Basics of Word Macro Viruses

Although we have generally had pretty good luck with viruses on the linguistics machines, the Power Macs in 404 have repeatedly been infected by a Word ("macro") virus. Although we have software on the Macs that tries to detect the viruses, new viruses are developed all the time that may not be detected by our current software.

The spread of Word viruses is easy to avoid; the main reason is cluelessness and indifference, hence here's a little summary of things you should know. If you already know about viruses, skip to the bottom of this page for information you might not know.

Microsoft provides a web page with detailed information on Word macro viruses, including a detection program you can download. It is recommended reading if you use Word to write your papers. Here's also a message from Alan with directions on how to use Microsoft's disinfecting program.

For Penn students, faculty and staff, there is free virus detection software that you can install on your computer at home. Be warned that the software is not fool-proof, and is no substitute for understanding how viruses work, so read on!

DISCLAIMER: This summary is based on incomplete and possibly incorrect information, and I can make no guarantees for your success if you follow my advice. Viruses are designed to inconvenience you, and they change all the time. Read Microsoft's page for more information. They won't take any responsibility for your problems either.

-Alexis

1. How do I know I have a virus?
If your Word document's icon shows an arrow on top of the usual W symbol, your document is infected. (The icon shows that your document has been converted into a "template", which has legitimate uses--Word comes with a folder full of templates that are not virused). If Word asks whether to save a document although you have not modified it, you probably have a virus. If you answer "No" and Word goes ahead and saves it anyway, you definitely have a virus. If you notice other strange behavior when you are opening or saving a document, you may have a virus. Not all viruses do all of these things, though. The template icon is the best way to know.
You can only see the Word icons on the Mac, and only if you select the View by Icon or View by Small Icon option in the finder.

2. Why should I care if I have a virus?
A Word virus may not let you save your document in Word 5 format, which is a big problem for people who don't have Word 6 at home. It may make it impossible to print your file. The latest virus we got disables the "Macros..." and "Customize..." menu options, making a ton of commands completely inaccessible. Viruses will in general cause erratic behavior, with things failing some times and not others. It may suddenly make it completely impossible for you to open your document. It COULD one day remove everything on your hard drive. (I have not heard of Word viruses that do that, but they CAN-- let's not wait for one).
The "Michaelangelo" virus (which infects DOS disk drives, not Word documents) appears harmless until the anniversary of Michaelangelo's birthday, on which day it wipes your hard drive clean.

3. What if I still don't care?
Even if you don't feel like worrying, remember that others depend on you to keep the Macs in 404 free of viruses. If you are seen using an infected document in the Macs, you could (and deserve to) suddenly become VERY unpopular.

4. Ok, ok, how does the virus spread?

If you open an infected document with Word, even just to print it, Word will become infected. If you open a clean Word document with an infected copy of Word, the document will become infected. The virus infects Word by saving itself in the "Normal" document template. Word viruses can't be spread by merely sticking your disk in the drive (other viruses can, however!). Only Word 6 documents can be infected by the virus. Documents edited with Word 5 are safe. But note that if you put a Word 5 document in Artemis or Venus and click on it, it will get opened by Word 6, not Word 5, and converted to a Word 6 document. (You can save it back as a Word 5 document--unless Word is infected at the time!).


5. How can I avoid getting a virus?
VIRUS DETECTION PROGRAMS: Penn's Computer Resource Center gives out free antivirus software, which is supposed to detect all types of viruses, including Word macro viruses. They will give you a version appropriate for your computer at home. The Computer Resource Center is located on Locust Walk, right across from the Penn bookstore.

Be warned that new viruses are developed all the time, so you should (a) go back every few months to get updates, and (b) keep your eyes open for problems and take precautions around high-risk machines.

You can also download a free virus protection program from Microsoft's page on Word macro viruses. However, this free program only detects one of the many viruses going around (the "Concept" virus).

Hopefully Vince can keep the virus detection on the Macs up to date; it helps if you complain (er, if you let him know) when bad things happen. Send email to manager@babel.ling.upenn.edu.


WRITE-PROTECT YOUR DISKS: If you push in the write-protect tab on your diskette (look for it if you don't know what I'm talking about, or ask someone to show you), it will be physically impossible for a virus, or anything else, to get on your diskette. Of course any viruses on your diskette can still infect the computer! Use this if you need to print out your document from a suspect or infected computer. I often do this just for my peace of mind. Obviously, if you will be editing your document you will need to write it back to your disk, so this method is of limited (although great) utility.

6. What do I do if I have the virus, or notice that a Mac has it?
First of all, DON'T SPREAD IT FURTHER. Files and programs can be disinfected, but it takes time that you'd rather spend on something else. If one of your files becomes infected, discard it or do not open it until someone In The Know shows you how to disinfect it.

If you notice that a Mac in 404 is infected, put a sign in front of it warning others of the problem. Send mail to manager@babel.ling.upenn.edu so Vince can maybe deal with the problem. And/or try to find someone that knows how to deal with it before the problem spreads.

Finally, you (or someone else) must clean up Word and your documents. Microsoft's web page provides detailed instructions, and is well worth a read. I won't give you the step-by-step here (and it differs slightly from virus to virus), but basically you must clean up Word by getting rid of the virus's macros, then save the contents of each infected document as a new file. See below for a few hints. You are also welcome to ask me to tell you more about it, it's just not worth typing it all up again when Microsoft paid someone big bucks to put it on their web page.

7. So, tell me something I don't know.
Because the virus infects Word by infecting the "Normal" document template (and possibly other templates, but that's the one most documents load in), you can gain a measure of protection by locking (write-protecting) an uninfected Normal template. Once you do that, there's a fair chance that if you quit Word and start it anew, it will not be infected until it reads an infected document.

To do this, first disinfect Word as follows:

  1. Quit Word, if it is running.
  2. Find the Word Templates folder (probably inside the Word folder, in the Applications folder), and trash the template Normal.
  3. Start up Word, create a new document, and save it. Make sure that this document is not infected (does not have the arrow icon).
  4. Quit Word again. It should now have created a new Normal template.

Once you have created a clean Normal in this way, select it in the finder, and select Get Info... from the File menu. Check the Locked box.

Once you've locked Normal, whenever Word is quitting it will likely complain about being unable to save the "Normal" template. This does not necessarily mean that it is virused; Word saves all sorts of settings in Normal. Anyway, just say no when it asks whether to save the template under a different name.

8. Gee, that was cool. Got anything else like it?
Glad you liked it. The following are detailed in Microsoft's page, so if they make no sense go there for the details.

Please get informed about viruses and avoid spreading them. Spreading viruses is risky for you and it is antisocial behavior. Plus they will probably end up causing you grief at the worst possible time.


[ up: Online Resources at Penn | Microsoft's Word virus page | Linguistics Home Page ]

alexis@ling.upenn.edu