Is there anything you don't know about macro virus

Many fans privately asked me about macro virus , Today, I'll write a little summary to interested partners , Bosses do not spray

0x00 Principle introduction

According to the routine, we still analyze it from the principle . First , What is macros? ？ It is written in a programming language that can work in its wider environment , It can be understood as a small program , Can run in larger programs , Can perform tasks automatically on behalf of users , It usually refers to a complex or time-consuming task , It's still a lot MMORPG（ Large multiplayer online role-playing games ） Used in the community and some search engine optimization software

Macro viruses rely on specific applications to work , And usually attack and use Microsoft programmatic Windows or Mac Computer , But in addition to Microsoft Other software programs will also be operated

If attacked , It will be propagated to other documents , You may encounter leakage of sensitive information , Files are encrypted and so on

At present Microsoft Office The macro is using Visual Basic for Applications（VBA） Compiling , yes Microsoft The popular Visual Basic A variant of the programming language specifically for Office Built

VBA But in most Office Used in program , for example Access,Excel,Outlook,PowerPoint,Project,Publisher,Visio and Word wait . It can also be applied to Windows and Macintosh Of Office Used in the latest version of

Because macros are programs written in programming language , Like other programs , It may also be damaged by malware .Microsoft Office Because of the large number of users ,Microsoft Claim to have 12 100 million users hahaha may also be the reason why they are often attacked

Macro virus through modification （* .DOC） and NORMAL.DOT Template to infect Microsoft Office file . It's infecting NORMAL.DOT Before that Microsoft Word When opening an infected document under , The virus will get AutoOpen Macro control , And infect the selected global default template, usually NORMAL.DOT

Then use File | SaveAS Every document saved by the command is infected by a virus . If there are any macros before infection , They will be covered

Macros are actually a good way to save time , Can save predictable tasks . For example, apply styles and formatting to text , Or communicate with the data source , Even click to create a new document

0x01 How to work

Macro viruses work by pretending to operate in a seemingly normal way , Some documents are embedded in the document and automatically opened at run time . Usually, macro viruses will destroy the computer by secretly replacing legal commands , When performing operations on a computer , The virus will take over and tell the computer to perform a completely different operation

Macro virus uses msf take shell, utilize msf Generate macro , The generated payload Put it into the created macro , utilize kali Turn on the listening mode ok 了 , Of course, you can also avoid killing . Please refer to this official account for the specific process utilize badusb Remote control , You can also use cs take shell

0x02 Macro virus example

Word.Macro.Concept

This is the most common macro virus .1995 year 8 month Microsoft To hundreds of OEM The name of the company is “Microsoft Compatibility Test” Of CD ROM There is this virus in . When opening an infected document , A with text... Will appear on the screen “ 1” The message box for

Word.Macro.Nuclear

All macros in the nuclear are protected , It cannot be viewed or edited . Infected NORMAL.DOC Contains the name AutoExec,AutoOpen,DropSuriv,FileExit,FilePrint,FilePrintDefault,FileSaveAs,InsertPayload Wait for nine macros

Word.Macro.Colors

The virus contains the following macros ：AutoOpen, AutoClose, Autoexec, Filenew, Fileexit, Filesave, Filesaveas, Toolsmacro wait

Word.Macro.Hot

This virus will WINWORD6.INI Create a configuration file that contains “hot date” The entry of . The “hot date” Is calculated from the current date 14 Days will trigger the virus

Word.Macro.DMV

This is a kind of “demonstration” Concept virus

Word.Macro.FormatC（TrojanFormat）

This is a Trojan horse , Not self replicating , Can format C：

0x03 Defensive measures

Most macro viruses do not need to be downloaded and installed on the computer , This is more difficult to detect than other viruses . It usually tries to infect more computers

Macro viruses can destroy data , Create a new file , Mobile text , Hard drive formatting , Send files and insert pictures , Sometimes there are missing menu items or passwords , If there are these situations, we should consider whether it is caused by macro virus

If you operate some files infected with macro virus （ Document or template ） It is possible to be infected with macro virus

Infection files are usually transmitted in the following ways ：

Share files over the network

Open the email attachment with virus

share USB Drive or other external / Share files on media

Open and download the virus Internet Documents, etc

To prevent macro virus infection , We can use malware removal tools to detect programs and remove macro viruses

And don't open email or email attachments immediately when using the computer , And keep the anti-virus software updated . Be careful when downloading new programs , In especial Windows System . Try not to click on pop-up ads

To sum up ： Disable macro