PS Consultants - ideas & solutions

Word Macro Viruses - we may know who you are
June 1999

The mass media coverage surrounding the Melissa virus neatly illustrates the level to which IT has become the dominant commercial force where once heavy industry and mining ruled the roost.

IT is still reported with a high degree of inaccuracy and hype as befits those whose journalistic education was never quite honed for the modern e-world, but with the stock boom examples of the businesses that are being punted as the leaders of the “new way” of doing business uppermost in even the most luddite news editor’s mind, they have little choice left but to pay attention. And even more so because I would guess that any organisation that uses MS Word will have been afflicted by one or more of the so-called “word-macro viruses” that are by now, utterly endemic.

But blaming Microsoft is like blaming gun makers when folks get shot. Word has a powerful inbuilt programming language that allows the users to lots of good things, and by the same token, allows the miscreants to do many bad things. For example, I have here a word document where an embedded macro tunes the Winradio radio tuner card installed in the system.

There is a simple way to tackle word macro viruses – don’t open any word document attachments. Anything that turns up here with the file extension .doc gets wiped immediately unless I am very, very certain of the source. I then virus check it (using the supremely simple to use Mijenix FixIt 99 virus checker – just right click on the file in explorer) , and if you have a mail client that is stupid enough to auto-open attachments, throw it away immediately.

Sending files in the alternative Rich Text Format (.rtf) loses very little content-wise but the macro virus. So if anyone send you a doc file, then ask them to send it as an .rtf file instead (one of the numberous “save as” options).

Word macro viruses tend to operate in the relatively closed loop of the MS Word environment, but other now endemic email parasites are to be found as attachments of html documents that keep on spawning themselves unless you ALT-F4 them quickly enough.

In terms of classic infections at the system level, for example, mail attachments in the form of executables (.exe) – well anyone daft enough to run those without first virus checking AND being absolutely certain of the origin, deserves what they get. Would you eat your dinner off the toilet floor..?

I should like to remind you all that thanks to the way that Unix manages files and permissions, a virus is an unlikely thing, as Charles Stross, Linux guru of this parish advises:

“To infect a program, a virus must append itself to a program file or do something similar, such as load itself into memory and scribble over the boot sector of a hard disk.

However, it's pretty damned hard for a virus to live on a system that has a user/group access permission system. If it can't open an executable file and write to it, how's the thing going to replicate itself? And it can't infect other programs in memory because the UNIX or Linux kernel is _really_ fascist about not giving programs access to one another's working memory. All it can do is hope that the victim is silly enough to execute a virus-infected program as root so that it gets privileged access to the system.

Thus, virus source code for Linux has been written -- but to date, in nine years of Linux and twenty eight years of UNIX, there have been NO viruses detected in the wild.”

So here we have one PC operating system that costs around £70-100 and can result in the entire email productivity of a PC-based nation grinding to a sudden halt; and the other costs £0 and doesn’t. So which one does everyone use..?

It’s a funny old world, isn’t it..?


From all the fuss around Melissa also comes the news that Word .doc and .dot file format saves the details of the user’s unique MAC (media access control) number that every ethernet card includes. Now, MAC addresses are issued to ethernet card manufacturers in a similarish sort of way to the way that IP addresses are handled.

This is the closest thing to a fingerprint for a specific PC that existed before the hoo-haa that erupted around the Intel Pentium 3 “serial number” malarkey. Network managers have known for a long time (over twenty years…) that users of ethernet apparatus leave a lovely trail of the whereabouts courtesy of the unique MAC address.

But neither the MAC address of the Pentium serial number are of any use until someone ties the unique number together with the details of the user of the equipment. It’s then that the fun starts, and the news that this information is potentially being stored by Microsoft is grist to the security and privacy lobby.

As someone pointed out in the letters column of a US trade magazine, lawyers everywhere should start subpoenaing Microsoft to produce evidence of who they know owns which MAC address, since this would very quickly lead a trail back to a number of miscreants, not least the originators of the various word macro viruses!