Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00


                                            `Date: Mon, 29 Mar 1999 12:51:09 -0500  
From: rotaiv <rotaiv@USA.NET>  
To: BUGTRAQ@netspace.org  
Subject: Bypassing Excel Macro Virus Protection  
With the sudden attention macro viruses have received over the  
weekend, I thought I would share a couple of items I find concerning  
with Excel macro viruses.  
In Excel, if you go to "Tools - Options - General" you can check the  
"Macro Virus Protection" check-box and this should prevent any macro  
viruses being executed without your knowledge. This is true is most  
cases but it can be bypassed with several methods.  
Password Protected Spreadsheets  
If a file is password protected, Excel assumes this to be a "trusted"  
source so it ignores the "Macro Virus Protection" option. This allows  
any code contained in the document to be executed without the users  
Here is a scenario that should not be to hard to believe: Someone  
downloads a list of passwords for pornographic sites from alt.sex and  
types in a disclaimer password such as "I AM AN ADULT". This allows a  
macro virus can be executed even if the "Macro Virus Option" is  
The solution is simple. Don't open any password documents from a non  
trusted source. If you really want to open the file, type in the  
password then hold down the SHIFT key before you click "OK" on the  
password dialog box. Holding down the shift key will by-pass any  
macros and prevent them from being executed.  
For more details, refer to the following TechNet article:  
Q176640 - XL: No Macro Virus Warning Appears Opening Protected  
Documents in the XLSTART Directory  
Any documents saved in the XLSTART directory are considered to be a  
"trusted" source so once again, the "Macro Virus Protection" is  
ignored. The solution here is obvious but no so easy to implement.  
Don't allow any documents (or shortcuts) to be saved in this  
directory. Remember, many users may have their PERSONAL.XLS file in  
this directory which contains macros they have supposedly created  
The XLSTART directory on my PC is as follows:  
C:\Program Files\Microsoft Office\Office\XLStart  
For more details, refer to the following TechNet article:  
Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros  
Disabling 'Macro Virus Protection'  
With Word, the macro virus protection can be disabled with the  
following command:  
Options.VirusProtection = False  
To my knowledge, there is no such command for Excel. However, this  
option can be changed with a reg hack that could be initiated from a  
batch file or from a VBA macro Shell command. On my PC, the "Macro  
Virus Protection" option is stored as a dword value in the following  
registry key:  
To enable the virus protection, use:  
To disable the virus protection, use:  
This may not be exactly the same for every PC as "Options6" controls  
several options depending on the value of the first four bits. See  
below for details:  
bit 0 Show Name part of Chart Tips  
bit 1 Show Value part of Chart Tips  
bit 2 Intellimouse Roll action: 0 = scroll, 1= zoom  
bit 3 Macro Virus Protection  
bit 4-15 (Reserved)  
For more details, refer to the following TechNet article:  
Q169811 - XL97: Using the Policy Editor to Force Macro Virus  
I am sure many people are under the impression that if the "Macro  
Virus Protection" option is enabled in Excel they are safe from macro  
viruses. However, if someone felt so inclined, they could easily  
bypass this protection and execute VBA code without the users  
I have tested all the above examples using Microsoft Office97  
Professional with SR2. I found the references in TechNet but I have  
not searched Microsoft's Web-site to see if there are any patches or  
hot-fixes for these three items.  
'nuff said ...  
rotaiv -£-  
Version: PGP Personal Privacy 6.0.2