A macro virus is a computer virus written in the macro language of an application such as Microsoft Excel or a word processor such as Microsoft Word, rather than in code aimed at the operating system. When a macro virus infects an application, it causes a sequence of actions to run automatically as soon as the application or an infected document is opened.
Because a macro virus targets an application and not an operating system, it can typically infect any computer on which that application runs, including machines running MacOS and Linux.
How macro viruses work
Macro viruses work by embedding malicious code in the macros that are associated with documents, spreadsheets and other data files, causing the malicious programs to run as soon as the documents are opened. Typically, macro malware is transmitted through phishing emails containing malicious attachments. The macro virus spreads quickly as users share infected documents.
Once an infected macro executes, it will typically infect every other document on the user's computer. Some macro viruses cause irregularities in text documents, such as inserting or deleting words. Other macro malware accesses email accounts and sends copies of infected files to all of the user's contacts, who then open the files because they appear to come from a trusted source.
Examples of macro viruses
The first macro virus to be spread in the wild through Microsoft Word was Concept, which was discovered in July 1995. The virus was accidentally included on a CD-ROM called "Microsoft Compatibility Test" shipped by Microsoft to hundreds of corporations in August 1995.
Concept spread between computers in infected Word documents with a .doc extension attached to email messages. From there, the virus infected documents in the English version of Word 6.0 or Word 95 whenever they were saved using the Save As command. Concept did not carry out any damaging actions on affected computers; it simply displayed a message on screen when it infected a document.
Another classic example of a macro virus was the Melissa virus, first found in March 1999. Melissa was distributed as an email attachment and spread quickly across the globe. The subject line of the email indicated that the message contained a file the user had requested. When the user opened the attachment, the virus infected the user's computer and spread through further email messages using macros in Microsoft Word 97 and Microsoft Word 2000 files, as well as in Microsoft Excel and Outlook.
Although Melissa didn't destroy files or other resources, it caused Microsoft to shut down all incoming email on March 26, 1999, and it disrupted over 1 million email accounts worldwide and cost businesses an estimated $80 million.
Discovered in September 1995, the Nuclear macro virus was similar to Concept, but because the malicious macros in Nuclear were designated ExecuteOnly, they were encrypted by Word and could not be viewed or edited, although they remained visible in the macro list. The message carried by the Nuclear virus was displayed only on the last page of a document when it was printed, and only if printing happened during the last four seconds of any minute (seconds 56 through 59).
The message that the Nuclear macro virus added to documents was, "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC." The virus would also cause error messages to appear when a user selected File > Print or File > Save As.
First observed in 2014, Hancitor (also known as Chanitor) was a macro-based malware downloader hidden in Word documents that were delivered via phishing email. The main purpose of Hancitor was to download malicious payloads such as banking Trojans and ransomware on contaminated machines.
The Dridex banking malware and Locky ransomware also made use of malicious macros to hijack systems. The Rovnix Trojan used macros embedded in Microsoft Word documents to infect computers and steal data. Vawtrak was another Trojan distributed to victims in malicious Word documents; it could take screenshots, hijack webcams and log keystrokes. Rovnix and Vawtrak typically targeted financial organizations.
Until recently, most macro viruses targeted the Windows operating system, but in early 2017 MacDownloader, the first Word macro virus for Apple's MacOS, was found in the wild. Hackers used malicious macros in Word documents to install malware on Mac computers and steal users' data. Once the malware is installed, the attackers can read browser history, monitor webcams, and steal passwords and encryption keys.
One malicious Word file carrying the MacDownloader macro virus was titled "U.S. Allies and Rivals Digest Trump's Victory -- Carnegie Endowment for International Peace.docm."
Preventing macro viruses
Since macro viruses are usually spread in application files that have been shared across the internet by email, especially in phishing email, macro virus defenses include strategies for scanning inbound email attachments, preventing users from opening dubious files and preventing macros from running at all when documents are opened.
Some techniques for preventing the spread of macro viruses include:
- Use a spam filter. The fewer phishing email messages users get in their inboxes, the less chance their computers will be infected by malware.
- Use a strong antivirus program. Antivirus software will warn users when they attempt to download suspicious files or open harmful links.
- Ensure that computers are running current software versions and that all security patches are installed.
- Do not open attachments from unknown senders.
- Do not open attachments in suspicious email messages, even when they appear to be from known senders.
- Enable the macro security settings in Microsoft Word and Excel, and exercise extreme caution about enabling macros.
- Disable macro scripts entirely.
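The first defensive strategy above, scanning inbound attachments before a user opens them, can be put into a simple triage gate. The script below is an added example written for this article (not code from the original page or from any product it mentions). It relies on two documented properties of Office files: Office Open XML documents (.docx, .docm, .xlsx, .xlsm and so on) are ZIP archives that can carry VBA only if they contain a vbaProject.bin part, with the macro-enabled formats declaring a "macroEnabled" content type in [Content_Types].xml, and legacy binary Office files from the Concept and Melissa era (.doc, .xls) are OLE2 compound files that begin with the magic bytes D0 CF 11 E0 A1 B1 1A E1. The sample attachments are constructed in memory so the script runs offline; the function names and the Verdict class are this example's own choices.

```python
"""Triage Office attachments for embedded VBA macros before a user opens them.

Added example for this article, not code from the original page. Uses only
the Python standard library; sample attachments are constructed below.
"""
import io
import zipfile
from dataclasses import dataclass

# OLE2 compound file header: legacy .doc/.xls/.ppt containers.
OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}
LEGACY_EXTENSIONS = {".doc", ".dot", ".xls", ".xlt", ".xla", ".ppt", ".pot"}


@dataclass
class Verdict:
    filename: str
    has_macros: bool   # a VBA project part is present, or the file is a legacy OLE2 container
    reasons: list


def _extension(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def inspect_attachment(filename: str, data: bytes) -> Verdict:
    """Decide whether an attachment can carry VBA macros at all."""
    reasons = []
    ext = _extension(filename)

    # Legacy binaries: VBA lives in streams inside the compound file. Without an
    # OLE parser we treat the whole container as macro-capable and hand it to the
    # antivirus scan the article recommends.
    if data.startswith(OLE2_MAGIC):
        reasons.append("OLE2 compound file (legacy binary Office format)")
        if ext not in LEGACY_EXTENSIONS:
            reasons.append(f"extension {ext or '(none)'} does not match OLE2 content")
        return Verdict(filename, True, reasons)

    # Office Open XML: a ZIP archive. The decision hinges on vbaProject.bin.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
                vba_parts = [n for n in names if n.lower().endswith("vbaproject.bin")]
                content_types = ""
                if "[Content_Types].xml" in names:
                    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        except zipfile.BadZipFile:
            reasons.append("ZIP signature but the archive is corrupt")
            return Verdict(filename, False, reasons)
        if vba_parts:
            reasons.append(f"VBA project part present: {', '.join(vba_parts)}")
            if "macroEnabled" not in content_types:
                reasons.append("content types do not declare a macro-enabled format")
            if ext not in MACRO_EXTENSIONS:
                # A macro-bearing file renamed to a macro-free extension.
                reasons.append(f"extension {ext or '(none)'} hides macro content")
            return Verdict(filename, True, reasons)
        if ext in MACRO_EXTENSIONS:
            reasons.append("macro-enabled extension but no vbaProject.bin part")
        return Verdict(filename, False, reasons)

    reasons.append("not an Office container")
    return Verdict(filename, False, reasons)


def _build_ooxml(with_vba: bool, macro_enabled_type: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP (sample data, not a real Word file)."""
    main_type = ("application/vnd.ms-word.document.macroEnabled.main+xml" if macro_enabled_type
                 else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    ct = ('<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder, not real VBA")
    return buf.getvalue()


# Constructed sample attachments covering the cases a mail gateway sees.
SAMPLES = {
    "report.docx": _build_ooxml(with_vba=False, macro_enabled_type=False),
    "invoice.docm": _build_ooxml(with_vba=True, macro_enabled_type=True),
    "renamed.docx": _build_ooxml(with_vba=True, macro_enabled_type=False),  # macro part behind a .docx name
    "old_memo.doc": OLE2_MAGIC + b"\x00" * 504,
    "notes.txt": b"plain text, nothing to inspect",
}


def triage_all(samples=None) -> dict:
    samples = SAMPLES if samples is None else samples
    return {name: inspect_attachment(name, blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for v in triage_all().values():
        action = "quarantine for scan" if v.has_macros else "no macro indicators"
        print(f"{v.filename:14} {action:20} {'; '.join(v.reasons)}")
```

Two caveats a practitioner should keep in mind. A vbaProject.bin part proves only that a VBA project exists, not that it is malicious, so the gate feeds the on-demand scanner rather than replacing it, and extracting the actual macro source from either container requires a real OLE parser. Excel 4.0 (XLM) macros are stored in macro sheet parts rather than in vbaProject.bin, so a check like this one will not flag them.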
Removing a macro virus
It is important to remove all files infected with a macro virus to prevent it from spreading.
The first step in removing macro malware is to reboot the infected computer in Safe Mode.
Deleting all temporary files will help speed up virus scanning, as well as free up disk space and remove any infected temporary files.
Finally, do a virus scan of the infected computer. If a real-time antivirus program is already running on the machine, use a different, on-demand scanner to run a macro malware check because the running antivirus program may not have detected the malware. In this case, use the on-demand scanner first followed by a full scan using the real-time antivirus. This should detect and quarantine any macro malware found on the system.