5.9 Removing Macro Viruses and Repairing the Damage

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5. Macro Viruses

When a macro virus infects an application, at the very least it infects the current document and the autoloading data. An ever-growing number of macro viruses edit your registry, drop off or modify batch files, disable your menus, and cause all other sorts of damage. When you need to disinfect a system from a very ambitious virus, there is no one tool that can look for and remove all traces at once. Always start by trying your antivirus scanner. I've included five steps for manually removing macro virus code. Removing a virus by hand means learning everything you can about the virus: its actions and its file and registry manipulations. If I can, I read the source code using the HMVS tool described below, but you may feel more comfortable researching the virus on the Web. Either way, learn as much as you can.

5.9.1 Try a Virus Scanner

Using a current, reputable virus scanner should still be your first line of defense and removal. Most virus scanners can detect and repair the document damage done by most macro viruses, and do it more quickly than you can do it by hand. Most do not repair your registry, re-enable your application's virus protection, or fix other modifications to your system. They simply remove the macro virus from infected files. If you are allowing a scanner to remove a new virus for the first time, make a backup copy of the infected file first (most antivirus tools have this as an option during the cleaning). Many documents I have cleaned have been completely ruined by macro virus cleaning tools. Also, macro virus removers typically remove all macros found in a document, even if they had nothing to do with the virus.

HMVS

HMVS is an excellent macro virus scanner, remover, and source code documenter, built especially for detecting macro viruses. There is no better tool for retrieving a macro virus's source when you want to find out what the virus is doing to your machine. Its $15 price is easy on the budget. Download it at http://www.pcworld.com/downloads/file_description/0,fid,5268,00.asp. Most of the source code shared in this chapter was gleaned with the help of HMVS. The latest version, 3.10, contains a heuristic engine that is fabulous at detecting new viruses, and doesn't have the large false-positive problem that has plagued other similar products. Although not specifically written for deciphering Office 2000 macro viruses (VBA6), it works fairly well with everything I've scanned. So far, I can only find two downsides to the product. Although it runs in Windows environments, it still maintains its DOS command-line interface. And while it detects viruses, it does not print out source code from Excel 4 macro viruses.

If your virus scanner turns up nothing, but you still suspect a virus, try these next five ideas.

5.9.2 Get a Clean Application

Getting a clean application starts with getting a clean global template and clean startup files. If any of your global templates have become suspect (and the scanner didn't find anything), rename or delete them using Explorer while the application is closed. For both Word and Excel, search for and delete or move any infected files in your Startup directories. When you restart Word, it will re-create a clean global template and give you a clean environment to work with. If you had special settings or macros stored in a template that you wanted to retain, you should manually reset them in the new template.

5.9.3 Bypass Automacros

If you suspect a macro virus, it cannot hurt to hold down your Shift key while opening Word or Excel, or while opening a document, workbook, or template. Doing so automatically disables any automacros present. The Shift key can also be held down while exiting to disable any AutoClose macros. This measure only provides a temporary answer, and most macro viruses use other menu commands, like FileSaveAs, to do their dirty work.

This bypassing trick does not always work, especially on Word 6.0, so check to see if the virus is active afterward.

5.9.4 Inspect Data and Delete Malicious Macros

Open up your suspected macro document, being sure to disable macros. You have three macro tools within Office at your disposal: the Macro Editor, the Organizer, and the Visual Basic Editor (VBE). I usually use all three to ensure everything is cleaned up. Make sure the infected document is in the active window. Use the Macro Editor (Tools → Macro → Macros) to view and delete any visible macros. Be sure to select All active templates and documents at the bottom. Choosing the Edit option opens VBE so you can inspect the macro code more closely. With VBE, you can remove individual macro lines, although since most documents and workbooks shouldn't contain macros, it's just as easy to delete the whole macro in the Macro Editor or Organizer. You can't view or edit macro code in the Organizer, as it acts on the macro as a whole. Clean any suspected templates before cleaning files, or else your hard work will be for naught.

Using Organizer

Organizer excels at cleaning up and inspecting template files. Choose Tools → Templates and Add-ins → Organizer so you can view the visible macros and other associated template properties. If a template file contains properties that would be hard to re-create if the whole file were deleted, you can use the Organizer to create a new template from the old one (minus the macro virus code):

  1. Rename the old infected template prior to starting Word. Word will create a blank copy when you restart it.

  2. Open the Organizer. The new global template should already be loaded in one window.

  3. Open the old, infected template with the Open File button in the other window (you may need to select Close File first).

  4. Select the Macro Project Items tab and delete suspected macros.

  5. Use the other tabs to copy and delete other formatting properties as desired.

  6. Click Close File to close the global template or file. When prompted to save changes to the file, choose Yes.

Using VBE

The Visual Basic Editor is one of your best tools for fighting macro viruses. First, open the suspected document in Word, and choose to disable macros, if prompted. Next, hit Alt-F11 to open VBE.

If VBE refuses to load because macros are disabled, start a new blank document (without closing the other document) and hit Alt-F11 again. It will load and you can select the other document and its modules to view.

In the Project Explorer window, expand the suspected project. Expand the module folder and click on a module; it should appear in the code window. Figure 5-13 shows the PSD2000 macro virus and its source code. Remember, virus code can be hiding in projects besides ThisDocument or ThisWorkbook.

Figure 5-13. VBE is displaying the module code behind the Office 2000 macro virus, PSD2000

To view the module source code you might have to choose View → Code from VBE's menu bar. You can remove the whole module by selecting File → Remove. VBE will then ask if you want to export the module before removing it. Answer no.

You can delete parts of the code by highlighting it with your mouse or cursor and hitting your Delete key. When you exit the current document, Word will ask if you want to save your changes. Answer yes, and your document will be virus free. You will also have to clean up any virus macros in any other infected templates and documents. If you decide to manually clean out the macros instead of deleting the whole module, be sure to remove the module subheadings as well as the macro code. If not, Office will still think a macro is present. There are several techniques (locking the project, password-protecting it, etc.) a macro virus uses to prevent the viewing of its code. In these cases, use one of the following steps to completely remove the macro virus.

5.9.5 Repairing Word Documents

If your virus scanner does not recognize the macro virus and you don't want to manually remove macro virus coding, save your Word document as rich text format (RTF). This will save most of the formatting, but remove the macro code (it will remove all macros, not just malicious code). You can then open it back up in Word and resave. Make sure the virus is not active, so it can't play tricks on you like the Cap virus does.

An alternate method is to select the entire document and paste it into a new, clean document file. Choose Edit → Copy. Close the infected document. Select File → New and select a template type to start a new document. Choose Edit → Paste to paste the document content (minus macros) into the new document. Use your macro inspection tools to verify that you did not copy the macro virus code along with the content.

5.9.6 Manually Repairing Other Damage

Besides infecting the document, viruses will often modify the environment. They can modify menus and buttons, modify the registry, modify startup areas, and drop off other files.

Repairing damaged toolbars

Macro viruses often modify or damage Office's menus and buttons. A reliable approach to removing any malicious customizations is to right-click on a button-free area of the button bar, and select Customize → Reset (both for menus and key bindings). You may need to restart the application. If your menu bar is still damaged, rename your global template and repeat the steps. Excel also maintains a file called EXCEL.XLB, which contains customized button settings. You can search for and delete the file, if needed. Excel will create a new one.

Repairing Office registry items

Viruses often disable Office's security warnings by making registry changes, but they can modify the registry any way they want. Research which registry items the particular virus modifies and use REGEDIT to change or delete the affected keys. Microsoft has automated the repair of Office 2000-specific registry items. Office 2000 includes a new feature, Detect and Repair, under the Help menu. Detect and Repair reinstalls all missing or corrupted Office EXE and DLL files, rewrites registry values with their default settings, and reinstalls all Windows Installer shortcuts. Detect and Repair will not remove most macro viruses, damaged toolbars, infected templates, or damaged documents.

Whenever you rerun Office's Setup program after you have installed it, you are automatically put in its Maintenance mode and offered the Repair Office option. You can then choose the Repair errors in my Office Installation or Reinstall Office. Choosing the repair option is the same as choosing Detect and Repair from the Help menu. The two modes are similar, but reinstalling Office will always replace all program files, not just damaged ones. Either option rewrites the registry values.

Office 2000 must find its original INSTALL.MSI file in the same directory as SETUP.EXE for this to work. In a few cases, where Office has come preinstalled, the INSTALL.MSI file isn't correctly positioned and even after much consulting with Microsoft, I had to reformat the machine to get Office reinstalled.

Office 97 registry settings can be written by reinstalling Office with the /y switch. Running SETUP.EXE /y prevents files from copying while at the same time fixing corrupted registry entries.

Manually investigating and fixing registry keys

Because of the complexity of the registry and its inherent risks, always try to fix application settings within the application before editing the registry. However, knowing where Office stores its security settings can be helpful for determining what malicious code might have done. The registry keys for Office programs are located at HKCU\Software\Microsoft\Office\<versionnumber>\<application> and are mirrored in HKU\Default\Software\Microsoft\Office\<versionnumber>\<application> and HKLM\Software\Microsoft\Office\<versionnumber>\<application>. Thus, registry entries for Word 2000 are saved in HKCU\Software\Microsoft\Office\9.0\Word. Most of the settings that might interest us are located under the Options and Security subkeys (some values are not written until the user changes a setting from its Office default).

Word 2000's macro security setting is stored at HKCU\Software\Microsoft\Office\9.0\Word\Security\Level. The Level setting is 3 for high security, 2 for medium, and 1 for low. Turning Word 97's macro warning messages off or on can be accomplished by modifying HKCU\Software\Microsoft\Office\8.0\Word\Options\EnableMacroVirus. A 0 is off, a 1 is on. This registry setting was not added until version 7.0a.

A value named DontTrustInstalledFiles may be located under the Security subkey. It determines whether installed templates and add-ins should be trusted. A data setting of 1 allows them to be trusted; 0 tells Office not to automatically trust installed templates and add-ins. The HKLM\Software\Microsoft\VBA\Trusted key stores the digital certificates of the trusted sources. If the HKCU\Software\Microsoft\VBA\Trusted key exists, it will always be overridden by the HKLM values.

Prior to Word 95 (i.e., Word 2.x and 6.x), most customizable application settings were stored in .INI files (Word 6.x for NT used the registry). Early macro viruses modified .INI files instead of the registry database. If you are cleaning an early version of Word, be sure to check WINWORDx.INI (where x is the version number of Word) when removing all traces of the virus. For example, some versions of Concept kept an infection counter in WINWORD6.INI.

Clearing malicious system files

Many macro viruses write their code to files with the extension .SYS or .VXD. If you see a file with one of those extensions that you don't recognize (for many readers, that could be all of them), view it with a quick text editor. If the file is written in readable, plain-text ASCII, it's probably a malicious file and can be deleted. Files with the extension .SRC can be malicious uncompiled source code. You can delete or rename such a file to prevent a virus from compiling a more dangerous threat. I also look for new batch files (*.BAT) with recent creation dates. Batch files are often used to load malicious programs. I also check the AUTOEXEC.BAT, WINSTART.BAT, DOSSTART.BAT, and CONFIG.SYS files for anything abnormal.
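The file checks in this subsection can be scripted. The following Python script is an added example (it is not from the book or from any tool the book mentions): it walks a directory tree, flags .SYS and .VXD files whose contents are plain ASCII text rather than a binary driver, lists .SRC files, and reports batch files changed within the last week, while leaving the legitimately text-based CONFIG.SYS and MSDOS.SYS alone. The directory tree it builds and every file name in it (DROPPED.VXD, MODULE.SRC, NEW.BAT, OLD.BAT) are constructed for the example.

```python
"""Triage a directory tree for the kinds of files the text says macro viruses
leave behind: .SYS/.VXD files that are really plain text, uncompiled .SRC
files, and recently modified .BAT files.  Added example; the sample tree it
builds is constructed, not taken from any real infection."""
import os
import tempfile
import time

DRIVER_EXTS = (".sys", ".vxd")
# Legitimate plain-text files that carry a driver extension on DOS/Win9x.
KNOWN_TEXT_SYS = {"config.sys", "msdos.sys"}


def looks_like_text(data):
    """True if the first bytes are printable ASCII; real drivers are binary
    (Windows drivers and VxDs begin with an MZ header)."""
    if data.startswith(b"MZ"):
        return False
    sample = data[:512]
    return bool(sample) and all(32 <= b < 127 or b in (9, 10, 13) for b in sample)


def triage(root, recent_days=7, now=None):
    """Return [(path, reason)] for files worth a closer look."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            ext = os.path.splitext(low)[1]
            if ext in DRIVER_EXTS and low not in KNOWN_TEXT_SYS:
                with open(path, "rb") as fh:
                    if looks_like_text(fh.read(512)):
                        findings.append((path, "plain-text file with a driver extension"))
            elif ext == ".src":
                findings.append((path, "uncompiled source file; review, then delete or rename"))
            elif ext == ".bat":
                # On Windows os.path.getctime() gives the creation time the text
                # refers to; mtime is used here so the check also runs elsewhere.
                age_days = (now - os.path.getmtime(path)) / 86400
                if age_days <= recent_days:
                    findings.append((path, "batch file changed %.1f days ago" % age_days))
    return findings


def flagged_names(findings):
    """Sorted file names from triage() output, for reporting and testing."""
    return sorted(os.path.basename(path) for path, _ in findings)


def build_sample_tree():
    """Create a constructed directory that mimics a Win9x system after a
    hypothetical macro-virus drop.  Contents are invented for the example."""
    root = tempfile.mkdtemp(prefix="triage_")
    system = os.path.join(root, "WINDOWS", "SYSTEM")
    os.makedirs(system)
    samples = {
        os.path.join(root, "CONFIG.SYS"): b"DEVICE=C:\\WINDOWS\\HIMEM.SYS\r\n",
        os.path.join(root, "WINDOWS", "HIMEM.SYS"): b"MZ\x90\x00" + bytes(60),
        os.path.join(system, "DROPPED.VXD"): b"rem constructed text file, not a real driver\r\n",
        os.path.join(system, "MODULE.SRC"): b"Sub AutoOpen()\r\nEnd Sub\r\n",
        os.path.join(root, "NEW.BAT"): b"@echo off\r\nrem constructed sample\r\n",
        os.path.join(root, "OLD.BAT"): b"@echo off\r\nrem harmless\r\n",
    }
    for path, content in samples.items():
        with open(path, "wb") as fh:
            fh.write(content)
    # Make OLD.BAT look 60 days old so the "recent" filter leaves it alone.
    old = time.time() - 60 * 86400
    os.utime(os.path.join(root, "OLD.BAT"), (old, old))
    return root


if __name__ == "__main__":
    for path, reason in triage(build_sample_tree()):
        print(path, "->", reason)
```

Run it against the real drive with `triage(r"C:\")` once you are satisfied with the sample output; the MZ-header test is what keeps legitimate binary drivers out of the report, and the allowlist is where you add any other text-based .SYS files your system legitimately uses.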

Malicious startup files can be loaded from the Windows startup .INI files or from the registry. I run SYSEDIT.EXE to examine WIN.INI (specifically the LOAD and RUN statements) and SYSTEM.INI (the SHELL statement). Startup programs can also be loaded from the registry under HKLM\Software\Microsoft\Windows\CurrentVersion, in the Run, RunOnce, and RunServices subkeys.
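The registry values described under "Manually investigating and fixing registry keys" and the startup locations listed just above can be checked together, offline, from an export. The following Python script is an added example, not from the book: it parses a file produced with REGEDIT (File → Export), reports a Word 2000 Security\Level other than 3 and a Word 97 EnableMacroVirus of 0, and lists Run, RunOnce and RunServices entries plus WIN.INI load=/run= and SYSTEM.INI shell= lines that point at batch, driver-named or source files. The .reg and .INI fragments, including the UPDATE.BAT and NOTE.BAT entries, are constructed sample data. Working from an export means the check runs on any machine and never writes to the registry.

```python
"""Audit an exported registry fragment (REGEDIT's File -> Export, or
"regedit /e") and the Windows startup .INI files for the settings this
section discusses: Word's macro security level, Word 97's macro warning,
and programs launched from Run/RunOnce/RunServices, WIN.INI and SYSTEM.INI.
Added example; all sample data below is constructed."""
import re

# Constructed .reg export from a hypothetical Word 2000 + Word 97 machine
# after a macro virus has lowered the defences and added an autostart entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options]
"EnableMacroVirus"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Update"="C:\\WINDOWS\\UPDATE.BAT"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"""

# Constructed WIN.INI / SYSTEM.INI fragments.
SAMPLE_WIN_INI = "[windows]\r\nload=\r\nrun=C:\\WINDOWS\\SYSTEM\\NOTE.BAT\r\nNullPort=None\r\n"
SAMPLE_SYSTEM_INI = "[boot]\r\nshell=Explorer.exe\r\n"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')


def parse_reg(text):
    """Return {key_path: {value_name: value}} for dword and string values
    (other value types are ignored for brevity)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, dword, string = m.groups()
            # .reg files double every backslash inside string data.
            keys[current][name] = int(dword, 16) if dword is not None else string.replace("\\\\", "\\")
    return keys


# (key, value name, predicate that means "weakened", explanation)
WEAK_SETTINGS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level",
     lambda v: v != 3, "Word 2000 macro security is not High (3=High, 2=Medium, 1=Low)"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirus",
     lambda v: v == 0, "Word 97 macro virus warning is switched off"),
]
AUTOSTART_KEYS = [r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" + "\\" + sub
                  for sub in ("Run", "RunOnce", "RunServices")]
INI_STARTUP = {"windows": ("load", "run"), "boot": ("shell",)}
SCRIPT_EXTS = (".bat", ".vxd", ".sys", ".src")


def ini_startup_entries(text):
    """Return {'section/key': value} for the load=, run= and shell= lines."""
    entries, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif "=" in line and section in INI_STARTUP:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in INI_STARTUP[section] and value:
                entries[section + "/" + key.lower()] = value
    return entries


def audit(keys, ini_entries):
    """Return a list of human-readable findings."""
    findings = []
    for key, name, weak, why in WEAK_SETTINGS:
        value = keys.get(key, {}).get(name)
        if value is not None and weak(value):
            findings.append("%s\\%s=%s: %s" % (key, name, value, why))
    for key in AUTOSTART_KEYS:
        for name, cmd in keys.get(key, {}).items():
            if isinstance(cmd, str) and cmd.lower().endswith(SCRIPT_EXTS):
                findings.append("%s\\%s runs %s: script-like autostart, verify it" % (key, name, cmd))
    for where, cmd in ini_entries.items():
        if cmd.lower().endswith(SCRIPT_EXTS):
            findings.append("%s=%s: script-like autostart in an .INI file, verify it" % (where, cmd))
    return findings


if __name__ == "__main__":
    ini = {}
    ini.update(ini_startup_entries(SAMPLE_WIN_INI))
    ini.update(ini_startup_entries(SAMPLE_SYSTEM_INI))
    for finding in audit(parse_reg(SAMPLE_REG), ini):
        print(finding)
```

On a real machine, export HKCU\Software\Microsoft\Office and HKLM\Software\Microsoft\Windows\CurrentVersion with REGEDIT, read the files in place of the constructed samples, and act on the findings from inside Word (Tools → Macro → Security) before reaching for REGEDIT, as the section advises.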

5.9.7 Restore from a Backup

If nothing else works, consider deleting the damaged files and areas and restoring from a good backup.


Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176