What Is a Macro Virus and How Does it Work?
It’s a day like any other.
You’re going through your inbox.
You open an email from a friend and they’ve attached a Word document. Sounds interesting!
You download it, open it and…
This is how quickly you can be tricked into infecting your computer with a macro virus. Once on your computer, it can carry out any number of malicious actions, such as infecting your email contacts, stealing your passwords, and even gaining control over your webcam.
Macro viruses are particularly sneaky for two reasons.
Firstly, they use social engineering tactics to trick you into thinking you’ve received a legitimate file from someone you know, when you haven’t.
Secondly, they hide in the types of files you’re most familiar with and normally trust - such as your Microsoft Office programs.
This is why it’s so important to understand what macro viruses are, how they work and how to avoid falling victim to one.
What is a macro virus?
A macro virus is a computer virus written in a macro language, the same language used in software applications such as Microsoft Word, Excel or PowerPoint. This is why these types of documents are ideal places to hide malicious macro code.
When the malicious code infects one of your applications, it triggers malware designed to cause damage to your computer and further spread the virus.
Chances are you’re quite familiar with the Microsoft Office suite. This is why macro viruses represent such a threat - they hide in programs many of us use every day and take for granted as being safe.
How does a macro virus work?
First of all, let’s understand what a macro is.
A macro (short for “macroinstruction”) is a kind of code designed to instruct applications like Excel and Word to perform certain actions. Macros are intended to enhance the functionality of the application and make your life easier by speeding up or eliminating repetitive tasks.
However, macros can be created by anyone and malicious macros can be created just as easily as helpful ones. Therefore, it’s no surprise cybercriminals routinely create malicious code, insert it into documents, then trigger it to run as soon as macros are enabled.
You’ll notice this kind of virus runs on the application as opposed to the operating system. That means any computer running any operating system could be infected, even your Mac.
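Added example (not part of the original article): because the malicious code travels inside the document itself, a file can be checked for macros before anyone opens it in Office. The Python sketch below looks inside a modern Office file (a ZIP package) for a stored VBA project and for a macro-enabled content type. The function names are hypothetical, the sample files are constructed in memory, and legacy .doc/.xls files are only recognised, not parsed.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls/.ppt container
# Main-part content type Word declares for a macro-enabled document (.docm).
DOCM_TYPE = b"application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_TYPE = b"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"

def inspect_office_file(data: bytes) -> dict:
    """Collect macro indicators without opening the file in Office."""
    result = {"format": "unknown", "vba_parts": [], "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole-legacy"  # may hold macros; not parsed here
        return result
    try:
        package = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    with package:
        names = package.namelist()
        if "[Content_Types].xml" not in names:
            return result  # a ZIP, but not an Office package
        result["format"] = "ooxml"
        # The VBA project is stored as a package part named vbaProject.bin.
        result["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        # Macro-enabled documents and templates declare a "macroEnabled" content type.
        result["macro_content_type"] = b"macroEnabled" in package.read("[Content_Types].xml")
    return result

def macro_verdict(data: bytes) -> str:
    info = inspect_office_file(data)
    if info["format"] == "ole-legacy":
        return "legacy-unchecked"
    if info["format"] != "ooxml":
        return "not-office"
    return "macros" if info["vba_parts"] or info["macro_content_type"] else "no-macros"

def build_sample(with_macro: bool) -> bytes:
    """Constructed sample package: structure only, no VBA code inside."""
    main_type = DOCM_TYPE if with_macro else DOCX_TYPE
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", b'<Types><Override PartName="/word/document.xml" '
                   b'ContentType="' + main_type + b'"/></Types>')
        z.writestr("word/document.xml", b"<document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder bytes, not a VBA project")
    return buf.getvalue()
```

A "macros" verdict only means the file carries macro code, not that the code is malicious; a "legacy-unchecked" file should be treated as possibly containing macros.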
How do macro viruses spread?
Macro viruses spread in a few different ways.
The first thing a macro virus will usually do is infect other documents on your computer. When you send one as an attachment in an email, you will have inadvertently sent the virus to your recipient.
Secondly, macro viruses are known for quickly gaining access to your email contacts, then resending the infected document to your contacts on your behalf. This is known as a phishing email.
What is Microsoft doing about this problem with macros?
Macros in Microsoft Office used to be enabled by default. However, following increasing numbers of macro virus attacks, Microsoft made the decision to disable them.
Now, macros are disabled by default in all versions of Microsoft Office, from 2000 onwards. Should you open a document containing macros, Office will show you a dialog box asking you if you’d like to enable them.
This certainly helped to reduce the risk of being infected by a macro virus. However, cybercriminals are nothing if not persistent and still find ways to trick users into enabling macros and infecting their devices with malware.
What are some examples of a macro virus?
In 1995, a virus called Concept became the first macro virus to spread through Microsoft Word. It was accidentally included on a CD-ROM called “Microsoft Compatibility Test” and shipped by Microsoft to hundreds of businesses. From there, users inadvertently spread the virus via infected email attachments.
While Concept didn’t have the capability to send itself via email, it was a forerunner to the Melissa virus, which could do so very effectively indeed.
In 1999, the Melissa virus spread via an infected Word document through email. The email contained the message:
"Here is the document you asked for … don't show anyone else ;-)".
The attachment was usually called list.doc. When the recipient opened the document the virus infected their computer and sent itself to the first 50 people in the user’s email address book, causing the virus to spread rapidly. It’s estimated the virus infected more than a million computers.
In 2017, hackers created a macro virus specifically targeting Macs. The virus spread via email in a macro-infected Word document titled "U.S. Allies and Rivals Digest Trump's Victory -- Carnegie Endowment for International Peace.docm".
When the user opened the document they would see the familiar dialogue box inviting them to enable the document’s macros. Doing so infected the user’s computer with malware, allowing hackers to access the user’s browser history, monitor webcams, and steal passwords and encryption keys.
How do I know if I have a macro virus?
Once enabled, macro viruses spread fast. It’s possible the first you’ll know about being infected is when your contacts start calling you to ask about a strange email you supposedly sent.
Other things to look out for are:
- Your computer running slower than usual
- Strange changes being made to your documents
- Menu items missing from your software application
- The appearance of unusual dialog boxes you don’t normally see
- Your computer saving files as “templates”
- Your computer asking you for passwords to access files not usually password protected
How to prevent macro viruses
Removing a macro virus manually isn’t easy. So should you fall victim, the best way to detect and remove it is to use antivirus software.
Prevention is by far the most effective way to avoid being impacted. Here are some simple, yet highly effective actions you can take now:
- Use an antivirus
A trusted antivirus software will warn you if you attempt to access any suspicious files or links.
- Spam filter for phishing emails
The fewer spam emails you come across, the less chance you’ll be tricked into downloading something you shouldn’t.
- Update all software and patches
Always keep your operating system and programs up to date for maximum security.
- Don’t open attachments from unknown senders
Why would this person have your email address? Opening emails from people you don’t know is not worth the risk.
- Don’t open suspicious looking attachments, even if they’re from someone you know
This is a very common way for macro viruses to spread.
- Avoid clicking on banner ads
It’s possible you could download a document containing a macro virus by clicking on malicious links in ads. Be careful what you click.
- Check macros are disabled on your Microsoft Office programs
At this stage, these should be disabled by default unless you are running an incredibly old version. Just in case, here’s how you can check. Within the program:
- Choose File
- Click Options
- Click Trust Centre -> Trust Centre Settings
- Click Macro Settings
- Select Disable All Macros Without Notification
- Click OK.
Staying alert and looking out for threats like macro viruses is key to avoiding harm online, as is the support of a dedicated antivirus software.