┌──────────────────────────────────────────────────────────┐
│          Heuristic Macro Virus Scanner/cleaner           │
│                    (user's manual)                       │
│                                                          │
│          (c) Jan Valky & Lubos Vrtik, Slovakia           │
└──────────────────────────────────────────────────────────┘

                                              Last update: 25-jan-98

Sorry, this is only a short version of the DOX, because we are too lazy to
write the full DOX :)  Please excuse our English, it is not our native
language ;(

IF YOU WANT TO HELP US IMPROVE HMVS, PLEASE SEND US ANY COMMENTS OR IDEAS.
NEW MACRO VIRUSES ARE WELCOME TOO. PLEASE SEND US ALL MACRO VIRUSES THAT
HMVS CANNOT DETECT BY NAME.

══════════════════════════════════════════════════════════════════════════
CONTENTS

  1.  HOW TO USE HMVS
  2.  METHODS USED IN HMVS
  2.1 Available options when a virus was found
  3.  WHAT ARE MACRO VIRUSES :)
  4.  HEURISTIC FLAGS DISPLAYED BY HMVS
  5.  MACRO VIRUS CLEANING
══════════════════════════════════════════════════════════════════════════

1. HOW TO USE HMVS
──────────────────────────────────────────────────────────────────────────

If you run HMVS without parameters it displays the following help:

  Usage: HMVS drive:[\path] switches

  switches:
    /H,/?      - this help
    /ALL       - scan all files (*.*)
    /REP       - output to log file hmvs.log
    /REP=file  - output to specified log file
    /NOH       - disable heuristics, only scanning
    /NOS       - disable scanning, only heuristics
    /MAC       - prompt if file contains macros
    /IA        - nonstop scanning without prompt
    /CA        - automatically clean all infected files
    /RA        - automatically rename all infected files
    /NOB       - disable user break with ESC key
    /EXT       - decrypt execute-only macros (reg. version only)
    /FLG       - enable displaying of heuristic flags
    /HLO /HHI  - use low or high heuristics instead of standard heuristics
    /CV[+|-]   - force/disable converting to document
    /SIMPLE    - use simplified output to screen
    /OK        - display OK after file name if file is clean
    /SOURCE    - generate source code of macros

Undocumented switches:

  /EXPORT           - export binary images of macros to files
                      (reg. version only)
                      Usage: HMVS C:\BADVIR\Stragly.doc /EXPORT
  /LST              - display known virus names from the signature file
                      Usage: HMVS C:\ /LST   (path is required)
  /HEUREXP=filename - export information for the neural network (there is
                      no benefit in this switch for anyone except the
                      authors)
                      Usage: HMVS C:\BADVIRS /HEUREXP=virii.dat

Short description of the command line parameters:

  /H /?     Displays help on using HMVS.

  /ALL      All files will be scanned (*.*). Without this parameter only
            *.DOC and *.DOT files are scanned.

  /REP      The report will be logged to the file HMVS.LOG.

  /REP=file The report will be logged to the user-specified file.

  /NOH      Disables heuristic analysis. Only the standard scanning method
            is used.
            WARNING: If you disable heuristics, some polymorphic viruses
            will not be detected by name!

  /NOS      Disables the standard scanning method. Only heuristics are
            used. You can use both switches (/NOS /NOH) together :)  This
            combination saves time if you only want information about the
            macros in a file (use it together with /MAC or /REP).

  /MAC      With this switch the program stops at each file that contains
            one or more macros. Otherwise it stops only when a file is
            infected by a known virus, is probably infected, or is
            suspicious. We recommend this switch if you want to see the
            macros or the result of the neural network.

  /IA       With this option the program does not stop on any file. You
            will probably use it together with /REP.

  /CA       Automatically cleans any infected or probably infected file.
            A file is cleaned only if a backup copy was created
            successfully.
            WARNING: ALL MACROS WILL BE REMOVED FROM THE INFECTED FILE.
            After cleaning you should check that the cleaned file is OK.
            If something went wrong you can restore the original from the
            backup copy. If HMVS fails, please send us the file that
            could not be cleaned.

  /RA       Automatically renames any infected or probably infected file.

  /NOB      With this option HMVS cannot be stopped with the ESC key.
            Otherwise you can break the program at any time by pressing
            the ESC key.

  /EXT      Decrypt execute-only macros (available only for registered
            users). You are prompted at each file containing execute-only
            macro(s) whether you want to decrypt them. If yes, the program
            first creates a backup copy of the file (*.VI?) and then
            decrypts all execute-only macros. This is a nice option for
            AV researchers or experienced users.
            WARNING: If you use this option, scanning is disabled!

  /FLG      Enables displaying of heuristic flags (disabled by default).

  /HLO      Switch to low heuristics. Low heuristics take the result of
            the neural network into account. If neither /HLO nor /HHI is
            given, the default heuristics are used.

  /HHI      High heuristics analyse the whole macro. Without this switch
            only the first 32 kB of each macro is analysed. If neither
            /HLO nor /HHI is given, the default heuristics are used.

  /CV[+|-]  When files with the DOC extension are cleaned they are
            automatically converted from template back to document. You
            can disable this with the /CV- switch. Files with an extension
            other than DOC are converted to document only if you use /CV+.

  /SIMPLE   Use a more user-friendly output, like this one:

              C:\Concept\A\CONC-A.DOC (Neural: 99.893942%) -
              C:\Concept\B\CONC-B.DOC (Neural: 99.893942%) -
              C:\Concept\C\CONC-C.DOC (Neural: 99.893942%) -
              C:\Concept\D\CONC-D.DOC (Neural: 99.908847%) -
              C:\Concept\E\CONC-E.DOC (Neural: 99.672042%) -

            With /SIMPLE the following switches are ignored:
            /FLG /CV+ /IA /CA /RA /EXT
            Using /NOH and /NOS together is not allowed in this case.

  /OK       Include clean files in the output and put OK after the file
            name.

  /SOURCE   Unpack and detokenize the source code of the macros. At the
            moment MS Word 6/7, Word'97 and Excel'97 files are supported.
            If you want to inspect incoming or suspicious files, just use
            this switch and check the contents of the macros. For
            experienced users this can be very valuable!

            Usage: HMVS filename /SOURCE

            Note: This option does not work with long file names
            (directories or files).

            PLEASE LET US KNOW IF THIS OPTION HELPED YOU :)

2. METHODS USED IN HMVS
──────────────────────────────────────────────────────────────────────────

When a scanned file contains an MS Word document or template, or an Excel
sheet, with macros, HMVS will:

  - search for macros in the document or template
  - decrypt each macro (if it is encrypted, i.e. execute-only)
  - apply the standard scanning methods (so only the macros are scanned,
    not the whole file!)
  - apply the algorithmic scanners
  - apply heuristics: each macro is analysed and checked for suspicious
    operations that can reveal an unknown virus. If the heuristics find
    suspicious actions in a file, the user is informed.
  - apply the neural network driven scanner

HMVS uses several ways to determine that a file is infected:

  ■ Standard 'pattern searching' based on 'identification strings'
    This is the well known method used by most virus scanners. Search
    strings are fast and reliable, but can only find known viruses.

  ■ CRC16 method
    A good method for exact identification of static viral macros.
    However, it is only usable against the old generation of macro
    viruses, whose macros never change.

  ■ Smart CRC16
    Intelligent checksumming driven by heuristics. This method is used to
    detect viruses like Hunter.C, Slow A/B and similar ones.

  ■ Algorithmic scanner
    Based on searching for actions specific to one virus. This method is
    used to find highly polymorphic macro viruses (like Uglykid.A).

  ■ Heuristic analysis
    HMVS uses a unique heuristic technology: a semi-emulator of Word
    macro commands (something like a length disassembler, if you know
    what that is ...). It traces through each command in the macro, step
    by step, and tries to understand the macro code. This is a very
    reliable method and we hope that the heuristics can detect almost
    every virus.
  ■ Neural network driven scanner
    HMVS is probably the only known scanner using this method on MS Word
    6.x and 7.x files. The results of the neural network depend strongly
    on the amount of information about viral and clean macros. The
    training set is skewed: far more viral macros than clean macros were
    available to us, so the network knows much less about clean code and
    its results can be uncertain. At the moment the neural scanner is used
    to eliminate false alarms raised by the HMVS heuristics (this requires
    the /HLO switch).
    A math coprocessor is required to use this method!

Of course, each of these methods is useful in slightly different cases,
but we think that together these technologies are enough to identify any
virus. The standard methods identify a macro virus exactly, by name;
heuristics can detect known and unknown viruses. A good antivirus product
should use several methods: with a large virus database it reaches a top
hit-rate, and it can detect unknown viruses too.

Heuristics is not a 100% method of virus scanning, so it may produce false
alarms in some cases. On the other hand, heuristics is the only method
that can discover new or unknown viruses. This is a very great feature and
we think it is the best approach to virus scanning. So when HMVS detects
an unknown virus in one or two documents, don't be afraid: they need not
really be viruses. But when HMVS finds many infected documents, you are
probably infected.

We have checked HMVS against some files containing anti-virus macros (for
example DOCGUARD.DOC). Because such a file contains macros and performs
operations typical for viruses, HMVS considers it infected with a macro
virus. Here is the false alarm on DOCGUARD.DOC (note that the neural
network rates the file CLEAN; this is exactly the kind of false alarm the
/HLO switch uses the neural network to suppress):

  C:\FALSEPOS\DOCGUARD.DOC
  Stream: WordDocument (MS Word)
  * document contains 7 macros with total length 15065 bytes
    {AutoOpen} {Remove} {Install} {AutoClose} {NormalAutoExec}
    {NormalAutoOpen} {NormalFileOpen}
  ! Copies macros into the template ('MacroCopy') [3 x]
  + Contains execute-only (encrypted) macros
  + Detects if macro is execute-only ('IsExecuteOnly()')
  + Uses the 'FileSaveAs' macro command
  + Enables auto macro processing ('DisableAutoMacro')
  + Detects number of macros in template or document ('CountMacros()')
  + Detects macros names in template or document ('MacroName$()')
  ! Deletes other files ! ('Kill') [2 x]
  + Contains macros but is named *.DOC
  ! Creates or edits macro ('ToolsMacro .Edit')
  + Inserts text into document
  + Deletes macro ('ToolsMacro .Delete')
  Result of heuristics: POLY.CRYPT.COMPANION.MACRO virus
  Result of neural network: CLEAN (1.330692%)
  PROBABLY INFECTED WITH A MACRO VIRUS !!!

2.1 Available options when a virus was found
──────────────────────────────────────────────────────────────────────────

If HMVS detects that a file is infected, it displays something like the
following example.

Note: Macros enclosed in [] are unencrypted, macros enclosed in {} are
encrypted (execute-only).

Flags used in the result of heuristics:

  POLY      - might be a polymorphic, self-modifying or anti-heuristic
              virus
  CRYPT     - encrypted virus
  STEALTH   - uses 'stealth' methods
  COMPANION - companion macro virus (links a template with a document)
  MACRO     - macro virus

  C:\Xenixos\A\xenixos.doc
  Stream: WordDocument (MS Word)
  * document contains 11 macros with total length 31342 bytes
    {Drop} {Dummy} {AutoExec} {AutoOpen} {DateiÖffnen} {ExtrasMakro}
    {DateiBeenden} {DateiDrucken} {DateiSpeichern} {DateiSpeichernUnter}
    {DateiDruckenStandard}
  ! Copies macros into the template ('MacroCopy') [60 x]
  + Contains execute-only (encrypted) macros
  + Uses the 'FileSaveAs' macro command
  + Disables global template write access warnings
  + Enables auto macro processing ('DisableAutoMacro')
  - Might prevent the ESC key from interrupting a macro ('DisableInput')
  + Detects number of macros in template or document ('CountMacros()')
  + Detects macros names in template or document ('MacroName$()')
  - Gets parameters from WIN.INI or WINWORD6.INI ('GetProfileString$()')
  ! Executes other DOS or Windows programs ! ('Shell') [1 x]
  ! Writes directly to a sequential file ! ('Print #') [381 x]
  + Changes DOS attributes of other files ('SetAttr')
  - Changes current directories ('ChDir')
  - Opens a sequential file for input or output of text ('Open #')
  - Closes an open sequential file ('Close #')
  + Contains macros but is named *.DOC
  + Inserts text into document
  Contains viral macro:
  Result of heuristics: CRYPT.STEALTH.MACRO virus
  Result of neural network: VIRUS (99.870585%)
  INFECTED WITH A MACRO VIRUS !!!
  1-Skip 2-Remove all macros 3-Rename file 4-Ignore all
  5-Automatically remove all macros 6-Automatically rename all files :

Now the program waits for user input. Available actions:

  1-Skip
      The program ignores this potentially infected file and continues
      scanning the other files.
  2-Remove all macros
      HMVS attempts to clean this file. All macros are removed.
  3-Rename file
      Renames the file to *.VI?
  4-Ignore all
      The program ignores every other infected file and scans until ESC
      is pressed or there are no more files to process in the scanned
      path.
  5-Automatically remove all macros
      Like 2, but for every infected file.
  6-Automatically rename all files
      Like 3, but for every infected file.

Experienced users should inspect a suspected file before deciding: create
a listing of its macros with the /SOURCE switch and check the contents.

3. WHAT ARE MACRO VIRUSES :)
──────────────────────────────────────────────────────────────────────────

If you don't know what a macro virus is, you have a big chance of becoming
a victim of one :)  Don't worry, HMVS is here to solve your troubles (we
hope ...).

4. HEURISTIC FLAGS DISPLAYED BY HMVS
──────────────────────────────────────────────────────────────────────────

The current version of HMVS can report the following flags (we do not
currently plan to add new flags in the next version):

  ! Copies macros into the template ('MacroCopy')
  + Might copy macros to template using 'Organizer .Copy'
  ! Copies macros to template using 'Organizer .Copy'
  ! Adds a template or WLL to the list of global templates ('AddAddIn')
  + Contains execute-only (encrypted) macros
  + Detects if macro is execute-only ('IsExecuteOnly()')
  + Uses the 'FileSaveAs' macro command
  + Disables global template write access warnings
  + Enables the fast save option ('FastSaves')
  - Might enable auto macro processing ('DisableAutoMacro')
  + Enables auto macro processing ('DisableAutoMacro')
  - Might prevent the ESC key from interrupting a macro ('DisableInput')
  + Prevents the ESC key from interrupting a macro ('DisableInput')
  + Detects number of macros in template or document ('CountMacros()')
  + Detects macros names in template or document ('MacroName$()')
  - Sets up a background timer that runs a macro at the specified time
    ('OnTime')
  - Gets parameters from WIN.INI or WINWORD6.INI ('GetProfileString$()')
  - Sets parameters in WIN.INI or WINWORD6.INI ('SetProfileString$()')
  - Gets parameters from an initialization file
    ('GetPrivateProfileString$()')
  - Sets parameters in an initialization file
    ('SetPrivateProfileString$()')
  + Removes document protection ('LockDocument')
  - Manipulates protection of form fields
  - Removes protection of form fields
  - Renames menu items ('RenameMenu')
  ! Executes other DOS or Windows programs ! ('Shell')
  ! Deletes other files ! ('Kill')
  ! Writes directly to a sequential file ! ('Write')
  ! Writes directly to a sequential file ! ('Print #')
  + Removes directory ('RmDir')
  + Changes DOS attributes of other files ('SetAttr')
  - Detects number of subdirectories ('CountDirectories')
  - Changes current directories ('ChDir')
  - Opens a sequential file for input or output of text ('Open #')
  - Closes an open sequential file ('Close #')
  + Makes a routine stored in a DLL or WLL available for use in a macro
    ('Declare')
  - Detects environment variable ('Environ$')
  + Contains macros but is named *.DOC
  - Detects whether the active document was changed ('IsDocumentDirty()')
  + Converts document to the template ('FileSaveAs .Format = 1')
  + Sets a password for opening the document ('FileSaveAs .Password = ')
  ! Creates or edits macro ('ToolsMacro .Edit')
  + Inserts text into document
  + Uses an AutoText entry ('EditAutoText ...')
  + Uses variable of document ('Get|SetDocumentVar ...')
  + Deletes macro ('ToolsMacro .Delete')
  + Removes virus protection ('ToolsOptionsGeneral .VirusProtection')

  !  means a dangerous operation
  +  means a warning (suspicious)
  -  is only for your information

Sorry, we haven't had time to explain these messages. We think that for
AV researchers and experienced users this is sufficient. We can add
detailed descriptions in the next release if we get a lot of requests and
questions.

5. MACRO VIRUS CLEANING
──────────────────────────────────────────────────────────────────────────

The main aim of the HMVS authors was to write a really safe anti-macro
virus program, so HMVS tries to create a backup copy before any
modification of a document. This copy is named *.VI? (e.g. CONCEPT.DOC is
backed up as CONCEPT.VIC). If this action fails, HMVS does not clean the
document. Keep in mind that the backup copy still contains the original
(infected) macros: it exists only so that you can restore the original if
cleaning went wrong, so do not open it in Word.

After that HMVS wipes the macros and finally deletes the links to them
(for MS Word files). The cleaned file still contains dummy areas, but
they are physically removed once the document is saved again in MS Word.

At the moment HMVS can safely remove all macros from MS Word 6/7, Excel
5/7, Word'97 and Excel'97 files.
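Section 2 names three ways HMVS identifies a known virus: identification strings, a CRC16 of the static macro, and a "smart" CRC16 whose input is chosen by heuristics. The Python below is an added example, not code from HMVS (whose source is not on this page), showing how the three behave on a constructed WordBasic sample and on a variant of it. Assumptions: the CRC-16/CCITT parameters (the manual does not say which CRC16 HMVS uses), the normalization step as one plausible reading of "driven by heuristics" (strip string literals, comments, whitespace and letter case, keep the command skeleton), and the made-up virus name "Sample.A" and macro text.

```python
import re


def crc16(data: bytes, poly: int = 0x1021, init: int = 0xFFFF) -> int:
    """Bitwise CRC-16. CCITT parameters are an assumption of this example."""
    crc = init
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ poly) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


_STRING_LITERAL = re.compile(r'"[^"\n]*"')


def normalize(src: str) -> bytes:
    """'Smart' view of a macro: drop what a variant changes cheaply (literals,
    comments, whitespace, case) so the CRC covers only the command skeleton."""
    src = _STRING_LITERAL.sub('""', src)          # payload paths/messages may vary
    kept = []
    for line in src.splitlines():
        line = re.sub(r"'.*", "", line)           # trailing comment (strings already blanked)
        if re.match(r"(?i)^\s*rem\b", line):      # whole-line REM comment
            continue
        line = " ".join(line.split()).lower()     # whitespace and case are free to vary
        if line:
            kept.append(line)
    return "\n".join(kept).encode("latin-1")


# Constructed WordBasic samples (not real viruses); "Sample.A" is a made-up name.
VIRUS_A = r"""Sub MAIN
  On Error Goto Done
  ' infect the global template when running from a document
  If CountMacros(0) > 0 Then
    MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen", 1
  End If
  Kill "C:\TEMP\*.TMP"
Done:
End Sub"""

# Variant: junk comment, re-indented, keywords re-cased, payload path changed.
# Enough to break a plain CRC16 of the macro, but the command skeleton is identical.
VARIANT_A = r"""Sub MAIN
REM junk comment inserted by the variant
    On Error Goto Done
    If   CountMacros(0) > 0   Then
      MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen", 1   ' same call
    End If
    Kill "D:\WINDOWS\*.BAK"
Done:
END SUB"""

CLEAN = r"""Sub MAIN
  FileSaveAs .Format = 0
End Sub"""

# Constructed reference database, built from the first sample as a lab would.
DB = {
    "signatures": {"Sample.A": b'MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen"'},
    "crc16": {crc16(VIRUS_A.encode("latin-1")): "Sample.A"},
    "smart_crc16": {crc16(normalize(VIRUS_A)): "Sample.A"},
}


def identify(src: str, db: dict = DB) -> dict:
    """Run all three identification methods on one decrypted macro."""
    raw = src.encode("latin-1")
    signature = next((name for name, s in db["signatures"].items() if s in raw), None)
    return {
        "signature": signature,
        "crc16": db["crc16"].get(crc16(raw)),
        "smart_crc16": db["smart_crc16"].get(crc16(normalize(src))),
    }


if __name__ == "__main__":
    for label, macro in (("original", VIRUS_A), ("variant", VARIANT_A), ("clean", CLEAN)):
        print(label, identify(macro))
```

The variant defeats the plain CRC16 (any changed byte changes the checksum) but is still caught by the identification string and by the smart CRC16; a real polymorphic macro virus that also rewrites the command sequence would need the algorithmic or heuristic scanners described above.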
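The heuristic flags in section 4 and the report layout in sections 2 and 2.1 can be reproduced on macro source obtained with /SOURCE. The Python below is an added example and not HMVS's own analyser: HMVS traces the tokenised macro with a semi-emulator and applies thresholds this page does not disclose, whereas this example matches a subset of the listed commands with regular expressions over decrypted source. The regexes, the verdict rule (a macro that replicates itself plus at least one other dangerous operation is reported as probably infected), the mapping of flags onto the CRYPT/STEALTH/COMPANION tags, and the WordBasic samples are all this example's assumptions.

```python
import re

# (severity, text HMVS prints for the flag, regex). Severities as in the manual:
# '!' dangerous, '+' warning, '-' information. The regexes are this example's own.
RULES = [
    ("!", "Copies macros into the template ('MacroCopy')", r"\bMacroCopy\b"),
    ("!", "Copies macros to template using 'Organizer .Copy'", r"\bOrganizer\b.*\.Copy\b"),
    ("!", "Adds a template or WLL to the list of global templates ('AddAddIn')", r"\bAddAddIn\b"),
    ("+", "Uses the 'FileSaveAs' macro command", r"\bFileSaveAs\b"),
    ("+", "Converts document to the template ('FileSaveAs .Format = 1')", r"\bFileSaveAs\b.*\.Format\s*=\s*1\b"),
    ("-", "Might enable auto macro processing ('DisableAutoMacro')", r"\bDisableAutoMacro\b"),
    ("+", "Prevents the ESC key from interrupting a macro ('DisableInput')", r"\bDisableInput\b"),
    ("+", "Detects number of macros in template or document ('CountMacros()')", r"\bCountMacros\s*\("),
    ("+", "Detects macros names in template or document ('MacroName$()')", r"\bMacroName\$\s*\("),
    ("!", "Executes other DOS or Windows programs ! ('Shell')", r"\bShell\b"),
    ("!", "Deletes other files ! ('Kill')", r"\bKill\b"),
    ("!", "Writes directly to a sequential file ! ('Print #')", r"\bPrint\s*#"),
    ("+", "Changes DOS attributes of other files ('SetAttr')", r"\bSetAttr\b"),
    ("-", "Opens a sequential file for input or output of text ('Open #')", r"\bOpen\b.*\bAs\s*#"),
    ("-", "Closes an open sequential file ('Close #')", r"\bClose\s*#"),
    ("!", "Creates or edits macro ('ToolsMacro .Edit')", r"\bToolsMacro\b.*\.Edit\b"),
    ("+", "Removes virus protection ('ToolsOptionsGeneral .VirusProtection')", r"\bToolsOptionsGeneral\b.*\.VirusProtection\b"),
]
REPLICATION = {RULES[0][1], RULES[1][1], RULES[2][1]}   # ways a macro copies itself
STEALTH = {RULES[5][1], RULES[6][1], RULES[16][1]}      # assumption: hides or disables defences
COMPANION = RULES[4][1]                                  # document saved as template
TAG_ORDER = ("POLY", "CRYPT", "STEALTH", "COMPANION", "MACRO")


def strip_strings_and_comments(src: str) -> str:
    """Blank literals and comments so 'Kill' inside a MsgBox text is not counted."""
    src = re.sub(r'"[^"\n]*"', '""', src)
    src = re.sub(r"'.*", "", src)
    return re.sub(r"(?im)^\s*rem\b.*$", "", src)


def analyse(path: str, macros: dict, execute_only=frozenset()) -> dict:
    """macros: {name: decrypted WordBasic source}; execute_only: names stored encrypted."""
    code = "\n".join(strip_strings_and_comments(s) for s in macros.values())
    flags = []
    for sev, desc, pat in RULES:
        n = len(re.findall(pat, code, flags=re.IGNORECASE))
        if n:
            flags.append((sev, desc, n))
    if execute_only:
        flags.append(("+", "Contains execute-only (encrypted) macros", len(execute_only)))
    if macros and path.upper().endswith(".DOC"):
        flags.append(("+", "Contains macros but is named *.DOC", 1))

    descs = {d for _, d, _ in flags}
    tags = set()
    if execute_only:
        tags.add("CRYPT")
    if descs & STEALTH:
        tags.add("STEALTH")
    if COMPANION in descs:
        tags.add("COMPANION")
    if flags:
        tags.add("MACRO")
    replicates = bool(descs & REPLICATION)
    dangerous = [d for s, d, _ in flags if s == "!" and d not in REPLICATION]
    if replicates and dangerous:
        verdict = "PROBABLY INFECTED WITH A MACRO VIRUS !!!"
    elif replicates or dangerous:
        verdict = "SUSPECTED - inspect the macros with /SOURCE"
    else:
        verdict = "OK"

    result = ".".join(t for t in TAG_ORDER if t in tags)
    names = " ".join(("{%s}" if n in execute_only else "[%s]") % n for n in macros)
    lines = [path, "Stream: WordDocument (MS Word)",
             "* document contains %d macros with total length %d bytes"
             % (len(macros), sum(len(s) for s in macros.values())), "  " + names]
    lines += ["%s %s%s" % (sev, desc, " [%d x]" % n if sev == "!" else "") for sev, desc, n in flags]
    if result:
        lines.append("Result of heuristics: %s virus" % result)
    lines.append(verdict)
    return {"flags": flags, "result": result, "verdict": verdict, "report": "\n".join(lines)}


# Constructed samples (not real viruses): an infected .DOC and a clean .DOT.
INFECTED_DOC = {
    "AutoOpen": r"""Sub MAIN
  On Error Resume Next
  DisableInput 1
  If CountMacros(0) > 0 Then
    MacroCopy FileName$() + ":AutoOpen", "Global:AutoOpen", 1
    MacroCopy FileName$() + ":FileSaveAs", "Global:FileSaveAs", 1
  End If
  ' drop a batch file and run it
  Open "C:\DROPPER.BAT" For Output As #1
  Print #1, "@echo off"
  Print #1, "del c:\*.txt"
  Close #1
  Shell "C:\DROPPER.BAT", 0
End Sub""",
    "FileSaveAs": "Sub MAIN\n  FileSaveAs .Format = 1\nEnd Sub",
}
CLEAN_DOT = {"WordCount": 'Sub MAIN\n  ToolsWordCount\n  MsgBox "Word count done", "Report", 64\nEnd Sub'}

if __name__ == "__main__":
    print(analyse(r"C:\SAMPLES\INFECTED.DOC", INFECTED_DOC, execute_only={"AutoOpen"})["report"])
    print(analyse(r"C:\CLEAN\REPORT.DOT", CLEAN_DOT)["report"])
```

Run on the infected sample it prints MacroCopy [2 x], Shell [1 x] and Print # [2 x] among the flags and "Result of heuristics: CRYPT.STEALTH.COMPANION.MACRO virus"; the clean template produces no flags and "OK". As the DOCGUARD.DOC case above shows, a legitimate anti-virus macro package trips the same rules, which is why the manual recommends reading the /SOURCE listing before cleaning.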
─────────────────────────── that's all ───────────────────────────

BTW, we don't like writing user's manuals ...