Norman Data Defense Systems Addresses

Background

The first macro virus was discovered in August, 1995, and since then it has been referred to by many different names: Prank virus, Word Prank Macro, Concept virus, and WordMacro.Concept virus. The anti-virus community, including Norman, has standardized on the name "WordMacro.Concept".

WordMacro.Concept has been getting its fair share of attention, and rightly so. In the past, computer viruses have infected executable code (i.e., either binary files or boot sectors). WordMacro.Concept, however, infects non-executable files: document files. Because document files are exchanged more often than executable code, WordMacro.Concept is widespread on the Internet and within organizations.

In theory, it is possible for viruses to be written for any application that has a built-in macro programming language. In fact, there is a macro virus called ExcelMacro.DMV, designed to demonstrate how simple it is to construct a macro virus for Microsoft's Excel application. This article, however, focuses on macro viruses that infect Microsoft Word documents.

WordMacro.Concept is harmless; it does not contain any destructive code. Some facts:

* it is platform independent (i.e., it functions in Word 6.x for Windows 3.x, Word 6.0+ for the Macintosh, Word 7.0 for Windows 95, and Word 6.0 for Windows NT).
* the source code is available, and therefore, variants of WordMacro.Concept will surely appear.

Even though WordMacro.Concept does not do any harm, its rate of infectiousness, due to the nature of the host (document files), and the fact that its source code is readily available to hackers make it a high security risk. Therefore, WordMacro.Concept and other macro viruses must be viewed seriously.

Other Word Macro Viruses

By November, 1995, 4 macro viruses and 1 trojan macro had been discovered. All are based on the WordBasic macro programming language.
However, we have reason to believe that there are considerably more macro viruses in existence. Half of the known macro viruses function in all national language versions of Word, and the other half contain infectious code that only propagates in English versions (including UK and Australian) of Word.

Note: Even though some macro viruses do not, for technical reasons, propagate to uninfected documents in non-English versions of Word, some macros may still be executed in an infected document opened in non-English versions of Word. Therefore, it is important to be aware of macro viruses even if you are running non-English versions of Word.

Following are short descriptions of the 4 macro viruses and the trojan macro:

1. WordMacro.Concept:
   * See description above.
   * Propagates only in English versions of Word.

2. WordMacro.Nuclear:
   * Contains the following macros: AutoExec, AutoOpen, DropSuriv, FileExit, FilePrint, FilePrintDefault, FileSaveAs, InsertPayload, Payload.
   * Contains destructive code. Under certain circumstances, it will:
     1. attempt to drop a DOS virus (PH33R)
     2. overwrite IO.SYS and MSDOS.SYS
     3. delete COMMAND.COM from the root directory
     4. add these text lines at the end of the document being printed: "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!"
   * Is encrypted.
   * Propagates only in English versions of Word.

3. WordMacro.DMV:
   * Contains the following macro: AutoClose.
   * Does not contain destructive code.
   * Was developed as an example of how simple it is to create a virus using WordBasic.
   * Source code is available.
   * Propagates in all national language versions of Word.

4. WordMacro.Rainbow:
   * Is the most recently reported macro virus.
   * At this time, we are not completely sure of the virus's characteristics.
   * It seems to contain code to manipulate the color settings (foreground, background, and borders) in Word.
   * We do not yet know if the virus contains destructive code.
   * Propagates only in English versions of Word.

5. WordMacro.Trojan.FC:
   * Contains the following macro: AutoOpen.
   * Contains destructive code: when an infected document is opened in Word, the AutoOpen macro executes, starts a DOS session, and types FORMAT C: /U. In addition, when DOS asks if you really want to format drive C:, the macro will answer "yes" automatically. Note: If NVC.SYS is running, the trojan's attempt to format will be stopped near the end of the formatting process. Since this happens in Windows, you will hear NVC.SYS's beep (if the beep has not been disabled) as a warning, NVC.SYS will interrupt the format, and your C: drive will be intact.
   * Is encrypted.
   * Propagates in all national language versions of Word.

Consequences

As a result of the new open system architecture used in modern applications, macro viruses have become a new security threat. Because there are few built-in security mechanisms in open applications at this time, macro viruses can easily be spread via networks, diskettes, external databases, and e-mail. Either there are no specific limitations in these systems or there are a number of backdoors that enable saboteurs to work around them.

Macro viruses will have a large impact on:

* Anti-virus product developers. Macro viruses are a new area for R&D to tackle.
* Security measures in all businesses, government agencies, and private households that use computers.

Many people have been asking us if there is anything they can do to protect themselves. The answer lies in technical countermeasures. You must either use open systems and spend money on security measures or you must use solutions that are less open.
Examples of less open systems include:

* denying access to the Internet and e-mail
* denying access to macros in software that contains a macro programming language
* running diskless workstations, and so on

In either case, security personnel and management must be made aware of this new security threat, and resources must be placed on implementing countermeasures and on properly training the user community.
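As an added example (not code from Norman or from the article above), the following check turns the macro listings given for each family into a defender-side triage rule: a document's macro inventory is flagged when it contains an auto-executing WordBasic macro, a macro that shadows a built-in Word command, or exactly the macro set the article lists for a known family. The auto-macro names and the per-family lists come from the article; FileSave, FileOpen, FileClose and ToolsMacro are standard Word 6 command names assumed here, and the sample document inventories are constructed.

```python
# Added example, not code from the Norman article: defender-side triage of the
# macro names found in a Word document.  Auto-macro names and per-family lists
# come from the article; FileSave, FileOpen, FileClose and ToolsMacro are
# standard Word 6 command names added here.  SAMPLE_DOCS is constructed input.

# WordBasic macros Word runs by itself (open, close, new document, start, exit).
AUTO_MACROS = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit"}

# A macro named after a built-in command replaces that command; this is how
# Nuclear hooks Save As, Print and Exit.
BUILTIN_COMMANDS = {"FileSaveAs", "FileSave", "FileOpen", "FileClose", "FileExit",
                    "FilePrint", "FilePrintDefault", "ToolsMacro"}

# Exact macro sets the article lists per family (Concept's own list is not
# given on the page, so it is left out rather than guessed).
KNOWN_FAMILIES = {
    "WordMacro.Nuclear": {"AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                          "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"},
    "WordMacro.DMV": {"AutoClose"},
    "WordMacro.Trojan.FC": {"AutoOpen"},
}


def triage(macro_names):
    """Return (verdict, details) for one document's macro inventory.
    verdict: "clean" (no macros), "review" (macros, none auto-run or shadowing
    a built-in command) or "suspicious".  details lists the auto macros, the
    shadowed commands and any family whose listed macro set matches exactly."""
    names = set(macro_names)
    auto = sorted(names & AUTO_MACROS)
    shadowed = sorted(names & BUILTIN_COMMANDS)
    families = sorted(f for f, sig in KNOWN_FAMILIES.items() if sig == names)
    if not names:
        verdict = "clean"
    elif auto or shadowed or families:
        verdict = "suspicious"
    else:
        verdict = "review"
    return verdict, {"auto": auto, "shadowed": shadowed, "families": families}


# Constructed sample inventories, as a macro-listing tool might report them.
SAMPLE_DOCS = {
    "budget.doc": [],
    "template.dot": ["FormatTable", "InsertSignature"],  # user macros, no auto-run
    "memo.doc": ["AutoClose"],                           # exactly the DMV listing
    "report.doc": ["AutoExec", "AutoOpen", "DropSuriv", "FileExit", "FilePrint",
                   "FilePrintDefault", "FileSaveAs", "InsertPayload", "Payload"],
}
```

Running triage over SAMPLE_DOCS marks budget.doc clean, template.dot for review, and memo.doc and report.doc suspicious with the DMV and Nuclear listings respectively. A single AutoClose macro is enough to earn the suspicious verdict on its own, which is the point the article makes about DMV: one short auto-macro is all a WordBasic virus needs.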