F-MACRO - Scanner and disinfector for MS Word document macro viruses
Copyright (c) 1996 Data Fellows Ltd

OVERVIEW

F-MACRO is a DOS program which searches Word 6.x and 7.x document files
for known Word macro viruses and disinfects them by disabling and
overwriting the viral macros. F-MACRO parses the OLE2 compound file
structure of Word documents directly, which makes it both fast and
accurate.

TECHNOLOGY

This scanning and disinfection technology was developed by Data Fellows
Ltd for the commercial F-PROT Professional package. F-PROT Professional
for Windows, Windows 95, Windows NT and OS/2, as well as the realtime
Windows VxD scanners, have these macro scanning features built into their
normal scanners. If you are running VxD-based background protection from
the F-PROT Professional suite, you will be notified of infected document
files as soon as you try to open or copy them, or when you receive such a
document as an e-mail attachment or download it from the Web.
Disinfection can also be done in realtime. A VxD-based solution provides
significantly better protection than antivirus systems that rely on the
Word macro language, because the document is checked before Word loads
it rather than by macros running inside Word.

For more information on the F-PROT Professional suite, see the web site
of Data Fellows at http://www.datafellows.com/ or the web site of the US
publisher, Command Software Systems, at http://www.commandcom.com/.

USAGE

Give the scan path or drive as the first parameter.
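The batch file below is an added example for this edition of the
documentation; it is not part of F-MACRO and was not written by Data
Fellows. It automates the scan-then-disinfect sequence with the options
and errorlevels listed in this section, and shows the one DOS batch detail
that bites when scripting a scanner: IF ERRORLEVEL n matches any
errorlevel greater than OR equal to n. It assumes F-MACRO.EXE is on the
PATH, that Word is closed, and that C:\FMACRO.LOG is a writable report
file (the log path is an assumption, not something the program requires).

```batch
@ECHO OFF
REM NIGHTSCAN.BAT - added example wrapper, not part of F-MACRO.
REM Assumptions: F-MACRO.EXE is on the PATH, Word is closed so that
REM NORMAL.DOT is not locked, and C:\FMACRO.LOG is writable.
REM Usage: NIGHTSCAN [drive-or-path]    (defaults to C:)

SET SCANPATH=%1
IF "%SCANPATH%"=="" SET SCANPATH=C:
SET LOG=C:\FMACRO.LOG

ECHO Scanning %SCANPATH% for Word macro viruses ...
F-MACRO %SCANPATH% /ALL /REPORT=%LOG% /APPEND

REM IF ERRORLEVEL n is true for ANY errorlevel >= n, so the highest
REM value (3 = virus found) must be tested before 1 (= error), or an
REM infection would be reported as an execution error.
IF ERRORLEVEL 3 GOTO INFECTED
IF ERRORLEVEL 1 GOTO FAILED
ECHO No macro viruses found on %SCANPATH%.
GOTO END

:INFECTED
ECHO Macro virus found - disinfecting, keeping a copy of each file.
F-MACRO %SCANPATH% /ALL /DISINF /AUTO /BACKUP /REPORT=%LOG% /APPEND

REM Verify with a plain scan rather than trusting the disinfecting
REM run: errorlevel 0 here means every scanned file is now clean.
F-MACRO %SCANPATH% /ALL /REPORT=%LOG% /APPEND
IF ERRORLEVEL 3 GOTO STILLBAD
IF ERRORLEVEL 1 GOTO FAILED
ECHO Disinfection verified; the file list is in %LOG%.
GOTO END

:STILLBAD
ECHO Some files are still reported infected. Check %LOG% for locked
ECHO or corrupted documents and clean those by hand.
GOTO END

:FAILED
ECHO F-MACRO reported an error during execution; see %LOG%.

:END
SET SCANPATH=
SET LOG=
```

The verification pass at the end is deliberate: a file that Word still
had open (typically NORMAL.DOT) only produces a warning during the
disinfecting run, so a second plain scan returning errorlevel 0 is the
actual evidence that nothing infected was skipped.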
Options:

  /DISINF       disinfects infected documents (prompts for each file
                unless /AUTO is also given)
  /AUTO         automatic disinfection, no prompting
  /ALL          scans files with any extension
  /REPORT=file  sends the output to the named file
  /APPEND       used with /REPORT - appends to an existing report
  /NOSUB        does not recurse into sub-directories
  /LIST         lists all scanned filenames
  /COMPRESS     removes unreferenced data from the file
  /BACKUP       makes a copy of the file before disinfecting it

Examples:

  F-MACRO C:
  F-MACRO C:\DOCS /ALL /DISINF /AUTO
  F-MACRO Z:\USER\INFECTED.DOC /DISINF

F-MACRO returns the following errorlevels:

  0: No viruses found
  1: Error during execution
  3: Virus(es) found

Notes:

We recommend that you make a backup copy of important document files
before disinfecting them, just to be safe; the /BACKUP option does this
for each file F-MACRO disinfects.

In order to be able to scan all document files, Word should be closed
down before running F-MACRO; otherwise it keeps NORMAL.DOT and possibly
other files locked, and F-MACRO can only give a warning message on such
files instead of scanning them. Since NORMAL.DOT is the global template
that macro viruses infect to stay resident, a run that had to skip it has
not given the machine a clean bill of health.

If you have document files with non-standard extensions (something other
than DOC or DOT), use the /ALL parameter to check all files.

If another virus scanner still reports a document file as infected after
F-MACRO has cleaned it, use the /COMPRESS option to remove the unused
slack areas from the DOC file. You can also use this option if a document
has already been disinfected manually via Tools/Macro but some scanner
still gives a false positive on it: a scanner that searches the raw file
rather than parsing it may still match leftover data that Word no longer
references. Note that /COMPRESS rewrites every scanned file that has been
'Fast-saved' by Word, not only the infected ones, so keep backups. If you
still get alarms from a cleaned file, open it in Word and re-save it with
File/Save As.

Infected DOC files are always templates in structure, regardless of the
file extension (the normal extension for templates is DOT), because only
templates can contain macros. A side effect of this is that Word can
usually save infected files only as templates and only to the default
template directory. When disinfecting infected files, F-MACRO normally
changes the file back to a normal document.
However, some files were templates to begin with, so F-MACRO tries to
detect this and preserves them as templates after disinfection. If the
file still contains macros after the viral ones have been removed, it has
probably been a template from the start and F-MACRO will not turn it into
a document. The same applies if:

  - the document contains user-defined menus or toolbars
  - the file's extension was DOT
  - the file's name was NORMAL

SUPPORT

For general information on macro viruses, see the macro section at
http://www.datafellows.com/.

For technical support, contact F-MACRO-Support@datafellows.com.

To send samples of new or suspected viruses, send them to
Samples@DataFellows.com or upload them to our FTP site at
ftp://ftp.Europe.DataFellows.com/incoming .

UPDATES

Updates, when available, can be downloaded from the Data Fellows WWW and
FTP sites. The Data Fellows web site has up-to-date descriptions of the
operation and effects of these macro viruses.

HISTORY

Changes in F-MACRO 1.60 (August 2nd, 1996) from version 1.15
(May 30th, 1996):

Enhancements:

  - Only the viral macros are removed from the document at disinfection.
  - Variants are now identified in addition to the family (e.g.
    Concept.A, Concept.C, etc.).
  - Double-byte documents are now scanned and, if infected, disinfected.
  - A progress indicator showing the name of the file currently being
    scanned was added.
  - Remnants of a previous infection are identified as well. This lets
    F-MACRO recognise new variants in which one or more of the macros
    were modified, and detect cases where only part of the viral macro
    set was removed and the rest left behind.

Fixes in scanning:

  - When /COMPRESS was used on fast-saved files, files were occasionally
    corrupted. This has been fixed, as has a compression problem where
    the resulting files were corrupted to a fixed length of 1536 bytes.
  - Macro parsing was enhanced to handle documents such as HTML.DOT,
    which were reported as "Macros are corrupted".
    Another example of such a document is WEBVIEW.DOT from MS Internet
    Assistant.
  - In some cases disinfection failed in such a way that the document
    could no longer be opened in Word 7, although it still worked in
    Word 6. This affected documents that had macros and toolbars plus
    some other interface elements. Fixed.
  - The logic for turning a disinfected template back into a normal
    document was rewritten.

Identification:

  - Added detection for Guess, Doggie, KillDLL, Reflex, PCW, MDMA, Irish,
    Goldbug, Concept.E, Colors:C, NOP.B, Clock, NPad and Buero. Use
    "F-MACRO /IDENTIFICATION" for a full list.
  - Infection names were standardized according to the CARO naming
    standard (e.g. Pheew is reported as Pheew:NL).

Reporting:

  - The message after disinfection was changed from "Macros removed
    successfully." to "File disinfected successfully.", since only the
    viral macros are removed.
  - When a corrupted document is found, "Document is corrupted" is now
    reported in most cases instead of the old message "Document is
    corrupted or open in another application".
  - Added additional checking so as not to crash on badly corrupted
    documents. The macro scanner now survives even documents that cause
    Word itself to crash.

LEGAL

F-MACRO is protected by international copyright laws. F-MACRO is
(c) 1996 Data Fellows Ltd; it is neither in the public domain nor
freeware, but you are free to use and share this software free of charge
for non-commercial private use. Use of this software in other
environments is not allowed in Europe, Asia and Africa without a license
for F-PROT Professional or a current license from Frisk Software
International. To purchase a license, contact your local distributor
listed in PRO.DOC.

Please redistribute F-MACRO only together with this documentation. You
may not resell this software for your own profit (normal copying costs
excluded) or claim to hold rights to it. Although you may have the right
to use F-MACRO, it remains the exclusive property of Data Fellows.
Data Fellows does not warrant that the software is error-free and will
not cover any costs arising from the function or malfunction of this
program. Data Fellows also disclaims liability for possible consequential
damages. If you cannot agree to these restrictions, you should not use
F-MACRO.

Copyright (c) 1996 Data Fellows Ltd, Finland