What files do macro viruses infect? What are macro viruses? Viruses by type of destructive actions

Macro viruses are potentially unwanted programs written in the macro languages embedded in text or graphics processing systems. The most widespread versions target Microsoft Word, Excel and Office 97. Because creating a macro virus is so easy, they are quite common. Be very careful when downloading questionable documents from the Internet. Many users underestimate the capabilities of these programs, which is a huge mistake.

How a macro virus infects a computer

Thanks to a simple method of propagation, macro viruses are able to infect a large number of files in the shortest possible time. Using the capabilities of macro languages, when opening or closing an infected document, they easily penetrate into all programs that, in one way or another, are being accessed. That is, if you open an image using a graphics editor, the macro virus will spread through files of this type. And some of the viruses of this type can be active as long as a graphics or text editor is open, or even until the very shutdown of the personal computer.

Macro viruses act according to the following principle: when working with a document, Microsoft Word reads and executes various commands written in the macro language. First of all, the malicious program tries to penetrate the main document template, through which all files of this format are opened. To do so, the macro virus copies its code into the global macros (macros that provide access to key parameters), and when you exit the program these are automatically saved to a .dot file (used to create new documents). The virus then takes over the standard file macros in order to intercept commands sent to other files, thus infecting them too.

Infection with a macro virus occurs in one of four cases:

  1. If there is an auto macro in the virus (it is executed automatically when the program starts or stops).
  2. The virus contains a basic system macro (usually associated with menu items).
  3. The virus is activated automatically when you press a certain key or combination.
  4. The virus propagates only when it is launched directly.

Macro viruses can damage all files associated with a program that uses a macro language.

What harm do macro viruses carry

In no case should you underestimate macro viruses, as they are the same full-fledged viruses and can do no less harm to a personal computer. Macroviruses are perfectly capable of deleting, editing or copying files containing personal information and transmitting it to another person via email. And more powerful programs can even format the hard drive and take control of your computer. So the opinion that macro viruses are dangerous only for text editors is erroneous, because often Word and Excel come into contact with a huge number of different programs during their work.

How to recognize an infected file

Usually, files that have succumbed to the influence of a macro virus are quite easy to identify, because they work differently from other programs of the same format.

The presence of macro viruses can be determined by the following characteristics:

  1. The Word document cannot be saved in a different format (using the "Save As..." command).
  2. The document cannot be moved to another folder or to another drive.
  3. Changes to the document cannot be saved (using the "Save" command).
  4. System messages about a program error, with the corresponding code, appear frequently.
  5. The document behaves abnormally.
  6. Most macro viruses can be detected visually, as their creators often like to specify information such as program name, topic, category, author name, and comments in the Summary tab (opened using the context menu).

How to delete a virus-infected file from your computer

The first thing to do when you find a suspicious document or file is to scan it with antivirus software. Almost always, when a threat is detected, the antivirus will try to cure the file or completely block access to it. In more severe cases, when the entire computer is already infected, use an emergency boot disk containing an antivirus with an updated database. It will scan your hard drive and neutralize any malware it finds. In cases where the antivirus is powerless, and there is no rescue disk at hand, use the "manual" treatment method:

  1. In the "View" tab, uncheck the "Hide extension for all registered file types" checkbox.
  2. Find the infected file and change the extension from .doc to .rtf.
  3. Delete the Normal.dot template.
  4. Change the file extension back and restore the original parameters.

As a result of these actions, we removed the virus from the infected document, but this does not mean that it could not remain in the computer system, therefore, as soon as possible, scan all objects on your PC with an antivirus.

How to protect yourself from macro viruses

It can be quite difficult to cure a computer from macro viruses, so it is best to avoid infection. To do this, make sure that your antivirus is regularly updated. Before copying files from other media or from the Internet, carefully check them for malware. If you have weak or no antivirus, save documents in .rtf format, so the virus will not be able to penetrate them.

Of course, remembering each of them "in person" is an impossible and unnecessary task. However, some are worth knowing more about due to their danger and widespread prevalence. In this article, we will analyze what these are - macro viruses. And also why it is important to adequately assess their threat.

Macroviruses are ...

The first half of the name of the malicious element comes from the word "macro". A macro is an integrated component of an MS Word or Excel document, written in VBA. It has quite wide capabilities: it can format the hard drive, delete files, copy confidential data from the information stored on the PC and send it via e-mail. Hence the great danger posed by such an element.

A macro virus is a program written in a macro language for further integration into a number of processing systems and text programs and editors, software for working with tables, etc. The propagation of malicious elements occurs due to the capabilities of macro languages. Therefore, they are quite easily transferred from document to document, from one computer to another. What files do macro viruses infect most often? These are mainly Word, Excel documents.

How does it spread?

Infection of the PC is quite simple. You just need to open or close a file infected with a macro virus on your computer. At that moment the malicious macros intercept the standard ones. Then they begin to infect all files of that kind that you access on your device.

Macroviruses are also resident malicious elements. That is, they are active not only at the moment of opening / closing a document, but also throughout the entire operation of a text, graphic or spreadsheet program! And some of them are even able to remain in the computer's RAM until it is turned off.

It should be noted that they are extremely easy to create: it is enough for an attacker to open Word, go to "Tools", and then to "Macros". Then he chooses the Visual Basic editor, where he can write a malicious program in the VBA language.

How the virus works

When implementing a particular command, Word searches for and executes the corresponding macros:

  • Saving a document - FileSave.
  • Print output - FilePrint.
  • Opening a text file - AutoOpen.
  • Closing the document - AutoClose.
  • Launching the program itself - AutoExec.
  • Creating a new file - AutoNew and so on.

Similar macros, but with different names, are used by Excel.

To infect a Word file, the malicious program uses one of these techniques:

  • The macro virus already contains an auto macro.
  • Infection of the system begins when you yourself launch the task provided by the developer of the virus.
  • One of the standard macros is overridden. Usually this macro is associated with some Word menu item.
  • By pressing a certain key or a combination of keys, you unknowingly trigger a malicious auto macro, which then starts its "work".

Macro viruses infect files in the following way:

  1. You open an affected text document.
  2. The virus code is copied into the global macros of the document.
  3. The latter, already infected, are automatically written to a dot-document (template named Normal.dot) when the file is closed.
  4. The next step is for the virus to redefine the standard macros. This helps it to intercept commands for working with electronic documents.
  5. When these macros are called by you, the file you are working on becomes infected.

Now let's decide how to establish the presence of these malicious elements on a computer.

Detection of macro viruses

File viruses in texts and tables can be identified as follows:

  • The document cannot be written to another disk or directory via "Save As...".
  • The file cannot be saved in a different format (checked through the "Save As..." command).
  • The changes you made to the file cannot be saved.
  • The Security Level tab becomes unavailable. You can find it along the path: "Tools" - "Macro" - "Security".
  • When working with a document, a system message may appear indicating an error.
  • The file behaves strangely in other ways.
  • If you invoke the context menu of the suspect document by right-clicking and choose "Properties", the sections of the "Summary" tab contain random information or just a set of characters entered by the developer of the malicious program.

Eliminating the problem

The easiest way, of course, is to prevent any misfortune. In this case, your computer must have a modern antivirus with a constantly updated database of threats. Many such programs have a monitor loaded into RAM. It detects infected files as soon as someone tries to open them. The antivirus first of all tries to cure such a document, and if it is unsuccessful (which happens very rarely) it blocks access to it.

If you find a threat on an unprotected computer, then you need to download an antivirus or an appropriate utility that will detect, neutralize or delete the infected file. It is also important to be vigilant yourself: do not open documents from sources unknown to you, or, as a last resort, before that, scan them for malicious elements.

Macroviruses are a threat that spreads through text and table files. Today it is easy to detect and eliminate, which does not diminish the danger and harm caused by this malicious program.

In particular, about those representatives of this large family that infect Word documents.

Typical signs of presence are:

1) the impossibility of saving the infected Word document to another format (by the Save As… command);

2) the impossibility of writing a document to another directory or to another disk with the Save As… command;

3) the impossibility of saving the changes made to the document (the Save command);

4) inaccessibility of the Security Level tab (menu Tools - Macro - Security…);

5) since many viruses are written with errors (or do not work correctly in different versions of the Microsoft Office package), the corresponding messages with an error code may appear;

6) other "oddities" in the behavior of Word documents;

7) they can often be detected visually. The fact is that most virus writers are distinguished by their vanity: in the properties of the Word file (the Properties window, called by right-clicking and selecting Properties), on the Summary tab, they fill in the input fields (Name, Theme, Author, Category, Keywords and

Macro viruses are life-threatening infections for any user. Even if you are a system programmer three times over, such an infection still has a good chance against you. Many people simply underestimate this category of viruses, and in vain: they are not as harmless as they seem. In terms of survivability, they can be compared with rats and cockroaches - they adapt to everything and very rarely die. It's time to deal with macro-infection once and for all.

Macrovirus architecture

In the beginning, a clear definition: a macro virus is a virus that can multiply and store itself (without user intervention), using a macro language. It follows from the definition that macro viruses can live not only in Word documents, but in ANY office document that implements such functions of the macro language as copying macros and saving them. any), Excel, AmiPro (this is such a text editor), MS Visio, PowerPoint, MS Access and 1C. As you can see, the number of such programs is quite large, and on the Internet you can often find articles defining macro viruses like this:
"viruses infecting document files in WinWord". Some idiots wrote that!

Now let's talk about the structure of the macro virus under Word (as the most relevant one). So. There is such a thing as standard macros. These include: AutoOpen, AutoClose, AutoExec, AutoExit, AutoNew. The prefix auto- means that the action is performed automatically, without user intervention (although this depends on the set security level, but we will talk about this later). That is, by adding an infection to a macro with this name, you can "revive" it. Also, each standard action has its own standard macro. For example, for printing FilePrint, for saving FileSave, for saving in another format or with another name FileSaveAs. And these macros can be infected.
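The auto macros and command macros named above (and in the earlier list of Word command macros) are the first thing to look for when triaging macro source that a tool has already extracted from a document. The following Python code is an added example, not code from the original article; the `triage` function, the `Finding` class, the marker list and the sample modules are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Names taken from the article's lists of automatic and command macros.
AUTO_MACROS = {"autoopen", "autoclose", "autoexec", "autoexit", "autonew"}
COMMAND_MACROS = {"filesave", "filesaveas", "fileprint"}
# Assumed markers for code that touches the global template.
TEMPLATE_MARKERS = ("normaltemplate", "normal.dot", "organizercopy")

SUB_RE = re.compile(r"^\s*(?:(?:public|private)\s+)?sub\s+([A-Za-z_]\w*)", re.I)
REM_RE = re.compile(r"^\s*rem\b", re.I)


@dataclass(frozen=True)
class Finding:
    module: str
    line: int
    kind: str
    detail: str


def strip_comment(line):
    """Drop a VBA comment, ignoring apostrophes inside string literals."""
    if REM_RE.match(line):
        return ""
    in_string = False
    for index, char in enumerate(line):
        if char == '"':
            in_string = not in_string
        elif char == "'" and not in_string:
            return line[:index]
    return line


def triage(modules):
    """modules maps module name -> extracted macro source text."""
    findings = []
    for module, source in modules.items():
        for number, raw in enumerate(source.splitlines(), 1):
            code = strip_comment(raw)
            match = SUB_RE.match(code)
            if match:
                name = match.group(1)
                # WordBasic style: a module *named* AutoExec with Sub Main.
                if name.lower() == "main":
                    name = module
                if name.lower() in AUTO_MACROS:
                    findings.append(Finding(module, number, "auto-macro", name))
                elif name.lower() in COMMAND_MACROS:
                    findings.append(Finding(module, number, "command-override", name))
            lowered = code.lower()
            for marker in TEMPLATE_MARKERS:
                if marker in lowered:
                    findings.append(Finding(module, number, "template-access", marker))
    return findings


# Constructed sample input: harmless macros that only exercise the checks.
SAMPLE_MODULES = {
    "NewMacros": "Sub FormatReport()\n"
                 "    ' reminder: template lives in Normal.dot\n"
                 "    Selection.Font.Bold = True\n"
                 "End Sub\n",
    "AutoClose": "Sub Main\n"
                 "    MsgBox \"closing\"\n"
                 "End Sub\n",
    "Module1": "Private Sub AutoOpen()\n"
               "    MsgBox \"it's open\"  ' apostrophe in a string is not a comment\n"
               "End Sub\n"
               "Sub FileSaveAs()\n"
               "    MsgBox NormalTemplate.FullName\n"
               "End Sub\n",
}

if __name__ == "__main__":
    for finding in triage(SAMPLE_MODULES):
        print(finding)
```

A hit is a reason to inspect the macro, not proof of infection: legitimate templates also define AutoOpen or override FileSave.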

The ultimate goal of any macro virus is to take over normal.dot (it stores all the template settings). Then all opened files will be infected and your texts will be done for.
Word provides several levels of security: high, medium, and low. It also contains a built-in protection mechanism against macro infection. This, as conceived by the developers, should act on macro viruses like silver against evil spirits. It might even work, if not for one "but". Because of it I will not delve into the differences between security levels and the internal settings of Word. The point is that ALL internal security parameters can easily be CHANGED through the registry. Conveniently, macro languages allow this to be done. I will not give the specific path (where to look for what), so as not to tempt your playful hands. Especially gifted people can contact me by email - I will let you know, but "only for the purpose of acquainting themselves with this software vulnerability, to eliminate them" 🙂

To summarize, the structure of the macro virus looks like this:

1. We override any standard or automatic useful macro so that it disables protection and fixes the security level.
2. Add the infection there.
3. We check that this macro is in demand, and that the infection multiplies and must be registered in Normal.dot

It's simple enough - it is because of this that there are so many different variations of macro-stuff.

I will kill with my bare hands!

There are several popular ways to destroy macro pests in already infected Word documents. Here are almost all of them:

1. Create your own macro with the following code:
Sub Main
DisableAutoMacros
End Sub
Save this miracle under the name AutoExec and thus become invulnerable to auto macros.

2. You manipulate the protection levels - then Word will ask permission when executing macros.

3. Do not use doc format. After all, everything can be placed in RTF - the same fonts, design, tables, graphics ... And RTF does not contain macros by definition. Everything would be perfect, but there is a minus: when saving information in rtf-format, all pictures are automatically converted to bmp-format. This graphic format weighs so much that the enemy does not wish. As a result, even after archiving, the loss in the size of the resulting file can lead to the fact that it simply does not fit on a floppy disk (it depends, of course, on the number of pictures). However, if there are no graphics, then rtf is perfect.
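The RTF advice above (and the earlier tip to save documents in .rtf format) only holds if the file really is RTF: the container is determined by the file's content, not by its extension. This added Python example, which is not from the original article and goes beyond it by also covering the newer ZIP-based Office formats, identifies the real container and flags an extension that does not match it; the function names, file names and byte strings are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # legacy .doc/.dot/.xls container
RTF_MAGIC = b"{\\rtf"
ZIP_MAGIC = b"PK\x03\x04"                        # .docx/.docm/.xlsx/.xlsm

EXPECTED = {".rtf": "rtf", ".doc": "ole2", ".dot": "ole2", ".xls": "ole2",
            ".docx": "zip", ".docm": "zip", ".xlsx": "zip", ".xlsm": "zip"}


def sniff_container(data):
    """Identify the container from its leading bytes."""
    for magic, kind in ((OLE2_MAGIC, "ole2"), (RTF_MAGIC, "rtf"), (ZIP_MAGIC, "zip")):
        if data.startswith(magic):
            return kind
    return "unknown"


def zip_has_vba_part(data):
    """Macro-enabled ZIP-based documents keep their VBA in vbaProject.bin."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(PurePosixPath(name).name.lower() == "vbaproject.bin"
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return True  # unreadable archive: fail closed and treat as suspicious


def assess(filename, data):
    kind = sniff_container(data)
    if kind == "ole2":
        macros = "possible"          # binary container can hold a VBA project
    elif kind == "zip":
        macros = "vba part present" if zip_has_vba_part(data) else "no vba part"
    elif kind == "rtf":
        macros = "no macro storage"  # the property the article relies on
    else:
        macros = "unknown"
    expected = EXPECTED.get(PurePosixPath(filename).suffix.lower())
    mismatch = expected is not None and expected != kind
    return {"container": kind, "macros": macros, "extension_mismatch": mismatch}


def make_zip(names):
    """Build a constructed in-memory archive with the given member names."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in names:
            archive.writestr(name, b"constructed")
    return buffer.getvalue()


# Constructed samples: header-only stubs, not real documents.
RENAMED_DOC = OLE2_MAGIC + bytes(504)
REAL_RTF = b"{\\rtf1\\ansi Quarterly report}"
MACRO_DOCX = make_zip(["[Content_Types].xml", "word/vbaProject.bin"])
PLAIN_DOCX = make_zip(["[Content_Types].xml", "word/document.xml"])

if __name__ == "__main__":
    for name, data in (("report.rtf", RENAMED_DOC), ("report.rtf", REAL_RTF),
                       ("report.docx", MACRO_DOCX), ("report.docx", PLAIN_DOCX)):
        print(name, assess(name, data))
```

The first sample is the case to watch for: a file named .rtf whose bytes are still the binary Word container, so the "no macros in RTF" guarantee does not apply to it.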

Heavy artillery

It's time to get up the courage and kill the macrobeasts once and for all. The task is not so difficult to perform: you need an uninfected computer and the latest distribution kit of Kaspersky Anti-Virus. Several years ago, Kaspersky Lab developed a module called Office Guard. We'll talk about him.

Usually Office Guard is not included in pirated distributions, but with some skill it can be found. What is this thing? Here's what the creators say about it:
"Office Guard is a groundbreaking technology for protecting against macro viruses and macro Trojans. Designed for advanced users, Office Guard implements a revolutionary approach to providing anti-virus security based on the principles of a behavioral blocker. In contrast to the "classic" anti-virus protection schemes based on conventional contextual search, Office Guard solves the problem comprehensively, excluding the very possibility of macro viruses functioning on a protected computer. Office Guard distinguishes macro viruses not by their external features (the presence of a particular sequence of characters), but by their behavior, which is determined by the capabilities of the programming language VBA (Visual Basic for Applications)."

The coolest feature is that it doesn't need to be updated! However, its use is fraught with many pitfalls:

1. Install it on an uninfected machine.
2. If you had Word, then you installed Office Guard, and then installed Excel, then only Word will be protected. Draw your own conclusions.
3. Office Guard catches viruses, but DOES NOT CURE.

To solve the last problem, you just need an antivirus scanner. Thus, AVP Scanner + Office Guard provide complete security against macro viruses. If you want to treat documents, then from time to time you will have to download an update for AVP.

However, let's be fair - you can't drag the blanket in the direction of Kaspersky Lab, otherwise there will be conversations like:
"And how much did you get paid to promote the product?"

Any updated antivirus gives good, almost 100%, protection against macro pests. It's just that each of them uses different technologies for this. For example, DrWeb uses signature search and a heuristic analyzer, which is what we talked about with its creators:

Your antivirus package does not include a separate module for combating macro viruses. Why? Do you think that a resident monitor guarantees security against macro viruses?

Macro virus detection and control tools are an integral part of the DrWeb core. And since the kernel is used by both the scanner and the monitor, all macro viruses are detected and treated equally well in either case.

The WUA includes a separate module against macro viruses in MS Office. The developers claim that this module is based on a behavioral blocker that analyzes the actions of the patient program. As a result, this product provides a 100% guarantee against macro viruses until a new version of VBA is released. That is, the macro virus is not searched for by signatures. The advantage of this approach is that once such a module is installed, it does not need to be updated. Now the question: does drWeb look for macro viruses by signature?

DrWeb searches for macro viruses both by signatures and using the built-in original powerful heuristic analyzer. The mechanism for searching and analyzing macros is implemented at several levels: the binary code of macros is scanned, as well as their compiled and source code. This allows the detection of known viruses, their modifications, as well as unknown macro viruses. Thus, it becomes possible not to depend on the version of the installed MS Office package (the ability to intercept executed macros appeared only in Office 2000 and was absent in previous versions), or indeed on the presence of MS Office at all on the computer on which the files are scanned - for example, on a corporate Internet gateway.

In addition, using a heuristic analyzer based on the same principles, DrWeb is able to detect unknown Trojans, backdoors, Internet worms, IRC, batch (bat) and script (vbs / vbe) viruses.

Your personal opinion: can a module from the WUA provide 100% safety against macroinfection?

The current situation is such that in order to effectively fight viruses, any modern antivirus product must be updated in a timely manner. Unfortunately, creating an "absolute" antivirus is impossible.

The questions were answered by:
Sergey Yurievich Popov
Andrey Vladimirovich Basharimov

Developers of anti-virus programs of the Dr.WEB family.

Macro viruses are potentially unwanted utilities written in macro languages that are built into graphics and text processing systems. What files do macro viruses infect? The answer is obvious. The most common versions are for Microsoft Excel, Word and Office 97. These viruses are quite common, since creating them is as easy as shelling pears. That is why you should be extremely careful when downloading documents from the Internet. Most users underestimate them, thus making a gross mistake.

How does a PC get infected?

After we have decided what macro viruses are, let's see how they penetrate the system and infect the computer. A simple way of their reproduction allows hitting the maximum number of objects in the shortest possible time. Thanks to the capabilities of macro languages, when closing or opening an infected document, they penetrate the programs that are being accessed.

That is, when using a graphical editor, macro viruses infect everything associated with it. Moreover, some are active all the time while the text or graphics editor is working, or even until the PC is completely turned off.

What is the principle of their work

Their action takes place according to the following principle: when working with documents, Microsoft Word executes a variety of commands written in the macro language. First of all, the malicious program penetrates the main template, through which all files of this format are opened. In doing so, the virus copies its code into macros that provide access to the main parameters. When you exit the program, these are automatically saved to a .dot file (used to create new documents). The virus then gets into the standard macros, trying to intercept commands sent to other files and infecting them too.

Infection is carried out in the following cases:

  1. If there is an auto macro in the virus (it is carried out in automatic mode when the program is turned off or started).
  2. The virus has a basic system macro (often associated with menu items).
  3. It is activated automatically when you press specific keys or combinations.
  4. It multiplies only when it starts.

Such viruses usually infect all files created and linked to programs in the macro language.

What harm do they do

Do not underestimate macro viruses, as they are full-fledged viruses and cause significant harm to computers. They can easily delete, copy or edit any objects containing, including personal information. Moreover, they also have access to the transfer of information to other people via e-mail.

Stronger utilities can generally format hard drives and control the operation of the entire PC. That is why the opinion that this kind of computer viruses pose a threat exclusively to graphic and text editors is erroneous. After all, utilities such as Word and Excel work in conjunction with a number of others, which in this case are also at risk.

Recognizing an infected file

It is often not difficult to identify files that have been infected with macro viruses and have succumbed to their influence. After all, they function quite differently from other utilities of the same format.

The danger can be identified by the following signs:

In addition, threats are often easily detected visually. Their developers usually provide information such as the name of the utility, the category, the subject of the comment, and the name of the author in the "Summary" tab, which makes it much faster and easier to get rid of the macro virus. It can be called using the context menu.

Removal methods

Having found a suspicious file or document, first scan it with an antivirus. If a threat is detected, antiviruses will try to cure it, and if it fails, they will completely close access to it.

If the entire computer was infected, you should use an emergency boot disk that contains an antivirus with the latest database. It will scan your hard drive and neutralize all threats it finds.

If you cannot protect yourself in this way, your antivirus cannot do anything, and there is no rescue disk, then you should try the method of "manual" treatment:


Thus, you will remove the macro virus from the infected document, but this in no way means that it has not remained in the system. That is why it is recommended, as soon as possible, to scan the entire personal computer and all its data with an antivirus or (their advantage is that they do not require installation).

The process of curing and clearing a computer from infection with macro viruses is rather complicated, so it is better to prevent infection at the initial stages.


Thus, you will be safe and macro viruses will never infiltrate the corresponding files.
