There have been many types of malware, ever since the dawn of computers. While initially, it was for fun, back in the days of QDOS, malware creating and distribution is now a full-time business, with the end gains being the same as any other for-profit business. This article looks at the Macro Virus and talks about how to stay safe from macro-targeted malware. Please note that both “macro virus” and “macro targeted malware” refer to the same thing.
What is Macro Virus in Office
Macro virus takes advantage of Macros that run in Microsoft Office applications such as Microsoft Word or Excel. Cybercriminals send you a macro-infested document via email and use a subject line that interests or provokes you into opening the document. When you open the document, a macro runs to execute whatever task the criminal wants.
By macro-infested document, I mean macros specially designed to download malware or perform certain other tasks. The macro can create malware that is resident on your computer, duplicate itself, and send itself to all the people on your contact list.
After finding out about the vulnerability, Microsoft disabled the macro functioning by default. That is, no macro would run in Microsoft Word until you turn macros on or run it manually. The same is the case with macros in other applications from Microsoft. There are certainly other programs that too make use of macros, but they are not as popular and hence may not be targeted by cybercriminals.
Enable or Disable Macros in Office
In case you do not know, a macro in Office refers to a series of commands and instructions that you group together as a single command to accomplish a task automatically.
Microsoft has now set the default settings in Office to Disable all macros with notification. Now, since the default setting of Macros is OFF or DISABLED, the cybercriminals program the documents in a way that you are compelled to turn on the malicious macro. For example, you get a mail saying your package is ready and that you should open the attached document for details of shipping, etc. When you open the document, you will see a message saying Macros have been disabled. Enable Content.
As you turn on the macro, it is executed to meet the purpose for which, it was designed and runs the malicious code.
Incidentally, the Macro settings in Word are available here. Open Word document > Options > Trust Center > Trust Center Settings > Macro Settings.
Here you will see the four settings available:
- Disable all macros without notification
- Disable all macros with notification (This is the default)
- Disable all macros except digitally signed macros
- Enable all macros.
Read: Block Macros from running in Office files using Registry or Group Policy.
How to stay safe from Macro Virus
The first thing to remember is to use your own reasoning skills. If you receive a document as an attachment, it would always be safe to open it in read-only mode. If you open documents via Outlook or any other popular email client, they open the documents in read-only mode and disable macros, etc. so that you are not affected.
If you get a message asking you to turn on the macros, understand why the message is there and if macros really need to be enabled. For example, if it looks like an invoice, there is nothing programmable, so there is no need for macros. In that case, you can be sure that the document is just bait.
Anyway, you should never open attachments from untrusted sources. If you receive a message saying your parcel is ready, and you know you never ordered any parcel, there is no need to open the attachment. The online e-commerce companies seldom use attachments to let you know about the position of your orders. Most of such communication is in the email body and not in attachments.
It may happen that one of your contacts has been prey to such a macro virus and his infected computer has sent out emails to everyone in his contact list. In that case, you may feel confident about the file and open it. But if it has only an attachment without any message in the email body, it is better to check with your friend if he or she has indeed sent it. I have seen emails that have nothing in the body except for “See the attachment” subject line or message. The attachment is usually a Word document and in most cases, it is best to Junk such mail. A contact of yours will definitely tell you what the attachment is about. If there is no message or only a message saying “Open the attachment”, it is better to ask your contact for details of the attachment.
Macro targeted malware can be easily acquired if you are not cautious. Your regular antivirus cannot be of much help here – unless the attachments also include malware or downloads it subsequently.
How to remove Macro Virus
To remove macro virus, the first thing Microsoft suggests is to use a good antivirus to prevent macros from downloading malware or sending unintended information out of your computer. Run the antivirus software if you feel the need to.
While opening Word documents that you think may contain Macro Virus, press Shift while opening the document. That will prevent any macros from running, as Office documents start in Safe Mode when you press Shift and open them. You can then check out what all macros are present in the document. If anything looks suspicious, you can remove it before using the document.
Microsoft has in recent times seem a jump in the incidence of Macro Virus, using email as well as social engineering. In fact, the once-deadly VBA macro malware too has made a resurgent comeback in recent times.
Stay safe – exercise caution!