Prevention Against Virus

Prevention Against Virus Essay, Research Paper

Free Macro AntiVirus Techniquesby Chengi Jimmy KuoDirector, AV ResearchMcAfee Associates Inc. It has been over two years since Concept was unleashed upon an unsuspecting world. In that time, Word Macro viruses have become the most prevalent virus threat to organizations. Multitudes of “buy my macro antivirus” solutions are available. But let’s start with things you can do for free. Ultimately, these are going to be the most effective since they don t cost extra money. This paper will discuss the pros and cons and where and how to use some of the free macro antivirus techniques. The techniques to be discussed include: Word’s own “Prompt to Save Normal.dot”, making your NORMAL.DOT read-only, using the shift keys, disabling automacros, keeping a backup of NORMAL.DOT and checking against it, as well as methods against Excel viruses. The paper ends with the author describing the methods he actually uses to protect himself in his day-to-day work against macro viruses. [Bold text represent text shown on the screen or text to be typed in as is.][Italicized text represent file names. Generally, this means you can replace the name.] 1.0 Introduction to Macro Viruses Macro viruses can exist for any number of products that allow the user the ability to write macro code which can write to the disk to propagate more macros. The platform with the most viruses present is Microsoft’s Word for Windows. Viruses spread easiest in this environment because documents can contain both text and macros. But by combining both text and macros, the user has much more power and usability features. The two go hand in hand. More power to the user. More potential for macro viruses. As it is Microsoft s intention to do the former, we will all have to contend with macro viruses for a very long time. Excel, also by Microsoft, is afflicted similarly. Excel macro viruses came after the Word macro virus. The same dynamics that affect Word also affect Excel. Excel also uses OLE2 container files which has macros and all of the cell functions and data in the same file. When Office97 came along, all the macro languages converged upon Visual Basic 5 (VB5), making cross-application viruses a theoretical possibility. This makes the possibility of macro viruses for other platforms only a matter of time, especially as more and more vendors independently support VB5. 1.1 Word Macro Viruses Viruses are defined by their ability to spread. A Word macro virus spreads easiest when it intercepts the macro execution path by making use of one or more of Word s AUTO macros, or by using a menu replacement. Then it places itself into the global environment, for instance by updating the normal.dot file. Most of the approaches below target that scenario. 2.0 Microsoft s First Suggestions In the summer of 1995, Microsoft unleashed Concept.A upon the world. The world, the antivirus companies, and Microsoft were not prepared for this. Microsoft came forth with the following suggestions. 2.1 Prompt to Save Normal Template Prompt to Save Normal Template is an option available from within Word. Microsoft made this option the first macro virus prevention method when it suggested its use against Concept.A. To activate the option, click on Tools then Options… Then choose the Save tab. About the middle, on the left, check Prompt to Save Normal Template. As noted above, a virus must spread. This is most easily accomplished by getting into the global environment. The global environment is represented by the file normal.dot. If a virus attempts to alter normal.dot and this option is in use, Word will inform you that there is a request to change the Normal Template as you attempt to exit. At this time, you can respond that you do not wish to allow such a change. Presumably, the user would know of any intentional changes and presumably, know the right answer. But, even with this option in use, it is possible to open an infected file and infect the environment. The warning does not occur until exit from Word. Thus any documents opened and saved after the initial infected document will also be infected. In section 4.1 Read-Only Normal.dot, there will be further discussion on discovering that one has been infected throughout the day, and what to do about it. This is because the benefits derived from setting Prompt to Save Normal Template are similar to those of making the normal.dot file a read-only file. The primary differences between these two actions are, first, the option through Word is easy to turn off and many viruses have already incorporated the instruction. Second, this is an option from within Word and is activated prior to the attempt to write to normal.dot. However, no law prevents the use of both! And since they re both free and don t conflict, why not? PRO:Easy to set.Commands required to set this feature can be automated.Protects against some of the most wild viruses, like Concept.A, Wazzu.A, and NPad. CON:Easy for virus to turn off.Does not inform until AFTER infection. All documents accessed after the infected document in that session will be infected.Any benefit achieved is a subset of 4.1 Read-Only Normal.dot. 2.2 Create a Payload macro The second suggestion supplied by Microsoft was to create a Payload macro. I m not going to give this any further dignity by even telling you how to do this. PRO: Protects against Concept.A. CON: Does little else. This suggestion showed that those unfamiliar with the antivirus industry would be doomed to repeat many of the same mistakes that were made at its infancy. This technique targets just one virus. The AV industry was borne of similar suggestions. But it soon learned this was not a viable long-term solution. 2.3 ScanProt ScanProt is a macro package written by Microsoft. Its original intention was to protect against Concept.A and to provide a mechanism for users to be alerted if any incoming document had macros. The objectives were noble and have since been incorporated directly into the product in versions 7.0a and Word 97. Unintended though, was the misfortune of various ScanProt macros being absorbed into spreading viruses. This causes a mating scenario between an existing virus and ScanProt and unfortunately produces a virus variant. As AntiVirus producers, we endeavor to solve users problems without creating new ones. The scenario involving ScanProt macros and the creation of new viral variants makes it something we cannot recommend, even with its virtues. Another action undertaken by ScanProt is to rename macros associated with viruses to alternative names. As such, it makes viruses non-functional. It also makes them irremovable by some antivirus products. PRO: Protects against Concept.A. Alerts if any macros exist in document. CON: ScanProt macros have been absorbed into many viruses and now spread as part of the virus. Note: The best features have been incorporated directly into Word 7.0a and Word97. 3.0 Methods Provided by Word A number of things provided by Word can be used to lessen the chance or slow down the spread of viruses. 3.1 The Shift Key The shift key (either shift key will work) allows for a file to be opened without allowing any AUTO* macros to execute. This will prevent viruses that use the AutoOpen macro in order to spread. Similarly, if held down at exit, the AutoClose macro will not be executed. In order to correctly make use of this feature, one must be holding down either shift key at the moment Word is activated. So, be sure to be holding the key down with one hand while the other hand is double-clicking the Word icon. It might seem obvious, but it s not an easy thing to do, even if you remember to. The shift key must be held down for the duration of Word s startup process. Letting go early may allow a macro to execute. PRO:Allows opening and closing documents without activating the AutoOpen or AutoClose macros. CON:Easy to forget to do.Only stops AUTO macros when you remember to hold down the shift key.All other macro replacements are still in place and will still infect.Requires too much coordination and constant reminder to make use of it.Benefits are a subset of DisableAutoMacros.Sometimes it doesn t work. And when it doesn t, you won t know and it ll be too late. 3.2 Menu Choices within Word Macro viruses are macros. Macros are separate from the text and are not seen unless one goes looking for them. The most common way to check for macros would be through Tools then Macro Unfortunately, viruses can intercept menu items. And the most commonly intercepted function is ToolsMacro. This makes it unwise in a suspect situation to use Tools/Macro to determine if macros exist in documents. In section 3.4 Customized Tools/Macro, you will be shown how to create your own replacement to Tools/Macro. Meanwhile, it is safe for you to view macros in document files through the use of the Organizer function. The organizer function can be achieved through either File/Templates/Organizer or Format/Styles/Organizer or by creating your own following the instructions in section 3.4. To see if macros exist in a document file without being affected by them, exit and restart Word without opening any documents. If you suspect that the normal.dot file or the startup environment may be infected, you need to rename the file and rename all the document files in the startup directory to other than DOC or DOT so Word can be started in a pristine state. To insure that no virus affects your viewing of a suspect file, one must insure that Word is started in a pristine state by following the previous directions. Upon starting Word, get to the organizer via one of the previously mentioned methods. Choose the Macros tab. On the left half of the box would be a button labeled Close File. Click that button to change the label to Open File Click on Open File to get a Browse box. Choose the target file to investigate. (By default, Word lists the .dot files. If the file you wish to investigate is not so named, you should change the Files of Type: drop-down box to All Files.) The filename will be shown. If any macros exist in the file, they will be listed in the big box. If not, normal.dot will show up again with its macros. Practice on a file that you know has macros in it, or practice on the file created in section 3.3. PRO:Safely determines if any macros exist in the target file. CON:You know if there are macros. But you can t tell if it s a virus or not. 3.3 DisableAutoMacros Earlier, we discussed the use of the shift keys. But it was listed as subset of DisableAutoMacros. DisableAutoMacros is a Word macro function to do what it says. If the function is invoked and turned on, no Auto functions will execute automatically until the function is turned off (or until the next Word session). We have mentioned that most macro viruses make use of an auto function. Thus removing the ability to automatically execute the auto functions limits those viruses from easily infecting your system. Ironically, the best way to invoke this function is through an AutoExec macro. However, in the following instructions, the end result will be an AutoExec function in its own template file, not in the normal.dot file. I recommend the template file to be placed in the default startup directory in order to keep the normal.dot file pristine. And, in this manner, it is easier to give the file to others and harder for viruses to find and remove. Start by making sure your normal.dot is writeable, and empty… Click on Tools, Macros…In the Macro Name: box, Enter autoexecClick on Create. Edit the macro to insert the DisableAutoMacros command: Sub MAIN DisableAutoMacros 1 End Sub Close the editing session. Exit and save all changes. In the DOS environment,copy msoffice emplatesormal.dot msofficewinwordstartupoauto.doterase msoffice emplatesormal.dot PRO:Disables all AUTO macros.Much less chance of infection. CON: Not foolproof. Does not disable other intercepted macros, nor key shortcuts, etc.Environment is no longer pristine. May lead others to believe the macro you have established is suspicious and cause technical support issues. 3.3.1 Prompt to Save Normal Template in noauto.dot In creating noauto.dot in the above process, it is beneficial to also include the command which turns on the Prompt to Save Normal Template choice. This can be accomplished by using the following macro in place of the above: Sub MAIN DisableAutoMacros 1 ToolsOptionsSave .GlobalDotPrompt = 1 End Sub This insures that the option is set every time, should normal.dot be deleted, or something resets the option. This also allows the MIS director to distribute one file which enforces two of the ideas instead of just one. 3.4 Customized Tools/Macro Because default menu items are often targeted by macro viruses and intercepted, it is important to know how to make your own menu items which will have the same functionality as those which would be intercepted. The following is the instructions to create an equivalent to Tools/Macros Make sure the normal.dot is writeable… Click on Tools, Customize… Choose the Menus tabUnder Categories click on ToolsUnder Commands click on ListMacrosFor Position on menu: choose (At bottom)Click on Rename. Close the editing session. Exit and save all changes. In DOS, please remember to make normal.dot readonly again. Following this, you will have an additional choice under Tools to list the macros in your document. PRO: Bypasses the need to use Tools/Macro…Not subject to virus payloads tied to Tools/Macro. CON: Works until viruses start to intercept Tools/ListMacros.But, now that you know how to do this, you can create your own toolbar choices for such things as the Organizer function in section 3.2 Menu Choices within Word. 3.5 Word 7.0a and Word97 After macro viruses came along, Microsoft looked for some very basic and simple rules. It came upon the rule, If you don t have macros, it can t have macro viruses. And derived from this rule, If there are macros in the document, that could be a virus. Thus in Word 7.0a (available for the Windows95 platform) and in Word97, a new check box was added to Tools/Options /General. This check box allows the user to be alerted if any macros exist in a document which is about to be opened. If such a document is encountered, the user is given the choice of stopping, continuing unaltered, or continuing with the macros disabled. If the user chooses to continue with the macros disabled, the file is opened in a read-only state and cannot be changed. For the average user and the home user, it is wise to have this option turned on. Obviously, the ones who should not use this option would be the ones who regularly use macros. An alarm system such as this is only useful if it generates few alarms. And when it does generate an alarm, such an alarm needs to be, reflecting a virus. Many alarms which turn out to not be viruses will cause the user to be anesthetized and he will likely disregard the next alarm or turn it off. Although seemingly perfect in its simplicity, Microsoft added some usability touches to it and thus created some security holes. These security holes have previously been documented by Vesselin Bontchev and revolve around certain conditions where Microsoft would expect macros to appear. Thus if those macros turn out to be viral, the initial warning won t alert because the macros were expected to be there. PRO:Generally effective. If there s a macro in the document, it tells you so. CON:Alerts on everything (almost).People are apt to turn it off. 3.6 Read-Only Recommended for Normal.dot In section 4, methods will be presented for the operating system to enforce the ReadOnly (RO) attribute of normal.dot. However, Word also allows for its own enforcement of normal.dot as a RO file. Therefore, even if the file is not RO, Word can still open it as if it were. Which also means, if the file is RO, this choice will be meaningless. At the end of this section will be instructions on how to turn on this option. The downside to using this option is that each time you start Word, it will ask you if you wish to open the file as read-only. This can become bothersome and lead you to turn it off quickly. Of the techniques described in this paper, this is the most bothersome as it will interfere with a message even in a clean environment. Most techniques described in this paper are quiet most of the time. To set up this option:Start a Word session and explicitly open the normal.dot file. (Normally found in MsOfficeTemplates.)Click on Tools, Options… Choose the Save tab. The instructions are the same as in section 2.1 Prompt to Save Normal Template.At the bottom, on the left, in a box titled File-Sharing Options for normal.dot, check Read-Only Recommended. Close the editing session. Exit and save all changes. PRO:Allows flexibility for those who would sometimes want their normal.dot to be read-only and sometimes not. CON:Asserts a message to you each time you start Word.People are apt to turn it off. 3.7 Password protect Normal.dot Yet another offering under the Save tab of Tools, Options , adjacent to Read-Only Recommended, is Write-Reservation Password (For Word97: Password to modify). If this choice is invoked, each time Word is started, the user will be asked for enter the password or open the file as read-only. The advantage of this is that only select people will be allowed to modify normal.dot, and only if that person knows beforehand that he wishes to change it. The disadvantage is that only select people can clean up such an infection. And on those occasions when normal.dot is allowed to be infected, no warning is given that it has been. To set up this option:Start a Word session and explicitly open the normal.dot file. (Normally found in MsOfficeTemplates.)Click on Tools, Options… Choose the Save tab. The instructions are the same as above.At the bottom, on the left, in a box titled File-Sharing Options for normal.dot, type a password into the Write-Reservation Password box. You will then be asked to confirm the password. Type in that same password again.Close the editing session. Exit and save all changes. PRO:Allows flexibility to a select few who would sometimes want their normal.dot to be read-only and sometimes not. CON:Asserts a message to you each time you start Word.Only that same select few can clean up the global infection. 3.8 (Word97) Lock VB Project for Normal.dot As a user of Word97, there is yet another method to make normal.dot a write-protected document. This feature is to prevent modules from being created, viewed, or copied into the Template Project. Macro viruses, which would be Visual Basic modules, would fall into that class. However, font selections, AutoText, and other stylistic choices and settings do not. Thus a user could change certain default choices in normal.dot without having to overcome protections, and also not allow the standard macro virus to infect. To set this up, make sure the normal.dot is writeable…Start a Word97 session.Press ALT-F11 to open the VB-Editor.Click on View, Project Explorer to activate.Mark Normal in the Project Explorer.Click on Tools, Normal Properties Choose the Protection tab.

Check Lock project for viewing and set a password.Click on File, Save Normal.Close the editing session. PRO:Virus cannot bypass this unless it happens to guess your password.Users needing to change Autotext and Toolbars won t be affected. 4.0 Using the Operating System to Advantage 4.1 Read-Only Normal.dot Probably the most effective thing one can do for oneself is to change the attribute of normal.dot to be read-only. As it is so easy to do and quite effective, it is also the most talked about method on the Internet. Hopefully, many of you already have this in place in one form or another. DOS has the concept of attribute bits. The most commonly referenced are the System, Read-Only (RO), Hidden, and Archive bits. The specific attribute bit which interests us is the Read-Only bit. If the RO bit is set, normal DOS system calls will refuse to write or change the file. Thus, in theory, if the normal.dot file is RO, no virus will be able to change it. As noted before, a virus generally wants to change the global environment. This generally causes the normal.dot be rewritten. However, if the RO bit is set, when Word opens normal.dot, it recognizes and stores this fact. When Word exits, it remembers normal.dot was RO and refuses any attempt to change it. If it’s such a good idea to set the read-only bit, why doesn’t everyone just do that? What’s the downside? The most obvious consideration is, the file is read-only. It can t be changed, not even if it was your intention. Thus someone who constantly changes one s normal.dot, a RO normal.dot will severely crimp his productivity. While this would seem for such a user that he cannot use this technique, that is not true. A user of macros can still operate with a RO normal.dot if he stores all his macros in files in the default startup directory. So, such a user would change his normal mode of operation. Macros would be handled as in the way we added noauto.dot in section 3.3. Second, and a very important note, is that one doesn’t realize a virus is active until AFTER exiting Word. The significant technical note is to recognize that Word informs you of the attempt to write to normal.dot when it exits. So, all during the time you are using Word, files will continue to be merrily infected without warning. Only on exit do you realize that something bad has been happening through the day. Yet, you will know! And you can immediately shift into “virus forensics” mode. Forensics needs as much historical information as it can muster. To facilitate this, we would want to make use of the Most Recently Used (MRU) list. By default, Word’s MRU list is set to remember the last four files opened by the user. These are going to be the files of interest anyway. The files saved on that day are the ones to be chased down if any of them had been sent to anyone. With a default of only four, we need to increase the length of the MRU list. To do so, in Word, choose Tools then Options… then General. Go to the Recently Used File List and increase the number to its maximum of nine (and remember to check the item). [I use nine, even without the macro virus concern. It's simply more convenient when Word remembers the files you've been working on.] PRO:System level protection.Slows down viral spread.Will know within the day, enables activity tracking.Viruses cannot circumvent this to infect normal.dot in same session.More files available in the MRU list. CON:If user must constantly update his macros, productivity would be hindered.May create false sense of security. 4.2 Word Viewer One of the most common infection vectors is via receiving a document through email, double-clicking on it and having Word automatically open and (without the other protections in place) getting infected. This is governed by one of two setups. It will be either the email program itself being programmed to activate Word based on whatever criteria it uses, or it will be based on the email program making use of the registry. In this section, we shall cover the steps necessary to change the default association of .DOC and .DOT files to Word. This affects such activities as double-clicking, drag-and-drop, and Explorer. [Unfortunately, I was unable to find how to turn off CC:Mail s .DOC and .DOT association to Word.] Reminding ourselves, the purpose of this paper is to cover topics which will help to prevent or reduce macro virus infections. The title of this section is Word Viewer because if instead of using Word to read .DOC files, another program is used instead, one which does not support macros, macro viruses would be less capable of spreading. WordView or WordPad are such programs. WordPad supports no macros. WordView has restricted support of macros. Therefore this section covers the necessary steps to redirect the registry associations of .DOC and .DOT from Word to WordPad or WordView. Find WordPad.EXE (or WordView.EXE) on your system. Note the full pathname for the file.Find REGEDIT.EXE or REGEDT32.EXE on your system and execute.Under HKEY_CLASSES_ROOT, locate .doc and .dotTraverse the structure until you locate Shell then command.Change the associated command to the full pathname of WordPad.EXE. HKEY_CLASSES_ROOT.doc Word.Document.6Word.Document.6 shellopen command C:Program FilesWindows NTAccessoriesWordPad.exe %1 All the commands have to be changed: Open, New, PRO: Does not support macros. CON: WordPad is just not Word.Avoid macros, but doesn t tell you they re there.Some e-mail programs disregard registry! (They re not Windows compatible, despite claims.) If you do not have a viewer, one can be retrieved, free from:http://www.microsoft.com/msword/internet/viewer/viewer97/license.htm 4.3 Replace Normal.dot Every Time In normal DOS usage, there is the regular suggestion to boot clean before running antivirus programs. While there is no need to enforce a clean Word environment before running antivirus programs, it is still worthwhile to know that one s environment is clean before each new day s use. One way this is accomplished is to delete and replace one s normal.dot file each day. We use autoexec.bat to force this each time the machine is booted. Negatively, this effectively makes normal.dot not a useful mechanism to hold changes. If changes are not moved to the archived copy, they are lost. And this method does not inform the user of an infection. Simply the infection is destroyed. Since that s the normal course, I ve added the readonly attribute to the file. To set this up, do the following:cd msoffice emplatesmd archivecopy normal.dot archiveormal.goo (Goo is short for good and presumably won t conflict with any other extensions in use.)attrib +r archiveormal.goo Add the following to autoexec.bat:pushd msoffice emplateserase /f normal.dotcopy archiveormal.goo normal.dotattrib +r normal.dotpopd [If you do not have pushd/popd, use full directory pathnames.] endbat [transition to empty endbat.bat file, see section 4.6] PRO: Boots Word clean every day. CON:Hassle to change any macros. Doesn t tell you if anything happened. 4.4 Check For Changes to Normal.dot Another way to ensure a clean startup of Word, instead of forcing it to be replaced with a new version each day, is to check the present version against the known clean one which had been archived. This method differentiates from the previous one in its ability to alert the user of changes having occurred. To achieve this, we have to save a copy of the current (hopefully clean) normal.dot file. The setup:cd msoffice emplatesmd archivecopy normal.dot archiveormal.gooattrib +r archiveormal.goo Add the following to autoexec.bat:diff msoffice emplatesarchiveormal.goo msoffice emplatesormal.dot > NULDiff is a program similar to fc (from DOS). Fc does not return the necessary errorlevel for use in this manner. Ask the local guru for a copy of diff. He s sure to have one.if errorlevel 1 goto changed[continue]goto end :changedecho normal.dot changed^GThe ^G represents a CTRL-G, which is hold down the Ctrl key, and press G. It causes a beep.pause:endendbat PRO:Informs of any change. Insures clean NORMAL.DOT each day. Generally silent, no problems. CON:Not until next bootup. Requires expert to setup. Requires expert to understand use. 4.5 Check the Startup Directory In section 3.3, after creating noauto.dot, it was suggested that the file be placed in Word s Startup directory. Any template file stored in this directory is automatically installed into Word s environment when Word starts up. That also makes this directory the target of viral attacks as any virus could add itself to an environment by dumping a template file in this directory. Therefore, it is important to keep an eye on the directory to make sure the contents of the directory do not change. To make sure no viruses are added to the directory, we need to store a listing of the directory from a known clean state. Then, each time the machine is started, we make use of autoexec.bat to check that the current contents of the directory is not different from the list which represents what it should be. The code needed to make this happen can be seen below. To set up:Start Word and locate the default Startup directory.Click on Tools.Go to Options Choose the File Locations tab.Look for the entry related to Startup. [If there are three dots in the directory name, double click on the entry to see the full directory name. Write down this directory name. Below, the code example uses msofficeWinwordStartup as that directory.]Cancel, etc. and exit from Word.In DOS, continue by executing the following instruction. dir /b /a msofficeWinwordStartup > %TEMP%startup.lst This dir command creates the list which lists the current contents of the Startup directory and stores this list in your defined temporary directory. If you have an older version of DOS, it may not have some of the parameters that are used. To explain the instruction, /b creates the short form of this command./a includes hidden files so virus writers cannot use that to hide.%TEMP% is replaced by DOS with the defined temp directory. Add the following to autoexec.bat:dir /b /a msofficeWinwordStartup > %TEMP%startup.chk diff %TEMP%startup.lst %TEMP%startup.chk > NULif errorlevel 1 goto diff_startup[continue]goto end :diff_startupecho Word startup directory changed^Gpause:endendbat PRO:Informs of any change.Insures clean boot up each day.Generally silent, no problems. CON:No warning until next boot up.Requires expert to setup.Requires expert to understand use. 4.6 endbat.bat At the end of previous sections, endbat.bat is referenced. In the battle against macro viruses, it is important to know that many macro viruses have payloads which attach extra code to the autoexec.bat file. When this happens, the next time the machine is started, the code added by the macro virus will execute. Thus, it is important to come up with a method which prevents such payloads from taking effect. With batch files, there are two different ways to transfer control to another batch file. One method is to call the second batch file. In this way, after the completion of the second batch file, control is returned to the caller. The second method transfers control directly to another batch file. This method does not return control upon completion of the second batch file. So, first, we create an empty batch file called endbat.bat. And in the autoexec.bat, instead of letting it end by executing the last instruction, we transfer control to endbat, which finishes the startup process. With this setup, any code that is added by a macro virus to the end of autoexec.bat does not ever gain control. Thus, none of that code runs. This same setup will cause software installations which add to the end of autoexec.bat to also fail in the same way. In such situations, simply remove the endbat transfer and replace it at the end of autoexec.bat again. PRO: Endbat.bat immunizes against the effect of viruses adding additional code to end of autoexec.bat. CON:May interfere with software installations that write to autoexec.bat. But prior to macro viruses, that was the use for this setup. 4.7 Rename debug.com and debug.exe Another favored method by virus writers to deposit payloads onto users machines is by way of a debug script. (A debug script is readable text instructions sent to the DOS utility named debug to create a binary file.) Usually, this is used to deliver virus programs or other binary data. To combat this, one can rename or remove debug from users that don t normally have need for that program. (And almost all users don t ever need nor know how to use debug.) Verify that the program is no longer available by typing debug on a command line. If the program still runs, the job is not yet complete. PRO: Users won t be affected by the deposited payloads of viruses that use debug to plant such onto machines. CON:Users don t have the program to use. Not a problem for most users. 5.0 Excel macro viruses 5.1 Check the XLSTART Directory Excel has a startup directory similar to Word. Any template file found in this directory is automatically loaded into Excel on startup. This directory is the XLSTART subdirectory under where Excel exists. This behavior being exactly the same as Word, it means we can use the similar code as was discussed in section 4.5 Check the Startup Directory. dir /b /a msofficeExcelXLStart > %TEMP%xlstart.lst [Please see section 4.5 for a full explanation of the command.] Add the following to autoexec.bat:dir /b /a msofficeExcelXLStart > %TEMP%xlstart.chk diff %TEMP%xlstart.lst %TEMP%xlstart.chk > NULif errorlevel 1 goto diff_xlstart[continue]goto end :diff_xlstartecho Excel startup directory changed^Gpause:endendbat The PROs and CONs are exactly the same as with the same function for Word. 5.2 Create a Personal.xls File We should have learned not to do this by now. This technique is equivalent to creating a Payload macro to address Word macro viruses. Laroux.A checks for the existence of a file by the name of personal.xls in Excel s XLSTART directory. If one exists, it does not infect. Thus, if we put a file by that name in that directory, we will be immunized from Laroux.A. As with Concept.A, Laroux.A is the most widespread of all Excel viruses. And as has happened in the Word arena, other viruses have appeared and other variants of Laroux now exist rendering this technique to little or no effect. To create such a file, simply take an empty Excel file and place it in the XLSTART subdirectory under where Excel is located. PRO:Works against Laroux.A. CON:Works only against Laroux.A. An interesting consequence of cleaning a Laroux infection from the system is that it leaves a clean file by the name of personal.xls (or binv.xls, etc.) in the XLSTART directory. Although I didn t suggest creating one to thwart infection, I do recommend that the file should be left there. The reason for this is that 1) it has already been proven that the particular strain of the virus is spreading nearby. Thus a defense against it is prudent. And 2), removing the file is actually more work than leaving it. 6.0 Author’s recommendations Throughout this paper, I have made hints as to the usefulness of each method. But there are so many and I haven t suggested which to use in combination. Still, I m going to chicken out and not exactly recommend but rather tell you which I use. I have a read-only normal.dot. In addition, I use Prompt to Save Normal Template. In section 2.1, I made a quick comment that the two do not conflict and thus it s possible to use both. Both are meant to warn you by the end of the day if you happened to have gotten your environment infected during the day. But, why use both? Isn t one enough? The first answer is that it doesn t hurt, so why not? The second answer is that some viruses try to undo one or the other. And some both. So, using both techniques means a virus has to attack both simultaneously to circumvent the protection. And if nothing is happening, both are quiet so they won t disturb your everyday work. I also use the DisableAutoMacros template as distributed in the separate file noauto.dot. Most viruses make use of an auto macro of one sort or another to spread. And all the viruses in the wild do. With this macro in place, viruses will not automatically activate and the chance of spreading something, even if you come in contact with it is much smaller. Furthermore, as described in its section, an MIS director can create this file and send it to the whole company to be placed in the appropriate location. Thus this can have a corporate wide impact with little effort. In preparing this paper, I also tried out most of these techniques. I plan to incorporate the checking of the XLSTART directory and Word s startup directory. The XLSTART directory technique is the only significant technique against Excel viruses. Sadly, I was infected by Laroux.A from within my own company recently. (Luckily, I recognized it immediately within a minute.) So, it s starting to hit home. And more Word viruses seem to be taking advantage of the startup directory technique as well. Lastly, throughout all the Office97 products, each is programmed to alert if any macros exist in an incoming document, be that Word, Excel, Powerpoint, Access, or any other. The products in their default mode have the macro alert on. Don t turn it off until you hit your first false alarm. And even then, judge how much trouble the false alarm caused. If you feel that it was not a problem, leave the setting on. The alert is not perfect (the problem scenarios have been documented in Vesselin Bontchev s paper for the 1996 Virus Bulletin Conference). But until you meet a false alarm, it won t have caused you any issues. And it would take effort to turn it off anyway. Might as well do that later than sooner. 6.1 Handling Suspect Documents For the MIS director who must handle their corporation s suspect documents, here are some tips. Use all the techniques in section 6.0. If a file is suspect, create a clean environment by using the process outlined in section 3.3. Examine the file using File/Templates/Organizer, before opening any other files. If the suspect file does not have a ToolsMacro entry, use it to rename the macros to shortened names before examining the macros. If it does, create your own ListMacros menu option and use it instead of ToolsMacro. Lastly, and my only plug for my own product, if you use the DOS version of Scan, if you scan the single file, and Scan reports Analyzed: 1, Scanned: 0, Possibly Infected: 0 then the file has no macros and thus cannot have a virus. If it reports Analyzed: 1, Scanned: 1, Possibly Infected: 0 then the file does have macros. Send it to your favorite (or not) AV Researcher and have him or her tell you if it s infected. 6.1.1 Cleaning Infected Documents There is also the rare occasion that an MIS director must clean an infected document immediately so the document can be used without delay. As AV vendors, we recommend against this activity, but also, as AV vendors, we recognize that we can t necessarily help you every minute of every day. Please use this technique with utmost care, and only if you can t avoid it. This is best done on a stand-alone machine. But if that can t be accomplished, be extra careful! After verifying that the virus does not have an EditCopy or EditCut macro, and there are no templates in the startup directory nor normal.dot, open the file while holding the shift key. (Or for the adventurous, place noauto.dot into the startup directory.) Select entire Document.Edit/Copy to Clipboard.File/Exit from Word.Delete normal.dot (or rename it) and remove all files from the startup directory.Restart Word.File/New a new empty document.Edit/Paste from Clipboard.File/SaveAs as a new document. In so doing, be sure that the file is not automatically being saved as a template. If so, the environment is infected. And assuming all the above was handled properly, pick up the phone and call your AV vendor. 7.0 Acknowledgments Vesselin Bontchev, AV Research, FRISK Software Intl.Stefan Geisenheiner, AV Research, Amsterdam, NL., McAfee Associates. German translation available.Raymond M. Glath, Sr., President, RG Software Systems.Jivko Koltchev, AV Research, Santa Clara, CA, McAfee Associates.Akihiko Muranaka, Tokyo, Japan, McAfee Associates. Japanese translation available.Francois Paget, AV Research, Paris, France, McAfee Associates. French translation available.