Detecting Macro Viruses

Macro viruses, because they are contained in frequently shared datafiles, are good at spreading, and this accounts for the reason why they are currently the most popular malicious mobile code type on the planet. However, there are dozens of symptoms, beyond your virus scanner going off, that should make you suspect a macro virus. Most of these apply to Word macro viruses, but others apply to any type.

Macro Warnings

Most of the newer versions of Office (97 and later) will warn you if a document, workbook, or datafile contains macros with the following message:

C:\<path>\<filename> contains macros. Macros may contain viruses. It is always safe to disable macros, but if the macros are legitimate, you might lose some functionality.


Office 2000’s default security level, High, will disable macros and not display a warning.

Office then offers to disable the macros by default. A use need only hit Enter or accept the default action to disable the macro virus. Most people do not utilize files with macros, and thus, such a warning usually means a virus is present. If more end users understood the importance of this warning, macro viruses would not be the problem they are today. If you see a macro warning, you are probably opening an infected document unless your normal Office environment includes macros.

Ways viruses can get around macro warnings

Unfortunately, there are many ways a virus can get around Office’s inspection of macros. Some are caused by technology ...

Get Malicious Mobile Code now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.