[Previous] [Next] [Index]
[Thread]
Re: Winword Macro Viruses: unsafe to use Word as a viewer?
Regarding using macro-capable programs as web data viewers,
David M. Chess <chess@watson.ibm.com> writes:
DMC>
DMC> ... The Microsoft detection tool will warn you
DMC> if it finds macros in documents that wouldn't normally
DMC> be expected to contain macros, but it only works if a
DMC> document is opened in certain ways, ...
The MS-ScanProt.Dot protective macros should warn of any macros
found in a document, as long as the FileOpen macro is invoked.
This does depend on how the document was opened. I did some
tests opening a document infected with WordMacro.Concept, with
the MS-ScanProt Normal.Dot macros installed on Word 6.0.
Your Mileage May Vary, but here is what I found:
Document-opened-by Results Command Line (or comments)
------------------ ------- --------------------------
MS-Word File/Open Safe (Intended usage for ScanProt)
PC Mosaic 2.0.a.8 Infects Winword.exe %ls
FileManager, Run Infects Winword.exe Concept2.Doc
FileManager, DblClick Safe
Our Email User Agent Safe (Not a common one, YMMV)
Icon, Full Cmd Line Infects Winword.exe Concept.Doc
Icon, File Cmd Line Safe Concept.Doc
Maybe if you give a full command line then the FileOpen macro
is bypassed.
I've read that it is also unsafe to open documents:
o using a Recent Files menu or list.
o via Drag-and-Drop to the MS-Word program window.
o using the Macintosh Finder or Windows NT Find File.
o via "desktop scraps" in Windows NT or Win95.
DMC> You could also use a script that first runs a virus-checker
DMC> on the document, and then opens it if it passes, ...
The MS-ScanProt.Dot method is to copy the suspect document,
sans macros, to a safe document. It would be nice to have
this capability in a stand-alone program. You could then
use it in scripts to clean both incoming and outgoing email
and web documents.
DMC> It'd be better to use something that just doesn't include the
DMC> macro interpreter at all; I believe Microsoft's Word Viewer
DMC> is like that.
Yup. It does not let you disinfect documents as you can with
MS-ScanProt.Dot, but it is safe to use as a web viewer. AFAIK,
MS-WordView is the *only* safe web viewer for .Doc files.