5.3 Microsoft Word and Excel Macros

Team-Fly    

 
Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Table of Contents
Chapter 5.  Macro Viruses

5.3 Microsoft Word and Excel Macros

Although applications may share a common macro language, each has its own structure and way of operating. Macros written for one type of application usually do not work in another. Manipulating a document in Word is completely different than moving around in an Excel workbook. Even similar events, such as adding together the numbers from two cells , bears little resemblance to each other behind the scenes. To understand macro viruses, you must understand how each application uses macros.

5.3.1 Word Macros

Although macros in Word can be saved in a document, they are more often stored in a separate file type called a template (prior to Word 97, macros had to be stored in a template). The template can contain many of the settings a user wants to include in her default document, like font type, toolbar settings, key assignments, styles, font size , page layout, etc. Every Word document is based on a template, and that template is linked to the document. Whenever an existing or new document is opened, the template settings are applied first. A global template , usually called NORMAL.DOT , is in memory every time Word is loaded. This is a favorite of virus writers, because a macro placed there is able to infect more quickly.

When you choose File figs/u2192.gif New to start a new document, Word will prompt you to choose one of your available templates to use. The Blank Document template is based on Normal.dot .

Word comes with dozens of predefined templates for form letters, fax cover letters , business memos, and other forms. You can define your own personal templates and load them into whatever documents you like using the Tools figs/u2192.gif Templates and Add-Ins. To create a new template, take a blank document and make the changes to it that you would like to see reflected in all documents based upon the template. Then save your document as a .DOT file type with File figs/u2192.gif SaveAs. When you start a new document with File figs/u2192.gif New, select your new template. You can turn any template into a global template and load more than one global template at one time.

Templates are typically stored in a single subdirectory, which you can check by choosing Tools figs/u2192.gif Options figs/u2192.gif File Locations, but they can be loaded from several locations. Personal custom templates are stored in the User template directory, and templates shared between users are stored in the Workgroup template subdirectory. By default, the user templates are stored in C:\%windir%\Application Data\Microsoft or C:\%windir%\Profiles\%user_name%\Application Data\Microsoft . Any document saved as a template (regardless of the extension) and saved into a template subdirectory will function as a template.

5.3.2 Automacros

Like other applications with macro languages, Word and Excel have the ability to automatically launch a macro when a document or template is opened or whenever some other key event is initiated. This is done by naming a macro after a predefined keyword reserved for such a purpose. Here are some of the automacro's especially coveted by Word virus writers:

AutoExec

Runs whenever you start Word or load the global template

AutoOpen

Runs whenever you open an existing document ( Auto_Open in Excel)

AutoNew

Runs whenever you create a new document

AutoClose

Runs each time you close a document ( Auto_Close in Excel)

AutoExit

Runs whenever you quit Word or unload the global template

There are other system macros , such as FileSave and FileClose in Word and Workbook_Activate and Workbook_Deactivate in Excel, that automatically run when their associated event happens. In these cases, saving or closing a file would run macros with those names . There are even system macros associated with different menu options that allow programmers to define their own happenings when a particular menu option is chosen . Virus writers love to hide their creations by rewriting what happens when a user chooses Tools figs/u2192.gif Macrosby using a macro called ToolsMacro (known as menu interception ).

5.3.3 Visual Basic for Applications

Macros written for earlier versions of Word were written in a language called WordBasic , and only work in Word. In 1988, Bill Gates wrote an article entitled, "Beyond Macro Processing" for Byte magazine. In the article, Gates envisioned a common macro language that could be shared between applications. Built as part of the Visual Basic family (Visual Basic, VBScripting, etc.), Visual Basic for Applications (VBA) was first released in 1993 in Excel, and is now incorporated into many of Microsoft's applications. Office 97, and above, uses VBA throughout its applications as the underlying macro and programming language of choice. Now, over 80 different software vendors use VBA as their macro language, including Visio, AutoCAD, and Great Plains Accounting. VBA allows programmers and end userend users to take off-the-shelf software (Office in most cases) and create custom applications. Today, VBA is the programming language that macro virus writers must use to infect Office documents. Table 5-2 lists the different macro language versions used in different Microsoft Office applications.

Table 5-2. Office applications and macro languages they use

Program version

Macro language used

Word 6.x and 7.x

WordBasic

Excel 5.x and 7.x

VBA 3.0

Office 97, Word 8.0, Excel 6.0 and 8.0, Project 98, and Access 8.0

VBA 5.0

Office 2000, Outook 2000, and Front Page 2000

VBA 6.0

Office XP, Outlook 2002, Word 2002, Access 2002, and Front Page 2002

VBA 6.3

Even virus writers have to worry about upgrades. Viruses written in earlier macro languages will not work unless converted into VBA. Newer versions of Office (97 and above) automatically upgrade most earlier macros into their VBA counterparts, although not always perfectly . Macros stored in Word 97 (VBA5) usually run without modification in Word 2000 (VBA6), and vice versa, unless they contain methods and properties specific to a particular version. Word 2000 automatically converts WordBasic macros to VBA, but VBA macros will not convert back to WordBasic. This means macro viruses written in older macro languages may survive the conversion into newer macro languages, however, saving a Word 2000 macro back to Word 95 or Word 6.x will effectively destroy the virus.

In the world of VBA macros, you will hear the terms macro, module, and procedure thrown around. Prior to VBA, if you wrote a macro in a macro language, it was just called a macro. In VBA, programmers write modules, which contain sub-procedures (which we call still call macros). A module may contain one or more macros. Later on we will learn about objects and classes.

5.3.4 Excel Macros

Excel data files are called workbooks and have an .XLS extension. Each workbook can contain many worksheets (also known as sheets or spreadsheets). Each sheet has its own tab within the workbook. Macros in Excel can be stored in the same workbook as the data, but can also be stored in separate workbooks. Macros meant to be available to all workbooks are usually stored in a workbook called PERSONAL.XLS (used to be GLOBAL.XLM in earlier versions). This file functions much like a global template in Word.

Excel versions prior to 5.2 did not run VBA, but instead ran Excel's own macro language ( XLM ). Those macros are often called Excel 4.0 macros, and are treated differently within Excel 2000 and by antivirus software.

Excel has two startup directories where workbooks can be placed. Any workbooks in either startup directory will automatically be called when Excel is started. Excel's default startup directory is usually located at either C:\%windir%\Profiles\User_name\Application Data\Microsoft\Excel\XLStart or C:\%windir%\Program Files\Microsoft Office\Office\XLStart . An alternate startup directory can be selected using Tools figs/u2192.gif Options figs/u2192.gif General figs/u2192.gif Alternate Startup File Location.

Excel's automacros are called Auto_Open and Auto_Close . They are used in the same way as automacros in Word. Macros can also be activated by different key combinations, menu choices, and sheet activity. Macro viruses wishing to be activated every session need only infect a workbook and store themselves in Excel's startup directory. Then, when Excel loads, the virus loads. Most Excel viruses infect the current workbook, usually through a hidden sheet within the workbook, and also infect a startup directory workbook.

Excel and Word both have the ability to load attached programs called Add-Ins . In Excel, add-ins usually have the file extension, .XLA . Legitimate add-ins extend the functionality of the underlying application. Newer Excel viruses are installing themselves as Excel add-ins ( XA viruses ) and using older Excel macro languages (called Excel Formula Viruses or XF viruses ) to exploit weaknesses in antivirus detection tools.


Team-Fly    
Top


Malicious Mobile Code. Virus Protection for Windows
Malicious Mobile Code: Virus Protection for Windows (OReilly Computer Security)
ISBN: 156592682X
EAN: 2147483647
Year: 2001
Pages: 176

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net