excel.macro.virus.protect.txt

1999-08-17T00:00:00
ID PACKETSTORM:12111
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

Date: Mon, 29 Mar 1999 12:51:09 -0500  
From: rotaiv <rotaiv@USA.NET>  
To: BUGTRAQ@netspace.org  
Subject: Bypassing Excel Macro Virus Protection  
  
With the sudden attention macro viruses have received over the  
weekend, I thought I would share a couple of items I find concerning  
with Excel macro viruses.  
  
In Excel, if you go to "Tools - Options - General" you can check the  
"Macro Virus Protection" check-box and this should prevent any macro  
viruses being executed without your knowledge. This is true in most  
cases but it can be bypassed with several methods.  
  
  
Password Protected Spreadsheets  
=========================  
  
If a file is password protected, Excel assumes this to be a "trusted"  
source so it ignores the "Macro Virus Protection" option. This allows  
any code contained in the document to be executed without the user's  
knowledge.  
  
Here is a scenario that should not be too hard to believe: Someone  
downloads a list of passwords for pornographic sites from alt.sex and  
types in a disclaimer password such as "I AM AN ADULT". This allows a  
macro virus to be executed even if the "Macro Virus Option" is  
checked.  
  
The solution is simple. Don't open any password documents from a non  
trusted source. If you really want to open the file, type in the  
password then hold down the SHIFT key before you click "OK" on the  
password dialog box. Holding down the shift key will by-pass any  
macros and prevent them from being executed.  
  
For more details, refer to the following TechNet article:  
Q176640 - XL: No Macro Virus Warning Appears Opening Protected  
Workbook  
  
  
  
Documents in the XLSTART Directory  
============================  
  
Any documents saved in the XLSTART directory are considered to be a  
"trusted" source so once again, the "Macro Virus Protection" is  
ignored. The solution here is obvious but not so easy to implement.  
Don't allow any documents (or shortcuts) to be saved in this  
directory. Remember, many users may have their PERSONAL.XLS file in  
this directory which contains macros they have supposedly created  
themselves.  
  
The XLSTART directory on my PC is as follows:  
C:\Program Files\Microsoft Office\Office\XLStart  
  
For more details, refer to the following TechNet article:  
Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros  
  
  
  
Disabling 'Macro Virus Protection'  
=========================  
  
With Word, the macro virus protection can be disabled with the  
following command:  
Options.VirusProtection = False  
  
To my knowledge, there is no such command for Excel. However, this  
option can be changed with a reg hack that could be initiated from a  
batch file or from a VBA macro Shell command. On my PC, the "Macro  
Virus Protection" option is stored as a dword value in the following  
registry key:  
  
[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]  
  
To enable the virus protection, use:  
"Options6"=dword:00000008  
  
To disable the virus protection, use:  
"Options6"=dword:00000000  
  
This may not be exactly the same for every PC as "Options6" controls  
several options depending on the value of the first four bits. See  
below for details:  
  
bit 0 Show Name part of Chart Tips  
bit 1 Show Value part of Chart Tips  
bit 2 Intellimouse Roll action: 0 = scroll, 1 = zoom  
bit 3 Macro Virus Protection  
bit 4-15 (Reserved)  
  
For more details, refer to the following TechNet article:  
Q169811 - XL97: Using the Policy Editor to Force Macro Virus  
Protection  
  
  
  
Conclusion  
========  
  
I am sure many people are under the impression that if the "Macro  
Virus Protection" option is enabled in Excel they are safe from macro  
viruses. However, if someone felt so inclined, they could easily  
bypass this protection and execute VBA code without the user's  
knowledge.  
  
I have tested all the above examples using Microsoft Office97  
Professional with SR2. I found the references in TechNet but I have  
not searched Microsoft's Web-site to see if there are any patches or  
hot-fixes for these three items.  
  
'nuff said ...  
  
rotaiv -£-  
  
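A defender-side check of the "Options6" value described in the message above, as an added example that is not part of the original post: it parses a registry export, reports whether bit 3 (Macro Virus Protection) is set, and computes the value that turns it on without disturbing the other bits. The function names and the sample export are constructed for illustration.

```python
import re

# Bit layout of "Options6" as listed in the post (bits 4-15 are reserved).
OPTIONS6_BITS = {
    0: "Show Name part of Chart Tips",
    1: "Show Value part of Chart Tips",
    2: "Intellimouse Roll action is zoom",
    3: "Macro Virus Protection",
}
MACRO_PROTECTION = 1 << 3  # 0x8

# Matches a line such as: "Options6"=dword:00000008
_DWORD = re.compile(r'^\s*"Options6"\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$', re.M | re.I)


def read_options6(reg_text):
    """Return the Options6 value from .reg export text, or None if absent."""
    m = _DWORD.search(reg_text)
    return int(m.group(1), 16) if m else None


def decode(value):
    """Names of the documented options whose bit is set in value."""
    return [name for bit, name in OPTIONS6_BITS.items() if value & (1 << bit)]


def audit(reg_text):
    """Return (protected, enforced_value).

    enforced_value sets bit 3 and leaves every other bit as found, because
    Options6 is shared with unrelated UI settings.
    """
    value = read_options6(reg_text)
    if value is None:
        # Assumption: a missing value is reported as unprotected so it gets reviewed.
        return False, MACRO_PROTECTION
    return bool(value & MACRO_PROTECTION), value | MACRO_PROTECTION


# Constructed sample export: chart tips on (bits 0 and 1), protection off.
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
"Options6"=dword:00000003
'''

if __name__ == "__main__":
    ok, fixed = audit(SAMPLE)
    print("protected:", ok, "enforce with dword:%08x" % fixed)
```

Writing a fixed 00000008 would also clear the chart-tip and Intellimouse bits, which is why the enforced value is computed by OR-ing bit 3 into whatever is already stored.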