Andrés Valencia

Welcome to the Macro Virus Information Page!

[Historic Information]


SARC Technology Update (June 2 '97)

Macro viruses continue to rise in prominence, as 6-10 new variants are discovered every day. Included in June's Norton AntiVirus update is new technology which allows detection and repair of unknown macro viruses and virus remnants residing in document files.

The basis of the technology is that many viruses are known to "mate":
When a new virus infects a document that is already infected with another virus, the result can be a new variant that would neither be detected nor repaired using normal identification methods.
The new technology (called "Macro Component") detects and repairs these new sets even before the Symantec AntiVirus Research Center (SARC) has seen an instance of the infection. By verifying that all macros can be attributed to a known macro virus, all such traces can be removed safely. The likelihood of any future matings is reduced considerably.
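
The difference between whole-set identification and per-macro attribution can be modelled in a few lines. This is an added example, not Symantec's code: fingerprinting by SHA-256, the second virus "WM.Hypothetical", the macro bodies and the verdict names are all constructed assumptions.

```python
import hashlib

def fingerprint(body):
    """SHA-256 of a macro body with line endings and trailing spaces normalized."""
    lines = [line.rstrip() for line in body.strip().splitlines()]
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()

# Constructed stand-ins for macro source; no real virus code is reproduced.
CONCEPT = {n: "' constructed body: Concept " + n
           for n in ("AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad")}
OTHER = {"AutoOpen": "' constructed body: hypothetical second virus"}  # assumption

# Whole-set signatures: the "normal identification" that a mated set escapes.
WHOLE_SETS = {"WM.Concept": frozenset(map(fingerprint, CONCEPT.values())),
              "WM.Hypothetical": frozenset(map(fingerprint, OTHER.values()))}
# Per-macro table: fingerprint -> virus the component belongs to.
KNOWN = {fp: virus for virus, fps in WHOLE_SETS.items() for fp in fps}

def identify_whole_set(macros):
    """Return the virus whose complete macro set equals this one, else None."""
    prints = frozenset(map(fingerprint, macros.values()))
    return next((v for v, sig in WHOLE_SETS.items() if sig == prints), None)

def classify(macros):
    """Return (verdict, {macro name: attributed virus or None})."""
    origin = {name: KNOWN.get(fingerprint(body)) for name, body in macros.items()}
    if not macros:
        return "clean", origin
    if all(origin.values()):
        return "remove-all", origin      # every macro is a known viral component
    return "manual-review", origin       # stripping all would delete unknown code

# Constructed "mated" document: Concept's set with the other virus's AutoOpen.
MATED = {**CONCEPT, "AutoOpen": OTHER["AutoOpen"]}
# Same document plus a macro that matches nothing (for example the user's own).
WITH_USER_MACRO = {**MATED, "InvoiceTotals": "' constructed body: user macro"}

if __name__ == "__main__":
    for label, doc in (("mated", MATED), ("with user macro", WITH_USER_MACRO)):
        print(label, identify_whole_set(doc), classify(doc)[0])
```

The mated set matches no whole-set signature, yet every macro in it is attributable, so it can be cleaned; one unattributed macro is enough to withhold automatic removal.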


MS Word Macro Virus Family

The Word Macro family of viruses uses the WordBasic macro language to infect and replicate in and among MS Word documents and templates. Most notably, this new family of viruses is platform independent - they will infect documents and templates on DOS, Macintosh, Windows 3.x, Windows 95 and Windows NT operating systems.

These viruses use several of the features of the MS Word "environment" to auto-execute viral macrocode.
Once an infected document is opened and the virus launched, generally, the virus will infect the user's NORMAL.DOT template.
This template is the basis for the majority of other documents and templates and is globally available to all other MS Word templates on the system.
Once entrenched in the NORMAL.DOT file, the virus will spread to all other documents and templates as they are opened.
Note that, by default, the NORMAL.DOT template is the first document opened when you launch MS Word without specifying a different document on the command line.
This will immediately put the virus in control every time you launch MS Word.

Word Macro viruses force documents to be saved as MS Word templates, despite what the name or extension of the document file might be recorded as.
Forcing documents to be saved as templates is used as a means of propagation as macros are not saved in standard .DOC files.
Only templates can contain any actual macrocode and therefore be used as a carrier.
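
A file that is a template internally but carries a document extension is therefore a useful triage signal. The sketch below is an added example, not part of the original page: it reads the template flag (fDot) from the first bytes of the WordDocument stream and assumes that stream has already been extracted from the OLE container by another tool; the sample headers are constructed.

```python
import struct

# wIdent values at offset 0 of the WordDocument stream's File Information Block.
WORD_IDENT = {0xA5DC: "Word 6.0/95", 0xA5EC: "Word 97"}
FLAGS_OFFSET = 0x0A  # flag word after wIdent, nFib, nProduct, lid, pnNext
F_DOT = 0x0001       # fDot: set when the file was saved as a template

def is_template(stream):
    """Return True if the File Information Block marks the file as a template."""
    if len(stream) < FLAGS_OFFSET + 2:
        raise ValueError("stream too short to hold a FIB header")
    (w_ident,) = struct.unpack_from("<H", stream, 0)
    if w_ident not in WORD_IDENT:
        raise ValueError("not a recognised Word binary header: 0x%04X" % w_ident)
    (flags,) = struct.unpack_from("<H", stream, FLAGS_OFFSET)
    return bool(flags & F_DOT)

def template_named_as_document(filename, stream):
    """True when the content is a template but the name does not end in .dot."""
    return is_template(stream) and not filename.lower().endswith(".dot")

def make_fib(w_ident, flags):
    """Build a constructed 12-byte FIB header for testing (not a full document)."""
    return struct.pack("<HHHHHH", w_ident, 0, 0, 0x0409, 0, flags)

if __name__ == "__main__":
    samples = [("REPORT.DOC", make_fib(0xA5DC, 0x0001)),   # template inside
               ("REPORT.DOC", make_fib(0xA5DC, 0x0000)),   # ordinary document
               ("NORMAL.DOT", make_fib(0xA5DC, 0x0001))]   # honest template
    for name, fib in samples:
        print(name, template_named_as_document(name, fib))
```

A mismatch is a reason to inspect the file's macros, not a verdict: a legitimate template that was simply renamed produces the same result.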


WM.Concept:

Aliases: Concept, Microsoft Word Prank Macro, Prank Macro, WinWord.Concept, WordMacro.Concept, WW6Macro, Word Macro 9508
Infection length: 5 macros
Area of Infection: Microsoft Word documents
Likelihood: Common
Region reported: Worldwide
Characteristics: Wild, macro
Target platform: DOS
Trigger date: None

Description:

WM.Concept is a MS Word macro virus that uses five macros to infect hosts and spread itself.

The macros are named:

  • AAAZAO
  • AAAZFS
  • AutoOpen
  • FileSaveAs
  • PayLoad

All of the macros are easily visible from the Macro command of the Tools pulldown menu within Microsoft Word.
Upon infection, WM.Concept looks for the PayLoad and FileSaveAs macros. If it finds either macro, WM.Concept aborts infection. If it does not find either macro, WM.Concept begins the infection process.

The first stage of infection that users see is a dialog box displaying the number "1" and an OK button.
Once users press the OK button, WM.Concept gains control. The virus replaces the Save As command in the File pulldown menu with its own command, which forces the user to save all documents as new templates.
Without notice, WM.Concept takes the contents of the AAAZAO macro and places it in another macro, called AutoOpen, in the new templates, and copies the AAAZFS, AAAZAO, and PayLoad macros to the new file.
The AutoOpen macro is automatically started each time a template is opened, allowing the virus to replicate in the new documents.

Other than the number "1" displayed during initial residency, WM.Concept displays no message. However, the PayLoad macro contains the following message:

That's enough to prove my point


For more detailed information, link to Symantec Word Macro Viruses Information Page


For MS Word 6.x and 95:

Information on the Macro Virus Protection Tool

The Microsoft Corporation has developed a tool which installs a set of protective macros that detect suspicious Word files and alert customers to the potential risk of opening files with macros.
Upon being alerted, users are given the choice of opening the file without executing the macros, opening the file as is, or canceling the file open operation.
Opening the file without macros ensures that macro viruses are not transmitted and does not affect the content of the document.
Unless users can verify that the macros contained in the document will not cause damage, Microsoft recommends opening the file without macros.

Although the primary purpose of the Macro Virus Protection tool is to alert users to the existence of macros in their documents and allow them to open their documents without macros, the tool also contains an updated version of the scanning code for the Concept virus (also known as the Word Prank Macro virus) and can be used to scan your hard disk for Word files that contain the Concept virus.


Customers can download a North American (English) or International (various languages) version of the scanning tool from several on-line sites:
The scanning tool, information, and instructions, can be downloaded from the Microsoft World Wide Web site at http://www.microsoft.com/msword/freestuff/mvtool/mvtool2.htm or through MSN, The Microsoft Network, using go word: macrovirustool.
It is also posted in the Word forums on other on-line services such as CompuServe® and America Online®.
In addition, customers using English versions of Word can get the tool by calling Microsoft's Product Support Services at 206-462-9673 for Word for Windows, and 206-635-7200 for Word for the Macintosh, or by sending e-mail to wordinfo@microsoft.com

The Macro Virus Protection Tool (mvtool40.exe 71KB) includes two files:

Scanprot.dot: The template that installs the protection macros on the user's machine.

Readme.doc: A file that provides information about the tool and its operation.


For MS Word 95a (version 7.0a) and MS Word 97:

Virus Protection for the Normal.dot in Word 97

The virus protection macro is designed to protect the Normal template against macro virus infections. This virus protection macro locks the Visual Basic for Applications project of the Normal template and prevents any macros from writing any VBA code to the Normal template.
If a Word 97 document is infected with a macro virus, the virus will not be able to reproduce or infect the Word environment.
This protection stays on for as long as you do not record or edit macros in Normal.dot.
If you attempt to record or edit any macros in Normal.dot you will be prompted for a password. Once you enter the password, the protection is turned off to allow you to modify the macrocode in Normal.dot.
In order for the protection to be on again, Windows needs to be restarted. Therefore, in order to avoid virus infections, you should not open any other documents if you have been editing or recording macros in Normal.dot until you restart Windows.
This virus protection macro is designed for the U.S. version of Word 97 but is also effective for most European versions.
The virus protection macro will not protect against all viruses but does provide reliable protection against the most widespread existing viruses, including Concept, Wazzu, NPad, and any other viruses that spread by copying themselves into Normal.dot.
In some cases, the virus protection macro may also prevent viruses that already reside in Normal.dot from infecting other documents.
If, after using this tool, you start noticing error messages when opening or closing documents, it may mean that your Normal.dot is already infected with a virus.
This virus protection macro does not actually remove any viruses - it only helps prevent them from spreading.


Directions:

Click here to open (or download) the virus protection macro document (protection.doc).
(Open protection.doc in MS Word 95a or MS Word 97, if it is not already open)
Click "Enable Macros" when prompted.

Read the license agreement. The virus protection macro runs automatically as soon as you click the "Accept" button.

When prompted, specify a new password that you will remember; it will be used to protect Normal.dot.

The password you provide will be required each time you try to record a macro in the Normal.dot or install any macro solution that modifies code in the Normal.dot. Restart Windows each time after macro recording or writing code to Normal.dot, to ensure that virus protection is enabled.


You can see more Microsoft Word macro virus information here.

Microsoft Word Macro Virus Feature Article:
Find out if Word is infected with a macro virus and what to do about it.


This information is from: Virus Protection for the Normal.dot in Word 97 at Microsoft's Web site.


MS Excel Macro Virus Family

The MS Excel Macro family of viruses uses the ExcelBasic macro language to infect and replicate in and among MS Excel documents and templates. This new family of viruses tends to be platform dependent - they will not infect documents or templates on different operating systems.


XM.Laroux:

XM.Laroux is a virus first discovered in July 1996 in Africa and Alaska and is the first working Excel macro virus found in general circulation.
The actual virus code consists of two macros called Auto_Open and Check_Files. The macros are stored in a hidden datasheet named 'laroux'.

In infected spreadsheet files (Excel workbooks), the 'laroux' datasheet is not readily visible (it is hidden). When an infected spreadsheet is first opened on a system, the Auto_Open macro is automatically run by Excel, which in turn runs the Check_Files macro. This happens each time that a worksheet is activated.

The Check_Files macro then copies the worksheet with the virus code into a spreadsheet file stored in the Excel startup directory named Personal.xls
(By default, this directory is \MSOffice\Excel\XLStart)
Personal.xls is the global macro spreadsheet; macros stored there are automatically available to all other Excel spreadsheets on the system.
Copying these macros to Personal.xls enables the infection of all other spreadsheets opened or created on the infected system in the future.

XM.Laroux contains no deliberately destructive payloads: it exists only to replicate.
XM.Laroux only works on Microsoft Windows operating systems using Excel versions 5 and 7.
It does not work in the Macintosh environment.

XM.Laroux is written in English.

XM.Laroux was discovered in a limited distribution and has shown no sign of rapid spread.


XM.Sofa:

The XM.Sofa virus is the first member of the second family of Excel macro viruses. First discovered by SARC in early December of 1996 (west coast USA), XM.Sofa, like other Excel macro viruses, is written in MS Visual Basic and it spreads by copying its own viral macros to other MS Excel spreadsheet hosts.
Unlike XM.Laroux (the first known, viable Excel macro virus) which infects by creating a file called PERSONAL.XLS in the default startup directory, XM.Sofa spreads by way of a file called BOOK.XLT placed in the alternate startup directory.

This virus contains 4 macro functions: Auto_Open, Auto_Range, Current_Open, and Auto_Close.
When an infected file is opened, the virus takes control and changes the caption at the top of the screen to 'Microsofa Excel', instead of the normal 'Microsoft Excel'.

Next, the virus checks to see if the system is already infected. The virus looks in the alternate startup directory for a file named BOOK.XLT (or defaults to C:\MSOFFICE\EXCEL\XLSTART if that directory is not defined).
If the file does not exist in the target directory, the virus displays the following message box and infects the system:

Microsoft Excel has detected a corrupted add-in file.
Click 'OK' to repair this file.

After the OK button is clicked, the file BOOK.XLT is created in the target startup directory, and the virus is ready to infect other spreadsheets.

Note: If the alternate startup directory is defined, but does not exist, the virus cannot create the BOOK.XLT file, will not be infectious upon startup and the message box will not be displayed.

When infecting, the virus creates two sheets, one with a name of 12 blank spaces and the other with 13 blank spaces. Both sheets contain the text of the macros; however, only one of them is specified as a Visual Basic module, while the other is defined as a normal worksheet.

XM.Sofa does not contain any deliberately harmful payloads.
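
The sheet-level traces described above for XM.Laroux and XM.Sofa can be checked against a workbook's sheet inventory. This is an added example, not code from Symantec or Microsoft: the inventory format (a list of dicts produced by whatever tool lists sheets and their procedures) and the sample workbooks are constructed assumptions.

```python
LAROUX_MACROS = {"auto_open", "check_files"}
SOFA_MACROS = {"auto_open", "auto_range", "current_open", "auto_close"}

def macro_names(sheet):
    """Lower-cased procedure names on a sheet (VBA names ignore case)."""
    return {m.lower() for m in sheet["macros"]}

def triage_workbook(sheets):
    """Return {virus name: [indicators seen]} for one workbook inventory.

    Each sheet is a dict with name (str), hidden (bool), kind ("module" or
    "worksheet") and macros (procedure names defined on that sheet).
    """
    findings = {}
    for s in sheets:
        if s["name"].lower() == "laroux" and s["hidden"]:
            notes = ["hidden sheet named 'laroux'"]
            if LAROUX_MACROS <= macro_names(s):
                notes.append("Auto_Open and Check_Files on that sheet")
            findings["XM.Laroux"] = notes
    # Sheets whose names are nothing but spaces, keyed by name length.
    blank = {len(s["name"]): s for s in sheets
             if s["name"] and not s["name"].strip(" ")}
    if 12 in blank and 13 in blank:
        notes = ["sheets named with 12 and 13 spaces"]
        if {blank[12]["kind"], blank[13]["kind"]} == {"module", "worksheet"}:
            notes.append("one is a module, the other a worksheet")
        if SOFA_MACROS <= macro_names(blank[12]) | macro_names(blank[13]):
            notes.append("all four Sofa macro names present")
        findings["XM.Sofa"] = notes
    return findings

def sheet(name, kind="worksheet", hidden=False, macros=()):
    return {"name": name, "kind": kind, "hidden": hidden, "macros": set(macros)}

# Constructed inventories for illustration.
LAROUX_BOOK = [sheet("Sheet1"),
               sheet("laroux", "module", True, ["Auto_Open", "Check_Files"])]
SOFA_BOOK = [sheet("Sales"), sheet(" " * 13),
             sheet(" " * 12, "module", False,
                   ["Auto_Open", "Auto_Range", "Current_Open", "Auto_Close"])]
BENIGN_BOOK = [sheet("Budget", "module", False, ["Auto_Open"])]

if __name__ == "__main__":
    for book in (LAROUX_BOOK, SOFA_BOOK, BENIGN_BOOK):
        print(triage_workbook(book))
```

An Auto_Open procedure alone reports nothing, since legitimate workbooks use it too; the sheet names are what tie a finding to one of these two viruses.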


Xuxa.1656:

Xuxa.1656 is a virus believed to originate in Mexico because of its references to Xuxa, a popular children's television personality in Mexico.
When an infected file is executed, Xuxa.1656 becomes memory-resident and then infects files as they are run. The system frequently crashes when Xuxa.1656 is infecting .EXE files, or running them after they have been infected. Whether they run or not, almost all .COM or .EXE files can be repaired by Norton AntiVirus after they have been infected by Xuxa.1656.

On any Saturday in March, between 9 and 11 p.m., the following message is printed:

Xuxa Park 1.0 By Hades. Y luchemos para que todos los niños del mundo tengan derecho a soñar, a soñar por igual.

Translated into English, the message reads:

We fight for all the children of the world to have the right to dream, to dream as equals.


For more detailed information, link to Symantec Antivirus Research Center (SARC)


Microsoft Excel Virus Search Add-ins:

The Microsoft Excel Virus Search version 1.2 and 2.0 Add-Ins are tools that protect users against the ExcelMacro/Laroux and Laroux B macro viruses. The version 1.2 Add-in will also help identify but not remove the Sofa virus.

The version 1.2 Add-in runs on Microsoft Excel version 5.0 for Windows 3.1, Microsoft Excel version 5.0 for Windows NT (TM) and Microsoft Excel version 7.x for Windows 95 and Windows NT. The version 2.0 Add-in is designed only for Microsoft Excel 97.

To obtain Microsoft Excel Virus Search Add-ins for MS Office versions 95 or 97, link to: Microsoft

To obtain Microsoft Excel Virus Information, link to: Microsoft


Updated: February 7 '05   [1997 Historic Information]
