
random curiosity about MS Word macro viruses and why (thank the Lord), they don't work in Word 2007/2010


3 replies to this topic

#1 chromebuster


Posted 05 February 2011 - 10:15 PM

Hi,
Don't mind the curious ones, but I'm one of them. So anyway, almost one year ago now, the Word macro virus W97M/Marker.C was running rampant around Gordon College, with many teachers and students alike being infected. I was even infected with it thanks to one of my professors posting an assignment description document that had it. I was running AVG 9.0 at the time, and it was flagged many a time over. I think there were like six or so instances. My memory may be flaky, as my laptop has undergone many reformats since then, but what I do remember is trying to ignore AVG's warning, due to the fact that AVG has given me many false positives when I used it. The message Word gave me was that the document couldn't be opened because it wasn't available. But the strange part of that is that AVG had not removed anything from the file. I can think of two reasons why the file wouldn't run with the virus in it. Tell me which, if either, is correct. One is that Microsoft has since changed the macro format from 2003 and earlier versions of Word simply due to the many viruses that once existed for it, or two, that message was a very convoluted way of telling me that Windows 7 no longer supports Virtual Device Drivers (*.vxd), as I was able to open the file after it had been cleaned up by Eset NOD32. Any knowledge you folks have would be very interesting, as I have always been curious about the very odd weekend of February 12, 2010. Now don't get me wrong. I was glad that Word errored me out and didn't allow the virus to run!

Chromebuster

The AccessCop Network is just me and my crew. 

Some call me The Queen of Cambridge



#2 Didier Stevens


Posted 07 February 2011 - 07:02 AM

I don't know the particulars of the macro virus you mention, but with Microsoft Office 2003, a significant change was implemented that effectively stopped the propagation of macro viruses.

Prior to Office 2003, macros were enabled by default, and opening a document with macros and auto-execute meant the macros were automatically executed (and thus the virus could infect and propagate).

With Office 2003, macro security was introduced. With a Microsoft Office 2003 default install, macros need to be signed with a certificate issued by a trusted root CA. Macros that are not signed will not be executed. Users have to explicitly lower the macro security level for unsigned macros to execute. Almost all macro viruses were unsigned.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"
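An added example, not from this thread or from either poster: a PowerShell check of the Word macro security setting that post #2 says a user would have to lower explicitly before unsigned macros run. It assumes Windows with Word 2007 or later, where the per-user setting is the VBAWarnings registry value (1 to 4) under the Word\Security key of each Office version; the version subkeys and the meaning of each value are taken from Microsoft's documentation as I know it, not from the thread.

```powershell
# Added example, not from the thread: report the effective Word macro security
# setting for each installed Office version. Assumes Word 2007 or later, where
# the setting is the DWORD VBAWarnings under the Word\Security key.
$Meaning = @{
    1 = 'Enable all macros  -> WEAK: unsigned macros run silently'
    2 = 'Disable all macros with notification (Office default)'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}

# Office version subkeys: 12.0 = 2007, 14.0 = 2010, 15.0 = 2013, 16.0 = 2016 and later
$Versions = '12.0', '14.0', '15.0', '16.0'

foreach ($Ver in $Versions) {
    # A Group Policy value (Policies hive) overrides the user's own preference.
    $Candidates = @(
        @{ Source = 'policy'; Path = "HKCU:\Software\Policies\Microsoft\Office\$Ver\Word\Security" },
        @{ Source = 'user';   Path = "HKCU:\Software\Microsoft\Office\$Ver\Word\Security" }
    )
    $Found = $false
    foreach ($C in $Candidates) {
        $Item = Get-ItemProperty -Path $C.Path -Name VBAWarnings -ErrorAction SilentlyContinue
        if ($null -eq $Item) { continue }
        $Level = [int]$Item.VBAWarnings
        $Desc  = if ($Meaning.ContainsKey($Level)) { $Meaning[$Level] } else { 'unrecognised value' }
        $Flag  = if ($Level -eq 1) { '[!]' } else { '[ ]' }
        '{0} Office {1} ({2}): VBAWarnings={3}  {4}' -f $Flag, $Ver, $C.Source, $Level, $Desc
        $Found = $true
        break   # the first hit (policy before user) is the effective one
    }
    if (-not $Found) {
        # Key absent: Word is not installed for this version, or the user has
        # never changed the setting, in which case the built-in default (2) applies.
        "[ ] Office $Ver : VBAWarnings not set (built-in default 2 applies if Word is installed)"
    }
}
```

A line flagged with [!] means the user has lowered the setting to run everything, which is the state post #2 describes as necessary for an unsigned macro virus to execute.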


#3 chromebuster


Posted 09 February 2011 - 01:29 AM

That's good to know. But I also think that it had something to do with the fact that Marker.C (that's Eset's name for it) used the virtual device driver (I think the file was called netlvxd.vxd, or close to that) to store logs of what it took from the users' machines on which it was running. And now that you tell me about the macro signing thing, you also make me laugh, since I was smart enough to not change anything pertaining to Word 2007 macros. Now the one thing I find interesting is that evidently, if Microsoft's principles hold true for both their Mac products and Windows ones, then they made a huge blunder. The teacher who gave me and all the rest of the students in my class the virus was running Mac Office 2004. Was that rule added in there too? And the other thing I wonder, and nearly checked one day at home, is if the FTP server that was used to upload the stolen information is still alive. I begin to doubt that one though. Now, from the perspective of a security expert like you, how often do the mechanisms that those types of viruses use usually stay open and available for more harvested data? I'm not saying I'm going to go look, LOL!

Chromebuster



#4 Didier Stevens


Posted 09 February 2011 - 05:05 AM

But I also think that it had something to do with the fact that Marker.C (that's Eset's name for it) used the virtual device driver (I think the file was called netlvxd.vxd, or close to that) to store logs of what it took from the users' machines on which it was running.

VxD is a Windows 9x technology. It's not supported on Windows client OSes derived from Windows NT, like Windows XP and later.
https://secure.wikimedia.org/wikipedia/en/wiki/VxD

Didier Stevens
