
The advantage of this type of virus is obvious, but not many of them have been seen, because a multipartite virus has a downside: it is complex to design and implement. It requires deep knowledge of the operating system internals in two areas, booting and executable files. Also, the final virus is large, which makes it harder to hide and may result in more programming bugs (generally, the bigger a program, the longer it takes to debug).

In order to propagate itself effectively, a multipartite virus has to be efficient. When it is executed, it should perform the following tasks:

It should establish itself in memory (if it is not located there already), like a BSI, by modifying one or more interrupt-handling routines, especially the routine that’s invoked when a removable disk is inserted. This way the virus will be able to infect the boot sectors of new disks inserted into the computer.

Once this is done, the virus should look for executable files that it recognizes and should try to infect as many of them as possible.

This short list of tasks is easy to read and understand, but difficult to program, which is why some multipartite viruses adopt a simple (but much less effective) spreading policy. If the virus is embedded in an executable file (i.e., if it is currently a file infector) it tries to infect the boot sector of new removable disks, whereas if the virus is a BSI (i.e., it came from a boot sector and is now located in memory), it tries to infect executable files.

Exercise 2.8: Show why this policy for spreading the virus is bad.

It is also possible to combine the features of a virus and a worm in one piece of malware. The MTX malware (Section 5.12), for example, propagates both as a worm and as a file infector.

2.10 Macro and Script Viruses

In the computer world, the term macro refers to a name or a symbol that stands for a list of commands or a string of characters. When using a word processor to write a letter, the heading with the date and our name, address, and telephone number is always the same. It makes sense to define a macro called header, such that typing the single word header typesets this information in the format we like (it expands or plays back the macro). If we want two headers in different styles, perhaps for personal and professional letters, we can either define two macros or write a single macro that depends on a parameter, such that the expansion header pers will execute the commands for typesetting the header of a personal letter and header pro will do the same for a professional letter. The popular word processor Microsoft Word supports extensive macros (see, for example, [Roman 99]) that can, among other things, create, rename, save, and delete files, and typeset headers, footers, and section titles.

Exercise 2.9: The date is different each day, so how can we say that a header with the date is always the same?

Macro: A set of keystrokes and instructions that are recorded, saved, and assigned to a short key code. When the key code is typed, the recorded keystrokes and instructions execute (play back). Macros can simplify day-to-day operations, which otherwise become tedious. For example, a single macro keystroke can set up a connection using pcAnywhere.

—From securityresponse.symantec.com/avcenter/refa.html.

A macro is useful, but it also introduces a security weakness; it may be a virus. A macro virus for Microsoft Word is a .doc file whose header section consists of the virus commands. When Microsoft Word opens such a file, it innocently executes the commands, which can insert unwanted text at certain points, change the current font or style, and also infect other .doc files found in the computer. In principle, a macro virus is not limited to .doc files and has the potential to cause any type of damage. Most of the macro viruses that have been detected and analyzed were specifically written for Microsoft Word and Excel. A typical trigger for a Word macro virus uses the document’s version count. Microsoft Word keeps in the document file a counter that counts the version of the document. This counter is used by many macro viruses to trigger the virus’s payload when it equals the current date or time or when it is divisible by a certain prime number. A macro may be useful either in a certain document or in general. General macros for Microsoft Word are stored by the Windows operating system in the global template file NORMAL.DOT, thereby making it easy for a macro virus to copy itself from an infected Word document to this file. Once there, the macro is always available. If the user accidentally types the macro’s name, it is expanded into the current document and infects it.

Some macros have a predetermined name, identical to the name of a command. Thus, if a macro FileSaveAs exists in Microsoft Word, it will be expanded every time the user selects the menu item Save as from the File menu.

A macro virus often spreads as an email virus. A well-known example is the Melissa virus of March 1999 (Section 5.5).

Virus detection software can identify macro viruses, but as a cautious user you should be familiar with the macros you use with any program, and check often for new, unfamiliar macros.
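The advice to check often for new, unfamiliar macros can be turned into a routine baseline comparison. The following is an added example, not code from the book: it assumes the macro source text has already been extracted from a document or template (by whatever tool is at hand) and is given as a name-to-source mapping; the VBA-looking sample sources and the list of automatic macro names are constructed for the example. It fingerprints each macro, reports names that are new, changed, or removed relative to a saved baseline, and singles out any new or changed macro whose name hooks an automatic command.

```python
import hashlib
import re

# Macro names that run automatically on a document or menu event (assumed list,
# modelled on the page's FileSaveAs example and Word's Auto* macros).
AUTO_MACRO_NAMES = {"AutoExec", "AutoOpen", "AutoClose", "AutoNew", "FileSaveAs", "FileOpen"}


def fingerprint(modules):
    """Map macro name -> SHA-256 of its source with whitespace normalized,
    so a reformatted but otherwise identical macro is not reported as changed."""
    out = {}
    for name, src in modules.items():
        normalized = re.sub(r"\s+", " ", src).strip()
        out[name] = hashlib.sha256(normalized.encode("utf-8")).hexdigest()
    return out


def audit_macros(baseline, current):
    """Compare the macros seen now against a saved baseline."""
    b, c = fingerprint(baseline), fingerprint(current)
    new = sorted(set(c) - set(b))
    changed = sorted(n for n in c if n in b and c[n] != b[n])
    removed = sorted(set(b) - set(c))
    # A new or altered macro under an automatic name deserves the first look:
    # it runs without the user ever typing its name.
    auto_hooks = sorted(n for n in new + changed if n in AUTO_MACRO_NAMES)
    return {"new": new, "changed": changed, "removed": removed, "auto_hooks": auto_hooks}


# Constructed sample data: the user's own header macro as recorded in the
# baseline, then the same template later with an extra automatic macro.
BASELINE_MACROS = {
    "header": 'Sub header()\n    Selection.TypeText "Jane Doe, 1 Main St"\nEnd Sub',
}
CURRENT_MACROS = {
    "header": 'Sub header()\n  Selection.TypeText "Jane Doe, 1 Main St"\nEnd Sub',
    "AutoOpen": 'Sub AutoOpen()\n  MsgBox "hello"\nEnd Sub',
}


def demo():
    return audit_macros(BASELINE_MACROS, CURRENT_MACROS)


if __name__ == "__main__":
    print(demo())
```

The baseline should be recorded when the template is known to be clean and stored somewhere the word processor cannot write to; the comparison is only as trustworthy as the baseline it starts from.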

In principle, macro viruses can be eliminated (or at least greatly limited) by allowing only special-purpose macros. A word processor with restricted macros may allow one macro to enter text, another macro to analyze it, a third macro to print the result in a special format, but will not allow one macro to do the entire job. Such restrictions limit what a macro virus can do and thereby discourage virus authors. However, because of competition, software makers tend to implement powerful features in their programs and this trend, while helping the users, also makes the virus writer’s “job” easier.
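The points made above (a named macro that plays back a command list, the parameterized header pers / header pro expansion, a macro that shadows a built-in command such as FileSaveAs, copying into the global template, and the restricted special-purpose macros proposed in this paragraph) can be shown together in one small model. This is an added example, not the book's code and not Microsoft Word's macro system: the command names, the capability labels, the list of automatic macro names, and the sample macros are all constructed. Each macro declares the single purpose it needs; in restricted mode the engine refuses any macro whose commands require more than that, and in unrestricted mode the same macro runs and persists itself into the global template.

```python
from dataclasses import dataclass

# Capability each primitive command needs. In restricted mode a macro may use
# only the one capability it declared: enter text, or analyze it, or print it,
# but not all three (the page's "special-purpose macros").
CAPABILITY_OF_COMMAND = {
    "insert_text": "enter",
    "set_font": "enter",
    "count_words": "analyze",
    "print_doc": "print",
    "copy_to_global_template": "file",   # stands in for writing NORMAL.DOT
}

# Names treated as automatic: a macro so named runs whenever the matching
# menu command is chosen (the page's FileSaveAs example). Assumed list.
AUTO_MACRO_NAMES = {"FileSaveAs", "FileOpen", "FileSave", "AutoOpen", "AutoClose"}


@dataclass
class Macro:
    name: str
    purpose: str     # the single capability the macro claims to need
    body: dict       # parameter -> list of (command, argument) pairs


class Document:
    def __init__(self):
        self.lines = []
        self.font = "default"
        self.log = []   # every primitive command executed, plus refusals


class MacroEngine:
    def __init__(self, restricted):
        self.restricted = restricted
        self.macros = {}
        self.global_template = {}   # macros that would persist into every new document
        self.warnings = []

    def define(self, macro):
        if macro.name in AUTO_MACRO_NAMES:
            self.warnings.append(f"{macro.name} shadows a built-in command")
        self.macros[macro.name] = macro

    def expand(self, doc, name, param="default"):
        """Play back macro `name`; returns True if it ran, False if refused."""
        macro = self.macros[name]
        commands = macro.body.get(param, macro.body["default"])
        if self.restricted:
            needed = {CAPABILITY_OF_COMMAND[cmd] for cmd, _ in commands}
            extra = needed - {macro.purpose}
            if extra:
                doc.log.append(f"refused {name}: needs {sorted(extra)}, declared '{macro.purpose}'")
                return False
        for cmd, arg in commands:
            self._run(doc, cmd, arg, macro)
        return True

    def _run(self, doc, cmd, arg, macro):
        doc.log.append(f"{cmd}({arg})")
        if cmd == "insert_text":
            doc.lines.append(arg)
        elif cmd == "set_font":
            doc.font = arg
        elif cmd == "count_words":
            doc.log.append(f"{sum(len(line.split()) for line in doc.lines)} words")
        elif cmd == "print_doc":
            doc.log.append(f"printed {len(doc.lines)} lines")
        elif cmd == "copy_to_global_template":
            self.global_template[macro.name] = macro


# The page's parameterized header: "header pers" and "header pro" expand differently.
HEADER = Macro("header", "enter", {
    "default": [("insert_text", "Jane Doe, 1 Main St, 555-0100")],
    "pers": [("set_font", "script"), ("insert_text", "Jane Doe, 1 Main St, 555-0100")],
    "pro": [("set_font", "serif"), ("insert_text", "Jane Doe, Acme Corp, 555-0100")],
})

# A macro that claims only to enter text but also copies itself into the global
# template, under a name that hooks the Save As command: the shape the page describes.
UNTRUSTED = Macro("FileSaveAs", "enter", {
    "default": [("insert_text", "Thank you."), ("copy_to_global_template", "self")],
})


def run_scenario(restricted):
    engine = MacroEngine(restricted)
    engine.define(HEADER)
    engine.define(UNTRUSTED)
    doc = Document()
    engine.expand(doc, "header", "pro")
    hooked = engine.expand(doc, "FileSaveAs")   # what the user's Save As would trigger
    return {
        "lines": doc.lines,
        "font": doc.font,
        "untrusted_ran": hooked,
        "persisted": sorted(engine.global_template),
        "warnings": engine.warnings,
        "log": doc.log,
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("restricted" if mode else "unrestricted", run_scenario(mode))
```

The check is done before any command runs, so a refused macro has no partial effect; the warning on definition is the cheap complement to it, flagging a name collision with a built-in command at the moment the macro appears rather than when it fires.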

Modern operating systems often support scripts. Microsoft VBA (Visual Basic for Applications) also supports powerful scripts. A script is a list of commands that’s assigned a name. When the name is typed, the commands are executed. A miscreant
