WD: What to Do If You Have a Macro Virus

ID: Q134727

The information in this article applies to:

SYMPTOMS

The first macro virus was discovered in the summer of 1995. Since that time, other macro viruses have appeared. This article describes what to do if you think you might have a Word macro virus, or if you want to ensure that your documents never become infected with one.

The following are some symptoms of a Word macro virus that are known to affect Word and Word documents:

RESOLUTION

To protect your existing and future documents from Word macro viruses, you must install software that is specifically designed to detect and remove macro viruses.

For information on anti-virus software vendors, including a list software capable of detecting and preventing macro viruses, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q49500
   TITLE     : Anti-Virus Software Vendors

WORKAROUND

Use the following workarounds as interim solutions only.

NOTES:

For a long-term solution to macro viruses, install anti-virus software that is specifically designed to detect macro viruses. For information on anti- virus software vendors, including software capable of detecting and preventing macro viruses, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q49500
   TITLE     : Anti-Virus Software Vendors

Method 1: Upgrade to Word 7.0a, Word 97, or Word 98 Macintosh Edition

Windows:

If you are using Word for Windows 95 version 7.0, obtain Word version 7.0a. Version 7.0a alerts you if you try to open a file that contains macros. If you are using any version of Word for Windows earlier than Word 95, upgrade to Word 97 for Windows.

Macintosh:

If you are using version 6.0, 6.0.1, or 6.0.1a, upgrade to Microsoft Word 98 Macintosh Edition.

To obtain pre-sales information about new or updated Microsoft products, call the Microsoft Sales Information Center at (800) 426-9400. If you are outside the United States, contact the Microsoft subsidiary for your area. To locate your subsidiary, see the Microsoft World Wide Offices Web site at:

   http://www.microsoft.com/worldwide/default.htm

Method 2: Obtain the "Macro Virus Protection Tool"

If you are using Word version 6.x (for Windows or Macintosh), obtain the Microsoft Application Note titled "Macro Virus Protection Tool." The Word for Windows version is WD1215, and the Word for the Macintosh version is MW1222.

These Application Notes contain a tool called Scanprot.dot that alerts you if you try to open a file that contains macros. It does not clean the macros from your system.

For more information about how to obtain these Application Notes, please see the following articles in the Microsoft Knowledge Base:

   ARTICLE-ID: Q134728
   TITLE     : WD1215: "Macro Virus Protection Tool" for Word for Windows

   ARTICLE-ID: Q133895
   TITLE     : MW1222: "Macro Virus Protection Tool" for Word for the
               Macintosh

The "Macro Virus Protection Tool" will install the following macros in your Normal (Normal.dot) template: AutoExit, FileOpen, InstVer, and ShellOpen.

Method 3: Press SHIFT When You Open a File

If you do not have any of the symptoms described in this article, but you do not want to be affected by a macro virus, hold down the SHIFT key when you open a file that might be affected by a macro virus. Pressing SHIFT will prevent any Auto macros from being run; if a macro virus is present, it will not be loaded.

Method 4: Delete the Macro and Recover the Document

If you have experienced the symptoms listed in this article, or if you suspect that you have a macro virus that is not described here, use the following steps to remove the offending macros and correct affected documents. (Remember, this is only a temporary solution; because new macros are being created, these steps may not work):

 1. Close Word and rename the Normal.dot file to Normal.xxx (Windows) or
    move Normal to the desktop.

 2. Make a back-up copy of an affected file.

 3. Open Word.

 4. On the File menu click Open.

 5. Navigate to the folder containing the affected file.

 6. Click to select the affected file.

 7. Press and hold the SHIFT key and click Open.

    Continue to hold the SHIFT key until the affected file is open
    in Word.

    NOTE: Holding the SHIFT key while opening a file keeps any automatic
    macros from running.

 8. To remove suspect virus containing macros, follow the steps below:

    a. On the Tools menu, click Macro.

    b. In the Macros Available In list, click All Active Templates.

    c. Select the suspect macro and click Delete. Click Yes.

    d. Repeat step c for all suspect macros.

    e. Click Close.

 9. To recover the text of an infected document:

    a. Select the entire document by pressing CTRL+A (Windows) or
       COMMAND+A (Macintosh), or by clicking Select All on the Edit
       menu.

    b. Do not include the final paragraph mark from the selection
       by pressing SHIFT+LEFT ARROW.

    c. On the Edit menu, click Copy.

    d. On the File menu, click New. Select the template you want to
       use, and click OK.

    e. On the Edit menu, click Paste.

    f. Repeat step 8 to ensure that the virus containing macros have not
       again replicated.

    g. Save the document.

10. Repeat these steps for any document you think may contain a macro
    virus.

NOTE: If this method does not work, try Method 5.

Method 5: Using the Organizer to Temporarily Clean Up Macro Viruses

Use the Organizer to clean up the macro virus. Keep in mind that if other files were opened after the infected file, they most likely will be infected as well.

To remove the virus from the Normal template, follow these steps:

1. Close all documents. If an infected document is open, it can easily

   reinfect Normal.dot (Windows) or Normal (Macintosh).

2. On the File menu, click Templates, and click the Organizer button.

3. Select the Macros tab. Rename or delete all of the following macros:

      AutoClose
      AutoExec
      AutoOpen
      FileExit
      FileNew
      FileOpen
      FileSave
      FileSaveAs
      Macros
      ToolsMacro

4. Close the Organizer.

5. On the File menu, click Save All to save the template.

To remove the virus from infected documents:

If a file is infected, use this method, but remove the macros from both the Normal template and also from the infected document (template) while in the Organizer. When you are done, click the File menu and click Save All and move on to the next file. Keep in mind that every time you open an infected file it will infect your Normal template, so you constantly need to remove the macros from the Normal template.

Method 6: Insert the File into a New Document

With this method, you will need to rename Normal.dot (Windows) or move Normal to the Desktop (Macintosh) and then on the Insert menu, click File to temporarily remove the macros. This method is particularly useful with the macro virus called "CAP" which removes Macro and Customize from the Tools menu.

NOTE: In this situation, the Templates command (Word 6.x and 7.x) may not work.

To insert the file into a new document, follow these steps:

1. Close Word and rename the Normal.dot file to Name.dot (Windows) or move

   Normal to the Desktop (Macintosh).

2. Open Word and verify that Macro And Customize are on the Tools menu.

3. Open a new document. On the Insert menu, click File.

4. Navigate to the folder containing the affected file.

5. Click to select the affected file.

6. Press and hold the SHIFT key and click Open.

   Continue to hold the SHIFT key until the affected file is open
   in Word.

   NOTE: Holding the SHIFT key while opening a file keeps any of Words
   automatic macros from running.

7. To see if there are any macros in the new document (there should not be
   any listed), click Macro on the Tools menu. In the Macros Available In
   list, click All Active Templates.

8. Save the file with a different file name.

9. Delete the infected file.

MORE INFORMATION

A macro virus is a program written in the macro language of a program, like Word. It propagates itself among data files and can harm your files or your computer's operating system.

Word macro viruses do not travel freely over the Internet or any other media; they can only be transferred when a user opens a document or template that contains the virus macro.

Microsoft Internet Assistant and documents created or read by it cannot be affected by such macros. Internet Assistant, by design, blocks the mechanism that distributes the macro virus.

Macro viruses cannot be transferred by WordMail unless an affected document is embedded in the e-mail message and the receiver opens the document.

Additional query words: virus disinfect protect protected corporate infect protection normal.dot saving opening saveas nuclear DMV prank concept WordBasic

Keywords          : kbtshoot wordnt word8 winword word97 ntword macword word6 word7 word95 kbfaq
Version           : MACINTOSH:6.0,6.0.1; WINDOWS:6.0,6.0a,6.0c,7.0,7.0a; winnt:6.0
Platform          : MACINTOSH WINDOWS winnt

Last Reviewed: June 1, 1999