This section of the chapter will cover how macro viruses work and the different technologies they use to spread. I will give more coverage to Word and Excel viruses because they represent the vast majority of macro viruses in the wild. Viruses for Access, PowerPoint, Corel Draw, etc. spread using similar concepts with different replication approaches and macro commands.
When Word opens any document, it looks for macros included in the document, or its associated template. All macros are loaded into memory and any automacros are executed, if allowed by security. If the document or template contains any macro viruses they can infect other documents and templates, including the global template. Now, Word is infected, and any new documents created are infected by default (see Figure 5-10).
Figure 5-10. Word macro virus infection pathway
Typically, menu options are rewritten by malicious macros to help the
infection process. For example, a macro with the name
FileSave will allow a programmer to redirect
what happens when a Word user chooses
Save from the menu bar. In most cases, it will trigger the virus to infect the new document during the saving process. In earlier versions of Word, macros could only be saved in templates. When the virus infected the document, Word automatically detected the macros and prompted the user to save the document ...