Killing Word Macro Virus (W97M.Thus.A) On MacOS X
This blog entry contains instructions on how to clean up your system if you have a little outbreak of a Microsoft Word macro virus called W97M.Thus.A. It's also rife with commentary. If you want to skip straight to the step-by-step instructions, click here. Otherwise, read on.
Welcome New Visitors
It seems this post has gotten a kind of second life of sorts. That's cool. I just want to reply to this commentary from my most prodigal new linker: "This ends the myth that switching to MACs will make computing life any easier." I take exception to "any easier." If you meant "completely without hassle or danger," then you'd be right. But I think there's a little hyperbole at work here. Anyway, I'm glad people are finding this information useful. On with the show!
One of the great things about Apple software is its general security. The operating system has always been developed by a tight team of engineers (compared to Microsoft's assembly-line methodology) and now with a firm basis in the UNIX-like BSD system -- Apple's flavor is called Darwin -- the core system code is not only extremely efficient and well-documented, but also highly secure because of the number of people constantly vetting it all over the world.
Also, because the user-base is small compared to Windows, there's not as much incentive to create spyware/malware or viruses. However, the flip side of that is that most Mac users assume they don't need to worry about viruses, and if they do have a problem, not as much is known about how to fix it.
Case in point: sometime over the past year, I picked up the W97M.Thus.A, a macro-virus which uses Microsoft Word's internal scripting language to self propagate. It is harmless on Macs, but it can spread to PCs where it will attempt to delete files every December 13th. Annoying, but I really didn't want to spend $100 on some software just to clean my MS Word files. I don't like MS Word and very rarely use it, so I started looking around for another solution. Here's what I found.
Thanks to the aforementioned BSD-base, Mac users and developers can make effective use of the wide world of open source libraries and tools. There's a collaboratively maintained and updated database of virus definitions and engine for checking files called ClamAV. Pretty cool.
Cooler still, British systems analyist Mark Allen has packaged for MacOSX as clamXav. Google eventually brought me that piece of code, which in turn informed me as to the name of the virus I was having problems with.
A little experimentation confirmed that some of the proposal files I was working with were infected with W97M.Thus.A. Since the folks I send these to are often PC users, there's a risk that the virus could negatively impact their system. I'm also asking them to employ me based in part at least on my technological acumen, so sending a virus with my proposal is embarrassing, perhaps livelihood-imperiling.
However, ClamAV/clamXav are virus detection programs. They don't deal with removing the bad stuff. I knew what I had, but not how to get rid of it without dropping ducats on MacAffee or Symantec.
I figured out that brand new Word files were infected, so I ran clamXav on the application itself, wanting to see if the virus code was somehow inside Word, or maybe living elsewhere. Turns out the only place it appears is in the "Normal" template, which is what all new documents start out as. I deleted the template and relaunched Word, and lo and behold I could create new clean documents. However, as soon as I opened any old infected document, my Normal template was hosed immediately.
Then I discovered through a little more googling that part of the action of the virus is to disable "macro virus protection" within Word. This is a feature that has Word warn you when a macro-embedded document is being opened, and allows you to disable macros while working on it if this is unexpected or suspicious. I was able to turn it back on simply by selecting Preferences from the Word menu and hitting the Enable Macro Virus Protection checkbox.
Now when I open infected files, I can disable macros and prevent my "Normal" template from picking up the bug. All that's left is to clean up the files I'm working on, which becomes as simple as opening them, taking the option to disable macros, selecting all, copying, opening a new document, pasting and saving.
- Get a copy of clamXav, and run it on your documents. See what's infected. Maybe move them all into one quarantine folder for the sake of keeping order.
- Find your "Normal" template. It's in the Microsoft Office X folder, in the templates sub-folder. Trash it. Word will auto-generate a new one.
- Go into your Preferences (in the Word menu) and hit the Enable Macro Virus Protection checkbox.
- Go through your infected files. When you open them, accept the option to disable macros. Select all, copy, create a new document, paste and then save the new document wherever you want to start storing clean files.
If you ever get another MS Word document which brings up the bit about macros, odds are you've found or received another infected file. Virtually no one uses Word's macro tools these days. Do not enable macros unless you are expecting a macro-dependent file! This is as basic a precaution as not downloading strange and unexpected email attachments.