+----------------------------------------------------------+
|          Heuristic Macro Virus Scanner/cleaner           |
|                     (user's manual)                      |
|                                                          |
|          (c) Jan Valky & Lubos Vrtik, Slovakia           |
+----------------------------------------------------------+

Last update: 24-sep-96

Sorry, this is only a short version of the DOX, because we are too lazy to write the full DOX :)
Excuse our English please, it is not our native language ;(

IF YOU WANT TO HELP US IMPROVE HMVS, PLEASE SEND US ANY COMMENTS OR IDEAS.
NEW MACRO VIRUSES ARE WELCOME. PLEASE SEND US ALL MACRO VIRUSES THAT HMVS CAN'T DETECT BY NAME.

==========================================================================

CONTENTS

1. HOW TO USE HMVS
2. METHODS USED IN HMVS
   2.1 Available options when a virus was found
3. WHAT ARE MACRO VIRUSES :)
4. HEURISTIC FLAGS DISPLAYED BY HMVS

==========================================================================

1. HOW TO USE HMVS
--------------------------------------------------------------------------

Without parameters HMVS scans only *.DOC and *.DOT files in the current
directory and all its subdirectories.

Usage: HMVS drive:[\path] switches

switches:
  /H,/?      - this help
  /ALL       - scan all files (*.*)
  /REP       - output to log file HMVS.LOG
  /REP=file  - output to specified log file
  /NOH       - disable heuristics, only scanning
  /NOS       - disable scanning, only heuristics
  /MAC       - prompt if file contains macros
  /IA        - nonstop scanning without prompt
  /CA        - automatically clean all infected files
  /RA        - automatically rename all infected files
  /NOB       - disable user break with ESC key
  /EXT       - decrypt execute-only macros (reg. version only)

Short description of the command line parameters:

/H /?      Displays help about using HMVS.

/ALL       All files will be scanned (*.*). Without this parameter only
           *.DOC and *.DOT files will be scanned.

/REP       The report will be logged to the file HMVS.LOG.

/REP=file  The report will be logged to the user-specified file.

/NOH       Disables heuristic analysis. Only the standard scanning method
           will be used.

/NOS       Disables the standard scanning method. Only heuristics will be
           used. You can use both switches (/NOS /NOH) together :)
           This combination can save you time if you only want information
           about the macros in a file (use also the /MAC or /REP switch).

/MAC       If this switch is given, the program will stop at each file that
           contains one or more macros. Otherwise the program stops only
           when a file is infected by a known virus, is probably infected,
           or is suspected.

/IA        With this option the program won't stop on any file. You will
           probably use this option together with the /REP switch.

/CA        If you want to automatically clean all infected or probably
           infected files, use this switch. Files will be cleaned only if
           creating the backup copy was successful.

           WARNING: ALL MACROS WILL BE REMOVED FROM THE INFECTED FILE.

           After cleaning you should check that the cleaned file is OK. If
           something went wrong, you can restore the original file from the
           backup copy. If HMVS fails, please send us the file that couldn't
           be cleaned.

/RA        With this switch HMVS will automatically rename all infected or
           probably infected files.

/NOB       With this option HMVS can't be stopped with the ESC key.
           Otherwise you can break the program at any time by pressing ESC.

/EXT       This option allows you to decrypt execute-only macros
           (available only for registered users). Only macros smaller than
           64000 bytes will be decrypted. This is a nice option for AV
           researchers or experienced users.

2. METHODS USED IN HMVS
--------------------------------------------------------------------------

When MS Word documents or templates are scanned, HMVS does the following:

  - searches for macros in the document or template
  - decrypts each macro (if encrypted)
  - uses the standard scan method (only the macros are scanned, not the
    whole file!). Some antiviral products have problems detecting how and
    where macros are placed, so they must scan the whole file :)
  - uses heuristics: each macro is analysed and checked for certain
    operations. If the heuristics find a checked operation, they set a
    flag for it.
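The flag-setting step just described, as an added example that is not part of the HMVS manual or of HMVS itself: a small Python analyser over WordBasic macro text that applies both methods of this section, an identification-string scan restricted to the macro bodies and a heuristic pass that sets '!', '+' and '-' flags named after the section 4 table. The regular expressions, the demo signature, the two constructed macro sets and the threshold that turns flags into a PROBABLY INFECTED verdict are all my assumptions; the manual does not publish the rule HMVS really uses.

```python
import re
from typing import Dict, List, Tuple

# Severity letters follow HMVS output: '!' dangerous, '+' warning (suspect),
# '-' informational. Descriptions and WordBasic keywords come from section 4
# of the manual; the regular expressions are my own approximation.
FLAGS: List[Tuple[str, str, str]] = [
    ("!", "Copies macros into the template ('MacroCopy')", r"\bMacroCopy\b"),
    ("+", "Uses the 'FileSaveAs' macro command", r"\bFileSaveAs\b"),
    ("+", "Converts document to the template ('FileSaveAs .Format = 1')",
     r"\bFileSaveAs\b[^\n]*\.Format\s*=\s*1\b"),
    ("+", "Enables auto macro processing ('DisableAutoMacro')", r"\bDisableAutoMacro\b"),
    ("+", "Detects number of macros in template or document ('CountMacros()')", r"\bCountMacros\s*\("),
    ("+", "Detects macro names in template or document ('MacroName$()')", r"\bMacroName\$\s*\("),
    ("!", "Executes other DOS or Windows programs ('Shell')", r"\bShell\b"),
    ("!", "Deletes other files ('Kill')", r"\bKill\b"),
    ("!", "Writes directly to a sequential file ('Print #' / 'Write')", r"\b(?:Print|Write)\s*#"),
    ("-", "Opens a sequential file for input or output of text ('Open #')", r"\bOpen\b[^\n]*\bAs\s*#"),
    ("-", "Closes an open sequential file ('Close #')", r"\bClose\s*#"),
]
AUTO_MACROS = {"AUTOEXEC", "AUTOOPEN", "AUTOCLOSE", "AUTONEW", "AUTOEXIT"}

# Constructed identification string for the standard method (demo value only,
# not a real virus signature).
SIGNATURES: Dict[str, str] = {"Demo.Macro.Test": 'MacroCopy "DEMOVIR:AutoOpen"'}


def strip_comments(src: str) -> str:
    """Drop WordBasic comments (' or REM to end of line) so that a commented-out
    'Kill' raises no flag. Naive: an apostrophe inside a string also truncates."""
    cleaned = []
    for line in src.splitlines():
        line = re.sub(r"'.*$", "", line)
        line = re.sub(r"^\s*REM\b.*$", "", line, flags=re.IGNORECASE)
        cleaned.append(line)
    return "\n".join(cleaned)


def scan_signatures(macros: Dict[str, str]) -> List[str]:
    """Standard method: known identification strings are searched in the macro
    bodies only, never in the rest of the file."""
    return [name for name, pat in SIGNATURES.items()
            if any(pat in body for body in macros.values())]


def heuristic_flags(macros: Dict[str, str]) -> List[Tuple[str, str]]:
    """Heuristic method: one flag per checked operation found in any macro."""
    return [(sev, desc) for sev, desc, pat in FLAGS
            if any(re.search(pat, strip_comments(body), re.IGNORECASE)
                   for body in macros.values())]


def verdict(macros: Dict[str, str]) -> Tuple[str, List[str], List[Tuple[str, str]]]:
    """Combine both methods. A signature hit names the virus; otherwise the
    flags decide. The threshold rule is an assumption for this example."""
    sigs = scan_signatures(macros)
    flags = heuristic_flags(macros)
    dangerous = sum(1 for sev, _ in flags if sev == "!")
    suspect = sum(1 for sev, _ in flags if sev == "+")
    has_auto = any(name.upper() in AUTO_MACROS for name in macros)
    if sigs:
        result = "INFECTED WITH A MACRO VIRUS"
    elif dangerous and (has_auto or dangerous >= 2):
        result = "PROBABLY INFECTED WITH A MACRO VIRUS"
    elif dangerous or suspect:
        result = "SUSPECTED"
    else:
        result = "OK"
    return result, sigs, flags


def format_report(path: str, macros: Dict[str, str]) -> str:
    """Render the result in the style of the HMVS screen output."""
    result, sigs, flags = verdict(macros)
    total = sum(len(body) for body in macros.values())
    lines = [f"Scanning {path}",
             f"* document contains {len(macros)} macros with total length {total} bytes",
             " ".join(f"[{name.upper()}]" for name in macros)]
    lines += [f"{sev} {desc}" for sev, desc in flags]
    lines += [f"Contains virus pattern: {name}" for name in sigs]
    lines.append(f"{result} !!!")
    return "\n".join(lines)


# Constructed sample 1: a self-copying macro set (demo only, not a real virus).
SELF_COPYING = {
    "AutoOpen": 'If CountMacros(0) = 0 Then\n'
                '  MacroCopy "DEMOVIR:AutoOpen", "Global:AutoOpen", 1\n'
                '  FileSaveAs .Format = 1\n'
                'End If\n'
                'If Day(Now()) = 13 Then Kill "C:\\*.BAK"\n',
}
# Constructed sample 2: a SCANPROT-like anti-macro tool. It carries no signature
# but performs the same operations, so the heuristics alone still flag it.
ANTIMACRO_TOOL = {
    "AutoOpen": 'n = CountMacros(0)\n'
                'For i = 1 To n\n'
                "  name$ = MacroName$(i, 0)   ' list each macro found\n"
                'Next i\n'
                'Shell "NOTEPAD.EXE REPORT.TXT"\n',
    "CleanAll": 'Kill "C:\\TEMP\\QUARANT.DOT"\n',
}

if __name__ == "__main__":
    print(format_report("C:\\DEMO\\SELFCOPY.DOC", SELF_COPYING))
    print(format_report("C:\\DEMO\\ANTIMACR.DOT", ANTIMACRO_TOOL))
```

The second sample is the situation the manual describes for SCANPROT.DOT: no identification string matches, but an AutoOpen macro that counts macros, reads their names and calls Shell and Kill collects the same '!' flags a self-copying macro would, so the heuristic verdict is PROBABLY INFECTED. That is the reason the /CA option only cleans after a backup was made and the manual asks you to check the cleaned file.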
After these operations HMVS displays the results of the scanning and the
heuristic analysis.

HMVS uses two methods to detect macro viruses:

  * Standard method based on 'identification strings'
    This is a well-known method frequently used in most virus scanners. The
    search-string method is fast and reliable, but it can only find known
    viruses.

  * Heuristic analysis
    HMVS uses a unique heuristic technology: a special semi-emulator of Word
    macro commands (something like a length disassembler, if you know what
    that is ...). It traces through each command in the macro, step by step,
    and tries to understand it. WE THINK NO OTHER PRODUCT CAN DO THAT YET.

Both methods are good. The standard method can detect a macro virus exactly,
by its name; heuristics can detect known and unknown viruses. Good antivirus
products use both methods. With a large virus database they can reach a top
hit-rate and detect unknown viruses too.

Heuristics may produce false positive alarms in some cases. We have checked
HMVS with some files containing anti-macros (for example SCANPROT.DOT).
Because this file contains macros that do operations typical of viruses,
HMVS considers it infected by a macro virus.

Here is an example of a false alarm (file SCANPROT.DOT):

Scanning c:\ANTIMACR\SCANPROT.DOT
* document contains 10 macros with total length 46730 bytes
[AUTONEW] [TOOLVER] [AUTOOPEN] [CLEANALL] [AUTOCLOSE] [AUTOEXITSCAN]
[AUTOOPENSCAN] [FILEOPENSCAN] [SHELLOPENSCAN] [INSERTAUTOTEXTINTOMACRO]
! Copies macros into the template ('MacroCopy')
+ Uses the 'FileSaveAs' macro command
+ Enables auto macro processing ('DisableAutoMacro')
- Might prevent the ESC key from interrupting a macro ('DisableInput')
+ Detects number of macros in template or document ('CountMacros()')
+ Detects macro names in template or document ('MacroName$()')
- Sets up a background timer that runs a macro at the specified time ('OnTime')
- Gets parameters from WIN.INI or WINWORD6.INI ('GetProfileString$()')
- Gets parameters from initiating file ('GetPrivateProfileString$()')
- Sets parameters in initiating file ('SetPrivateProfileString$()')
! Executes other DOS or Windows programs ! ('Shell')
! Deletes other files ! ('Kill')
! Writes directly to a sequential file ! ('Print #')
- Changes current directories ('ChDir')
- Opens a sequential file for input or output of text ('Open #')
- Closes an open sequential file ('Close #')
+ Makes available a routine stored in DLL or WLL for use in a macro ('Declare')
PROBABLY INFECTED WITH A MACRO VIRUS !!!

2.1 Available options when a virus was found
--------------------------------------------------------------------------

If HMVS detects that a file is infected, it displays something like the
following example:

Scanning c:\HMVS\WORDMAC\XENIXOS.DOC
* document contains 11 macros with total length 31342 bytes
[DROP] [DUMMY] [AUTOEXEC] [AUTOOPEN] [DATEIÖFFNEN] [EXTRASMAKRO]
[DATEIBEENDEN] [DATEIDRUCKEN] [DATEISPEICHERN] [DATEISPEICHERNUNTER] ...
! Copies macros into the template ('MacroCopy')
+ Contains execute-only (encrypted) macros
+ Uses the 'FileSaveAs' macro command
+ Disables global template write access warnings
+ Enables auto macro processing ('DisableAutoMacro')
- Might prevent the ESC key from interrupting a macro ('DisableInput')
+ Detects number of macros in template or document ('CountMacros()')
+ Detects macro names in template or document ('MacroName$()')
- Gets parameters from WIN.INI or WINWORD6.INI ('GetProfileString$()')
! Executes other DOS or Windows programs ! ('Shell')
! Writes directly to a sequential file ! ('Print #')
+ Changes DOS attributes of other files ('SetAttr')
- Changes current directories ('ChDir')
- Opens a sequential file for input or output of text ('Open #')
- Closes an open sequential file ('Close #')
+ Contains macros but is named *.DOC
Contains virus pattern:
INFECTED WITH A MACRO VIRUS !!!
1-Skip 2-Remove all macros 3-Rename file 4-Ignore all
5-Automatically remove all macros 6-Automatically rename all files

Now the program waits for user input ...

Available actions:

1-Skip
    The program will do nothing. It skips this file and continues
    searching for the next files.

2-Remove all macros
    First a backup copy is created. Then ALL macros are removed from the
    file (each macro is overwritten with a nice text :)

3-Rename file
    Renames the file to *.VI?

4-Ignore all
    Does nothing with any file. Like 1, but for every following file.

5-Automatically remove all macros
    Like 2, but for every following file.

6-Automatically rename all files
    Like 3, but for every following file.

3. WHAT ARE MACRO VIRUSES :)
--------------------------------------------------------------------------

If you don't know what macro viruses are, you have a big chance of being a
potential victim of macro viruses :)
Don't worry, HMVS is here to solve your problems (we hope ...)

4. HEURISTIC FLAGS DISPLAYED BY HMVS
--------------------------------------------------------------------------

The current version of HMVS can detect the following flags (in the next
version we plan to add a few new flags):

! Copies macros into the template ('MacroCopy')
+ Might copy macros to template using 'Organizer .Copy'
! Copies macros to template using 'Organizer .Copy'
! Adds a template or WLL to the list of global templates ('AddAddIn')
+ Contains execute-only (encrypted) macros
+ Detects if macro is execute-only ('IsExecuteOnly()')
+ Uses the 'FileSaveAs' macro command
+ Disables global template write access warnings
+ Enables the fast save option 'FastSaves'
- Might enable auto macro processing ('DisableAutoMacro')
+ Enables auto macro processing ('DisableAutoMacro')
- Might prevent the ESC key from interrupting a macro ('DisableInput')
+ Prevents the ESC key from interrupting a macro ('DisableInput')
+ Detects number of macros in template or document ('CountMacros()')
+ Detects macro names in template or document ('MacroName$()')
- Sets up a background timer that runs a macro at the specified time ('OnTime')
- Gets parameters from WIN.INI or WINWORD6.INI ('GetProfileString$()')
- Sets parameters in WIN.INI or WINWORD6.INI ('SetProfileString$()')
- Gets parameters from initiating file ('GetPrivateProfileString$()')
- Sets parameters in initiating file ('SetPrivateProfileString$()')
+ Removes document protection ('LockDocument')
- Manipulates protection for form fields
- Removes protection for form fields
- Renames menu items ('RenameMenu')
! Executes other DOS or Windows programs ! ('Shell')
! Deletes other files ! ('Kill')
! Writes directly to a sequential file ! ('Write')
! Writes directly to a sequential file ! ('Print #')
+ Removes directory ('RmDir')
+ Changes DOS attributes of other files ('SetAttr')
- Detects number of subdirectories ('CountDirectories')
- Changes current directories ('ChDir')
- Opens a sequential file for input or output of text ('Open #')
- Closes an open sequential file ('Close #')
+ Makes available a routine stored in DLL or WLL for use in a macro ('Declare')
- Detects environment variable ('Environ$')
+ Contains macros but is named *.DOC
- Detects whether the active document was changed ('IsDocumentDirty()')
+ Converts document to the template ('FileSaveAs .Format = 1')
+ Sets a password for opening the document ('FileSaveAs .Password = ')

  !  means dangerous operation
  +  means warning (suspect)
  -  only for your information

Sorry, we haven't had time to explain these messages. We think that for AV
researchers and experienced users this is sufficient. We can add detailed
descriptions in the next release if we get a lot of requests and questions.

----------------------- that's all ---------------------------

BTW, we don't like writing user's manuals ...