Abstract: Computer viruses written in the macro language of powerful office packages, particularly of Microsoft Word for Windows, are a relatively new phenomenon. Most of the viruses of this kind known to date rely heavily on the availability of the so-called "auto" macros (macros which execute automatically when the document containing them is opened or closed) in order to spread. This has created, among some anti-virus producers, the illusion that macro viruses have to depend on the auto macros in order to replicate. Based on this erroneous assumption, some companies have developed inadequate anti-virus products and protection schemes. This paper demonstrates that the assumption is false: there are many other ways in which a WordMacro virus can get control and replicate successfully. The paper describes all these methods known to the author, emphasizes that they pose a problem mostly to anti-virus programs of the generic kind (i.e., not to virus-specific scanners), and explains what measures have to be taken in order to block these attacks reliably.
2.1. Attacks Against Heuristic Analyzers
2.1.1. System Macros
2.1.2. Menu Replacement
2.1.3. Button Redefinition
2.1.4. Key Shortcuts
2.1.5. The FieldMacro Attack
2.1.6. On-the-Fly Macro Construction
2.1.7. Language Version-Independent Macro Viruses
2.1.8. Corrupted Macro Bodies
2.1.9. Dispersed Macro Viruses
2.2. Attacks Against Integrity Checkers
2.2.1. Infection of the STARTUP Directory
2.2.2. Add-In Global Templates
2.2.3. Companion Macro Viruses
2.2.4. Avoiding Infection of the Global Templates
2.2.5. Direct-Action Macro Viruses
2.3. Attacks Against Scanners
2.3.1. On-the-Fly Encryption of the Document
2.3.2. Document to Macro Conversion
2.3.3. Polymorphic Macros
2.3.4. Chained Macros
2.3.5. "Mating" Macro Viruses
2.3.6. Macro Virus Mutators
2.3.7. Parasitic Macro Viruses
2.3.8. Stealth Macro Viruses
2.3.9. Richard’s Problem
2.3.10. Igor’s Problem
2.4. Attacks Against Behavior Blocking
2.4.1. Bypassing the ReadOnly Attribute of the Global Template
3.1. The MACROBUTTON Attack
3.2. The Macro Name Conflict Attack
3.3. The OLE Attack