MS Word Macro Virus - Real, but Don't Freak Out!

by Paul Ducklin, Sophos, Plc (24 Aug 1995)

As many of you will know, there's a Microsoft Word macro virus out there (variously known as "Winword.Concept", "WW6Macro" and "Prank Macro") that has apparently made it into the wild.

The idea of macro-language viruses is not new -- indeed, AFAIR, Prof H. J. Highland, editor of Computers & Security, demonstrated the possibility under Lotus 1-2-3 several years ago. What is new is that this Word macro virus seems to be in the wild, and that it seems to be driving people wild. Certainly, news wires are abuzz. If we believe what we're told, it's the End Of Computing As We Know It (again :-).

The concept is obvious, and has been much discussed. Most products can read and write data files; some allow their data files to contain programmatic commands that would more typically be typed at the keyboard or issued with a mouse. The idea is that when you load a data file with a "command script" or "macro" in it, you can carry out a whole sequence of program functions automatically -- rather than having to type them in over and over again.

Many programs with macro support allow their macros to access a substantial range of functions, such as opening, manipulating and closing files -- or even issuing direct operating system commands. Some macro systems go even further -- they allow macros to be mixed with regular data files, and they define special types of macro (typically identified by a predefined name, or position) which will automatically be fired up when a file is loaded or the system is started. DOS has such a system -- no prizes for guessing where the name AUTOEXEC.BAT comes from.

No prizes, either, for working out that data-file + macro-language + autoexec-of-special-macros is a formula which works out to a security nightmare. Viruses, Trojan Horses, modification-of-service attacks -- all are remarkably possible in such an environment.
MS Word 6.0 has a particularly rich macro language (WordBasic), and a number of "macro hooks" whereby an unsuspecting user can be lured into executing a hitherto unseen and unknown macro simply by loading a document. This is how Winword.Concept works -- we leave the actual details as an exercise to the reader, for safety's sake.

Winword.Concept is obvious, and easy to handle. Most anti-virus software users should be able to contact their vendor for help on how to detect and clean it up.

There is a bigger issue, though, which you would do well to address now. Ask yourself if you are aware of any "automatic macro" facilities in the software your organisation uses. And ask yourself if you know how to control the operation and scope of these facilities.

For example, if you're a WinWord user, did you know that:

  - a document can contain a macro which will usually be executed transparently and automatically when that document is opened?

  - a macro, once running, can make changes to a set of global macros that may end up being transparently included in many or all documents created in the future?

  - there are numerous "automatic" triggers in addition to the document-open one that malicious macro code might exploit?

You can see the risk here. You may know, or be told, though, that:

  - holding down Shift whilst opening a document will inhibit the invocation of its automatic document-open macro.

  - Tools/Options/Save includes an option ("Prompt to save NORMAL.DOT") which will make transparent changes to your global macros less likely.

  - you can instruct WinWord, when you load it, to switch off "automatic" macros altogether, by loading it with the command "WINWORD.EXE /mDisableAutoMacros", or by holding down the Shift key as you fire it up.

You may also, like me, try out these fixes and discover that the first and last don't actually seem to work as suggested!
There is a good trick for WinWord, however: create yourself a global AutoExec macro (this is run when Word starts up) that looks like this:

    Sub MAIN
        REM Switch off all automatic macros for this Word session
        DisableAutoMacros
        REM 64 selects the information icon for the message box
        MsgBox "Auto Macros are turned off", "Safety First!", 64
    End Sub

WinWord.Concept -- and other malware based on AutoOpen -- will not work if you do this.

Control is in your hands. Don't panic. Take the opportunity to learn more about features of the software you use, to test and verify any security features you plan to utilise, and then to configure accordingly. Don't treat this new Word virus as a nightmare; use it as an opportunity to take stock, and to learn.
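
To go with the AutoExec safeguard and the point about macros ending up in your global macro set, here is an audit macro that reports which automatic macros are present in the global template. It is an added example, not part of the original article or any vendor's tool; it assumes the WordBasic functions CountMacros() and MacroName$() with context 0 meaning NORMAL.DOT, and the five automatic macro names of Word 6 (AutoExec, AutoNew, AutoOpen, AutoClose, AutoExit). The variable names are illustrative.

```wordbasic
Sub MAIN
    REM Added example: audit the global template for automatic macros.
    REM Context 0 = global template (NORMAL.DOT).
    total = CountMacros(0)
    flagged = 0
    found$ = ""

    For i = 1 To total
        m$ = MacroName$(i, 0)
        u$ = UCase$(m$)
        REM The names Word 6 runs without being asked
        If u$ = "AUTOEXEC" Or u$ = "AUTOOPEN" Or u$ = "AUTONEW" Or u$ = "AUTOCLOSE" Or u$ = "AUTOEXIT" Then
            flagged = flagged + 1
            found$ = found$ + m$ + Chr$(13)
        End If
    Next i

    REM At most five names are listed, so the message stays short
    title$ = "Global macros:" + Str$(total)
    If flagged = 0 Then
        MsgBox "No automatic macros in the global template.", title$, 64
    Else
        REM 48 selects the warning icon
        MsgBox "Automatic macros found:" + Chr$(13) + found$, title$, 48
    End If
End Sub
```

If you have installed the AutoExec macro shown above, expect it to be listed; any other automatic macro you did not create yourself deserves a closer look.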