Welcome to the Macro Virus Information Page!
SARC Technology Update (June 2 '97)
Macro viruses continue to rise in prominence, as 6-10 new variants are discovered every day. Included in June's Norton AntiVirus update is new technology which allows detection and repair of unknown macro viruses and virus remnants residing in document files.
The basis of the technology is that many viruses are known to "mate":
MS Word Macro Virus Family
The Word Macro family of viruses uses the WordBasic macro language to infect and replicate in and among MS Word documents and templates. Most notably, this new family of viruses is platform independent - they will infect documents and templates on DOS, Macintosh, Windows 3.x, Windows 95 and Windows NT operating systems.
These viruses use several of the features of the MS Word
"environment" to auto-execute viral macrocode.
Word Macro viruses force documents to be saved as MS Word templates, despite
what the name or extension of the document file might be recorded as.
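One way to check for the forced-template behaviour described above, as an added example that is not part of the original page. It assumes the caller has already extracted the WordDocument stream from the file with an OLE reader of their choice; the function names and the sample header are constructed for illustration.

```python
import os
import struct

# wIdent values that open the WordDocument stream of a Word binary file.
WORD_MAGICS = {0xA5DC: "Word 6.0/95", 0xA5EC: "Word 97 or later"}
FDOT = 0x0001  # bit 0 of the flag word at offset 10: file is a template
TEMPLATE_EXTS = {".dot"}

# Constructed sample: first 12 bytes of a WordDocument stream with fDot set.
SAMPLE_FIB = struct.pack("<6H", 0xA5DC, 101, 0, 0x0409, 0, FDOT)


def is_template(stream: bytes) -> bool:
    """Read the template flag from the start of the File Information Block."""
    if len(stream) < 12:
        raise ValueError("stream too short to hold the start of a FIB")
    (w_ident,) = struct.unpack_from("<H", stream, 0)
    if w_ident not in WORD_MAGICS:
        raise ValueError(f"not a Word binary stream (wIdent={w_ident:#06x})")
    (flags,) = struct.unpack_from("<H", stream, 10)
    return bool(flags & FDOT)


def template_mismatch(filename: str, stream: bytes) -> bool:
    """True when the content is a template but the extension says otherwise.

    A mismatch is a reason to inspect the file's macros, not proof of
    infection: a user can also save a template under a .doc name by hand.
    """
    ext = os.path.splitext(filename)[1].lower()
    return is_template(stream) and ext not in TEMPLATE_EXTS


if __name__ == "__main__":
    print(template_mismatch("report.doc", SAMPLE_FIB))
```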
WM.Concept is a MS Word macro virus that uses five macros to infect hosts and spread itself.
The macros are named:
All of the macros are easily visible from the Macro command of the Tools
pulldown menu within Microsoft Word.
The first stage of infection that users see is a dialog box displaying the
number "1" and an OK button.
Other than the number "1" displayed during initial residency, WM.Concept displays no message. However, the PayLoad macro contains the following message:
That's enough to prove my point
For more detailed information, link to Symantec Word Macro Viruses Information Page
For MS Word 6.x and 95:
Information on the Macro Virus Protection Tool
The Microsoft Corporation has developed a tool which installs a set of
protective macros that detect suspicious Word files and alert customers to
the potential risk of opening files with macros.
Although the primary purpose of the Macro Virus Protection tool is to alert users to the existence of macros in their documents and allow them to open their documents without macros, the tool also contains an updated version of the scanning code for the Concept virus (also known as the Word Prank Macro virus) and can be used to scan your hard disk for Word files that contain the Concept virus.
Customers can download a North American (English) or International (various
languages) version of the scanning tool from several on-line sites:
The Macro Virus Protection Tool (mvtool40.exe 71KB) includes two files:
Scanprot.dot: The template that installs the protection macros on the user's machine.
Readme.doc: A file that provides information about the tool and its operation.
For MS Word 95a (version 7.0a) and MS Word 97:
Virus Protection for the Normal.dot in Word 97
The virus protection macro is designed to protect the Normal template
against macro virus infections. This virus protection macro locks the
Visual Basic for Applications project of the Normal template and prevents
any macros from writing any VBA code to the Normal template.
to open (or download) the virus protection macro document (protection.doc).
Read the license agreement. The virus protection macro runs automatically as soon as you click the "Accept" button.
When prompted, specify a new password that you will remember; it will be used to protect Normal.dot.
The password you provide will be required each time you try to record a macro in the Normal.dot or install any macro solution that modifies code in the Normal.dot. Restart Windows each time after macro recording or writing code to Normal.dot, to ensure that virus protection is enabled.
You can see more Microsoft Word macro virus information here.
Microsoft Word Macro Virus Feature Article:
MS Excel Macro Virus Family
The MS Excel Macro family of viruses uses the ExcelBasic macro language to infect and replicate in and among MS Excel documents and templates. This new family of viruses tends to be platform dependent - they will not infect documents or templates on different operating systems.
XM.Laroux is a virus first discovered in July 1996 in Africa and Alaska and
is the first working Excel macro virus found in general circulation.
In infected spreadsheet files (Excel workbooks), the 'laroux' datasheet is not readily visible (it is hidden). When an infected spreadsheet is first opened on a system, the Auto_Open macro is automatically run by Excel, which in turn runs the Check_Files macro. This happens each time that a worksheet is activated.
The Check_Files macro then copies the worksheet with the virus code into a spreadsheet file stored in the Excel startup directory named Personal.xls.
XM.Laroux contains no deliberately destructive payloads: it exists only to replicate.
XM.Laroux is written in English.
XM.Laroux was discovered in a limited distribution and has shown no sign of rapid spread.
The XM.Sofa virus is the first member of the second family of Excel macro
viruses. First discovered by SARC in early December of 1996 (west coast
USA), XM.Sofa, like other Excel macro viruses, is written in MS Visual
Basic and it spreads by copying its own viral macros to other MS Excel spreadsheet hosts.
This virus contains 4 macro functions: Auto_Open, Auto_Range, Current_Open, and Auto_Close.
Next, the virus checks to see if the system is already infected. The virus
looks in the alternate startup directory for a file named BOOK.XLT (or
defaults to C:\MSOFFICE\EXCEL\XLSTART if that directory is not defined).
Microsoft Excel has detected a corrupted add-in file.
After the OK button is clicked, the file BOOK.XLT is created in the target startup directory, and the virus is ready to infect other spreadsheets.
Note: If the alternate startup directory is defined, but does not exist, the virus cannot create the BOOK.XLT file, will not be infectious upon startup and the message box will not be displayed.
When infecting, the virus creates two sheets, one with a name of 12 blank spaces and the other with 13 blank spaces. Both sheets contain the text of the macros; however, only one of them is specified as a Visual Basic module, while the other is defined as a normal worksheet.
XM.Sofa does not contain any deliberately harmful payloads.
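The XM.Laroux and XM.Sofa traits described above, turned into a triage check; this is an added example, not code from the original page or from any of the tools it mentions. The sheet-metadata shape passed to triage_workbook and both function names are hypothetical, and the sample workbook is constructed.

```python
import os

# Indicators taken from the XM.Laroux and XM.Sofa descriptions above.
LAROUX_MACROS = {"auto_open", "check_files"}
SOFA_MACROS = {"auto_open", "auto_range", "current_open", "auto_close"}
STARTUP_DROPS = {"personal.xls": "XM.Laroux", "book.xlt": "XM.Sofa"}

# Constructed sample: sheet metadata for a workbook showing the Sofa traits.
SAMPLE_SHEETS = [
    {"name": "Sheet1", "hidden": False, "kind": "worksheet", "macros": []},
    {"name": " " * 12, "hidden": False, "kind": "module",
     "macros": ["Auto_Open", "Auto_Range", "Current_Open", "Auto_Close"]},
    {"name": " " * 13, "hidden": False, "kind": "worksheet", "macros": []},
]


def triage_workbook(sheets):
    """Flag Laroux/Sofa traits in sheet metadata (dicts with name, hidden,
    kind, macros; a hypothetical shape filled by your workbook parser)."""
    findings = []
    macros = {m.lower() for s in sheets for m in s["macros"]}
    if any(s["name"].lower() == "laroux" and s["hidden"] for s in sheets):
        findings.append("XM.Laroux: hidden sheet named 'laroux'")
    if LAROUX_MACROS <= macros:
        findings.append("XM.Laroux: Auto_Open together with Check_Files")
    if SOFA_MACROS <= macros:
        findings.append("XM.Sofa: all four macro names present")
    # Sofa adds sheets named with 12 and 13 spaces: one module, one worksheet.
    blank = {len(s["name"]): s["kind"] for s in sheets
             if s["name"] and not s["name"].strip(" ")}
    if {12, 13} <= set(blank):
        mixed = blank[12] != blank[13]
        findings.append("XM.Sofa: sheets named with 12 and 13 spaces"
                        + (" (module plus worksheet)" if mixed else ""))
    return findings


def scan_startup_dir(path):
    """List (file name, family) for drop files in an Excel startup directory.
    PERSONAL.XLS is also Excel's own personal macro workbook name, so a hit
    means 'inspect the file', not 'infected'."""
    if not os.path.isdir(path):
        return []  # missing directory: nothing could have been dropped there
    return sorted((name, STARTUP_DROPS[name.lower()])
                  for name in os.listdir(path)
                  if name.lower() in STARTUP_DROPS)


if __name__ == "__main__":
    print(triage_workbook(SAMPLE_SHEETS))
```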
Xuxa.1656 is a virus believed to originate in Mexico because of its
references to Xuxa, a popular children's television personality in Mexico.
On any Saturday in March, between 9 and 11 p.m., the following message is printed:
Xuxa Park 1.0 By Hades. Y luchemos para que todos los niños del mundo tengan derecho a soñar, a soñar por igual.
Translated into English, the message reads:
We fight for all the children of the world to have the right to dream, to dream as equals.
For more detailed information, link to Symantec Antivirus Research Center (SARC)
Microsoft Excel Virus Search Add-ins:
The Microsoft Excel Virus Search version 1.2 and 2.0 Add-Ins are tools that protect users against the ExcelMacro/Laroux and Laroux B macro viruses. The version 1.2 Add-in will also help identify but not remove the Sofa virus.
The version 1.2 Add-in runs on Microsoft Excel version 5.0 for Windows 3.1, Microsoft Excel version 5.0 for Windows NT (TM) and Microsoft Excel version 7.x for Windows 95 and Windows NT. The version 2.0 Add-in is designed only for Microsoft Excel 97.
To obtain Microsoft Excel Virus Search Add-ins for MS Office versions 95 or 97, link to: Microsoft
To obtain Microsoft Excel Virus Information, link to: Microsoft
Updated: February 7 '05 [1997 Historic Information]
Andrés Valencia: Communications