WD: What to Do If You Have a Macro Virus

• Microsoft Word for Windows, versions 6.0, 6.0a, 6.0c
• Microsoft Word for Windows 95, versions 7.0, 7.0a
• Microsoft Word for Windows NT, version 6.0
• Microsoft Word for the Macintosh, versions 6.0, 6.0.1

SYMPTOMS

The first macro virus was discovered in the summer of 1995. Since that time, other macro viruses have appeared. This article describes what to do if you think you might have a Word macro virus, or if you want to ensure that your documents never become infected with one.

The following are some symptoms of a Word macro virus that are known to affect Word and Word documents:

• When you try to save a document, Word only lets you save the document as a template.

      -or-
  

• The icon for the file looks like a template rather than a document.

      -or-
  

• When you open a document, a dialog box showing the number 1 appears.

      -or-
  

• New macros appear in the list of macros. AutoOpen and FileSaveAs macros may also appear; if you already had macros by these names, their content may have been changed by the macro virus.

      -or-
  

• The Winword6.ini file contains the following line:

        ww6=1
  

      -or-
  

• Unusual or unexpected messages appear when you open a Word document or template.

RESOLUTION

To protect your existing and future documents from Word macro viruses, you must install software that is specifically designed to detect and remove macro viruses.

For information on anti-virus software vendors, including a list software capable of detecting and preventing macro viruses, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q49500
   TITLE     : Anti-Virus Software Vendors

WORKAROUND

Use the following workarounds as interim solutions only.

NOTES:

• Word version 7.0a for Windows 95, and the Macro Virus Protection Tool are designed to alert you if you open a file that contains macros, regardless of what the macros do. For a permanent solution, you must use anti-virus software that is specifically designed to detect and prevent macro viruses.
• Word 7.0a doesn't look for or remove any macro viruses from existing documents and templates. It will simply warn you if the document you are opening contains macros. The warning lets you either open the document with the macros active or open it with the macros disabled. You should not open a document with the macros active unless you are absolutely sure that the document contains no harmful macro viruses.
• The Macro Virus Protection Tool (available for Word 6.0 users only) includes the ability to look for Word files that contain the Concept Virus and to remove the Concept Virus if it is found. However, it looks ONLY for the Concept Virus and not for any other type of macro virus. Since the development of the Macro Virus Protection Tool, many other macro viruses have been discovered, and the tool is not capable of searching for these viruses.

   ARTICLE-ID: Q49500
   TITLE     : Anti-Virus Software Vendors

Method 1: Upgrade to Word 7.0a, Word 97, or Word 98 Macintosh Edition

Windows

If you are using Word for Windows 95 version 7.0, obtain Word version 7.0a. Version 7.0a alerts you if you try to open a file that contains macros. If you are using any version of Word for Windows earlier than Word 95, upgrade to Word 97 for Windows.

Macintosh

If you are using version 6.0, 6.0.1, or 6.0.1a, upgrade to Microsoft Word 98 Macintosh Edition.

To obtain pre-sales information about new or updated Microsoft products, call the Microsoft Sales Information Center at (800) 426-9400. If you are outside the United States, contact the Microsoft subsidiary for your area. To locate your subsidiary, see the Microsoft World Wide Offices Web site at:

   http://www.microsoft.com/worldwide/default.htm

   http://www.microsoft.com/

Method 2: Obtain the "Macro Virus Protection Tool"

If you are using Word version 6.x (for Windows or Macintosh), obtain the Microsoft Application Note titled "Macro Virus Protection Tool." The Word for Windows version is WD1215, and the Word for the Macintosh version is MW1222.

These Application Notes contain a tool called Scanprot.dot that alerts you if you try to open a file that contains macros. It does not clean the macros from your system.

For more information about how to obtain these Application Notes, please see the following articles in the Microsoft Knowledge Base:

   ARTICLE-ID: Q134728
   TITLE     : WD1215: "Macro Virus Protection Tool" for Word for Windows

   ARTICLE-ID: Q133895
   TITLE     : MW1222: "Macro Virus Protection Tool" for Word for the
               Macintosh

Method 3: Press SHIFT When You Open a File

If you do not have any of the symptoms described in this article, but you do not want to be affected by a macro virus, hold down the SHIFT key when you open a file that might be affected by a macro virus. Pressing SHIFT will prevent any Auto macros from being run; if a macro virus is present, it will not be loaded.

Method 4: Delete the Macro and Recover the Document

If you have experienced the symptoms listed in this article, or if you suspect that you have a macro virus that is not described here, use the following steps to remove the offending macros and correct affected documents. (Remember, this is only a temporary solution; because new macros are being created, these steps may not work):

1. Close Word and rename the Normal.dot file to Normal.xxx (Windows) or move Normal to the Desktop.

2. Make a back-up copy of an affected file.

3. Open Word.

4. On the File menu click Open.

5. Navigate to the folder containing the affected file.

6. Click to select the affected file.

7. Press and hold the SHIFT key and click Open.

   Continue to hold the SHIFT key until the affected file is open in Word.

   NOTE: Holding the SHIFT key while opening a file keeps any of Words automatic macros from running.

8. To remove suspect virus containing macros, follow the steps below:

   a. On the Tools menu, click Macro.

   b. In the Macros Available In list, click All Active Templates.

   c. Select the suspect macro and click Delete. Click Yes.

   d. Repeat step c for all suspect macros.

   e. Click Close.

9. To recover the text of an infected document:

   a. Select the entire document by pressing CTRL+A (Windows) or COMMAND+A (Macintosh), or by clicking Select All on the Edit menu.

   b. Delete the document's final paragraph mark from the selection by pressing SHIFT+LEFT ARROW.

   c. On the Edit menu, click Copy.

   d. On the File menu, click New. Select the template you want to use, and click OK.

   e. On the Edit menu, click Paste.

   f. Repeat step 8 to ensure that the virus containing macros have not again replicated.

   g. Save the document.

10. Repeat these steps for any document suspect of containing a macro virus.

Method 5: Using the Organizer to temporarily clean up macro viruses

Use the Organizer to clean up the macro virus. Keep in mind that if other files were opened after the infected file, they most likely will be infected as well.

To Remove the virus from the Normal template:

1. Close all documents. If an infected document is open, it can easily reinfect Normal.dot (Windows) or Normal (Macintosh).

2. On the File menu, click Templates, and click the Organizer button.

3. Select the Macros tab. Rename or delete all of the following macros:

         AutoClose
         AutoExec
         AutoOpen
         FileExit
         FileNew
         FileOpen
         FileSave
         FileSaveAs
         Macros
         ToolsMacro
   

4. Close the Organizer.

5. On the File menu, click Save All to save the template.

If a file is infected, use the same method as above, but remove the macros from both the Normal template and also from the infected document (template) while in the Organizer. When you are done, click the File menu and click Save All and move on to the next file. Keep in mind that every time you open an infected file it will infect your Normal template, so you constantly need to remove the macros from the Normal template.

Method 6: Insert It into a New Document

With this method, you will need to rename Normal.dot (Windows) or move Normal to the Desktop (Macintosh) and then on the Insert menu, click File to temporarily remove the macros. This method is particularly useful with The macro virus called "CAP" that removes Macro and Customize from the Tools menu.

NOTE: In this situation, the Templates command (Word 6.x and 7.x) may not work.

1. Close Word and rename the Normal.dot file to Name.dot (Windows) or move Normal to the Desktop (Macintosh).

2. Open Word and verify that Macro and Customize are on the Tools menu.

3. Open a new document. On the Insert menu, click File.

4. Navigate to the folder containing the affected file.

5. Click to select the affected file.

6. Press and hold the SHIFT key and click Open.

   Continue to hold the SHIFT key until the affected file is open in Word.

   NOTE: Holding the SHIFT key while opening a file keeps any of Words automatic macros from running.

7. To see if there are any macros in the new document (there should not be any listed), click Macro on the Tools menu. In the Macros Available In list, click All Active Templates.

8. Save the file with a different file name.

9. Delete the infected file.

MORE INFORMATION

A macro virus is a program written in the macro language of a program, like Word. It propagates itself among data files and can harm your files or your computer's operating system.

Word macro viruses do not travel freely over the Internet or any other media; they can only be transferred when a user opens a document or template that contains the virus macro.

Microsoft Internet Assistant and documents created or read by it cannot be affected by such macros. Internet Assistant, by design, blocks the mechanism that distributes the macro virus.

Macro viruses cannot be transferred by WordMail unless an affected document is embedded in the e-mail message and the receiver opens the document.