure than MS Word 2000, but several settings and tricks in MS Word 97 can (slightly) improve the level of protection from macro viruses:

6.1. Prompt to Save Normal Template

Prompt to Save Normal Template is an option available via the Tools|Options|Save menu. If the user checks the box "Prompt to Save NORMAL.DOT" in Tools|Options|Save, he/she will be prompted whether to save the NORMAL.DOT template after any change affecting NORMAL.DOT. For example, attempts to save the NORMAL.DOT template after opening an attachment are usually suspicious, and before doing so it is wise to analyze the list of macros present in your Tools|Macro box.

6.2. Should you use the Shift key on opening a suspicious attachment?

This is a mixed blessing and you should not do that, although theoretically it could help ;-).

According to Microsoft, if the Shift key is pressed while opening an attachment it will block any Auto* macro from executing. As most macro viruses rely on the AutoOpen macro for infection, it will prevent the AutoOpen macro from infecting the MS Word environment. Similarly, if the Shift key is pressed on exit and on Save, the AutoClose macro will not be executed. In order to correctly make use of this feature, one must be holding down either Shift key at the moment you double-click the attachment. The Shift key must be released only after the document has loaded. This is not a very interesting or useful feature, but taking into account the general lack of macro virus protection tools in MS Word it is sometimes worth trying.

In reality the implementation was definitely buggy in Word 6; I don't know about later versions.

6.3. Creating additional menu item and/or icon for viewing list of macros

The most common way to check for macros is through the Tools|Macro menu. Some viruses (CAP.A) can intercept ToolsMacro. So it is recommended to create your own replacement for the Tools|Macro menu. To make a replacement for Tools|Macros:

  1. Make sure the normal.dot is writable...
  2. Click on Tools|Customize...
  3. Choose the Menus tab
  4. Under Categories click on Tools
  5. Under Commands click on ListMacros
  6. For Position on menu: choose (At bottom)
  7. Click on Rename.
  8. Close the editing session. Exit and save all changes.

It is safer to view macros in document files through the Organizer function. The Organizer can be reached through either File|Templates|Organizer… or Format|Styles|Organizer… or by creating your own icon on the toolbar. It's an architectural flaw in MS Word that this feature is not offered on opening each document with macros.

6.5. Should you enlarge the list of recently used files?

Probably, but remember that a Melissa-type virus can send them to your friends and relatives ;-). An enlarged list provides better tracking of recently used files than the default setting (4 recent files). But again this is also a double-edged sword -- it creates a security risk by exposing the files that you edited recently. You decide...

6.7. Disable the option "Allow Fast Save"

I recommend disabling the option "Allow Fast Save" in the Tools|Options|Save menu. In this case the structure of the document will be a little bit simpler (the document will also occupy less space on the hard drive). That also means that analysis of the document with any other AV tool will be faster and more likely correct -- the document will have much less chance of being misinterpreted or even corrupted by F-macro and other macro disinfection tools.

7. Generic methods of disinfection

There are 2 generic methods of disinfection using MS Word:

7.1. Conversion to .RTF using WordPad

See Doc2RTF for more details. The simplest and most reliable method of disinfection is to convert the infected document to .RTF format using WordPad (not MS Word -- WordPad does not have any macro capabilities so it will not be affected by any virus; MS Word can be affected if, for example, the Normal.DOT template is still infected).

After that the user needs to delete the original (infected) file with the extension .DOC, and, if NORMAL.DOT was not protected with the read-only attribute, restore it from backup or, if there are no useful customizations, delete the NORMAL.DOT template (as it also becomes infected after opening an infected document).

After such a disinfection you can continue to use the document in .RTF format (recommended) or, if you wish, you can convert the document back to .DOC format at any time.

NOTE: If you try to save the document in RTF format in MS Word with virus macros present, the save operation can be intercepted by the virus (CAP.A does this) and modified on the fly, so that the document is saved in the native DOC format with the extension RTF.

You can check this by opening the document in Notepad.
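The Notepad check above, and the gateway filter for Word attachments mentioned in the Introduction, can be automated by looking at the first bytes of the file rather than trusting its extension. The following Python script is an added example; it is not code from this chapter or from Softpanorama. It assumes the public magic values of the two formats (an RTF file begins with the control word `{\rtf`, a native .DOC/.DOT is an OLE2 compound file with a fixed 8-byte header) and uses a constructed MIME message with three attachments, including a native Word file stored as `looks_safe.rtf`, as sample input.

```python
"""Added example: tell a real RTF file from a native Word (OLE2) document
stored with a misleading extension, and apply the same check to the
attachments of an e-mail message as a gateway filter would."""
import email
import email.policy
import os
from email.message import EmailMessage

# Magic values taken from the public format descriptions (not from the chapter):
# every RTF document starts with the control word "\rtf"; every native .DOC/.DOT
# is an OLE2 compound file that starts with this 8-byte header.
RTF_MAGIC = b"{\\rtf"
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(data):
    """Classify file content by its leading bytes: 'rtf', 'ole2' or 'other'."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    return "other"


def verdict(filename, data):
    """Compare what the extension claims with what the bytes say.

    'rtf'        real RTF, cannot carry Word macros
    'fake-rtf'   .RTF extension but a native Word container inside (the CAP.A trick)
    'native-doc' native Word container under any other name; may carry macros
    'unknown'    neither format
    """
    ext = os.path.splitext(filename)[1].lower()
    kind = classify(data)
    if kind == "rtf":
        return "rtf"
    if kind == "ole2":
        return "fake-rtf" if ext == ".rtf" else "native-doc"
    return "unknown"


def scan_message(raw):
    """Walk a MIME message and return (filename, verdict) for every attachment."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    results = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # message body or container part, not an attachment
        payload = part.get_payload(decode=True) or b""
        results.append((name, verdict(name, payload)))
    return results


def build_sample_message():
    """Constructed sample: one real RTF, one native .DOC and one fake .RTF."""
    fake_doc = OLE2_MAGIC + b"\x00" * 24  # header only; enough for the check
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "recipient@example.test"
    msg["Subject"] = "constructed sample with three attachments"
    msg.set_content("See the attached documents.")
    msg.add_attachment(b"{\\rtf1\\ansi Hello}", maintype="application",
                       subtype="rtf", filename="memo.rtf")
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="msword", filename="report.doc")
    msg.add_attachment(fake_doc, maintype="application",
                       subtype="rtf", filename="looks_safe.rtf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, result in scan_message(build_sample_message()):
        print(f"{name:16} {result}")
```

A gateway would quarantine or convert anything that comes back as `fake-rtf` or `native-doc`; a real RTF passes regardless of what extension it was given, which is exactly why the check has to look at the bytes and not at the name.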

Also, if virus macros are present, then the NORMAL.DOT template is usually also infected (unless it is write-protected). So please do not forget to restore from backup or delete the NORMAL.DOT template in case it was not protected with the read-only attribute. NORMAL.DOT is targeted by most macro viruses, so opening an infected document usually leads to infection of NORMAL.DOT. Some viruses, for example WAZZU.K, remove the read-only attribute from the NORMAL.DOT template, so due to DOS limitations it is not an absolute protection.

If F-macro cannot disinfect the virus and F-Prot detects a virus in a document (possibly a false positive), the user can save the file as an RTF document and in this way avoid further problems. Later, if he/she wishes, the document can be converted back to native MS Word format with the .DOC extension. Again I would like to stress that saving a file in .RTF format kills any macro virus, not only Concept, so it is a very powerful tool in dealing with macro virus infections.

See document DOC2RTF for details.

7.2. Tools|Macro menu in MS Word as a detection and disinfection tool

Attention: the CAP.A virus disables the Tools|Macro menu, and this is a symptom of infection by this particular virus.

If it is not disabled by the virus (CAP.A is an example of such a virus), the MS Word Tools|Macro menu can show the list of macros. For most macro viruses, including Concept and Wazzu, that gives you the possibility to delete the virus macros (see below), i.e. to disinfect the document.

In this case the user needs to know the list of macros that a virus consists of, or at least the list of macros that are normally present in his NORMAL.DOT template (to see this list one needs to go to the Tools|Macro menu and write down the list shown or print the screen).

To delete all virus macros, open the Tools|Macro menu. Highlight the macro you want to delete, then use the Delete button. Repeat for each virus macro in the list.

This is the most effective method of disinfecting infected e-mail attachments that are in MS Mail message boxes. So after infected files are detected on your hard drive you need to check all e-mail attachments and, if they are infected, either delete them or delete the virus macros and save them again.

For example, a file is definitely infected with the MS Word Concept virus if, when checking the menu item Tools and submenu Macro within MS Word, the user sees the following five macros:

AAAZAO
AAAZFS
AutoOpen
FileSaveAs
Payload

Similarly, a file is most probably infected with the WAZZU virus if the macro

autoOpen

is present in this list.

These two viruses were quite widespread in the first part of 1997. For other viruses the list of macros will be different, but if the user knows what macros are present in his/her NORMAL.DOT template, then it is easy to detect new macros in the list. Suspicious new macros could mean that your document is infected. So, it is recommended to write down the standard set of macros that you have and check it after loading a new document into MS Word.

If the NORMAL.DOT template does not contain any additional macros, it can be cleaned by deleting it after closing MS Word. It will be recreated by MS Word automatically in the next session, but all user-defined styles, toolbar customizations, etc. will be lost.
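The procedure in this section (record the macros of a clean NORMAL.DOT, compare the list Tools|Macro shows after opening a document, recognize a known virus by its full macro set, and treat a disabled Tools|Macro menu as the CAP.A symptom) is easy to write down as a small audit routine. The Python below is an added example, not code from this chapter or from Softpanorama. The macro sets for Concept and Wazzu are the ones the chapter lists; the macro names are compared exactly as MS Word displays them (an assumption, chosen so that Concept's `AutoOpen` and Wazzu's `autoOpen` stay distinct), and the baseline `MyLetterhead` plus the observed lists are constructed sample input.

```python
"""Added example: compare the macro names shown by Tools|Macro with a recorded
baseline and with the macro sets of known viruses from this chapter."""

# Macro sets named in the chapter: Concept's five macros and Wazzu's autoOpen.
# Names are compared exactly as MS Word lists them (case included), so that
# Concept's "AutoOpen" and Wazzu's "autoOpen" stay distinct (assumption).
KNOWN_VIRUS_MACROS = {
    "Concept": {"AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "Payload"},
    "Wazzu": {"autoOpen"},
}


def assess(observed, baseline, tools_macro_available=True):
    """Audit the macro list of a freshly opened document.

    observed  names currently shown by Tools|Macro
    baseline  names you wrote down for a clean NORMAL.DOT
    Returns a dict with the macros not in the baseline, the viruses whose whole
    macro set is present, and human-readable findings.
    """
    findings = []
    if not tools_macro_available:
        # CAP.A disables the menu; its absence is itself the symptom.
        findings.append("Tools|Macro menu is disabled: symptom of CAP.A infection")
        return {"unexpected": [], "matches": [], "findings": findings}

    observed = set(observed)
    unexpected = sorted(observed - set(baseline))
    matches = [name for name, macros in KNOWN_VIRUS_MACROS.items()
               if macros <= observed]
    for name in matches:
        findings.append(f"all macros of {name} present: delete them via Tools|Macro")
    if unexpected and not matches:
        findings.append("unknown extra macros " + ", ".join(unexpected)
                        + ": compare against a virus description before deleting")
    if not unexpected:
        findings.append("no macros beyond the recorded baseline")
    return {"unexpected": unexpected, "matches": matches, "findings": findings}


if __name__ == "__main__":
    baseline = ["MyLetterhead"]  # constructed clean-template baseline
    samples = (
        ["MyLetterhead", "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "Payload"],
        ["MyLetterhead", "autoOpen"],
        ["MyLetterhead"],
    )
    for shown in samples:
        print(assess(shown, baseline)["findings"])
    print(assess([], baseline, tools_macro_available=False)["findings"])
```

Extending `KNOWN_VIRUS_MACROS` with the macro sets from a vendor's virus description is all that is needed to recognize other viruses; anything that is flagged as unexpected but matches no known set is exactly the case where the chapter tells you to look the macros up before deleting them.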

9. Manual scanning and disinfection with F-macro

Disinfection of a document using the freeware utility F-macro is described in the document Fmacro.htm.

10. Problem of false alarms produced by F-prot

Version 2.xx of F-prot cannot correctly detect many macro viruses, as it does not analyze the complex OLE2 structure of MS Word documents. Essentially F-prot uses simple string search methods to detect viruses. This is a very unreliable method and in many cases F-prot produces so-called "false positives": i.e. it considers documents to be infected even if the virus macros are merely present (renamed or deactivated). Such documents cannot transmit the virus and are not infected in the exact meaning of this word. F-macro and SCANPROT usually give much better diagnostics. If you have files that are detected by F-prot as infected but are not detected as infected by F-macro, you have a false positive. This is usually the result of using another AV package (McAfee SCAN). In this case the user should first convert the document to .RTF format, delete the original file, and then convert the file back to .DOC format.

11. What to do if the current version of the AV package cannot disinfect a macro virus during login.

It's not a big deal. Restore from backup or delete NORMAL.DOT if it is infected. To test whether NORMAL.DOT is infected, open MS Word and see whether the Tools|Macro menu is present and, if yes, whether macros that could be attributed to a virus are present in the Tools|Macro menu.

Then save in RTF format each document that you open, so that new documents do not become infected.

There are 2 ways to proceed:

12. Troubleshooting and useful WWW links

Macro viruses are not a big deal. It is often possible to analyze and disinfect a new macro virus even without knowledge of VBA, but you will be much better off even with rudimentary knowledge of this beast ;-). One of the first things to do when a new macro virus is found is to update F-macro to the latest version from ftp://www.datafellows.com/f-prot/tools/. If the new version detects and disinfects the virus then all documents should be scanned with it (maybe without disinfection if the information is valuable and the virus is new). Descriptions of macro viruses can usually be found at www.datafellows.com.

A good library of macro virus descriptions is on the DrSolomon site http://www.drsolomon.com/vircen/enc/list.cfm?letter=Macro+Viruses

The McAfee (now Network Associates) site http://www.avertlabs.com can also be useful, as McAfee is often one of the first vendors to react to viruses discovered in the USA. Symantec is also quite good in this respect.

The Microsoft site is usually not very useful for finding information about a new macro virus, but it is pretty useful for finding MS Word add-ons, including add-ons for macro virus protection.

Although not directly connected to macro virus protection, service packs for MS Office usually contain a lot of fixes that improve the stability of MS Word, and they should not be ignored. Here are some links to Microsoft Web pages that sometimes can be useful: