29-09-2012, 10:57 AM
Free Anti-Virus Tips and Techniques
Introduction
In the summer of 1995, the Word Concept virus was unleashed upon an unsuspecting
world, changing the scope of the virus problem forever. For the first time, viruses could reside in
common word processing and spreadsheet documents. Since that time, Word and Excel macro
viruses have become the most dominant virus threat to organizations and individuals alike,
appearing at a rate of over 200 new viruses per month. “In 1999 alone, $7.6 billion in damage was
done by viruses, many of them macro viruses affecting Word and Excel environments.”
Network Associates offers a comprehensive solution for all existing and new macro
viruses in its McAfee Total Virus Defense suite scanning engine. Part of any good virus
security policy, however, involves things you can do at no cost to reduce your exposure to
macro viruses.
The objective of this paper is to introduce a variety of free macro anti-virus techniques
and discuss the pros and cons of each. This paper concludes with the author discussing several
methods he personally uses to protect himself against macro viruses in his day-to-day work.
Introduction to Macro Viruses
Macro viruses take advantage of “macro” utility tools built into programs such as
Microsoft Word and Excel. By riding on data files exchanged through the application, macro
viruses infect great numbers of documents. While macro viruses are application-specific, they
are not operating system dependent, which means they can quickly travel in e-mail,
downloads, floppies and groupware applications.
Macro viruses can exist in any number of products that give a user the ability to write
macro scripts that can, in turn, write to the disk to propagate more macros. Because of its
widespread usage, the product with the most macro viruses today is Microsoft Word. Viruses
spread most easily in the MS Word environment because documents can contain both text and
macros. By combining both text and macros, the user has much more power and usability
features. The two go hand in hand. More power to the user. More potential for macro viruses.
Microsoft Excel is similarly afflicted. Excel macro viruses began appearing some time
after the original Word macro virus, but are being discovered at an alarming rate today. The
same dynamics that affect Word also affect Excel. Excel also uses OLE2 container files,
combining macros and all of the cell functions and data in the same file.
When Microsoft Office 97 was released, all macro languages converged upon Visual
Basic 5 (VB5), making cross-application viruses a theoretical possibility. This makes the
possibility of macro viruses for other platforms only a matter of time, especially as more and
more vendors independently support VB5.
Microsoft Word Macro Viruses
The Shift Key
Most macro viruses make use of Word's AutoOpen and AutoClose macros to operate.
Disabling these built-in macros can be an effective way of stopping such macro viruses from
spreading. Holding down the shift key during the startup of Word allows for a file to be
opened without allowing any Auto macros to execute. This will prevent viruses that use the
AutoOpen macro in order to spread. Similarly, if held down at exit, the AutoClose macro will
not be executed.
In order to correctly make use of this feature, one must be holding down either shift key
at the moment Word is activated, and continue holding throughout the startup process. To be
sure this occurs, you should hold the key down with one hand while the other hand is
double-clicking the Word icon. It might seem obvious, but it is not always easy to do, even if
you remember. The shift key must be held down for the duration of Word's startup process.
Letting go early may allow a macro to execute.
Menu Choices within Word
Macros are separate from the text and are not seen unless one goes looking for them.
The most common way to check for macros would be through Tools then Macro...
Unfortunately, viruses can intercept menu items. And the most commonly intercepted
function is... Tools/Macro. This makes it unwise in a suspect situation to use Tools/Macro to
determine if macros exist in documents. In the Customized Tools/Macro section below, you
will be shown how to create your own replacement to Tools/Macro.
It is safe, however, for you to view macros in document files through the use of the
Organizer function. The Organizer can be reached through either
File/Templates/Organizer... or Format/Styles/Organizer..., or by creating your own following
the instructions in the Customized Tools/Macro section below.
To see if macros exist in a document file without being affected by them, exit and restart
Word without opening any documents. If you suspect that the normal.dot file or the startup
environment may be infected, you need to rename normal.dot and rename all the document files
in the startup directory to extensions other than DOC or DOT so Word can be started in a pristine state.
To ensure that no virus affects your viewing of a suspect file, one must ensure that Word is
started in a pristine state by following the previous directions.
Using RTF (Rich Text Format) Files
The previous suggestions are mostly concerned with how to detect viruses. This section
addresses how to avoid sending out an infected document, and in so doing, possibly protect
your organization from being infected.
There is a rumor that says .RTF files cannot have macro viruses. First, let us specifically
define what that means:
When using the File/SaveAs... function, there is a box that allows you to choose what
type of file you wish to save this file as (Save as type). When one chooses Rich Text Format, the
document is saved without macros. However, this does not apply to embedded documents.
Even though the top level may not contain macros, embedded documents may. But most
people do not use embedded documents, and this is one reason why they should not. Abiding
by the rule that if a file does not have macros, it cannot have macro viruses, this then
becomes a rather useful way to distribute one's finished work.
But just because a file has a .RTF extension does not mean that it is a Rich Text Format
file. First, any file can have any name you designate. More importantly, WM/CAP, one of the most
prevalent Word macro viruses, actually takes over the File/SaveAs... operation specifically to
fool a user who tries to take advantage of this fact.
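
The point above, that a .RTF name proves nothing about the content, can be checked by reading the file's first bytes instead of trusting its extension. The following is an added example, not part of the original paper: the function names sniff and check_rtf_claim are hypothetical, and the sample byte strings are constructed for illustration. It also flags embedded objects inside a genuine RTF file, since the paper notes that embedded documents may still carry macros.

```python
import re

# File signatures: OLE2 compound file (native Word .doc/.dot) and RTF.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
RTF_MAGIC = b"{\\rtf"
# RTF control words that mark an embedded object and its payload.
EMBED_RE = re.compile(rb"\\(object|objemb|objdata)(?![a-z])")


def sniff(data: bytes) -> str:
    """Identify the real format from content, never from the file name."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "unknown"


def check_rtf_claim(name: str, data: bytes) -> list:
    """Return findings for a file that is supposed to be macro-free RTF."""
    findings = []
    kind = sniff(data)
    if name.lower().endswith(".rtf") and kind != "rtf":
        findings.append(f"extension says RTF but content is {kind}")
    if kind == "ole2":
        findings.append("OLE2 container: can carry macros")
    if kind == "rtf":
        words = sorted({m.group(1).decode() for m in EMBED_RE.finditer(data)})
        if words:
            findings.append("embedded object present: " + ", ".join(words))
    return findings


# Constructed samples (not real documents).
SAMPLES = {
    "report.rtf": b"{\\rtf1\\ansi Finished report.}",
    "renamed.rtf": OLE2_MAGIC + b"\x00" * 504,
    "embedded.rtf": b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105}}}",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, "->", check_rtf_claim(name, data) or "looks like plain RTF")
```

A signature check of this kind only catches a mislabeled or object-bearing file; it complements virus scanning rather than replacing it.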