By unknown
So, you wanna catch a macro virus? Here, I'll show you a simple method to
catch a macro virus and obtain its source code. After all, with sooo many macro
viruses out there, it's pretty exciting if we get to catch one, even the
unknown and undetected ones. This trick works on Word 97. I'm not sure if
it works on Word 2000 coz I've never tested it on Word 2000. Also, don't bother
trying it on Word XP/2002 coz it won't work.
First things first, what you'll need: an infected document (*.doc) and MS Word 97.
Getting started:
Make sure that you turn off any AV software coz it'll interfere with our tasks.
Also, before doing anything, ensure that the Macro Virus Protection feature in
Word 97 is on (activated). This is extremely important as we'll see later.
First... run the infected document by double clicking it. This is where the
Macro Virus Protection feature kicks in. If you have it disabled, our virulent
macros will be activated and taa taa... you've activated the virus and
infected your Word environment. So, once again, I stress that you TURN ON
the macro virus protection feature in Word 97.
Next, when the alert warning pops up, select Disable Macros. This prevents all
macros in the document from running and opens the document in ReadOnly mode.
Don't worry... of course the viral code won't be activated since you've
disabled all macros.
After it's done and the document is opened, go to Tools-Macro-Visual Basic Editor.
This launches the VB IDE. Double click ThisDocument.
And surprise... you'll get to see the entire VBA code of the virus. If ThisDocument
is empty, look for any module in the Project Explorer window. This should
give you the viral code of the doc. Also, if there are any forms, you can
view them too.
There it goes... my tutorial on catching a macro virus. This method
works even with unknown and undetected macro viruses.
Additional Tips & Tricks:
- To know whether your Word environment is infected by a macro virus, look for the
Normal.dot file on your hard disk. Note its size. The normal size is 26k-27k
(for Word 97). If the file size is within this range, it's not infected.
However, if it's way above this range, for example 40K or 50K, then there's a
BIG possibility that it's infected.
- Also, when you get a large Normal.dot file, try viewing it in Notepad or a
Hex Editor. There's a chance that you could uncover viral code traces in clear text.
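
The two Normal.dot checks above (file size against the 26k-27k baseline, then a look for readable code traces) can be scripted. This is an added example, not part of the original tutorial; the keyword list and the sample bytes are constructed assumptions.

```python
import re
import sys

# Baseline from the tip above: a clean Word 97 Normal.dot is about 26-27 KB.
BASELINE_MAX_BYTES = 27 * 1024
# Assumed keyword list (not from the article): names associated with
# auto-running or self-copying Word macros. Extend it to taste.
SUSPECT_WORDS = (b"autoopen", b"autoclose", b"autoexec",
                 b"normaltemplate", b"organizercopy", b"vbproject")


def printable_strings(data, min_len=6):
    """Runs of printable ASCII, i.e. what Notepad or a hex editor would show."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def triage_template(data):
    """Apply the size check and the clear-text scan to raw template bytes."""
    hits = sorted({s.decode("ascii") for s in printable_strings(data)
                   if any(word in s.lower() for word in SUSPECT_WORDS)})
    oversized = len(data) > BASELINE_MAX_BYTES
    if oversized and hits:
        verdict = "likely infected"
    elif oversized or hits:
        verdict = "needs a closer look"
    else:
        verdict = "looks clean"
    return {"size": len(data), "oversized": oversized,
            "hits": hits, "verdict": verdict}


def constructed_sample(infected):
    """Constructed stand-in for Normal.dot: header bytes, padding, marker text."""
    body = b"\xd0\xcf\x11\xe0" + b"\x00" * (26 * 1024)
    if infected:
        body += b"\x00" * (19 * 1024)
        body += b"\x01Sub AutoOpen()\x00\x02NormalTemplate.VBProject\x00"
    return body


if __name__ == "__main__":
    # Pass the path to a real Normal.dot, or run with no argument for the demo.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as handle:
            print(triage_template(handle.read()))
    else:
        for flag in (False, True):
            print(triage_template(constructed_sample(flag)))
```

A scan with no hits does not prove the template is clean: macro source is stored compressed inside the file, so only fragments survive as readable text.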




