Chapter 5. Macro Viruses

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes


Antivirus researchers have talked about macro viruses since the early days of MMC. Two of the best, Dr. Frederick Cohen and Ralf Burger, had discussed them in the 1980s, and Harold Highland had written a security paper about them in 1989. The antivirus industry knew they were possible, and it was perplexed that they didn't take off with Lotus 1-2-3 or WordPerfect. Maybe virus writers were just waiting for the right application. That application was Microsoft Word. The first Microsoft Office macro virus was released in December 1994. By 1995, Microsoft Office macro viruses had infected Windows computers all over the world. They soon eclipsed every other type of malicious mobile code, forever changing the antivirus landscape. In the past, antivirus researchers could always narrow their searches to executable programs and boot sectors. Macro viruses replicate using data files. Suddenly scanners had to go from searching for a few file types to investigating everything.

Today, macro viruses make up the majority of mobile code attacks in the world. Macro viruses effortlessly account for over half the infections reported each month. The U.S. Department of Energy, which maintains the Virus Response Team (ViRT) for the government, claims macro viruses represent 85 percent of their tracked infections. The Virus Bulletin (http://www.virusbtn.com) published a virus prevalence table in which macro viruses grabbed the top five spots and 80 percent of the reported incidents. Because they are so prevalent, most macro virus infections aren't reported. Infected documents are becoming so common they don't raise eyebrows with support folks.

It doesn't take much to make a macro virus. All a virus writer needs is a macro language that can manipulate itself and other files and that is assured of being executed by a predefined event (such as a file opening). Macro viruses have been documented in the following applications: Word, Excel, Access, PowerPoint, Project, Lotus AmiPro, Visio, Lotus 1-2-3, AutoCAD, and Corel Draw. Although macro viruses can be created in any application with a feature-rich macro language, most are created with and for Microsoft's Office applications. According to InfoWorld magazine, there are over 90 million Microsoft Office users. Most macro viruses are written for Word and Excel. There are a few viruses, like O97M.Tristate.C, which infect more than one Office application (in this case, Word, Excel, and PowerPoint). Although there are other types of macro viruses, they don't constitute a significant threat yet. For that reason, this chapter will focus on Office macro viruses (specifically concentrating on Word and Excel macro viruses).




Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176
