Virus and analysis of--word macro virus and manual Avira

"Experimental Purpose"

1) Learn about macro viruses

2) How to learn macro virus

"Experimental principle"

Macro viruses are malicious programs written in macro language (VBA) that exist in Word-processing documents, spreadsheets, databases and other data files, such as Office data Processing systems, which use the functions of the macro language to replicate and reproduce themselves in other data documents.

There are two types of macros: an inline macro that is contained in a document, such as a FileOpen macro, or a macro that belongs to a Word application that is common to all open documents, such as a AutoOpen macro.

Word macro virus is usually first hidden in a specified Word document, once opened the Word document, macro virus is executed, the first thing the macro virus to do is to copy themselves to the global macro lawlessness area, so that all open documents can use this macro. The name of this file is usually "Normal.dot", which is the generic template. In general, macro viruses propagate themselves by infecting Office documents or template documents.

After the virus obtains the first control, it writes itself to the Word template Normal.dot. This way, each time you perform an open operation in Word, the virus code is called and the virus code is written to the newly opened or newly created document for the purpose of infection propagation. In addition, the macro virus can also be transmitted via email attachments, such as the Melissa Virus.

"Experimental Environment"

Windows R2 (Standalone)

Word 2003

"Experimental Steps"

First, the relevant settings of the macro

1.1 Go to "tools"--"computer viruses" and "macro viruses" folder on the desktop, open "document 1.doc"

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M02/77/A7/wKioL1ZqnB_wETatAAC4dqtnDrg239.png "style=" float: none; "title=" 111.png "alt=" Wkiol1zqnb_wetataac4dqtndrg239.png "/>

1.2 You can see the Macro Security button by opening the menu bar, tools, options, and security.

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M00/77/A7/wKioL1ZqnCDhepSiAADD-JW9r_c188.png "style=" float: none; "title=" 222.png "alt=" Wkiol1zqncdhepsiaadd-jw9r_c188.png "/>

1.3 Click "Macro Security" to set the security level to "low"

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M01/77/A7/wKioL1ZqnCHxo5xLAADK84bghu4364.png "style=" float: none; "title=" 444.png "alt=" Wkiol1zqnchxo5xlaadk84bghu4364.png "/>

1.4 Click on "Trusted Publishers", tick "Trust all installed add-ins and templates" and "Trust access to Visual Basic projects"

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/77/A8/wKiom1ZqnCHhUbwSAADLzr1WuzI029.png "style=" float: none; "title=" 555.png "alt=" Wkiom1zqnchhubwsaadlzr1wuzi029.png "/>

Second, the macro virus implantation

2.1 Use the shortcut key "Alt+f11" or click "Tools"--"Macros"--"Visual Basic editor".

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M00/77/A8/wKiom1ZqnCOTpPsIAAH1Sn2Pboo045.png "style=" float: none; "title=" 666.png "alt=" Wkiom1zqncotppsiaah1sn2pboo045.png "/>

2.2 Visual Basic Editor main interface

2.3 Open "simple macro virus source. txt" in the same directory and copy all the code in the document to the "ThisDocument" of the Microsoft Word object under "Project (document 1)" In the Visual Basic editor.

650) this.width=650; "src=" Http://s5.51cto.com/wyfs02/M00/77/A8/wKiom1ZqnCWBfE7zAAFLnrWhYpk321.png "style=" float: none; "title=" 777.png "alt=" Wkiom1zqncwbfe7zaaflnrwhypk321.png "/>

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M01/77/A7/wKioL1ZqnCjDFfWlAAFlFIJSNJA433.png "style=" float: none; "title=" 888.png "alt=" Wkiol1zqncjdffwlaaflfijsnja433.png "/>

2.4 Click "Save". Notice that the "ThisDocument" of the Microsoft Word object under "Normal" does not have any code at this point.

2.5 Close the document, open "document 2.doc", will pop up the following window, indicating the success of macro virus implantation

650) this.width=650; "src=" Http://s3.51cto.com/wyfs02/M02/77/A8/wKiom1ZqnCixy3SaAAB2Z8F1Ag8907.png "style=" float: none; "title=" 999.png "alt=" Wkiom1zqncixy3saaab2z8f1ag8907.png "/>

Third, the macro virus manual Avira

3.1 Two documents need to be open at the same time, open the macro "security", set "security level" to "very high".

650) this.width=650; "src=" Http://s4.51cto.com/wyfs02/M01/77/A7/wKioL1ZqnCuiL9TnAAEH4GeSGgg866.png "style=" float: none; "title=" 1000.png "alt=" Wkiol1zqncuil9tnaaeh4gesggg866.png "/>

3.2 Click on "Reliable publisher", cancel the tick below and click "OK" to save the document.

3.3 Open the Visual Basic Editor, remove the macro code, and click Save.

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M00/77/A7/wKioL1ZqnC3w9FRGAADBaSfqXP4804.png "style=" float: none; "title=" 1002.png "alt=" Wkiol1zqnc3w9frgaadbasfqxp4804.png "/>

3.4 Search for "Normal.dot" in the C drive and delete it.

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/77/A7/wKioL1ZqnN7Q7HRGAACYXEbbr0g477.png "title=" 1003. PNG "alt=" Wkiol1zqnn7q7hrgaacyxebbr0g477.png "/>

3.5 Click the document to open it normally.

This article from "Hong Seven public" blog, please be sure to keep this source http://klmyoil.blog.51cto.com/10978910/1722143

Virus and analysis of--word macro virus and manual Avira