Macro family viruses. Why macro viruses are dangerous and how to protect your computer. How macro viruses penetrate the system

Macro viruses are written in the macro languages embedded in some data-processing systems (text editors, spreadsheets, etc.). To reproduce, such viruses use the capabilities of the macro language and, with its help, transfer themselves from one infected file (document or spreadsheet) to others.

For a virus to exist in a specific system (editor), that system must have a built-in macro language with the following capabilities:

1. binding macro programs to a specific file;

2. copying macro programs from one file to another;

3. passing control to a macro program without user intervention (automatic or standard macros).

Network computer viruses.

Network viruses are those that actively use the protocols and capabilities of local and global networks to spread. The main principle of a network virus is its ability to transfer its own code to a remote server or workstation. Network viruses can also launch their code on a remote computer or prompt the user to run an infected file.

There are many combinations. For example, file-boot viruses infect both files and the boot sectors of disks. Such viruses, as a rule, have a rather complex algorithm, often use original methods of penetrating the system, and employ stealth and polymorphic techniques. Another example of such a combination is a network macro virus that not only infects editable documents but also sends copies of itself by email.

The infected operating system (more precisely, the OS whose objects are susceptible to infection) is the second level of the classification. Each file or network virus infects the files of one or more operating systems.

Macro viruses infect Word, Excel and other Office file formats. Boot viruses likewise target the specific layout of system data in the boot sectors of disks.

Features of the working algorithm of computer viruses:

1. Residency.

2. Use of stealth algorithms.

3. Self-encryption and polymorphism.

4. Use of non-standard techniques.

Residency is understood as the ability of a virus to leave copies of itself in system memory, intercept certain events (for example, access to files or disks) and call procedures that infect the detected objects (files and sectors). Thus resident viruses are active not only while the infected program runs, but also after that program has finished. Resident copies of such viruses remain viable until the next reboot, even if all infected files on the disk are destroyed. It is often impossible to get rid of such viruses by restoring files from distribution disks or backups: the resident copy remains active and infects the newly created files. The same is true of boot viruses: formatting the disk while the virus is in memory does not always cure it, since many resident viruses reinfect the disk after it has been formatted.

Non-resident viruses, on the contrary, are active only for a short time, at the moment an infected program is launched. To spread, they search the disk for uninfected files and write themselves into them. After the virus code returns control to the host program, the virus has no effect on the operating system until the next launch of an infected program.

Stealth viruses hide the fact of their presence in the system in one way or another.

Polymorphic viruses are those that cannot be detected (or can be detected only with great difficulty) by so-called virus masks, sections of constant code specific to a particular virus. This is achieved in two main ways: by encrypting the main virus code with a varying key and a random set of decryptor instructions, or by changing the virus code itself.

Various non-standard techniques are frequently used in viruses to hide themselves as deeply as possible in the OS kernel.

By their destructive capabilities, viruses can be divided into:

1. Harmless, in no way affecting the computer's operation (except for reducing free disk space as a result of their spreading).

2. Non-hazardous, whose influence is limited to a decrease in free disk space and to graphic, sound and other effects.

Macro viruses are potentially unwanted programs written in the macro languages embedded in graphics and text processing systems. Which files do macro viruses infect? The answer is obvious: most commonly, files of Microsoft Excel, Word and Office 97. These viruses are encountered quite often, because they are easier to create than ordinary ones. That is why, when downloading documents from the Internet, it is worth being extremely attentive and careful. Most users underestimate them, thereby making a grave mistake.

How PC infection occurs

Now that we have established what macro viruses are, let us see how they penetrate the system and infect the computer. Their simple way of reproducing lets them hit the maximum number of objects as quickly as possible. Thanks to the capabilities of macro languages, when an infected document is opened or closed, they penetrate the programs that access it.

That is, when a graphics editor is used, macro viruses infect everything related to it. Moreover, some remain active the whole time the text or graphics editor is running, or even until the PC is completely turned off.

What is the principle of their work

Their action follows this principle: while working with documents, Microsoft Word executes a variety of commands that are stored in macros. First of all, the virus penetrates the main template through which all files of this format are opened. In doing so, the virus copies its code into the macros that provide access to the main parameters. When the program exits, the template is automatically saved as a DOT file (used to create new documents). After that, the virus gets into the standard macros and tries to intercept the commands sent by other files, infecting them.

Infection is carried out in the following cases:

  1. The virus contains an auto macro (executed automatically when the program starts or closes).
  2. The virus contains a main system macro (often associated with menu items).
  3. It is activated automatically when specific keys or key combinations are pressed.
  4. It multiplies only when it is launched.

Such viruses usually affect all files created by and tied to programs with a macro language.

What harm they do

Do not underestimate macro viruses: they are full-fledged viruses and do computers significant harm. They can easily delete, copy or edit any objects, including those containing personal information. Moreover, they are also able to transmit information to other people by email.

More powerful ones can even format hard drives and take control of the operation of the entire PC. That is why the opinion that this kind of computer virus is a danger solely to graphics and text editors is mistaken. After all, programs like Word and Excel work together with a number of others, which in this case are also in danger.

Recognizing an infected file

It is often not difficult to identify files infected with macro viruses and the effect they have. After all, they do not function at all like other files of the same format.

Danger can be determined by the following features:

In addition, the threat is often easy to detect visually. Their developers usually fill in the "Summary" tab with information such as the utility's name, category, subject, comments and the author's name, which lets you get rid of the macro virus much faster and more easily. You can open it from the context menu.

Ways to remove

Having found a suspicious file or document, first check it with an antivirus. If a threat is detected, the antivirus will try to cure the file and, if that fails, will completely block access to it.

If the entire computer has been infected, use an emergency boot disk containing an antivirus with the latest database. It will scan the hard drive and delete all the threats it finds.

If this does not work, your antivirus can do nothing, and there is no emergency disk, then you should try the "manual" treatment method:


In this way you remove the macro virus from an infected document, but that does not mean it has not remained in the system. That is why it is recommended to then scan the entire personal computer and all its data with an antivirus or with utilities that do not require installation (that is their advantage).

The process of treating and cleaning a computer of a discovered macro virus is quite complex, so it is better to prevent infection at the initial stage.


Thus you will protect yourself, and macro viruses will never get into the relevant files.

A computer virus is a program that is able to create copies of itself and introduce them into various objects and resources of computer systems, networks, etc., without the user's knowledge. At the same time, the copies retain the ability to spread further.

Infection of a program is usually performed in such a way that the virus receives control before the program itself. For this it is either embedded at the beginning of the program or implanted into its body so that the first instruction of the infected program is an unconditional jump to the virus, whose code ends with a similar unconditional jump to the instruction of the host program that was first before infection. Having received control, the virus selects the next file, infects it, possibly performs other actions, and then returns control to the host program.

The initial infection occurs when infected programs move from the memory of one machine to the memory of another; both storage media (optical disks, flash memory, etc.) and the channels of computer networks can serve as the means of moving these programs. Viruses that use network tools, network protocols, and the commands of computer networks and email for reproduction are customarily called network viruses.

The life cycle of a virus usually includes the following periods: introduction, incubation, replication (self-reproduction) and manifestation. During the incubation period the virus is passive, which complicates the task of finding and neutralizing it. At the manifestation stage, the virus performs its characteristic target functions, for example irreversible corruption of information in the computer or on external media.

The physical structure of a computer virus is quite simple. It consists of a head and, possibly, a tail. The head of the virus is the component that receives control first. The tail is the part of the virus located in the body of the infected program separately from the head. Viruses consisting of only a head are called non-segmented, while viruses containing a head and a tail are called segmented.

The most significant features of computer viruses allow the following classification.

There are several approaches to classifying computer viruses by their characteristic features:

- by the habitat of the virus;

- by the method of infection;

- by destructive capabilities;

- by the features of the working algorithm.

By habitat, viruses are divided into:

File viruses - viruses affecting executable files written in various formats. Accordingly, depending on the format in which the program is written, these are EXE or COM viruses.

Boot viruses - viruses affecting the boot sectors of disks or the sector containing the system bootloader (Master Boot Record) of the hard drive.

Network viruses - viruses spreading through various computer networks and systems.

Macro viruses - viruses affecting Microsoft Office files.

Flash viruses - viruses affecting BIOS flash chips.

By the method of infection, viruses are divided into:

Resident viruses - viruses that, when they infect the computer, leave their resident part in memory. They can intercept operating system interrupts, as well as accesses to infected files by programs and the operating system. These viruses can remain active until the computer is shut down or restarted.

Non-resident viruses - viruses that do not leave resident parts in the computer's RAM. Some viruses leave fragments that are incapable of further reproduction; such viruses are considered non-resident.

By destructive capabilities, viruses are divided into:

Harmless viruses - viruses that do not affect the computer's operation, except perhaps for reducing free disk space and the amount of RAM.

Non-hazardous viruses - viruses that manifest themselves by producing various graphic and sound effects and other harmless actions.

Dangerous viruses - viruses that can lead to various failures in computers, as well as in their systems and networks.

Very dangerous viruses - viruses leading to the loss or destruction of information and to the failure of programs and the system as a whole.

By the features of the working algorithm, viruses can be divided into:

Companion viruses (Satellite) - these viruses affect EXE files by creating a twin COM file. Therefore, when the program is launched, the COM file containing the virus starts first; after doing its work, the virus launches the EXE file. With this method of infection the "infected" program itself is not changed.

Worm viruses (Worms) - viruses that spread over computer networks. They penetrate the computer's memory from the network, compute the addresses of other computers and send copies of themselves to those addresses. Sometimes they leave temporary files on the computer, but some may not affect any computer resources except RAM and, of course, the processor.

Stealth viruses (invisible viruses) - very sophisticated programs that intercept DOS calls to infected files or disk sectors and substitute uninfected sections of information instead. In addition, when accessing files such viruses use rather original algorithms that allow them to "deceive" resident antivirus monitors.

Polymorphic viruses (self-encrypting or ghost viruses) - viruses that are quite difficult to detect because they have no signatures, i.e. they contain no single constant section of code. In most cases, two samples of the same polymorphic virus will not have a single match. This is achieved by encrypting the main body of the virus and modifying the decryptor program.

Macro viruses - viruses of this family use the macro-language capabilities embedded in data processing systems (text editors, spreadsheets, etc.). Currently the most common macro viruses are those infecting Microsoft Word text documents.

By mode of functioning:

- resident viruses (viruses that, after activation, remain permanently in the computer's RAM and control access to its resources);

- transit viruses (viruses that execute only at the moment an infected program is launched).

By the object of implantation:

- file viruses (viruses infecting program files);

- boot viruses (viruses infecting programs stored in the system areas of disks).

In turn, file viruses are divided into viruses infecting:

- executable files;

- command files and configuration files;

- files compiled in macro programming languages, or files containing macros (macro viruses are a type of computer virus developed in the macro languages embedded in software packages such as Microsoft Office);

- device driver files;

- files with libraries of source, object, load and overlay modules, dynamic link libraries, etc.

Boot viruses are divided into viruses infecting:

- the system loader located in the boot sector of disks and logical drives;

- the master loader located in the boot sector of hard drives.

By degree and method of disguise:

- viruses that do not use masking means;
- stealth viruses (viruses trying to be invisible by controlling access to infected data elements);
- mutant viruses (MTE viruses, containing encryption algorithms that make different copies of the virus differ from each other).

In turn, MTE viruses are divided into:

- ordinary mutant viruses, whose different copies differ only in their encrypted bodies, while the decrypted bodies coincide;

- polymorphic viruses, whose different copies differ not only in their encrypted bodies but also in their decrypted bodies.

The most common types of viruses are characterized by the following main features.

A file transit virus is located entirely in the executable file, so it is activated only when the virus carrier is run, and after performing the necessary actions it returns control to the program itself. In this case the virus selects the next file to infect by searching the directory.

A file resident virus differs from a non-resident one in its logical structure and general algorithm. A resident virus consists of a so-called installer and interrupt-handling routines. The installer receives control when the virus carrier is activated and infects RAM by placing the control part of the virus there and replacing the addresses in the interrupt vector entries with the addresses of its own routines that handle those interrupts. In the so-called tracking phase, which follows the installation phase just described, whenever an interrupt occurs, control goes to the corresponding routine of the virus. Because their general scheme of operation is much more universal than that of non-resident viruses, resident viruses can implement a variety of infection methods.

Stealth viruses exploit the weak security of some operating systems and replace some of their components (disk drivers, interrupts) in such a way that the virus becomes invisible (transparent) to other programs.

Polymorphic viruses contain an algorithm for generating decrypted virus bodies that differ from each other. At the same time, the decryption algorithms may use all the instructions of the Intel processor and even specific features of its real mode of operation.

Macro viruses run under the control of application programs, which makes them independent of the operating system. The overwhelming majority of macro viruses run under the control of the Microsoft Word text processor. At the same time, macro viruses are known for applications such as Microsoft Excel, Lotus Ami Pro, Lotus 1-2-3 and Lotus Notes, on Microsoft and Apple operating systems.

Network viruses, also called autonomous replicating programs or, for brevity, replicators, use network operating systems to reproduce. Reproduction is simplest where the network protocols allow it; it is also possible where those protocols are oriented only to messaging. A classic example of implementation over email is the Morris replicator. The text of the replicator is transmitted from one computer to another as an ordinary message, gradually filling the buffer allocated in the RAM of the recipient computer. As a result of the buffer overflow, the return address of the routine that called the message-receiving program is replaced by the address of the buffer itself, where the text of the virus is already located by the time of the return. Thus the virus receives control and begins to operate on the recipient computer.

Loopholes like those described above, arising from the way certain functions are implemented in software, are an objective prerequisite for the creation and deployment of replicators by intruders.

The effects caused by viruses while performing their target functions are customarily divided into the following groups:

- corruption of information in files or in the file allocation table (FAT), which can lead to the destruction of the file system as a whole;
- imitation of hardware failures;
- creation of sound and visual effects, including, for example, displaying messages that mislead the operator or hinder his work;
- initiation of errors in user programs or the operating system.

The above classification cannot be considered complete, since progress does not stand still: ever newer intelligent devices appear and, accordingly, viruses running on them. For example, viruses affecting mobile phones have already appeared.

There are programs that use their own programming language, called a macro language, in their work. Such macro languages are usually embedded in text and spreadsheet editors. For example, Microsoft Word and Excel have their own macro languages. Viruses that are written in macro languages and use them for their own purposes are called macro viruses. In other words, macro viruses are viruses written in macro programming languages.

What are macros?

A macro is a set of commands recorded by the user. When a macro is called, the process stored in it is executed. On the peaceful front, such macros can nicely ease long, tedious, routine work: it is enough to write the appropriate algorithm, and the machine will do everything itself. For example, in Word and Excel there are macros to open and save a file, and so on. Such macros can significantly increase the user's working speed.

Principle of work of a macro virus

Since editing the macro of an individual file is not difficult given the appropriate knowledge, creating a macro virus should present no problems either. After that, the infected document is delivered to the victim. By opening the document and launching the infected macro (that is, performing a specific predetermined action), the user activates the malicious code. First of all, many macro viruses will try to rewrite the macros of the main document template, for example the main Word template, which is used to open any file of the corresponding format. This ensures that whenever any document is opened, the virus will be loaded with it. As I said in the article about that, every virus first tries to ensure its widespread distribution. Well, then it is a matter of technique: copy the malicious code into all newly opened documents. And since we exchange documents quite often, the virus will breed pretty well.

Harm from a macro virus

The front line of a macro virus's work is documents, and in principle they can do anything with your documents. But besides this, macro viruses are able to harm the computer itself, that is, given a special desire, macro viruses can take control of the computer. So macro viruses should not be regarded as pests of documents only.

The first macro virus in history

The very first documented macro virus was the Concept virus, which saw the light of day in 1995. It did nothing particularly terrible; there was no harm from it, but the Concept virus showed the whole digital world that files could carry malicious code.

Macro family viruses

Macro family viruses use the macro-language capabilities embedded in data processing systems (text editors, spreadsheets, etc.).

For viruses to exist in a specific system, it must have a built-in macro language with the capabilities of binding a macro program to a specific file, copying macro programs from one file to another, and passing control to a macro program without user intervention (automatic or standard macros).

These conditions are satisfied by the Microsoft Word and AmiPro editors, as well as the Excel spreadsheet. These systems contain macro languages (Word - Word Basic, Excel - Visual Basic); macro programs are tied to a specific file (AmiPro) or are inside the file (Word, Excel); the macro language allows copying files (AmiPro) or moving macro programs into service system files (Word, Excel); and when working with a file under certain conditions (opening, closing, etc.), the macro programs (if any) that are defined in a special way (AmiPro) or have standard names (Word, Excel) are called.

So, today there are three systems for which viruses exist - Microsoft Word, Excel and AmiPro. In them, viruses receive control when an infected file is opened or closed, intercept the standard file functions and then infect the files that are accessed in any way. By analogy with MS-DOS, it can be said that macro viruses are resident: they are active not only at the moment the file is opened or closed, but as long as the editor (system) itself is active.

Viruses for Microsoft Office 97

Macro.Office97.Frenzy

It consists of a single FRENZY macro containing the AutoOpen auto-function. It infects the system when an infected file is opened; after that it writes itself into documents when they are opened. Depending on the system date and the system random counter, it displays the text

Word97.frenzy by Pyro.

Macro.Office97.Minimal

A rather primitive macro virus for Office 97. Contains the single AutoOpen macro. It infects the system when an infected file is opened; documents are likewise written to when they are opened. Contains the commented text

Vesselin Bontchev

Macro.Office97.Nightshade

It consists of a single Nightshade macro containing the AutoClose auto-function, and infects the system and documents when files are closed. It turns off the built-in virus protection and allows auto-functions to run. Depending on the current date and the system random counter, it displays the text

Word97.nightshade by Pyro.

On Saturdays the 13th it sets the password Nightshade on documents.

Viruses for Microsoft Excel

Macro.Excel.Laroux

Infects Excel spreadsheets (XLS files). Contains two macros: AUTO_OPEN and CHECK_FILES. When an infected Excel file is opened, the AUTO_OPEN macro is executed automatically. In the virus, this macro contains only one command, which sets the CHECK_FILES macro to be executed whenever any sheet is activated (SheetActivate). Thus the virus intercepts the sheet-opening procedure, and when a sheet is activated the infected Excel calls the CHECK_FILES macro, that is, the virus code.

Having received control, the CHECK_FILES macro looks for the Personal.xls file in the Excel startup directory and checks the number of modules in the current workbook. If the active workbook contains the virus and the Personal.xls file does not exist (first infection), then the virus uses the SaveAs command to create an Excel file with this name in the startup directory. As a result, the virus code from the current file is written into it. At the next launch, Excel loads all XLS files from the startup directory, so the infected Personal.xls file is also loaded into memory, the virus receives control again, and when sheets are opened the CHECK_FILES macro from Personal.xls is called once more.

If the number of modules in the current workbook is 0 (the infected workbook is not active) and the Personal.xls file already exists, the virus writes its code into the active workbook. After that, the active workbook is infected.

Checking the system for the virus is easy. If the virus has already penetrated the computer, then the Personal.xls file must be present in the Excel directory, and the string laroux (in lowercase) is visible in it. The same string is present in the other infected files.

Macro.Excel.Legend

A macro virus infecting Excel files. Contains one module (macro) named Legend. This module includes two procedures, AUTO_OPEN and INFECT. AUTO_OPEN is an Excel procedure that is called automatically when a file is opened. When it runs, AUTO_OPEN sets the second virus procedure (INFECT) as the SheetActivate event handler, so that whenever any Excel sheet is opened, the INFECT procedure is called.

When called, the INFECT procedure infects either the Personal.xls file (if the open file is infected) or the current file (if it is not yet infected). After infection, the virus removes the Tools / Macro menu item. If UserName = "pyro" and OrganizationName = "VBB", the virus stops immediately and does not infect files. Depending on the current day and the system random counter, the virus displays a MessageBox:

You've Bean Infected by Legend!

Macro.Excel.Robocop

A macro virus affecting Excel files. Includes two modules (macros): COP and ROBO. The ROBO module contains the automatically called AUTO_OPEN procedure, which, when an infected document is opened, writes the virus code to the Personal.xls file and sets the sheet-activation handler address (SheetActivate) to the virus. The virus then infects files when sheets are opened.

Robocop Nightmare Joker.

Macro.Excel.Sofa

Infects Excel spreadsheets. Contains one module (macro) whose name consists of 11 spaces and therefore cannot be seen in the macro list in the Tools / Macros menu. The module contains four macro functions: AUTO_OPEN, AUTO_RANGE, CURRENT_OPEN and AUTO_CLOSE. All virus functions return NULL as their result.

When an infected file is opened, the AUTO_OPEN macro function is triggered, which "renames" Excel: Microsofa Excel appears in the title bar instead of Microsoft Excel. If the STARTUP PATH directory has no Book.xlt file (the system is not yet infected), the following message is displayed:

Microsoft Excel Has Detected A Corrupted Add-in File. Click Ok to Repair This File.

Regardless of the user's response, the Book.xlt file containing the virus code is created in the STARTUP PATH directory. After infection the following is displayed:

FILE SUCCESSFULLY REPAILED!

When Excel starts, it automatically loads XLT files from the STARTUP PATH and thereby activates the virus. The virus assigns its AUTO_RANGE function to the OnSheetActivate handler and, on every sheet activation, checks the active file for infection and, if the file is not infected, infects it.

The virus does not allow itself to be unloaded from Excel: when each file is closed, it also assigns its AUTO_RANGE function to the OnWindow handler, so it is re-activated when a new file is opened.

Macro.Excel.Yohimbe

Consists of one module (macro) named EXEC. This module contains three subroutines, AUTO_OPEN, DIPDING and PAYLOAD, and the SHEETEXISTS function. The AUTO_OPEN subroutine is invoked automatically when an infected file is opened, and the virus infects Personal.xls. In case of any error, the virus writes itself to all open files (workbooks). Before AUTO_OPEN returns control, it sets the DIPDING subroutine on the Excel timer; this subroutine is called from 16:00 and infects open files.

The virus writes the string Yohimbe in the sheet title. It also sets the timer for the PAYLOAD subroutine, which is called at 16:45 and inserts a picture and text into the current sheet.
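As an added example (not code from the original article), a defender-side triage script for the indicators the Laroux, Sofa and Office 97 descriptions above give: the laroux string in Personal.xls, Book.xlt in the Excel startup path, the Microsofa title, the family names, and the auto-executing macro names (AutoOpen, AutoClose, AUTO_OPEN, CHECK_FILES, AUTO_RANGE, SheetActivate). Everything is searched as plain bytes, in both ANSI and UTF-16LE form; because VBA source inside Office files is stored compressed, this is a triage heuristic, and a real VBA extractor such as oletools' olevba is the definitive tool. The sample files it is tested with are constructed.

```python
"""Heuristic scanner for the macro-virus indicators described on this page.

Added example, not part of the original article.  Searches file bytes for
the auto-executing macro names and the family markers quoted in the text.
VBA source is stored MS-OVBA compressed, so a byte search can miss names;
treat hits as a reason to look closer, not as a verdict.
"""
import io
import zipfile
from pathlib import Path

# Auto-executing macro / event names mentioned on the page.  Word runs
# AutoOpen/AutoClose; Excel runs AUTO_OPEN/AUTO_CLOSE and the SheetActivate
# handlers that Laroux (CHECK_FILES) and Sofa (AUTO_RANGE) install.
AUTO_MACROS = (b"autoopen", b"autoclose", b"auto_open", b"auto_close",
               b"check_files", b"auto_range", b"sheetactivate")

# Family markers quoted on the page.  "legend" is left out on purpose:
# it collides with ordinary chart legends in clean workbooks.
FAMILY_MARKERS = {
    b"laroux": "Macro.Excel.Laroux",
    b"microsofa": "Macro.Excel.Sofa",
    b"yohimbe": "Macro.Excel.Yohimbe",
    b"robocop": "Macro.Excel.Robocop",
    b"nightshade": "Macro.Office97.Nightshade",
    b"frenzy": "Macro.Office97.Frenzy",
}

# Files the page says these viruses drop into the Excel startup directory.
# Personal.xls is also a legitimate personal macro workbook, so its mere
# presence is only worth noting; the markers above are the real signal.
STARTUP_DROPPERS = {"personal.xls": "Laroux, Legend, Robocop, Yohimbe",
                    "book.xlt": "Sofa"}


def _forms(marker: bytes):
    """Office streams hold text as ANSI or UTF-16LE; search both forms."""
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def _contains(blob: bytes, marker: bytes) -> bool:
    return any(form in blob for form in _forms(marker))


def _vba_blob(data: bytes) -> bytes:
    """OOXML (zip) files keep macros only in vbaProject.bin; legacy OLE2
    .doc/.xls/.xlt files are the container itself, so scan them whole.
    A well-formed zip without vbaProject.bin carries no macros at all."""
    if data[:2] != b"PK":
        return data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                if name.lower().endswith("vbaproject.bin"):
                    return zf.read(name)
    except zipfile.BadZipFile:
        return data
    return b""


def scan_bytes(data: bytes) -> dict:
    """Return the indicators found in one file's contents."""
    blob = _vba_blob(data).lower()
    macros = sorted(m.decode() for m in AUTO_MACROS if _contains(blob, m))
    families = sorted(f for m, f in FAMILY_MARKERS.items() if _contains(blob, m))
    return {"auto_macros": macros, "families": families,
            "suspicious": bool(macros or families)}


def scan_files(files: dict) -> list:
    """files maps a file name to its bytes (e.g. the contents of the Excel
    startup directory).  Returns one finding per file worth looking at."""
    findings = []
    for name, data in files.items():
        result = scan_bytes(data)
        dropper = STARTUP_DROPPERS.get(Path(name).name.lower())
        if dropper:
            result["dropper_for"] = dropper
        if result["suspicious"] or dropper:
            findings.append({"file": name, **result})
    return findings


def scan_startup_dir(directory: str) -> list:
    """Read every file in a Word/Excel startup directory and scan it."""
    paths = [p for p in Path(directory).iterdir() if p.is_file()]
    return scan_files({p.name: p.read_bytes() for p in paths})


def build_sample_ooxml(vba: bytes = None) -> bytes:
    """Constructed minimal .xlsx/.xlsm-like zip for testing; vba=None means
    no macro project, otherwise the bytes become xl/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if vba is not None:
            zf.writestr("xl/vbaProject.bin", vba)
    return buf.getvalue()
```

Run `scan_startup_dir` against the Excel startup folder (the STARTUP PATH the Sofa description refers to) and review every finding by hand; a clean Personal.xls will be listed but flagged `suspicious: False`.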