Macro viruses and their capabilities. Malicious programs and viruses (macro viruses, stealth and polymorphic viruses). Macro viruses and methods of their design

Evgeniy Kaspersky

Macro viruses are programs written in the macro languages built into some data-processing systems (text editors, spreadsheets, etc.).

To reproduce, such viruses use the capabilities of macro languages and, with their help, transfer themselves from one infected file (document or table) to others. The most widespread macro viruses are those for Microsoft Word, Excel and Office 97.

For viruses to exist in a specific system (editor), the system must have a built-in macro language with the following capabilities:
  1. linking a program in the macro language to a specific file;
  2. copying macro programs from one file to another;
  3. obtaining control by a macro program without user intervention (automatic or standard macros).

The described conditions are met by the MS Word, MS Office 97 and AmiPro editors, as well as the MS Excel spreadsheet. These systems contain macro languages (MS Word - WordBasic, MS Excel and MS Office 97 - Visual Basic), in which:
  1. macro programs are tied to a specific file (AmiPro) or are located inside the file (MS Word/Excel/Office 97);
  2. the macro language allows files to be copied (AmiPro) or macro programs to be moved into system service files and editable files (MS Word/Excel/Office 97);
  3. when working with a file under certain conditions (opening, closing, etc.), macro programs (if any) are called, which are defined in a special way (AmiPro) or have standard names (MS Word/Excel/Office 97).

In the four software products mentioned above, viruses take control when an infected file is opened or closed, hijack standard file functions and then infect files that are somehow accessed. By analogy with DOS, we can say that most macro viruses are resident viruses: they are active not only when the file is opened or closed, but as long as the editor itself is active.


General information

The physical location of the virus inside a file depends on the file format, which in the case of Microsoft products is extremely complex: each Word or Office 97 document or Excel spreadsheet is a sequence of data blocks (each with its own format), linked together by a large amount of service data. This format is called OLE2 (Object Linking and Embedding, version 2). The structure of a Word, Excel or Office 97 (OLE2) file resembles the file system of a DOS disk: the "root directory" of the document or spreadsheet points to the main subdirectories of the various data blocks, several "FAT tables" record where the data blocks are located in the file, and so on.

Moreover, Office Binder, which supports the Word and Excel standards, lets you create files that simultaneously contain one or more Word documents and one or more Excel tables; Word viruses can infect the Word documents and Excel viruses the Excel tables, all within a single disk file. The same is true for Office 97.

It should be noted that MS Word versions 6 and 7 allow you to encrypt macros present in the document.

Thus, some Word viruses are present in infected documents in encrypted (Execute only) form.

Most known viruses for Word are incompatible with national (including Russian) versions of Word or, conversely, are designed only for localized versions of Word and do not work under the English version. However, the virus in the document still remains active and can infect other computers with the corresponding version of Word installed on them.

It is interesting that the Word document, Excel table and especially Office 97 formats have the following feature: the files contain "extra" data blocks, that is, data that has nothing to do with the text or tables being edited, or copies of other file data that accidentally ended up there. The reason is the cluster organization of data in OLE2 documents and tables: even if only one character of text is entered, one or even several data clusters are allocated for it, and when the document or table is saved, the part of a cluster not filled with "useful" data retains "garbage", which ends up in the file along with the rest.

The amount of such "garbage" in files can be reduced by turning off the Word/Excel "Allow Fast Save" option, but this only reduces the total amount and does not remove it completely.

It should also be noted that some versions of OLE2.DLL contain a small flaw because of which, when working with Word, Excel and especially Office 97 documents, random data from the disk, including confidential data (deleted files, directories, etc.), can end up inside the document.
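To make the OLE2 layout described above concrete, here is a small reader for that format (an added example, not code from the original article or any of its authors). It parses the header, the FAT and the directory tree, follows a stream's sector chain, reports the slack bytes left behind in the stream's last sector (the "garbage" discussed above), and lists the storages in which Word 97 ("Macros") and Excel 97 ("_VBA_PROJECT_CUR") keep their VBA projects. The file it reads is constructed in memory by build_sample() rather than taken from a real document; the stream content and the "deleted-file-fragment" slack are made up. Two simplifications are assumed and marked in comments: FAT sectors listed beyond the 109 entries in the header DIFAT are not followed, and streams below the 4096-byte cutoff (which live in the mini stream) are refused rather than read.

```python
import struct

MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ENDOFCHAIN, FREESECT, FATSECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFF, 0xFFFFFFFD, 0xFFFFFFFF
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5
MACRO_STORAGES = {"Macros", "_VBA_PROJECT_CUR"}  # Word 97 / Excel 97 VBA project containers


class CompoundFile:
    def __init__(self, data: bytes):
        if data[:8] != MAGIC:
            raise ValueError("not an OLE2 compound file")
        self.data = data
        self.sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
        num_fat, self.first_dir = struct.unpack_from("<II", data, 44)
        self.mini_cutoff = struct.unpack_from("<I", data, 56)[0]
        difat = struct.unpack_from("<109I", data, 76)  # header DIFAT: which sectors hold the FAT (no DIFAT chaining here)
        fmt = "<%dI" % (self.sector_size // 4)
        self.fat = [v for s in difat[:num_fat] if s != FREESECT for v in struct.unpack(fmt, self.sector(s))]
        self.entries = self._directory()

    def sector(self, n):  # sector 0 starts right after the 512-byte header
        return self.data[(n + 1) * self.sector_size:(n + 2) * self.sector_size]

    def _chain(self, start):
        # Follow 'next sector' links to ENDOFCHAIN; a loop planted by a hostile file is an error, not a hang.
        out, cur = [], start
        while cur not in (ENDOFCHAIN, FREESECT) and cur < len(self.fat):
            if cur in out:
                raise ValueError("cyclic sector chain at %d" % cur)
            out.append(cur)
            cur = self.fat[cur]
        return out

    def _directory(self):
        raw = b"".join(self.sector(s) for s in self._chain(self.first_dir))
        entries = []
        for off in range(0, len(raw) - 127, 128):  # one 128-byte entry per storage/stream
            name_len, etype = struct.unpack_from("<HB", raw, off + 64)
            name = raw[off:off + max(name_len - 2, 0)].decode("utf-16-le", "replace")
            left, right, child = struct.unpack_from("<III", raw, off + 68)
            start, size = struct.unpack_from("<IQ", raw, off + 116)
            entries.append(dict(name=name, type=etype, left=left, right=right, child=child, start=start, size=size))
        return entries

    def walk(self):
        # Yield (path, entry) for everything under the root: the "root directory" and its "subdirectories".
        seen = set()
        def visit(idx, prefix):
            if idx >= len(self.entries) or idx in seen:  # NOSTREAM (0xFFFFFFFF) ends a branch
                return
            seen.add(idx)
            e = self.entries[idx]
            yield from visit(e["left"], prefix)
            path = prefix + e["name"]
            yield path, e
            if e["type"] == TYPE_STORAGE:
                yield from visit(e["child"], path + "/")
            yield from visit(e["right"], prefix)
        yield from visit(self.entries[0]["child"], "")

    def read_stream(self, entry):
        """Return (data, slack): the stream's bytes and whatever is left in the tail of its last sector."""
        size = entry["size"]
        if entry["type"] != TYPE_ROOT and size < self.mini_cutoff:
            raise NotImplementedError("stream lives in the mini stream; the mini FAT is not parsed here")
        raw = b"".join(self.sector(s) for s in self._chain(entry["start"]))
        return raw[:size], raw[size:].rstrip(b"\x00")


def build_sample():
    """Constructed in memory, no real document: WordDocument stream in sectors 2..10, Macros/VBA storages, slack."""
    ss, doc = 512, b"W" * 4100  # 4100 >= the 4096-byte cutoff, so regular sectors rather than the mini stream
    slack = b"deleted-file-fragment: salary.xls"  # made-up 'garbage' left in the unused tail of the last sector
    chain = list(range(2, 11))
    fat = [FREESECT] * (ss // 4)
    fat[0], fat[1] = FATSECT, ENDOFCHAIN  # sector 0 is the FAT itself, sector 1 the directory
    for a, b in zip(chain, chain[1:] + [ENDOFCHAIN]):
        fat[a] = b

    def entry(name, etype, left, right, child, start=0, size=0):
        n = name.encode("utf-16-le") + b"\0\0"
        return (n.ljust(64, b"\0") + struct.pack("<HBB", len(n), etype, 1)
                + struct.pack("<III", left, right, child) + b"\0" * 36 + struct.pack("<IQ", start, size))

    header = MAGIC + b"\0" * 16 + struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\0" * 6
    header += struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # one FAT sector, directory at 1
    header += struct.pack("<109I", 0, *([FREESECT] * 108))  # DIFAT[0]: the FAT is in sector 0
    directory = (entry("Root Entry", TYPE_ROOT, NOSTREAM, NOSTREAM, 1, ENDOFCHAIN)
                 + entry("WordDocument", TYPE_STREAM, NOSTREAM, 2, NOSTREAM, 2, len(doc))
                 + entry("Macros", TYPE_STORAGE, NOSTREAM, NOSTREAM, 3)
                 + entry("VBA", TYPE_STORAGE, NOSTREAM, NOSTREAM, NOSTREAM))
    return header + struct.pack("<128I", *fat) + directory + (doc + slack).ljust(len(chain) * ss, b"\0")


def inspect(data):
    cf = CompoundFile(data)
    items = list(cf.walk())
    payload, slack = cf.read_stream(next(e for p, e in items if p == "WordDocument"))
    macros = [p for p, e in items if e["type"] == TYPE_STORAGE and p.rsplit("/", 1)[-1] in MACRO_STORAGES]
    return {"paths": [p for p, _ in items], "macro_containers": macros, "doc_size": len(payload), "slack": slack}
```

inspect(build_sample()) returns the tree WordDocument, Macros, Macros/VBA, flags "Macros" as a VBA project container, and recovers the slack bytes that a real writer could just as easily have left in a document. Pointing CompoundFile at the bytes of a real .doc or .xls produces the same kind of listing; a "Macros" or "_VBA_PROJECT_CUR" storage in a file that is supposed to be plain data is the first thing to check.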
MS Word/Excel/Office 97 viruses: work principles

When working with a document, MS Word versions 6 and 7 perform various actions: open the document, save, print, close, etc. At the same time, Word searches for and executes the corresponding built-in macros: when saving a file with the File/Save command the FileSave macro is called, when saving with File/SaveAs - FileSaveAs, when printing a document - FilePrint, and so on, if, of course, such macros are defined.

There are also several "auto macros" that are called automatically under various conditions. For example, when you open a document, Word checks for the presence of the AutoOpen macro. If such a macro is present, then Word executes it. When closing a document, Word executes the AutoClose macro, when starting Word, the AutoExec macro is called, when shutting down - AutoExit, and when creating a new document - AutoNew.

Similar mechanisms, but with different macro and function names, are used in Excel/Office 97.

Macro viruses that infect Word, Excel or Office 97 files usually use one of the following three techniques:
  1. the virus contains an auto macro (AutoOpen, AutoClose, AutoExec, AutoExit or AutoNew), which the editor runs by itself;
  2. the virus redefines one of the standard system macros (FileOpen, FileSave, FileSaveAs, FilePrint, etc.), which are associated with menu items;
  3. the virus macro is automatically called when you press a particular key or key combination.

There are also semi-viruses that do not use the listed techniques and reproduce only if the user independently launches them for execution.

Most macro viruses contain all their functions in the form of standard MS Word/Excel/Office 97 macros. There are, however, viruses that use techniques to hide their code and store it in a non-macro form. Three such methods are known. They all take advantage of the ability of macros to create, edit and execute other macros. Typically, such a virus has a small (sometimes polymorphic) macro loader that calls the built-in macro editor, creates a new macro, fills it with the main virus code, executes it, and then usually destroys it to hide traces of the virus. The main code of such viruses is present either in the body of the loader itself in the form of text strings, or is stored in the document variable area or in the AutoText area.

Work algorithm of macro viruses for Word

Most known Word viruses (versions 6, 7 and Word 97) when launched transfer their own code to the global document macro area (“general” macros).

When you exit Word, global macros (including virus macros) are automatically written to the global macros DOT file (usually NORMAL.DOT). Thus, the virus is activated at the moment when Word loads global macros.

Then the virus overrides (or already contains) one or more standard macros (for example, FileOpen, FileSave, FileSaveAs, FilePrint) and thus intercepts commands for working with files. When these commands are called, the file being accessed is infected. To do this, the virus converts the file to Template format (after which converting it to any non-Template format is no longer possible) and writes its macros into the file, including the auto macros.

Another way to introduce a virus into a system is based on so-called “Add-in” files, i.e. files that are service additions to Word. In this case, NORMAL.DOT is not changed, and Word, when launched, loads the virus macros from the file (or files) defined as “Add-in”. This method almost completely replicates the infection of global macros, with the only exception that the virus macros are stored not in NORMAL.DOT, but in some other file.

It is also possible to introduce a virus into files located in the STARTUP directory. In this case, Word automatically loads template files from this directory, but such viruses have not yet been encountered.

Macro virus detection

Characteristic signs of the presence of macroviruses are:

  1. inability to convert an infected Word document to another format;
  2. infected files are in Template format, since when infecting, Word viruses convert files from the Word Document format to Template;
  3. inability to write a document to another directory or to another disk using the "Save As" command (Word 6 only);
  4. the STARTUP directory contains "foreign" files;
  5. the presence of "extra" and hidden Sheets in the Book.

To check the system for a virus, you can use the Tools/Macro menu item. If “foreign macros” are detected, they may belong to a virus. However, this method does not work in the case of stealth viruses, which “prohibit” the operation of this menu item, which, in turn, is a sufficient reason to consider the system infected.

Many viruses have bugs or do not work correctly in different versions of Word/Excel, causing these programs to produce error messages, for example:

WordBasic Err = error number.

If such a message appears when editing a new document or table without knowingly using any custom macros, this may also be a sign of system infection. Also a signal of a virus are changes in files and system configuration of Word, Excel and Windows. Many viruses change the Tools/Options menu items in one way or another - allowing or disabling the “Prompt to Save Normal Template”, “Allow Fast Save”, “Virus Protection” functions. Some viruses set a password on files when they are infected.

A large number of viruses create new sections and/or options in the Windows configuration file (WIN.INI).

Naturally, the manifestations of a virus include such “unexpected things” as the appearance of messages or dialogs with rather strange content or in a language that does not match the language of the installed version of Word/Excel.
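The signs above (auto macros, redefined File* and ToolsMacro commands, conversion to Template, tampering with the "Virus Protection" and "Prompt to Save Normal Template" options, WIN.INI writes, code assembled from text strings or document variables) can be turned into a static check over a macro module's source. The scanner below is an added example, not part of the original text or of any product it mentions; the VBA snippet it analyses is constructed for the purpose and only mimics the shape of such a macro. It assumes the module source has already been extracted from the document (the VBA streams in Office 97 files are compressed; a tool such as olevba does that part), and the indicator names are this example's own.

```python
import re
from collections import defaultdict

# Entry points the editor runs by itself: Word auto macros and Office 97 event procedures.
AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autoexit", "autonew", "auto_open", "auto_close",
               "workbook_open", "workbook_beforeclose", "document_open", "document_close"}
# Standard command macros a virus redefines to hook file operations, or to hide (ToolsMacro, ViewVBA).
COMMAND_MACROS = {"fileopen", "filesave", "filesaveas", "fileprint", "fileclose", "filenew",
                  "toolsmacro", "toolsoptions", "viewvba", "filetemplates"}
# Behaviour indicators, matched per source line (case-insensitive); the tag names are this example's own.
PATTERNS = [
    ("self-copy", r"\bMacroCopy\b|OrganizerCopy|\.VBProject\b|CodeModule"),
    ("code-from-text", r"AddFromString|InsertLines|\bVariables\s*\(|AutoTextEntries"),
    ("template-convert", r"wdFormatTemplate|\.Format\s*=\s*1\b"),
    ("disable-protection", r"VirusProtection|SaveNormalPrompt|GlobalDotPrompt|ConfirmConversions"),
    ("win-ini-write", r"PrivateProfileString"),
    ("password", r"\bPassword\s*:?=|WritePassword"),
]
PROC_RE = re.compile(r"^[ \t]*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)", re.I | re.M)


def scan_module(source: str) -> dict:
    """Return {indicator: [details]} for one macro module's source text."""
    findings = defaultdict(list)
    for name in PROC_RE.findall(source):
        if name.lower() in AUTO_MACROS:
            findings["auto-macro"].append(name)
        elif name.lower() in COMMAND_MACROS:
            findings["command-override"].append(name)
    for lineno, line in enumerate(source.splitlines(), 1):
        code = line.split("'", 1)[0]  # drop the comment (crude: an apostrophe inside a string literal also cuts)
        for tag, pattern in PATTERNS:
            if re.search(pattern, code, re.I):
                findings[tag].append("line %d" % lineno)
    return dict(findings)


def classify(findings: dict) -> str:
    """A module that both runs by itself and can write itself elsewhere matches the virus pattern described above."""
    entry = bool(findings.get("auto-macro") or findings.get("command-override"))
    spread = bool(findings.get("self-copy") or findings.get("code-from-text") or findings.get("template-convert"))
    if entry and spread:
        return "likely macro virus"
    return "suspicious" if entry or spread else "clean"


# Constructed sample (not a real virus): only the shape the text describes, nothing that replicates.
SAMPLE_MODULE = """\
' constructed module for the scanner above
Attribute VB_Name = "ThisDocument"
Private Sub Document_Open()
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    Call Stage
End Sub

Sub FileSaveAs()
    ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
    Application.OrganizerCopy Source:=NormalTemplate.FullName, _
        Destination:=ActiveDocument.FullName, Name:="Stage", Object:=wdOrganizerObjectProjectItems
End Sub

Sub Stage()
    System.PrivateProfileString("win.ini", "Stage", "Seen") = "1"
    ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromString ActiveDocument.Variables("Body").Value
End Sub
"""

if __name__ == "__main__":
    report = scan_module(SAMPLE_MODULE)
    for tag, details in sorted(report.items()):
        print("%-20s %s" % (tag, ", ".join(details)))
    print(classify(report))
```

On the constructed module the scanner reports an auto macro (Document_Open), a redefined FileSaveAs, the conversion to Template, two disabled protection options, a WIN.INI write and code built from a document variable, and classifies it as a likely macro virus; a module whose only finding is an AutoOpen that shows a message box is reported as merely suspicious, which is the right answer for many legitimate templates. The check is deliberately a whitelist of names and a handful of regular expressions: it will miss a loader that builds the method names at run time (the "non-macro" storage described earlier), which is exactly why the text treats a hidden Tools/Macro menu item as a sufficient sign of infection on its own.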
Recovery of affected objects

To neutralize Word and Excel viruses, it is enough to save all the necessary information in a format other than a document or spreadsheet. The most suitable is the RTF text format, which preserves almost all the information of the original documents and does not contain macros.

Then you should exit Word/Excel, destroy all infected Word documents, Excel tables, NORMAL.DOT for Word and all documents/tables in the STARTUP directories of Word/Excel. After this, you should launch Word/Excel and restore documents/tables from RTF files.

As a result of this procedure, the virus will be removed from the system, and almost all information will remain unchanged. However, this method has a number of disadvantages. The main one is the complexity of converting documents and tables into RTF format if their number is large. In addition, in the case of Excel, it is necessary to separately convert all Sheets in each Excel file.

Another significant drawback is the loss of normal macros used during operation.

Therefore, before starting the described procedure, you should save their original text, and after neutralizing the virus, restore the necessary macros in their original form.
Where do viruses come from and how to avoid infection

The main source of viruses today is the Internet.

The described case of virus spread is most often recorded by antivirus companies. But it is not uncommon for an infected document file or Excel spreadsheet to end up on the commercial information mailing lists of a large company due to an oversight. In this case, not five, but hundreds or even thousands of subscribers to such mailings will suffer, who will then send infected files to tens of thousands of their subscribers.

Public file servers and electronic conferences are also one of the main sources of virus spread.

Almost every week we receive a message that one of the users has infected their computer with a virus that was received from a BBS, ftp server or electronic conference.

In this case, infected files are often “uploaded” by the author of the virus to several BBS/ftp or sent to several conferences under the guise of new versions of some software (including antiviruses).

In the case of a mass distribution of a virus through BBS/ftp file servers, thousands of computers may be affected at the same time, but in most cases, DOS or Windows viruses are “distributed”, the speed of spread of which in modern conditions is much lower than that of their macro counterparts. For this reason, such incidents almost never end in mass epidemics.

The third way for viruses to quickly spread is through local networks. If you do not take the necessary protective measures, then when an infected workstation enters the network, it infects one or more service files on the server, various software, standard template documents or Excel spreadsheets used in the company, etc.

Computers installed in educational institutions also pose a danger. If one of the students brought a virus on his floppy disks and infected one of the school computers, then all the other students working on this computer will also receive another “infection”.

The same applies to home computers if more than one person works on them. There are often situations when a student son (or daughter), working on a multi-user computer at an institute, drags a virus onto his home computer, as a result of which the virus ends up on the computer network of his father’s or mother’s company.

It is quite rare, but it is still quite possible to infect your computer with a virus during its repair or routine inspection. Repairmen are people too, and some of them tend to not care about basic computer security rules.

Among the variety of viruses, macro viruses stand out: like no others, they are dangerous not only for the operating system but for all the information stored on the connected hard drives. Macro viruses are programs written in the macro languages built into some modern data-processing systems (spreadsheets, text editors, etc.).

That is, into the very software used in offices, at home and elsewhere to maintain reports, documentation and the like. Measured by the loss of text information, viruses of this type are the most dangerous. To reproduce, they exploit the capabilities of macro languages to the full and transfer themselves (more precisely, their program code) from one infected file (usually a table or document) to others. Today the most common macro viruses are those for Office 97, Microsoft Word and Excel; macro viruses that infect Microsoft Access databases and Ami Pro documents have also been written.

For macro viruses to exist in a given system (here, an editor), the system must have a built-in macro language with the following capabilities:

1. copying recorded macro programs from one file to any other;

2. binding a macro-language program (the virus) to a specific file;

3. letting a macro program gain control without user intervention (automatic or standard macros).

All of the above conditions are fully satisfied by the AmiPro editor, Microsoft Word, Office 97, the Microsoft Access database and the Excel spreadsheet. All of these systems contain macro languages: Excel and Office 97 (including Access, Word 97 and Excel 97) - Visual Basic for Applications, and Word - WordBasic.

Today four quite different systems are well known for which separate viruses exist: Office 97, Microsoft Word, Excel and AmiPro. In these systems macro viruses take control when an infected file is opened or closed. Having gained control, the virus intercepts the file functions and then freely infects the files that are accessed. So if you have caught such a virus and identified it, it is strongly recommended not to open documents in, or work at all with, the above programs until the virus has been completely removed; otherwise it may destroy important information (documents, tables, etc.). By analogy with MS-DOS, most modern macro viruses can be called resident: they remain active as long as the editor itself is running, and not only at the moment a file is opened or closed.

A macro virus is a variety of computer virus developed in the macro languages built into application software packages such as Microsoft Office. To reproduce, such viruses use the capabilities of macro languages and, with their help, are transferred from one infected file to others. Most of these viruses are written for MS Word.




Macro virus detection


Characteristic signs of the presence of macroviruses are:
  • inability to convert an infected Word document to another format. Infected files are in Template format, since when infected, Word viruses convert files from the Word Document format to Template;
  • inability to write a document to another directory or to another disk using the “Save As” command (Word 6 only);
  • the STARTUP directory contains “foreign” files;
  • the presence of “extra” and hidden Sheets in the Book.

In particular, consider those representatives of this large family that affect Word documents.

Characteristic signs of their presence are:

1) impossibility of saving an infected Word document in another format (with the Save As... command);

2) impossibility of writing the document to another directory or to another disk with the Save As... command;

3) impossibility of saving changes made to the document (Save command);

4) inaccessibility of the Security Level tab (menu Tools – Macro – Security...);

5) since many viruses are written with errors (or do not work correctly in different versions of Microsoft Office), corresponding messages with an error code may appear;

6) other "oddities" in the behavior of Word documents;

7) the virus can often be detected visually. Most virus writers are vain: in the Word file properties (the Properties window, opened by right-clicking the file and choosing Properties), on the Summary tab they fill in the fields (Title, Subject, Author, Category, Keywords and

Macro viruses are malicious programs written in the macro languages built into text- and data-processing systems. Which files do macro viruses infect? The answer is obvious: the most common variants target Microsoft Excel, Word and Office 97. These viruses are widespread, and writing one is very easy. That is why you should be extremely careful when downloading documents from the Internet; most users underestimate them, and that is a serious mistake.

How does a PC become infected?

Having established what macro viruses are, let us see how they enter the system and infect the computer. Their simple reproduction method lets them hit the maximum number of objects in the shortest time: thanks to the capabilities of macro languages, when an infected document is opened or closed they penetrate the programs being used.

That is, when you work in a text editor or spreadsheet, macro viruses infect everything connected with it. Moreover, some stay active the whole time the editor is running, or even until the PC is turned off.

What is the principle of their work?

They operate according to the following principle: when working with documents, Microsoft Word executes various commands issued in the macro language. First the virus penetrates the main template (NORMAL.DOT), through which all files of this format are opened: it copies its code into macros that give access to the main settings. When the program exits, the template is automatically saved as a .dot file (used to create new documents). After that the virus gets into the standard macros, intercepting the commands sent to other files and infecting them too.

Infection occurs in the following cases:

  1. the virus contains an auto macro (executed automatically when the program starts or shuts down, or when a document is opened or closed);
  2. the virus redefines a basic system macro (usually one associated with a menu item);
  3. the virus activates automatically when specific keys or key combinations are pressed;
  4. the virus reproduces only when it is launched explicitly.

Such viruses usually infect all files created and associated with programs in a macro language.

What harm do they do?

Macro viruses should not be underestimated: they are full-fledged viruses and cause significant harm. They can delete, copy or edit any objects, including those containing personal information, and they can also send information to other people by e-mail.

More powerful specimens can format hard drives and take control of the entire PC. That is why the opinion that this kind of virus is dangerous only for text editors and spreadsheets is mistaken: applications such as Word and Excel work together with a number of others, which in this case are also at risk.

Recognizing an infected file

Files infected with macro viruses are often not hard to identify, since they behave quite differently from other files of the same format.

Danger can be identified by the following signs:

In addition, the threat is often easy to detect visually. Their developers usually fill in the Summary tab of the file properties with information such as the name of the program, its category, the subject, comments and the author's name, which makes getting rid of a macro virus much faster and easier. The tab is opened from the file's context menu.

Removal methods

When you find a suspicious file or document, first scan it with an antivirus. If a threat is detected, the antivirus will try to disinfect the file and, failing that, will block access to it completely.

If the whole computer has been infected, use an emergency boot disk that contains an antivirus with the latest database; it will scan the hard drive and neutralize all the threats it finds.

If this is not possible, your antivirus cannot help, and there is no rescue disk, try the "manual" treatment method:


This will remove the macro virus from the infected document, but that in no way means it is not still in the system. That is why you should scan the whole computer and all its data at the first opportunity with an antivirus, or with a scanner that does not need to be installed.

Treating and cleaning a computer infected with macro viruses is rather laborious, so it is better to prevent infection in the first place.


This way, you will protect yourself and macro viruses will never penetrate the corresponding files.