Date: Mon, 29 Mar 1999 12:51:09 -0500
From: rotaiv
To: BUGTRAQ@netspace.org
Subject: Bypassing Excel Macro Virus Protection

With the sudden attention macro viruses have received over the weekend, I thought I would share a couple of items I find concerning with Excel macro viruses.

In Excel, if you go to "Tools - Options - General" you can check the "Macro Virus Protection" check-box and this should prevent any macro viruses being executed without your knowledge. This is true in most cases but it can be bypassed with several methods.

Password Protected Spreadsheets
=========================

If a file is password protected, Excel assumes this to be a "trusted" source so it ignores the "Macro Virus Protection" option. This allows any code contained in the document to be executed without the user's knowledge.

Here is a scenario that should not be too hard to believe: Someone downloads a list of passwords for pornographic sites from alt.sex and types in a disclaimer password such as "I AM AN ADULT". This allows a macro virus to be executed even if the "Macro Virus Option" is checked.

The solution is simple. Don't open any password documents from a non-trusted source. If you really want to open the file, type in the password then hold down the SHIFT key before you click "OK" on the password dialog box. Holding down the shift key will by-pass any macros and prevent them from being executed.

For more details, refer to the following TechNet article:

    Q176640 - XL: No Macro Virus Warning Appears Opening Protected Workbook

Documents in the XLSTART Directory
============================

Any documents saved in the XLSTART directory are considered to be a "trusted" source so once again, the "Macro Virus Protection" is ignored.

The solution here is obvious but not so easy to implement. Don't allow any documents (or shortcuts) to be saved in this directory.
Remember, many users may have their PERSONAL.XLS file in this directory which contains macros they have supposedly created themselves.

The XLSTART directory on my PC is as follows:

    C:\Program Files\Microsoft Office\Office\XLStart

For more details, refer to the following TechNet article:

    Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros

Disabling 'Macro Virus Protection'
=========================

With Word, the macro virus protection can be disabled with the following command:

    Options.VirusProtection = False

To my knowledge, there is no such command for Excel. However, this option can be changed with a reg hack that could be initiated from a batch file or from a VBA macro Shell command.

On my PC, the "Macro Virus Protection" option is stored as a dword value in the following registry key:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]

To enable the virus protection, use:

    "Options6"=dword:00000008

To disable the virus protection, use:

    "Options6"=dword:00000000

This may not be exactly the same for every PC as "Options6" controls several options depending on the value of the first four bits. See below for details:

    bit 0      Show Name part of Chart Tips
    bit 1      Show Value part of Chart Tips
    bit 2      Intellimouse Roll action: 0 = scroll, 1 = zoom
    bit 3      Macro Virus Protection
    bit 4-15   (Reserved)

For more details, refer to the following TechNet article:

    Q169811 - XL97: Using the Policy Editor to Force Macro Virus Protection

Conclusion
========

I am sure many people are under the impression that if the "Macro Virus Protection" option is enabled in Excel they are safe from macro viruses. However, if someone felt so inclined, they could easily bypass this protection and execute VBA code without the user's knowledge.

I have tested all the above examples using Microsoft Office97 Professional with SR2. I found the references in TechNet but I have not searched Microsoft's Web-site to see if there are any patches or hot-fixes for these three items.
'nuff said ...

rotaiv -£-
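
An added example, not part of the original post: a small audit of the "Options6" value described above, which reads a .reg export, decodes the four documented bits, and computes a corrected value that sets bit 3 without disturbing the user's other settings. The function names, the sample export and the handling of a missing value are assumptions made for this illustration.

```python
import re

# Bit layout of "Options6" as listed in the post (Excel 97, Office 8.0).
OPTIONS6_BITS = {
    0: "Show Name part of Chart Tips",
    1: "Show Value part of Chart Tips",
    2: "Intellimouse Roll action is zoom",
    3: "Macro Virus Protection",
}
MACRO_PROTECTION_MASK = 1 << 3  # 0x00000008

_DWORD_RE = re.compile(r'^"Options6"\s*=\s*dword:([0-9a-fA-F]{1,8})\s*$', re.M)


def parse_options6(reg_text):
    """Return the Options6 value from .reg export text, or None if absent."""
    match = _DWORD_RE.search(reg_text)
    return int(match.group(1), 16) if match else None


def decode_options6(value):
    """Map each documented bit to True/False; bits 4-15 are reserved."""
    return {name: bool((value >> bit) & 1) for bit, name in OPTIONS6_BITS.items()}


def audit(reg_text):
    """Return (protected, corrected_value) for one exported key."""
    value = parse_options6(reg_text)
    if value is None:
        # Assumption: a missing value is reported as unprotected for review.
        return False, MACRO_PROTECTION_MASK
    protected = bool(value & MACRO_PROTECTION_MASK)
    # OR the bit in so the chart-tip and IntelliMouse bits are preserved.
    return protected, value | MACRO_PROTECTION_MASK


# Constructed sample export: bits 0 and 1 set, bit 3 (protection) clear.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
"Options6"=dword:00000003
'''

if __name__ == "__main__":
    protected, fixed = audit(SAMPLE_EXPORT)
    print("protection enabled:", protected)
    print("settings:", decode_options6(parse_options6(SAMPLE_EXPORT)))
    print('corrected value: "Options6"=dword:%08x' % fixed)
```

Writing a fixed dword:00000008 would also clear bits 0 to 2, which is why the corrected value is computed with a bitwise OR.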