Malware and viruses (macro viruses, stealth and polymorphic viruses). Macro viruses: how macro viruses work

Macro viruses are an infection that poisons the life of any user. Even if you are a system programmer three times over, it still has a good chance of getting the better of you. Many people simply underestimate this category of viruses, and in vain: they are not as harmless as they seem. In terms of survivability they can be compared with rats and cockroaches: they adapt to everything and very rarely die. It's time to deal with the macro infection once and for all.

Macro virus architecture

At the outset, a clear definition: a macro virus is a virus that can reproduce and persist on its own (without user intervention) using a macro language. It follows from the definition that macro viruses can live not only in Word documents but in ANY office document whose application implements macro-language functions such as copying macros and saving them. Here is an almost complete list of applications exposed to the threat of macro infection: Word (any version), Excel, AmiPro (a text editor), MS Visio, PowerPoint, MS Access and 1C. As you can see, the number of such programs is quite large, yet on the Internet you can often find articles defining macro viruses as follows:
"viruses that infect document files in the WinWord format". Some idiots wrote that!

Now let's talk about the structure of a macro virus for Word (as the most relevant case). So: there is such a thing as standard macros. These include AutoOpen, AutoClose, AutoExec, AutoExit and AutoNew. The prefix Auto- means that the action is performed automatically, without user intervention (although this depends on the security level that is set, which we will discuss later). That is, by putting an infection into a macro with such a name, you can "bring it to life". Also, for each standard action there is a standard macro: FilePrint for printing, FileSave for saving, FileSaveAs for saving under a different name or in a different format. These macros can be infected too.

The ultimate goal of any macro asshole is to fuck up normal.dot (it stores all the template settings). After that, every file you open will be infected and your texts will be damaged.
Word provides several levels of security: high, medium and low. It also contains a built-in defence mechanism against macro infection. According to the developers, this should act on macro viruses like silver on evil spirits. Perhaps it would work, if not for one "but". It is because of this "but" that I will not delve into the differences between the security levels and Word's internal settings. The point is that ALL internal security parameters can easily be CHANGED through the registry, and macro languages allow this to be done. I will not spell out specific paths (where to look for what), so as not to tempt your playful hands. Those who are especially gifted can contact me by email and I will tell them, but "only for the purpose of familiarizing yourself with this software vulnerability, in order to eliminate it" :)

To sum it up, the structure of a macro virus is as follows:

1. Redefine any standard or automatic macro so that it disables protection and resets the security level.
2. Add the infection there.
3. Make sure that this macro is actually used, and that the infection reproduces and is necessarily registered in Normal.dot.

Everything is quite simple, which is why there are so many different variations of macro-creatures.

I'll kill you with my bare hands!

There are several popular ways to destroy macro-creatures in already infected Word documents. Here are almost all of them:

1. Create your own macro with the following WordBasic code:

    Sub Main
        ' Tell Word not to run any Auto* macros (AutoOpen, AutoClose, ...)
        DisableAutoMacros
    End Sub

Save this miracle under the name AutoExec and you become invulnerable to auto macros.

2. If you raise the protection level, Word will ask for permission before executing macros.

3. Do not use the doc format. After all, everything can be placed in RTF: the same fonts, design, tables, graphics... And RTF by definition does not contain macros. Everything would be ideal, but there is a drawback: when saving in rtf format, all pictures are automatically converted to bmp. This graphic format weighs so much that you wouldn't wish it on your enemy. As a result, even after archiving, the growth in the size of the resulting file may mean it simply will not fit on a floppy disk (depending, of course, on the number of pictures). Still, if there are no graphics, rtf is ideal.

Heavy artillery

It's time to be brave and kill the macro-creatures once and for all. The task is not that hard: you need an uninfected computer and the latest Kaspersky Anti-Virus distribution. Several years ago Kaspersky Lab developed a module called Office Guard. That's what we'll talk about.

Office Guard is usually not included in pirated distributions, but with some skill you can find it. What is this thing? Here's what its creators say about it:
"Office Guard is a fundamentally new technology for protection against macro viruses and macro Trojans. Office Guard, which is designed for advanced users, implements a revolutionary approach to antivirus security based on the principles of a behavioral blocker. In contrast to the "classical" anti-virus protection schemes built on conventional context search, Office Guard solves the problem comprehensively, eliminating the very possibility of macro viruses operating on a protected computer. Office Guard distinguishes macro viruses not by external signs (the presence of a particular sequence of characters), but by their behavior, which is determined by the capabilities of the VBA programming language (Visual Basic for Application)."

The coolest feature is that it doesn't need to be updated! However, its use is fraught with many pitfalls:

1. It should be installed on an uninfected machine.
2. If Word was installed, then you installed Office Guard, and only then installed Excel, only Word will be protected. Draw your own conclusions.
3. Office Guard catches viruses, but DOES NOT CURE them.

To solve the last problem you simply need an anti-virus scanner. Thus AVP scanner + Office Guard give complete protection from macro viruses. If you want to disinfect documents, from time to time you will have to download an update for AVP.

However, let's be fair: we can't tilt everything in favour of Kaspersky Lab, otherwise there will be talk like: "And how much did they pay you for promoting the product?"

Any updated antivirus gives good, almost 100%, protection against macro viruses. It's just that each of them uses different technologies for this. For example, DrWeb uses signature search and a heuristic analyzer. This is what we talked about with its creators:

Your antivirus package does not include a separate module for combating macro viruses. Why? Do you think that a resident monitor guarantees security against macro viruses?

Tools for detecting and combating macro viruses are an integral part of the DrWeb core. And since the kernel is used by both the scanner and the monitor, all macro viruses are detected and treated equally well in both cases.

AVP includes a separate module against macro viruses in MS Office. The developers claim that this module is based on a behavioral blocker that analyzes the actions of the program under inspection. As a result, this product provides a 100% guarantee against macro viruses until a new version of VBA is released, i.e. macro viruses are not searched for by signatures. The advantage of this approach is that, having installed such a module once, you do not need to update it. Now the question: does DrWeb search for macro viruses by signature?

DrWeb searches for macro viruses both by signature and using its built-in original, powerful heuristic analyzer. The macro search and analysis mechanism is implemented at several levels: the binary code of macros is scanned, as well as their compiled and source text. This allows detection of known viruses, their modifications, and unknown macro viruses. Thus it becomes possible not to depend on the version of the installed MS Office package (the ability to intercept running macros appeared only in Office 2000 and was not available in previous versions), and in general not to depend on the presence of MS Office on the computer where files are scanned, for example on a corporate Internet gateway.

In addition, using a heuristic analyzer built on the same principles, DrWeb is able to detect unknown Trojans, backdoors, Internet worms, IRC, batch (bat) and script (vbs/vbe) viruses.

Your personal opinion: can the module from AVP provide 100% safety from macro infections?

The current situation is such that, in order to fight viruses effectively, any modern antivirus product must be updated promptly. Unfortunately, creating an "absolute" antivirus is impossible.

Questions answered by Sergey Yurievich Popov and Andrey Vladimirovich Basharimov, developers of the Dr. WEB family of antivirus programs.

Macro viruses are potentially unwanted programs written in the macro languages built into graphics and text processing systems. Which files are infected by macro viruses? The answer is obvious: most commonly, documents of Microsoft Excel, Word and Office 97. These viruses are quite common, and creating them is as easy as shelling pears. This is why you should be extremely careful when downloading documents from the Internet. Most users underestimate them, thereby making a grave mistake.

How does a PC become infected?

Now that we have established what macro viruses are, let's figure out how they penetrate the system and infect the computer. Their simple method of reproduction lets them hit the maximum number of objects in the shortest possible time. Thanks to the capabilities of macro languages, when an infected document is opened or closed they penetrate the programs being accessed.

That is, when a graphics editor is in use, macro viruses infect everything connected with it. Moreover, some remain active the whole time the text or graphics editor is running, or until the PC is completely turned off.

What is the principle of their work?

They act according to the following principle: when working with documents, Microsoft Word executes various commands issued in the macro language. First of all the virus penetrates the main template, through which all files of this format are opened. In doing so the virus copies its code into the macros that provide access to the main parameters. When the program exits, the file is automatically saved in dot format (used to create new documents). After that it gets into the standard macros, trying to intercept commands sent to other files and infecting them too.

Infection occurs in the following cases:

  1. If the virus contains an auto macro (executed automatically when the program starts or shuts down).
  2. The virus contains a basic system macro (often associated with menu items).
  3. It activates automatically when specific keys or key combinations are pressed.
  4. It reproduces only when it is launched.

Such viruses usually infect all files created and associated with programs in a macro language.

What harm do they do?

Macro viruses should not be underestimated, as they are full-fledged viruses and cause significant harm to computers. They can easily delete, copy or edit any objects, including those containing personal information. Moreover, they can also send information to other people by e-mail.

More powerful specimens can even format hard drives and take control of the entire PC. That is why the opinion that this kind of computer virus is dangerous exclusively for graphics and text editors is mistaken. After all, programs such as Word and Excel work in conjunction with a number of others, which in this case are also at risk.

Recognizing an infected file

Files infected with macro viruses are often not at all difficult to identify, since they behave completely differently from other files of the same format.

Danger can be identified by the following signs:

In addition, the threat is often easy to detect visually. Their developers usually record in the "Summary" tab information such as the name of the program, category, subject, comment and the author's name, thanks to which you can get rid of a macro virus much faster and easier. You can open this tab from the context menu.

Removal methods

When you find a suspicious file or document, first scan it with an antivirus. If a threat is detected, the antivirus will try to disinfect it, and if that fails, it will block access to it completely.

If the entire computer has been infected, use an emergency boot disk containing an antivirus with the latest database. It will scan the hard drive and neutralize all threats it finds.

If you cannot protect yourself this way, your antivirus cannot do anything and there is no rescue disk, try the "manual" treatment method:


This way you will remove the macro virus from the infected document, but this by no means guarantees that it is not still in the system. That is why it is recommended to scan the entire computer and all its data with an antivirus or (their advantage is that they do not require installation).

The process of treating and cleaning a computer from infection with macro viruses is quite complex, so it is better to prevent infection at the initial stages.


This way you will protect yourself, and macro viruses will never penetrate the corresponding files.

Among the variety of viruses, macro viruses stand out as dangerous like no others, not only for the operating system but for all the information stored on connected hard drives. These viruses are programs specially written in macro languages that are built into some modern data processing systems (spreadsheets, text editors, etc.).

That is, everything that is used in offices, at home and so on for keeping reports, documentation and the like. Viruses of this type are the most dangerous from the standpoint of loss of text information. To reproduce, they use the capabilities of macro languages to the maximum and transfer themselves (more precisely, their program code) from one infected file (usually a spreadsheet or document) to others. Today the most common are macro viruses for the Office 97, Microsoft Word and Excel packages. Macro viruses have also been developed that infect Microsoft Access databases and Ami Pro documents.

For macro viruses to exist in a particular system (in this case an editor), the system must have a macro language built in with the following capabilities:

1. copying recorded macro programs from one file to any other;

2. binding a macro-language program to a specific file;

3. the possibility for the virus macro program to gain control without user intervention (automatic or standard macros).

All of the above conditions are fully satisfied by the AmiPro and Microsoft Word editors, Office 97, the Microsoft Access database and the Excel spreadsheet. All of these systems contain macro languages: Excel and Office 97 (including Access, Word 97 and Excel 97) use Visual Basic for Applications, and Word uses Word Basic.

Today four quite different systems are well known for which separate viruses exist: Office 97, Microsoft Word, Excel and AmiPro. In these systems macro viruses take full control when the infected file is opened or closed. Having gained control, the virus intercepts all file functions, after which it freely infects the files that are accessed. Thus, if you have caught such a virus and managed to identify it, it is strongly recommended not to open or work with the above programs at all until the virus is completely removed. If you neglect this rule, the virus can delete important information (documents, spreadsheets, etc.). By analogy with MS-DOS, we can safely say that most modern macro viruses are resident: they are active while the editor itself is active, and not just at the moment a file is opened or closed.

Viruses of the Macro family

Viruses of the Macro family use the capabilities of macro languages ​​built into data processing systems (text editors, spreadsheets, etc.).

For viruses to exist in a particular system, it is necessary to have a macro language built into it with the ability to bind a program in a macro language to a specific file, copy macro programs from one file to another, and obtain control of the macro program without user intervention (automatic or standard macros).

These conditions are satisfied by the Microsoft Word and AmiPro editors, as well as the Excel spreadsheet. These systems contain macro languages (Word: Word Basic, Excel: Visual Basic); macro programs are tied to a specific file (AmiPro) or located inside the file (Word, Excel); the macro language allows files to be copied (AmiPro) or macro programs to be moved into the system's service files (Word, Excel); and when working with a file under certain conditions (opening, closing, etc.) the macro programs (if any) are called, which are defined in a special way (AmiPro) or have standard names (Word, Excel).

So, today there are three known systems for which viruses exist: Microsoft Word, Excel and AmiPro. In them, viruses take control when an infected file is opened or closed, intercept the standard file functions and then infect files that are accessed in some way. By analogy with MS-DOS we can say that macro viruses are resident: they are active not only at the moment a file is opened or closed but as long as the editor (system) itself is active.

Viruses for Microsoft Office 97

Macro.Office97.Frenzy

Consists of a single macro, Frenzy, containing the AutoOpen auto function. Infects the system when an infected file is opened, and is then written into documents as they are opened. Depending on the system date and the system random counter, displays the text:

Word97.Frenzy by Pyro

Macro.Office97.Minimal

A rather primitive macro virus for Office 97. It contains a single AutoOpen macro. It infects the system when an infected file is opened and is also written into documents as they are opened. Contains the commented-out text:

Vesselin Bontchev

Macro.Office97.NightShade

Consists of a single macro, NightShade, containing the AutoClose auto function; infects the system and documents when files are closed. Disables the built-in virus protection and allows auto functions to run. Depending on the current date and the system random counter, displays the text:

Word97.NightShade by Pyro

On Saturday the 13th, it sets the password NightShade on documents.

Viruses for Microsoft Excel

Macro.Excel.Laroux

Infects Excel spreadsheets (XLS files). Contains two macros: Auto_Open and Check_Files. When an infected file is opened, Excel automatically runs the Auto_Open macro. In the virus this macro contains only one command, which registers the Check_Files macro to be executed whenever any sheet is activated. Thus the virus intercepts the sheet-opening procedure: when a sheet is activated, the infected Excel calls the Check_Files macro, that is, the virus code.

Once in control, the Check_Files macro looks for the PERSONAL.XLS file in the Excel startup directory and checks the number of modules in the current workbook. If the workbook with the virus is active and the PERSONAL.XLS file does not exist (first infection), the virus creates a file with this name in the Excel startup directory using the SaveAs command; as a result, the virus code from the current file is written into it. On the next start Excel loads all XLS files from the startup directory, so the infected PERSONAL.XLS is loaded into memory as well, the virus takes control again, and when sheets are opened the Check_Files macro from PERSONAL.XLS is called again.

If the number of modules in the current workbook is 0 (the infected workbook is not active) and the PERSONAL.XLS file already exists, the virus writes its code into the active workbook, which thereby becomes infected.

It is not difficult to check your system for this virus. If the virus has already penetrated the computer, the Excel directory will contain a PERSONAL.XLS file in which the string laroux (in lower case) is visible. The same string is also present in other infected files.

Macro.Excel.Legend

A macro virus infecting Excel files. Contains one module (macro) named Legend. This module includes two procedures: Auto_Open and INFECT. Auto_Open is an Excel procedure that is called automatically when a file is opened. When run, Auto_Open installs the second virus procedure (Infect) as the SheetActivate event handler, so that whenever any sheet is opened Excel calls the Infect procedure.

When called, the Infect procedure infects either the PERSONAL.XLS file (when an infected file is open) or the current file (if it is not yet infected). After infection the virus removes the Tools/Macro item from the menu. If UserName = "Pyro" and OrganizationName = "VBB", the virus immediately stops working and does not infect any files. Depending on the current day and the system random counter, the virus displays a MessageBox:

You've Been Infected By Legend!

Macro.Excel.Robocop

A macro virus that attacks Excel files. Includes two modules (macros): COP and ROBO. The ROBO module contains an automatically called Auto_Open procedure which, when an infected document is opened, writes the virus code to the PERSONAL.XLS file and points the sheet activation handler (SheetActivate) at the virus code. The virus then infects files as sheets are opened.

ROBOCOP Nightmare Joker

Macro.Excel.Sofa

Infects Excel spreadsheets. Contains one module (macro) whose name consists of 11 spaces and is therefore not visible in the macro list in the Tools/Macros menu. The module contains four macro functions: Auto_Open, Auto_Range, Current_Open and Auto_Close. All virus functions return Null.

When an infected file is opened, the Auto_Open macro function fires and "renames" Excel: Microsofa Excel appears in the title bar instead of Microsoft Excel. If there is no BOOK.XLT file in the Startup Path directory (the system is not yet infected), the following message is displayed:

Microsoft Excel has detected a corrupted add-in file. Click OK to repair this file.

Regardless of the user's response, a BOOK.XLT file containing the virus code is created in the Startup Path directory. After infection the following message is displayed:

File successfully repaired!

When Excel starts, it automatically loads XLT files from the Startup Path and so activates the virus. The virus assigns its Auto_Range function to OnSheetActivate and, each time a sheet is activated, checks the active file for infection and infects it if it is not yet infected.

The virus does not allow itself to be unloaded from Excel: when each file is closed it assigns the same Auto_Range function to OnWindow, so it is reactivated when a new file is opened.

Macro.Excel.Yohimbe

Consists of one module (macro) named Exec. This module contains three subroutines, Auto_Open, DipDing and PayLoad, and the function SheetExists. The Auto_Open subroutine is called automatically when an infected file is opened, and the virus infects PERSONAL.XLS. In case of any error the virus is written to all open files (workbooks). Before returning control, Auto_Open sets the DipDing routine on the Excel timer. This routine is called starting at 16:00 and infects open files.

The virus writes the string Yohimbe into the sheet header. It also sets a timer for the PayLoad subroutine, which is called at 16:45 and inserts a picture and text into the current sheet.
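As an added example (not code from this page or from any antivirus product), the following Python script triages extracted macro source for the structure the Word section lays out (an auto or standard macro as entry point plus a write into Normal.dot) and for the Excel traits described above (Auto_Open, sheet-activation and timer hooks, PERSONAL.XLS and BOOK.XLT in the startup directory, the whitespace-only module name of Sofa). The sample modules are constructed, and the token lists are assumptions drawn from the names on this page, not a complete indicator set.

```python
"""Heuristic triage of macro source text for the traits described on this page.

Input is the plain VBA/WordBasic source that a macro-extraction tool dumps for
each module of a document. The scanner reports auto-executing entry points,
handlers hooked to sheet activation or timers, references to the global
templates the viruses persist in, tampering with Word's virus protection, and
a blank module name (the Sofa trick). All sample modules below are constructed
for illustration; none is real virus code."""
import re
from dataclasses import dataclass

# Auto and standard macro names named on this page, lower-cased for matching.
AUTO_EXEC = {
    "autoopen", "autoclose", "autoexec", "autoexit", "autonew",  # Word auto macros
    "fileprint", "filesave", "filesaveas",                       # Word standard macros
    "auto_open", "auto_close",                                   # Excel auto macros
}
# Global templates / startup files that the viruses above write themselves into.
PERSISTENCE = ("normal.dot", "normaltemplate", "personal.xls", "book.xlt")
# Event and timer hooks used to stay resident after the first run
# ("sheetactivate" also matches Excel's older OnSheetActivate).
HOOKS = ("sheetactivate", "onwindow", "ontime")
# Word option that the NightShade description says the virus switches off.
TAMPER = ("virusprotection",)

PROC_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)",
                     re.IGNORECASE | re.MULTILINE)


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "medium"
    detail: str


def scan_module(name: str, source: str) -> list[Finding]:
    """Return the findings for one macro module (its name and source text)."""
    findings = []
    if not name.strip():
        findings.append(Finding("high", "blank module name (hidden in the macro list)"))
    lowered = source.lower()
    for proc in PROC_RE.findall(source):
        if proc.lower() in AUTO_EXEC:
            findings.append(Finding("medium", f"auto-executing entry point {proc}"))
    for token in HOOKS:
        if token in lowered:
            findings.append(Finding("medium", f"event/timer hook {token}"))
    for token in PERSISTENCE:
        if token in lowered:
            findings.append(Finding("high", f"references global template {token}"))
    for token in TAMPER:
        if token in lowered:
            findings.append(Finding("high", f"touches protection setting {token}"))
    return findings


def verdict(findings: list[Finding]) -> str:
    """An entry point on its own is normal in legitimate macros; an entry point
    (or hook) combined with persistence, tampering or a hidden module name is
    the structure the page lays out for a macro virus."""
    has_trigger = any(f.severity == "medium" for f in findings)
    has_high = any(f.severity == "high" for f in findings)
    if has_trigger and has_high:
        return "likely macro virus"
    return "suspicious" if findings else "clean"


def triage(modules: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Verdict per module, keyed by a printable form of the module name."""
    return [(repr(name), verdict(scan_module(name, src))) for name, src in modules]


# Constructed samples: a benign helper, a Word-style AutoOpen that reaches for
# the global template, and an Excel module with a whitespace-only name.
BENIGN = ("Utils", "Sub FormatReport()\n    Selection.Font.Bold = True\nEnd Sub\n")
WORD_SAMPLE = ("Module1", "Sub AutoOpen()\n    Set tmpl = NormalTemplate\nEnd Sub\n")
EXCEL_SAMPLE = (" " * 11,
                "Function Auto_Open()\n"
                "    Application.OnSheetActivate = \"Auto_Range\"\n"
                "    tpl = Application.StartupPath & \"\\BOOK.XLT\"\n"
                "    Auto_Open = Null\n"
                "End Function\n")

if __name__ == "__main__":
    for name, result in triage([BENIGN, WORD_SAMPLE, EXCEL_SAMPLE]):
        print(f"{name:15} -> {result}")
```

Feed it the per-module output of whatever macro extractor you use; the verdict is a triage hint, not a substitute for a scanner that actually disinfects the file.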

Macro viruses are programs written in the macro languages built into some data processing systems (text editors, spreadsheets, etc.). To reproduce, such viruses use the capabilities of macro languages and with their help transfer themselves from one infected file (document or spreadsheet) to others.

For viruses to exist in a specific system (editor), it is necessary to have a macro language built into the system with the following capabilities:

1. binding a macro-language program to a specific file;

2. copying macro programs from one file to another;

3. the ability for a macro program to gain control without user intervention (automatic or standard macros).

Network computer viruses

Network viruses are viruses that actively use the protocols and capabilities of local and global networks. The main principle of a network virus is its ability to transfer its code to a remote server or workstation on its own. Network viruses can also run their code on a remote computer or push the user into running an infected file.

There are many combinations: for example, file-boot viruses that infect both files and the boot sectors of disks. Such viruses, as a rule, have a rather complex operating algorithm, often use original methods of penetrating the system, and employ stealth and polymorphic technologies. Another example of such a combination is a network macro virus, which not only infects documents being edited but also sends copies of itself by e-mail.

The infected operating system (more precisely, the OS whose objects are susceptible to infection) is the second level of division of viruses into classes. Each file or network virus infects files of one or more operating systems.

Macro viruses infect files in Word, Excel, and Office formats. Boot viruses are also targeted at specific formats for the location of system data in the boot sectors of disks.

Features of the operating algorithm of computer viruses:

1. Residence.

2. Use of stealth algorithms.

3. Self-encryption and polymorphism.

4. Use of non-standard techniques.

The term residence refers to the ability of viruses to leave copies of themselves in system memory, intercept certain events (for example, access to files or disks) and call procedures to infect the detected objects (files and sectors). Thus, resident viruses are active not only while the infected program is running but also after it has finished. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. Often it is impossible to get rid of such viruses by restoring all copies of files from distribution disks or backups: the resident copy of the virus remains active and infects the newly created files again. The same is true for boot viruses: formatting a disk while a resident virus is in memory does not always cure the disk, since many resident viruses infect the disk again after it is formatted.

Non-resident viruses, on the contrary, are active for a rather short time, only at the moment the infected program is launched. To spread, they search for uninfected files on the disk and write themselves into them. After the virus code transfers control to the host program, the virus's impact on the operation of the operating system drops to zero until the next launch of any infected program.

Stealth viruses in one way or another hide the fact of their presence in the system.

Polymorphic viruses are those whose detection is impossible (or extremely difficult) using so-called virus masks, sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a non-constant key and a random set of decryptor instructions, or by changing the executable virus code itself.

Various non-standard techniques are often used in viruses in order to hide as deeply as possible in the OS kernel.

By their destructive capabilities, viruses can be divided into:

1. Harmless, which do not affect the operation of the computer in any way (except for reducing free disk space as a result of their spread).

2. Non-hazardous, whose influence is limited to a decrease in free disk space and graphic, sound and other effects.