current position：Home>Is there anything you don't know about macro virus
Is there anything you don't know about macro virus
2022-05-15 07:50:47【Irteam - Industrial Safety】
Many fans privately asked me about macro virus , Today, I'll write a little summary to interested partners , Bosses do not spray
0x00 Principle introduction
According to the routine, we still analyze it from the principle . First , What is macros? ？ It is written in a programming language that can work in its wider environment , It can be understood as a small program , Can run in larger programs , Can perform tasks automatically on behalf of users , It usually refers to a complex or time-consuming task , It's still a lot MMORPG（ Large multiplayer online role-playing games ） Used in the community and some search engine optimization software
Macro viruses rely on specific applications to work , And usually attack and use Microsoft programmatic Windows or Mac Computer , But in addition to Microsoft Other software programs will also be operated
If attacked , It will be propagated to other documents , You may encounter leakage of sensitive information , Files are encrypted and so on
At present Microsoft Office The macro is using Visual Basic for Applications（VBA） Compiling , yes Microsoft The popular Visual Basic A variant of the programming language specifically for Office Built
VBA But in most Office Used in program , for example Access,Excel,Outlook,PowerPoint,Project,Publisher,Visio and Word wait . It can also be applied to Windows and Macintosh Of Office Used in the latest version of
Because macros are programs written in programming language , Like other programs , It may also be damaged by malware .Microsoft Office Because of the large number of users ,Microsoft Claim to have 12 100 million users hahaha may also be the reason why they are often attacked
Macro virus through modification （* .DOC） and NORMAL.DOT Template to infect Microsoft Office file . It's infecting NORMAL.DOT Before that Microsoft Word When opening an infected document under , The virus will get AutoOpen Macro control , And infect the selected global default template, usually NORMAL.DOT
Then use File | SaveAS Every document saved by the command is infected by a virus . If there are any macros before infection , They will be covered
Macros are actually a good way to save time , Can save predictable tasks . For example, apply styles and formatting to text , Or communicate with the data source , Even click to create a new document
0x01 How to work
Macro viruses work by pretending to operate in a seemingly normal way , Some documents are embedded in the document and automatically opened at run time . Usually, macro viruses will destroy the computer by secretly replacing legal commands , When performing operations on a computer , The virus will take over and tell the computer to perform a completely different operation
Macro virus uses msf take shell, utilize msf Generate macro , The generated payload Put it into the created macro , utilize kali Turn on the listening mode ok 了 , Of course, you can also avoid killing . Please refer to this official account for the specific process utilize badusb Remote control , You can also use cs take shell
0x02 Macro virus example
This is the most common macro virus .1995 year 8 month Microsoft To hundreds of OEM The name of the company is “Microsoft Compatibility Test” Of CD ROM There is this virus in . When opening an infected document , A with text... Will appear on the screen “ 1” The message box for
All macros in the nuclear are protected , It cannot be viewed or edited . Infected NORMAL.DOC Contains the name AutoExec,AutoOpen,DropSuriv,FileExit,FilePrint,FilePrintDefault,FileSaveAs,InsertPayload Wait for nine macros
The virus contains the following macros ：AutoOpen, AutoClose, Autoexec, Filenew, Fileexit, Filesave, Filesaveas, Toolsmacro wait
This virus will WINWORD6.INI Create a configuration file that contains “hot date” The entry of . The “hot date” Is calculated from the current date 14 Days will trigger the virus
This is a kind of “demonstration” Concept virus
This is a Trojan horse , Not self replicating , Can format C：
0x03 Defensive measures
Most macro viruses do not need to be downloaded and installed on the computer , This is more difficult to detect than other viruses . It usually tries to infect more computers
Macro viruses can destroy data , Create a new file , Mobile text , Hard drive formatting , Send files and insert pictures , Sometimes there are missing menu items or passwords , If there are these situations, we should consider whether it is caused by macro virus
If you operate some files infected with macro virus （ Document or template ） It is possible to be infected with macro virus
Infection files are usually transmitted in the following ways ：
Share files over the network
Open the email attachment with virus
share USB Drive or other external / Share files on media
Open and download the virus Internet Documents, etc
To prevent macro virus infection , We can use malware removal tools to detect programs and remove macro viruses
And don't open email or email attachments immediately when using the computer , And keep the anti-virus software updated . Be careful when downloading new programs , In especial Windows System . Try not to click on pop-up ads
To sum up ： Disable macro
author[Irteam - Industrial Safety],Please bring the original link to reprint, thank you.
The sidebar is recommended
- Which securities company does qiniu school recommend? Is it safe to open an account
- Hyperstyle: complete face inversion using hypernetwork
- What activities are supported by the metauniverse to access reality at this stage?
- P2P swap OTC trading on qredo
- Google | coca: the contrast caption generator is the basic image text model
- SIGIR 2022 | Huawei reloop: self correcting training recommendation system
- Whether you want "melon seed face" or "national character face", the "face changing" technology of Zhejiang University video can be done with one click!
- Sorting of naacl2022 prompt related papers
- Servlet create project
- "Chinese version" Musk was overturned by the original: "if it's true, I want to see him"
guess what you like
[network security] web security trends and core defense mechanisms
[intensive reading] object detection series (10) FPN: introducing multi-scale with feature pyramid
007. ISCSI server chap bidirectional authentication configuration
plot_ Importance multi classification, sorting mismatch, image value not displayed
[intensive reading] object detection series (XI) retinanet: the pinnacle of one stage detector
How to install MFS environment for ECS
[intensive reading] the beginning of object detection series (XII) cornernet: anchor free
Open source sharing -- a record of students passing through time
MOT：A Higher Order Metric for Evaluating Multi-object Tracking
- How to develop a distributed memory database (1)
- Reverse engineers reverse restore app and code, and localization is like this
- One line command teaches you how to export all the libraries in anaconda
- Bi tools are relatively big. Let's see which one is most suitable for you
- Read the history of database development
- Self cultivation of coder - batterymanager design
- Technology application of swift phantom type phantom in Apple source code learning
- Swiftui advanced skills: what is the use of the technology of swift phantom type phantom
- Swiftui advanced animation Encyclopedia of complex deformation animation is based on accelerate and vector arithmetic (tutorial includes source code)
- What problems remain unsolved in swiftui in 2022
- I'll set the route for fluent
- Flutter drawing process analysis and code practice
- Emoji language commonly used icon collection (interesting Emoji)
- 5.14 comprehensive case 2.0 - automatic induction door
- How to deploy redis service on k8s top?
- Importance of data warehouse specification
- Idea automatically generates serialization ID
- Why is it recommended not to use select * in MySQL?
- Let's talk about why redis needs to store two data structures for the same data type?
- Domain lateral move RDP delivery
- [learn slam orb_slam2 or slam3 from scratch] summary of all blog articles
- 20000 + star ultra lightweight OCR system pp-ocrv3 effect increased by 5% - 11%!
- A configurable canvas clock - Super multi style
- The pp-ocrv3 effect of 20000 + star ultra lightweight OCR system is further improved by 5% - 11%
- MySQL's golden rule: "don't use select *"
- True interview question: why does redis store a data type twice?
- High threshold for large factories? Five exclusive PDFs inside Alibaba will take you forward and win the offer
- Is it really hard to find a job? How on earth can I find a job with high salary without worrying about being laid off
- How to design knowledge center? (code attached)
- OWASP top 10 vulnerability analysis
- Are you still writing comment templates manually? Idea can generate annotation templates of classes and methods with one click. Click in if you don't know
- Numpy core syntax and code sorting summary!
- Can you believe that the swoole timer can realize millisecond task scheduling?
- Detailed explanation of art template engine
- Telephone subsystem of openharmony source code analysis -- call flow
- Yixin Huachen: how to do a good job in digital transformation in the power industry?
- One stop collaboration is really delicious - apipost
- Notes on modern algebra and series of questions: Chapter 1 (introduction of algebraic system)
- Notes on modern algebra and serialization of question types: Chapter 2 (properties of binary operation)