5.8 Detecting Macro Viruses

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5. Macro Viruses

Macro viruses, because they are contained in frequently shared datafiles, are good at spreading, which is why they are currently the most popular malicious mobile code type on the planet. However, there are dozens of symptoms, beyond your virus scanner going off, that should make you suspect a macro virus. Most of these apply to Word macro viruses, but others apply to any type.

5.8.1 Macro Warnings

Most of the newer versions of Office (97 and later) will warn you if a document, workbook, or datafile contains macros with the following message:

C:\<path>\<filename> contains macros. Macros may contain viruses. It is always safe to disable macros, but if the macros are legitimate, you might lose some functionality.

Office 2000's default security level, High, will disable macros and not display a warning.

Office then offers to disable the macros by default. A user need only press Enter or accept the default action to disable the macro virus. Most people do not use files with macros, so such a warning usually means a virus is present. If more end users understood the importance of this warning, macro viruses would not be the problem they are today. If you see a macro warning, you are probably opening an infected document unless your normal Office environment includes macros.

5.8.1.1 Ways viruses can get around macro warnings

Unfortunately, there are many ways a virus can get around Office's inspection of macros. Some are caused by technology changes between versions, and others by the way Microsoft treats particular situations. Older versions of some Office applications, such as Excel 97, will not detect class viruses in infected files, although Office 2000 seems to handle them appropriately. Prior to Office 2000, Microsoft considered documents stored in the Startup or Template directories (user and workgroup) to be trusted. Thus, many viruses went out of their way to infect templates in those specially treated folders. The only warning you might get is a conversion message as Office updates the macros of older viruses.

There have been numerous confirmed reports of instances in which Office applications do not check for macro viruses if the documents are opened or printed in an unusual way. For instance, in most Office applications you can print multiple documents at once by selecting them, right-clicking, and choosing the Print option. Word 97 will open each document and print it, but it fails to check it for viruses. Several unpatched versions of Internet Explorer will automatically open Office documents stored on the Web without prompting the user or warning about macro viruses.

Excel 97 will not warn you about viruses if a document is password protected. Macro viruses have a hard time infecting password-protected documents, but it's not impossible. Fortunately for scanners, VBA code is not explicitly encrypted in a password-protected Office document, so the documents can be scanned without actually opening them.

In October 1999, Microsoft released a security patch for Excel 97 and 2000 that closed a newly found hole for worksheet viruses. Most popular spreadsheet programs can save spreadsheets, and their accompanying macros, in a file format called Symbolic Link (SYLK). Macro viruses coded in a SYLK file could be opened and executed without warning the user. Although Microsoft has offered a patch to close the hole, few have installed it.

Microsoft announced another Excel exploit, called the Register.ID vulnerability, in Microsoft Security Bulletin MS00-051. Register.ID is an Excel function, just like Sum, Count, or Average. Its intended purpose is to allow Excel to look up the registered ID of a .DLL and, if the DLL is not registered, register it. The exploit happens because the Register.ID function is allowed to execute a .DLL from within the workbook without warning the user. A previously placed malicious .DLL on the local PC, or one reachable in the Network Neighborhood, could be launched and allow a complete compromise of the computer.

Many vendors, including Microsoft, make document viewers. These viewing programs allow you to view the documents, including formatting, without really opening the document. It's quicker and usually safer. Viewers are often included with email programs as protection against macro viruses. In spite of what I've just said, some of these viewers will execute macros within those documents without warning. The viewer included with Word 7.0 would execute some of the macro coding, but nicely ignore any potentially damaging commands. A macro virus could execute and display graphics or messages, but be prevented from copying and deleting files.

In another exploit known as the Word Mail Merge Vulnerability, a Word mail merge document can have an Access database specified as a data source. Access doesn't have macro security, but can contain VBA viruses. When a malicious mail merge document is opened, it could launch a virus stored in Access without setting off macro warnings. Microsoft closed this hole with Office Service Release 1a.

Most of these weaknesses have been fixed in Office 2000, but some have not, and others like them are sure to be discovered in the future. The lesson learned here is that documents opened, viewed, or printed can bypass the normal File → Open process and result in unwarned infection. For this reason, Microsoft has released several security updates that force email users to save file attachments so they cannot just double-click and open the attached file.

Other applications using VBA as their macro language, such as Visio, have macro-warning abilities.

5.8.2 False-positives

False-positive warning messages (a warning when no virus is present) are sure to happen in your Office experience. Often, if you install a new program, such as Visio, that has the capability to interface with Office, it will install new templates or macros. Office will prompt you with a macro warning message, but in most cases, it is safe to allow the macros to run. If you don't, and it is from a legitimate source, your new program may not install correctly.

In today's Internet world, documents often contain hyperlinks to objects and files outside of your current document. Office may prompt you with a message similar to the macro warning saying, "Some files can contain viruses or otherwise be harmful to your computer. It is important to be certain that this file is from a trustworthy source. Would you like to open the file?" This will be displayed regardless of whether or not the linked file contains a virus and regardless of whether your macro virus protection is enabled or disabled. Read the message and make a decision.

5.8.3 Your Word Document Will Only Save as a Template

Word macro viruses almost always attempt to infect the global template. Some early macro viruses infected documents and converted them to template files (a requirement to store macros in earlier versions of Word). Although a template file usually has the file extension .DOT, template files can have any extension, including .DOC, and Word will still interpret them as template files. You will be clued into the change if the Save as type option is grayed out while you're attempting to save your document, or if the location to which the document is trying to save is the same as your default template directory. As Figure 5-11 shows, Windows gives different icons to documents and templates.

Figure 5-11. Notice the difference between the document type icons

5.8.4 Unexpected Document Modifications, Words, Messages, Graphics

One of the most common signs of infection is an unexpected change in your document or Word environment. The Wazzu virus randomly transposes words of text and writes the word "wazzu" into the document. Nuclear prints a message against nuclear testing. Colors changes your Windows color settings by modifying WIN.INI. Some viruses display messages or pictures; others unexpectedly prompt you for passwords. Some viruses may save a document without prompting the user to do so. Word has no feature that automatically saves files when you close them; it will always prompt you first. At the same time, it's important to rule out non-virus document corruption, too. It is not uncommon for a single Word document to become corrupt, but if you see strange happenings in two or more documents, or on more than one PC in the office, you should probably start suspecting a virus.

5.8.5 New Macros Appear

Unless your Word or Excel environment entails a large number of macros, you shouldn't be seeing a lot of macros running. Using the three macro tools previously reviewed, you should view which macros and modules are active. If you see macros with the Auto prefix, FileSaveAs, or ToolsMacros, then you probably have a macro virus. If you, like the majority of users, don't ever use macros, seeing any macros should be a sign that something is wrong. For example, seeing personal.xls!auto_open or personal.xls!check_files should alert you to the XM.Laroux virus.

5.8.6 Tools → Macro Is Disabled

Many macro viruses disable the Tools → Macro or Tools → Customize menu options to prevent users from seeing all the new malicious macros. Some viruses display a fake error message when you try to access them. The end result is the same. If you don't think you should be running macros and you cannot view the Tools → Macro menu option, you probably have a virus. If you go to use the Visual Basic Editor and you receive a warning that the project is locked, you almost certainly have a virus.

5.8.7 Global Template File Date Is Current

Word's global template file, NORMAL.DOT, is usually not modified unless you are making some new format change, or creating a new macro. In most cases, the last modified date of the global template file should not be near the current date. If it is, it is often a sign of a virus infection.

5.8.8 Startup Directory Contains New Files

By default, files located in Word and Excel Startup directories are opened when their respective programs are launched. Macro viruses often save malicious files to the Startup directories in order to be loaded first into memory. Because of a shortsighted decision, Microsoft Office does not warn you when documents in your Startup directories contain macros.

The sudden appearance of a PERSONAL.XLS can mean you have the Laroux Excel virus. Most users do not have any documents in their Startup directory. You can locate your default Startup directories in Word by choosing Tools → Options → File Locations. In Excel, the primary Startup file location is always called XLStart. The alternate startup location can be found under Tools → Options → General → Alternate startup file location.

5.8.9 View the Document with a Text Editor

When I'm looking to see if a particular document or template is infected, I'll often open the suspected file in a text editor. Although viruses can easily encrypt their routines and use module names that provide no clues, most of the time I'll see something that confirms my suspicions.

In Figure 5-12, I used the DOS EDIT command to find embedded text strings that revealed the Ethan virus. Sometimes this trick will get around stealth macro viruses that hide their presence when the infected document is opened in its official application. In my initial discovery of this example, an up-to-date virus scanner had not detected anything.

Figure 5-12. Document infected with the Ethan virus

And at the time, I hadn't heard of the Ethan virus, but I saw enough snippets of code that confirmed a virus's presence. If a document contains macros, they will often be located near the end. In this particular case, the words Normal, Virus, Output As, DoWhile, Rand Dir, Creat, Virus, Protection, Cancel, and Kill set off warning bells. Visible in the bottom right is the name "E Frome," for whom the virus is named.

It is interesting to note that the source code text of any VBA virus is never executed. Instead, VBA code is translated into an intermediate p-code representation for execution. The source text can be manually removed without affecting the virus's execution. The source code is only maintained for potential conversion issues.
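The strings the author spotted in Figure 5-12 are the literal runs of the stored VBA source. In Office 97 and later files that source is kept in the VBA module streams in the compressed form defined by the MS-OVBA specification, where repeated substrings are replaced by back-references, so a text editor shows only fragments. The following added example, which is not code from the book, decompresses one module stream with that algorithm and then checks the recovered source for the names Sections 5.8.5 and 5.8.9 give as tells; the stream bytes are a constructed sample, and pulling the module streams out of the OLE container is assumed to have been done already.

```python
import struct

# Names this chapter calls out as macro-virus tells (Sections 5.8.5 and 5.8.9).
SUSPECT_NAMES = (b"Auto", b"FileSaveAs", b"ToolsMacros", b"Normal",
                 b"Virus", b"Kill", b"Protection", b"Cancel")

def decompress_vba_stream(data: bytes) -> bytes:
    """MS-OVBA decompression of one VBA module stream: a 0x01 signature, then
    chunks in which literal bytes are mixed with 2-byte back-reference tokens."""
    if not data or data[0] != 0x01:
        raise ValueError("not a compressed VBA container")
    out, pos = bytearray(), 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_end = min(len(data), pos + (header & 0x0FFF) + 3)
        pos += 2
        if not header & 0x8000:                  # raw chunk: 4 KB stored verbatim
            out += data[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = data[pos]                    # one bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:       # literal byte, copied as-is
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Offset field widens as more of this chunk has been decoded.
                bit_count = max((len(out) - chunk_start - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):          # byte-wise, so overlaps repeat
                    out.append(out[-offset])
    return bytes(out)

def find_suspect_names(source: bytes) -> list:
    """Sorted list of the tell-tale names present in recovered VBA source."""
    return sorted(n.decode() for n in SUSPECT_NAMES if n in source)

SAMPLE_STREAM = (                    # constructed, hand-compressed module stream
    b"\x01\x1d\xb0"                  # signature; header: compressed chunk, 32 bytes
    b"\x00Sub Auto" b"\x00Open()\nK" # flag byte 0x00: next eight bytes are literals
    b"\x00ill\nEnd "
    b"\x01\x00\xb8"                  # flag bit set: copy 3 bytes from 24 back ("Sub")
)
```

The sample decompresses to "Sub AutoOpen()", "Kill", "End Sub", and the scan reports Auto and Kill; a stream whose source text has been stripped (Section 5.8.9's final paragraph) yields nothing here and still runs, which is why this is a triage aid, not a verdict.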


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176