catch a macro virus

 

This is where the Macro Virus Protection feature kicks in. If you have it disabled, the virulent macros will run and, ta-da, you've activated the virus and infected your Word environment. So, once again, I stress that you TURN ON the macro virus protection feature in Word 97.

Next, when the alert warning pops up, select Disable Macros. This prevents all macros in the document from running and opens the document in read-only mode. Don't worry: the viral code won't be activated, since you've disabled all macros.

Once the document is open, go to Tools-Macro-Visual Basic Editor. This launches the VB IDE. Double-click ThisDocument, and surprise: you'll get to see the entire VBA code of the virus. If ThisDocument is empty, look for any module in the Project Explorer window; this should give you the viral code of the document. If there are any forms, you can view them too.

That concludes my tutorial on catching a macro virus. This method works even with unknown and undetected macro viruses.

 

Additional Tips & Tricks:

- To find out whether your Word environment is infected by a macro virus, look for the Normal.dot file on your hard disk and note its size. The normal size is 26k-27k (for Word 97). If the file size is within this range, it's not infected. However, if it's way above this range, for example 40K or 50K, then there's a BIG possibility that it's infected.

- Also, when you find a large Normal.dot file, try viewing it in Notepad or a hex editor. There's a chance that you could uncover viral code traces in clear text.
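
The two Normal.dot checks above (size against the 26k-27k range, then a look for clear-text traces) can be scripted so the template is never opened in Word. The Python below is an added example, not part of the original tutorial; the keyword list, the function names, the Normal.dot path and the constructed sample bytes are assumptions made for illustration.

```python
import re

# Size figures quoted in the article for Word 97's Normal.dot.
CLEAN_MIN, CLEAN_MAX = 26 * 1024, 27 * 1024   # "normal size is 26k-27k"
SUSPECT_FROM = 40 * 1024                      # "way above ... 40K or 50K"

# Assumed keyword list (not from the article): auto-macro names and the
# template-copy calls that self-replicating macro code usually references.
KEYWORDS = ("AutoOpen", "AutoClose", "AutoExec", "NormalTemplate",
            "OrganizerCopy", "MacroCopy")

def clear_text_runs(data, min_len=5):
    """Yield (offset, text) for ASCII and UTF-16LE runs, as a hex editor shows them."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.start(), m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield m.start(), m.group().decode("utf-16-le")

def triage_normal_dot(data):
    """Apply both tips to the raw bytes of a Normal.dot file."""
    size = len(data)
    if CLEAN_MIN <= size <= CLEAN_MAX:
        verdict = "in normal range"
    elif size >= SUSPECT_FROM:
        verdict = "way above normal range"
    else:
        verdict = "outside normal range"
    hits = sorted((off, kw, text[:60])
                  for off, text in clear_text_runs(data)
                  for kw in KEYWORDS if kw.lower() in text.lower())
    return {"size": size, "size_verdict": verdict, "hits": hits}

def constructed_sample(infected):
    """Constructed test bytes, not a real template: zero padding plus planted strings."""
    if not infected:
        return b"\x00" * (26 * 1024 + 512)
    body = bytearray(b"\x00" * (45 * 1024))
    body[0x1000:0x100E] = b"Sub AutoOpen()"                       # 8-bit text
    planted = "NormalTemplate.VBProject".encode("utf-16-le")      # 16-bit text
    body[0x2000:0x2000 + len(planted)] = planted
    return bytes(body)

if __name__ == "__main__":
    with open("Normal.dot", "rb") as fh:      # path is an assumption; adjust locally
        report = triage_normal_dot(fh.read())
    print(report["size"], report["size_verdict"])
    for off, kw, text in report["hits"]:
        print(f"0x{off:06x}  {kw:<15} {text}")
```

A hit is a reason to inspect the template in the VB Editor with macros disabled, as described above; an empty hit list does not clear the file, since clear-text traces are only sometimes present.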


GSO
Written on Saturday, 03 October 2009 19:42 by GSO
