catch a macro virus

Exploits:

Articles

catch a macro virus

This is where the

Macro Virus Protection feature kicks in. If you have it disabled, our virulent

macros will be activated and taa taa.......you've activated the virus and

infected your Word environment. So, once again, I stress that you TURN ON

the macro virus protection feature in Word 97.Next, when our alert warning

prompts out, select Disable Macros. This would prevent all macros in the document

from running and opens the document in ReadOnly mode. Don't worry.....of course

the viral code won't be activated since you've disabled all macros.

After it's done and the document is opened, go to Tools-Macro-Visual Basic Editor.

This would launch the VB IDE. Double click ThisDocument.

And surprise.......you'll get to see the entire VBA code of the virus. If ThisDocument

is empty, find for any module within the project explorer window. This should

give the viral code of the doc. Also, if there are any forms, you can get to

view it too. There goes....my tutorial on catching a macro virus. This method

works even with unknown and undetected macro viruses.

Additional Tips & Tricks:

- To know whether your Word environment is infected by a macro virus, find for

Normal.dot file in your harddisk. Note it's size. The normal size is 26k-27k

(for Word 97). If the filesize is about this range, it's not infected.

However, if it's way above this range for example 40K or 50K, then, there's a

BIG possibility that it's infected.

- Also, when you get a large Normal.dot fiile, try viewing it in Notepad or a

Hex Editor. There's a chance that you could uncover viral code traces in clear text

Written on Saturday, 03 October 2009 19:42 by GSO

Viewed 205 times so far.
Like this? Tweet it to your followers!

Like this? Let your friends know now!

Bugtraq: Re: /proc filesystem allows bypassing directory permissions on Linux posted on Monday, 29 November 1999 16:00
Re: /proc filesystem allows bypassing directory permissions on Linux
Vuln: IBM Lotus Connections Mobile Activities Pages Cross Site Scripting Vulnerability posted on Monday, 26 October 2009 12:00
IBM Lotus Connections Mobile Activities Pages Cross Site Scripting Vulnerability
Bugtraq: Adobe Acrobat Reader up to 9.1.1 ONLY Linux integer overflow to heap overflow. posted on Monday, 29 November 1999 16:00
Adobe Acrobat Reader up to 9.1.1 ONLY Linux integer overflow to heap overflow.
Bugtraq: Rising Multiple Products Local Privilege Escalation Vulnerability posted on Monday, 29 November 1999 16:00
Rising Multiple Products Local Privilege Escalation Vulnerability
Bugtraq: {PRL} Rising Firewall 2009 Privilege Escalation posted on Monday, 29 November 1999 16:00
{PRL} Rising Firewall 2009 Privilege Escalation

News Update: Cyber war is coming, the impact could be huge: CBS News reports that cyber.. http://bit.ly/1tx1kr | #Security Link Monday, 09 November 2009 07:35
News Update: Tenable Network #Security Podcast - Episode 11: Welcome to the Tenable Netw.. http://bit.ly/2Iqd6G | Security Link Monday, 09 November 2009 07:35
News Update: Consent will be required for cookies in Europe: EDITORIAL: A law that dema.. http://bit.ly/3JYgip | #Security Link Monday, 09 November 2009 07:35
News Update: CBS 60 Minutes tackles cyber-terrorism: Could hackers get into the compute.. http://bit.ly/2d5Y21 | #Security Link Monday, 09 November 2009 07:35
Blog Update: We have launched the new GovernmentSecurity.org: We decided to launch th.. http://bit.ly/2G1SSF | #Security Link Saturday, 07 November 2009 17:38