MAC Virus

scrapguy

We keep having problems with a MS Word Macro virus (WM97) that keeps
infecting our outgoing word documents. How can I remove the macro
virus? Do you recommend a specific antivirus or cleaner for the MAC?
We have a powerbook G4 and a couple of older iBooks, I could use some
help on this.. Thanks
 
Elliott Roper

scrapguy said:
We keep having problems with a MS Word Macro virus (WM97) that keeps
infecting our outgoing word documents. How can I remove the macro
virus? Do you recommend a specific antivirus or cleaner for the MAC?
We have a powerbook G4 and a couple of older iBooks, I could use some
help on this.. Thanks

I might be wrong, but I think you are looking in the wrong place.
A Macro virus in a PC Word Document can be passed through a Macintosh
(That's Mac, not MAC which is a Media Access Controller aka an
ethernet card) but it won't affect the Mac or be passed from one Mac
Word document to another without the user going to a lot of trouble
with organiser to get it there.

So just look for the corrupt document from the dark side and lose it.
Run your Mac Office with the setting that warns you of any macro in the
document. Treat all such with the deepest suspicion.

Beware of anti-virus products on Macintosh. They are worse than the
disease. You don't need them. They make your machine unstable. There
are no Macintosh viruses (yet)
 
Elliott Roper

Jim Gordon MVP said:
Hi,

Strange, I thought I just answered this. Here goes again...

What to Do If You Have a Macro Virus
http://support.microsoft.com/kb/181080

Is there a more up-to-date version of that 2002 report?
How many of the viruses and workarounds are still effective in Word X
and Word 2004? It looks like the workarounds are good but a bit
heavy-handed. Why keep hiding normal? Won't organizer see all the
macros everywhere?
 
John McGhie [MVP - Word and Word Macintosh]

Hi Elliott:

That article is still pretty current. The only difference is that Virex,
NAV and most of the other antivirus products will now find macro viruses on
the Mac.

There was a "fool's paradise" period when Mac AV products looked only for
viruses that could infect the Mac. Since there were very few, it made the
products cheap to produce and maintain, and performance was not a problem
:) However, that simply turned every Mac into a sort-of "Typhoid Mary",
cheerfully passing on viruses inherited from PCs.

The reason that article wants Normal template moved to the desktop is to
protect against VBA viruses. VBA viruses that are carefully coded can
self-replicate on either the PC or the Mac. When Word starts up, it
executes any code set to run on startup in Normal template, because Normal
template is a "trusted" source.

That's basically how Word viruses spread. If you quit Word then move
Normal.dot to the desktop, when Word starts up, it creates a fresh, totally
clean Normal.dot from its hard-coded defaults. This prevents the majority
of viruses from spreading while you deal with the problem.

You can then run a commercial AV product (Virex works well, but you can't
buy fewer than five copies...) to clean the rest of the system. I had an
unhappy experience with Norton AntiVirus (very unhappy: it crippled my
network...)

You can then safely use Organiser to copy back from the old Normal on the
desktop any things such as styles, toolbars, and AutoTexts that you value.

Hope this helps

Is there a more up-to-date version of that 2002 report?
How many of the viruses and workarounds are still effective in Word X
and Word 2004? It looks like the workarounds are good but a bit
heavy-handed. Why keep hiding normal? Won't organizer see all the
macros everywhere?

--

Please reply to the newsgroup to maintain the thread. Please do not email
me unless I ask you to.

John McGhie <[email protected]>
Microsoft MVP, Word and Word for Macintosh. Consultant Technical Writer
Sydney, Australia +61 4 1209 1410
 
Elliott Roper

John McGhie [MVP - Word said:
Hi Elliott:

That article is still pretty current. The only difference is that Virex,
NAV and most of the other antivirus products will now find macro viruses on
the Mac.

There was a "fool's paradise" period when Mac AV products looked only for
viruses that could infect the Mac. Since there were very few, it made the
products cheap to produce and maintain, and performance was not a problem
:) However, that simply turned every Mac into a sort-of "Typhoid Mary",
cheerfully passing on viruses inherited from PCs.

Heh! I *like* being a typhoid Mary

The reason that article wants Normal template moved to the desktop is to
protect against VBA viruses. VBA viruses that are carefully coded can
self-replicate on either the PC or the Mac. When Word starts up, it
executes any code set to run on startup in Normal template, because Normal
template is a "trusted" source.

So I should be able to inspect the macros and their source in normal
and see the virus sitting there any time I go to tools->macros... ? Or
can some of these viruses remove themselves from the 'running' normal?

That's basically how Word viruses spread. If you quit Word then move
Normal.dot to the desktop, when Word starts up, it creates a fresh, totally
clean Normal.dot from its hard-coded defaults. This prevents the majority
of viruses from spreading while you deal with the problem.

You can then run a commercial AV product (Virex works well, but you can't
buy fewer than five copies...) to clean the rest of the system. I had an
unhappy experience with Norton AntiVirus (very unhappy: it crippled my
network...)

Too true. The cure is worse than the disease. But why do I need to
clean up the "rest of the system" with a scanner? Is not the virus only
resident in Word templates?

Hope this helps

Certainly does, thanks.
 
Jeff Wiseman

John said:
The reason that article wants Normal template moved to the desktop is to
protect against VBA viruses. VBA viruses that are carefully coded can
self-replicate on either the PC or the Mac. When Word starts up, it
executes any code set to run on startup in Normal template, because Normal
template is a "trusted" source.


I'm not real familiar with these issues with VBA and all but I
was curious about the normal template. If these things propagate
by infecting the normal template, assuming that you are starting
with a clean normal template that you don't need to modify
yourself, could you lock brute-force protect the thing by changing
the file privileges to read only for all? Word doesn't have any
bizarre attributes where it absolutely HAS to write to normal
every time it runs, does it?

I've been thinking that this might also be an easy way to avoid
general corruption of the normal template as well (which seems to
also be a frequent occurrence).
 
macwhiz

Sophos & clamXav do a better job when it comes to catching/removing P
viruses than Virex 7 or NAV
 
Jeff Wiseman

Daiya said:
PS. Yay, Friday, no looming deadlines!

Unless, of course, it was due on Thursday...
:)


OK, so this Normal thing is not only a template, it's a
preferences file, environment control file, and temporary data
shuffling workspace all rolled into one. This is the very type of
incestuous relationship that crosscouples software systems to the
point of self destruction and that defies all attempts to improve
things short of tossing the application and starting over.

Well now I understand things a bit better :)

So I guess the real trick might be to just try and leave it as
much a "vanilla" flavour as possible--i.e., limited customizing
and use a separate custom template for styles and contents
related preferences. The suggested actions in the papers that you
pointed out are quite understandable to me in this recent light...
 
John McGhie [MVP - Word and Word Macintosh]

Hi Elliott:

So I should be able to inspect the macros and their source in normal
and see the virus sitting there any time I go to tools->macros... ? Or
can some of these viruses remove themselves from the 'running' normal?

*You* might be able to, but it's not an option I would suggest to a user who
does not have advanced VBA skills :)

It's trivial to "hide" code from Tools>Macro... It's a little more
difficult to hide them from Organiser. But to really know whether the thing
is clean, you need to open it in the VBA editor and inspect every line of
code.

Some of these viruses are NOT "AutoOpen" macros, they're Private procedures
in Private modules and they are fired by hooking the Document_Open event.
Unless you have a look at the VBA Project, you can't tell which Events and
which Modules are hooked.

But why do I need to
clean up the "rest of the system" with a scanner. Is not the virus only
resident in Word templates?

Most certainly NOT :) A virus can be in *any* kind of file. JPEGs and
GIFs are particularly suspect. An ordinary HTML email can getcha... Modern
Office Macro viruses typically infect the documents themselves. A Word
document has a VBA project within it, just like a template does.

An important problem is that people can lie about what kind of file they
have produced by changing the extension to something else. Mac users are
not accustomed to looking at extensions. They may not be alert for the
possibility that a file has an extension that does not correspond with its
icon in the Finder.

Hope this helps

--

Please reply to the newsgroup to maintain the thread. Please do not email
me unless I ask you to.

John McGhie <[email protected]>
Microsoft MVP, Word and Word for Macintosh. Consultant Technical Writer
Sydney, Australia +61 4 1209 1410
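
An added example (not part of the thread and not any poster's code): a Python sketch of the content-based check the post above points at, comparing a file's leading bytes with its extension and flagging OLE2 Word files that carry a VBA project stream. The signature table, the `triage` helper and the sample bytes are constructed for illustration; the `_VBA_PROJECT` search is a byte-level heuristic, not a full compound-file parser.

```python
import os

# Leading-byte signatures for the file types mentioned in the thread.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file (.doc/.dot)
MAGIC = {
    "ole2": OLE_MAGIC,
    "jpeg": b"\xFF\xD8\xFF",
    "gif": b"GIF8",
    "pe-executable": b"MZ",
}
# What each extension is supposed to contain.
EXPECTED = {".doc": "ole2", ".dot": "ole2", ".jpg": "jpeg", ".jpeg": "jpeg",
            ".gif": "gif", ".scr": "pe-executable", ".exe": "pe-executable"}
# OLE2 directory entry names are UTF-16LE; this stream exists when the
# file carries a VBA project. Heuristic match on raw bytes (assumption).
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

def sniff(data):
    """Return the content type suggested by the leading bytes."""
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(name, data):
    """List reasons to distrust a file, judged by content rather than name."""
    findings = []
    kind = sniff(data)
    base, ext = os.path.splitext(name.lower())
    expected = EXPECTED.get(ext)
    if expected and kind != expected:
        findings.append(f"extension {ext} but content looks like {kind}")
    inner = os.path.splitext(base)[1]
    if inner in EXPECTED and inner != ext:
        findings.append(f"double extension {inner}{ext}")
    if kind == "ole2" and VBA_MARKER in data:
        findings.append("contains a VBA project (macros present)")
    return findings

# Constructed sample bytes, not real documents or executables.
MACRO_DOC = OLE_MAGIC + b"\x00" * 64 + VBA_MARKER
FAKE_SCR = b"MZ" + b"\x00" * 32
PLAIN_GIF = b"GIF89a" + b"\x00" * 16

if __name__ == "__main__":
    samples = [("report.doc", MACRO_DOC), ("productlist.scr.gif", FAKE_SCR),
               ("photo.jpg", MACRO_DOC), ("holiday.gif", PLAIN_GIF)]
    for name, data in samples:
        print(name, "->", triage(name, data) or "no findings")
```

A clean result here only means the name and leading bytes agree and no VBA stream name was seen; it does not replace opening the VBA project and reading the code.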
 
John McGhie [MVP - Word and Word Macintosh]

Hi Jeff:

As I just said to Elliott:

1) It doesn't really matter where a virus is these days. If the author of
the virus knows what they are doing, they can lodge it in literally any kind
of file, or cause literally any kind of file to impersonate any other kind
of file.

2) Yes. Word requires constant and exclusive write-access to the user's
Normal template. Word uses that as the persistent store of user
information. Word running with a read-only Normal template will last about
four or five hours before crashing because of all the pending writes to
Normal it has stacked in system memory.

Word's normal template is not as unstable as it might seem. My "work" one
was created in 2003 and is still going fine. The one on the Mac is a much
more recent vintage, because I am forever futzing with it to try things out
for posting in here.

The main problem tends to be "inconsistencies" that are written into the
template by users. Bullets and Numbering schemes are a particular source of
bother.

It's just a lot easier and quicker to advise users to "Rename Normal
Template" as part of trouble-shooting than it is to talk them through all
the steps it takes to find out what the problem really is, then remove it
from the existing Normal template.

Hope this helps

I'm not real familiar with these issues with VBA and all but I
was curious about the normal template. If these things propagate
by infecting the normal template, assuming that you are starting
with a clean normal template that you don't need to modify
yourself, could you lock brute-force protect the thing by changing
the file privileges to read only for all? Word doesn't have any
bizarre attributes where it absolutely HAS to write to normal
every time it runs, does it?

I've been thinking that this might also be an easy way to avoid
general corruption of the normal template as well (which seems to
also be a frequent occurrence).

--

Please reply to the newsgroup to maintain the thread. Please do not email
me unless I ask you to.

John McGhie <[email protected]>
Microsoft MVP, Word and Word for Macintosh. Consultant Technical Writer
Sydney, Australia +61 4 1209 1410
 
Elliott Roper

John McGhie [MVP - Word said:
Hi Elliott:

So I should be able to inspect the macros and their source in normal
and see the virus sitting there any time I go to tools->macros... ? Or
can some of these viruses remove themselves from the 'running' normal?

*You* might be able to, but it's not an option I would suggest to a user who
does not have advanced VBA skills :)
It's trivial to "hide" code from Tools>Macro... It's a little more
difficult to hide them from Organiser. But to really know whether the thing
is clean, you need to open it in the VBA editor and inspect every line of
code.

I need to learn a bit more VBA. That looks like a good motivator.

Some of these viruses are NOT "AutoOpen" macros, they're Private procedures
in Private modules and they are fired by hooking the Document_Open event.
Unless you have a look at the VBA Project, you can't tell which Events and
which Modules are hooked.

Where do private modules hide, if not in Normal and global templates?
Oh wait, you have just answered that. I can open any document and
inspect the VBA project. Aha! in there I see all the macros are in a
locked module which is my global normal template. Does this mean a
macro virus can't write to it even if I enable macros when opening a
Word document I received over the net from Wile R Coyote extolling his
bargain Rolex watches and containing a picture called
productlist.scr.gif?

Most certainly NOT :) A virus can be in *any* kind of file. JPEGs and
GIFs are particularly suspect. An ordinary HTML email can getcha... Modern
Office Macro viruses typically infect the documents themselves. A Word
document has a VBA project within it, just like a template does.

Hang on. Are you seriously suggesting a mechanism whereby Word on a Mac
can catch a macro virus from a jpg? I guess it could be a typhoid Mary,
but surely that's it. It's obvious that another Word document can be a
suspect, but only if you enable its macros surely?

An important problem is that people can lie about what kind of file they
have produced by changing the extension to something else. Mac users are
not accustomed to looking at extensions. They may not be alert for the
possibility that a file has an extension that does not correspond with its
icon in the Finder.

Tell me about it. My spam filter catches a hundred a day.
 
John McGhie [MVP - Word and Word Macintosh]

Hi Elliott:

Where do private modules hide, if not in Normal and global templates?
Oh wait, you have just answered that. I can open any document and
inspect the VBA project. Aha! in there I see all the macros are in a
locked module which is my global normal template. Does this mean a
macro virus can't write to it even if I enable macros when opening a
Word document I received over the net from Wile R Coyote extolling his
bargain Rolex watches and containing a picture called
productlist.scr.gif?

No. It simply means the VBA Editor can't write to it in that context. If
you were to close the Document VBA project, the Template VBA project should
unlock, depending on how you have Macro security set.

Hang on. Are you seriously suggesting a mechanism whereby Word on a Mac
can catch a macro virus from a jpg?

Yep. You will forgive me if I do not explain exactly "how" right here, but
yes, it is possible. Come to think of it, *I* do not know exactly "how".
One of the Network Security Analysts at the Commonwealth Bank of Australia
explained it to me one day, but my brain was out to lunch at the time...

It's obvious that another Word document can be a
suspect, but only if you enable its macros surely?

Yes and no. The original question was in the context of "User trying to
find a macro that has already infected the system." If it has, then every
file on the system, on the HDD, on any removable drive that has ever been
attached, and in memory, is suspect. Once these things get going, there is
no theoretical limit to what they can do.

In the context of "User attempting to prevent infection" things are
different. In the latest version of Word Mac, Macro Security is always on
and always set to "medium" (Prompt for Macros).

Knowledgeable users who know that while the free Rolex watch offer email is
perfectly valid, the .scr file attached is not, will have the brains to
click "No" when the thing offers to automatically fill in the form to apply
for the watch.

Users who want the free Rolex without all that typing just installed a virus
server on the corporate network that sits there quietly polling for IP
addresses and sending a copy of itself to anything that answers :)

Modern "Viruses" as opposed to VBA pranks coded up by pimply youths with
time on their hands, are capable of working around Word's Macro Virus
Protection. They come in from other applications (e.g. The picture exploits
come in through the OS filter :))

I think virus-writing has now advanced to the point where it's a serious
threat, even on a Mac :)

Cheers

--

Please reply to the newsgroup to maintain the thread. Please do not email
me unless I ask you to.

John McGhie <[email protected]>
Microsoft MVP, Word and Word for Macintosh. Consultant Technical Writer
Sydney, Australia +61 4 1209 1410
 
Clive Huggan

On 4/11/05 11:08 PM, in article BF919A70.23DFE%[email protected], "John

Virex works well, but you can't buy fewer than five copies

<snip>

I have Virex, John -- licensed for only one copy. But I have had the licence
for a long time. Is the "minimum of five" a recent development?

Cheers,

Clive
========
 
Sandy Foster

Clive Huggan said:
On 4/11/05 11:08 PM, in article BF919A70.23DFE%[email protected], "John



<snip>

I have Virex, John -- licensed for only one copy. But I have had the licence
for a long time. Is the "minimum of five" a recent development?

Cheers,

Clive
========


I've had mine for only a couple of years, and it's a one-person version,
too.
 
Sandy Foster

You guys tell me where you bought it and I will be there tomorrow with my
credit card....

That product works really well, and I want it back :)



I bought mine online from MacWarehouse or MacConnection -- can't
remember which one.
 
