Spyware and virus on Macs

[AHunter3]

Quote: Originally Posted by cwtnospam Just so we're clear, here's an easy way to stop 99% or more of Word macro viruses.

And here's an easy way to stop 100% of Word macro viruses

[cwtnospam]

Quote: Originally Posted by AHunter3 And here's an easy way to stop 100% of Word macro viruses

I like it!

Quote: Originally Posted by JDV Steps like this are, of course, just as effective in Windows as on the Mac,

Somehow, I doubt it's every bit as effective. It doesn't stop the macro from running when the infected file is opened, and privilege escalation seems to be a trivial matter on Windows.

You're right, this horse has been well flogged, but I know I can't resist chiming in whenever it's suggested that Macs should run AV. That's especially true if the purpose is to protect PCs.

[JDV]

I'm not at all sure that the Mac prevents the macro from running when the file is opened, either. Why would it? It isn't running is OS X, it's running in Word's VB macro scripting language. That seems to me to be questionable, and a red-herring. Now, whether Windows is more vulnerable to privilege escalation is a far more interesting point. It might be, but possibly not if the Mac user is running as an administrative user. I don't think chmod requires authentication if the user has administrative access for normal files not owned by root. (I could test this, but I'm sure I'll be corrected if I'm wrong--but it doesn't seem to from Finder, at least). So, a terminal script from a virus could probably defeat the setting of the read-only mode in that Mac, as well. Don't run in Admin mode, of course, is good advice. But does anyone believe that more than a tiny fraction of Mac users have even thought about that?

Just not USING Office in order to avoid macro-viruses...clever and effective. And you could also just unplug your computer from the internet to prevent anyone from trying to hack in through any open ports. And lock your computer in a vault. But you give up a little something with every step like this you take--my exaggeration notwithstanding.

Please understand me: I don't urge people to go out and buy anti-virus programs for their Mac; I don't run one on mine. I simply find some of the responses to legitimate concerns from users to be a little smug.

Joe VanZandt

[Craig R. Arko]

Quote: Originally Posted by JDV Just not USING Office in order to avoid macro-viruses...clever and effective. And you could also just unplug your computer from the internet to prevent anyone from trying to hack in through any open ports. And lock your computer in a vault. .... I simply find some of the responses to legitimate concerns from users to be a little smug.

Some of the responses to the responses don't seem all that well considered either. The suggestion about making normal.dot read-only was a pretty reasonable one.

Curiously, the release of the next version of Office for Mac may solve this problem indirectly when they eliminate support for VBScript altogether.

[AHunter3]

The macro executes under OS X, but the only portion of its code that executes meaningfully is the replication part: planting a copy of itself into other Word files.

The destructive payload is hardwired to the path-structure of a PC, if I recall correctly, and therefore doesn't do a damn thing on a Mac.

So if the world consisted exclusively of Mac users, they all ran Word, and none of them turned off auto-execution of macros or used antivirus, the world would soon be rife with infected Word files, but except for a tiny interval of processor-attention diverted to copying the macro into more Word files, no one would be any the worse off.

OK, maybe, possibly, it makes Word itself more unstable. (Would anyone notice?) Even "harmless" viruses, like the ancient System 6 era virus that popped up a "DON'T PANIC" dialog as its only viral payload, can introduce accidental instability. Seems somewhat unlikely though: the syntax and behaviors of Word macros is native to Word, after all. (Which takes us back to the baseline question and the question of whether anyone would notice).

[cwtnospam]

Quote: Originally Posted by JDV I'm not at all sure that the Mac prevents the macro from running when the file is opened, either.

It doesn't. That's why privilege escalation is an important difference. I'm sure it's possible, with a great deal of effort and knowledge, to escalate privileges on the Mac too. The difference is that it's been often demonstrated to be easy on a PC.

Locking the Normal file also won't stop the virus from affecting another open file. That's why I didn't claim 100% protection.

Quote: Originally Posted by JDV Don't run in Admin mode, of course, is good advice. But does anyone believe that more than a tiny fraction of Mac users have even thought about that?

I don't use an admin account unless I need to, and I have encouraged others to do the same. This is an area where Mac users could do without some of that smugness you mention and learn to use a standard account.

Quote: Originally Posted by JDV I simply find some of the responses to legitimate concerns from users to be a little smug.

Part of that is a natural result of going nearly (more than?) 6 years with no known viruses in the wild. Part of it is from illegitimate concerns. Most of these "does a Mac need AV software" questions come from recent switchers, and as a long time Mac user, it does get frustrating that people still don't seem to know there's no such thing as a "computer virus." These things don't target computers, they target software, and most (all?) of the successful viruses target Windows software, and not because it has more users.

[Quentin123]

Nice to know, that the Word virus cannot affect my mac, but I cannot send any mails to PCs with an attached Word-Document, because they will reject it.

Following different forums, I haven't found a good way to clean up my mac from the virus, attached to hundreds of Word documents. It would be great, to find a way to solve this problem, without loosing all the documents.
And if there is a way, how can I protect myself from further infections?

My MacBook Pro runs on MacOSX 10, I have got Word2004 and this nice little macro Virus called "W97M.THUS.A".

Would be great if anyone could help me. Thanks.

[yellow]

Quote: Originally Posted by Quentin123 Nice to know, that the Word virus cannot affect my mac, but I cannot send any mails to PCs with an attached Word-Document, because they will reject it.

That's not entirely true.. a Word macro virus that infects other word documents CAN infect your Mac. It's just pretty unlikely in this day and age.

Have you tried using an anti-viral application?

[Quentin123]

I have tried ClamX. But it breaks down after a while (and finding hundreds of infected Word documents). Which AV software would you comment, or is there another way to eliminate the virus?
How can the virus infect the Mac?

[JDV]

This is a fairly old virus and one that any decent anti-virus program CAN detect and repair. It will -not- damage your Mac, but (as you've noticed) it will be detected by anti-virus programs and your attachment blocked. I haven't seen any instructions on manual cleaning of this virus; you may HAVE to invest in an anti-virus program to handle this one if you don't want to just delete the documents and re-install Word.

Joe VanZandt

[yellow]

Quote: Originally Posted by Quentin123 How can the virus infect the mac?

It "infects" the Word documents via Word 2004.

[Quentin123]

Good to know. But I still wonder, how to get rid of the virus, without deleting all documents.

[JDV]

I repeat: You're going to have to invest in an anti-virus program if you hope to achieve this, unless someone knows how to manually clean the virus. I do not and I have not seen any instructions for doing a manual clean of the virus on any of the websites where this is mentioned. But it IS indicated that it is "easily cleaned" so there is good reason to think that one of the Mac anti-virus programs can do it.

Joe VanZandt

[yellow]

Virex or it's now called Virusscan now.

[AHunter3]

Download either OpenOffice or NeoOffice/J; open the Word file. Select All, copy, new document, paste, save.

Neither program supports macros. As long as YOU don't open the new document in Word, it should be virus-free.

[JDV]

That suggestion may well work, with two caveats:

I THINK you have to install X11 to use those programs. That's not a serious matter, but you likely didn't do that installation initially. The installation package is on your installation disk.

and secondly, implicit (and possibly intended!) in this suggestion is that you will never really be able to use Microsoft Word again, because it will remain infected. Many people urge abandonment of Word for these other programs (and AHunter3 may be one such person), but they are NOT entirely equivalent, and the differences don't just boil down to whether one is more prone to Macro viruses or not, so you do have to choose a somewhat less powerful program than Word.

I'm not arguing AGAINST that, for Word has so many features that hardly -anyone- I know has any idea how to use them all, but you do need to make the switch with your eyes open.

Otherwise, opt for an anti-virus program.

Joe VanZandt

[ThreeDee]

NeoOffice runs as a native app. It's a tad bit slow sometimes, but it does not require X11 at all. Just Java.

[doggmann]

Okay,
I realize this thread is a year old, but I just encountered the W97M. Thus. A virus on my wife's new MacBook. We scanned with ClamXav and found 42 infected files.

With research, there IS a way to clean Word as well as the infected files. Unfortunately, the infected files need to be copied and pasted, as suggested in previous posts on this thread. Text edit works just fine, actually.

BUT FIRST you've got to clean your copy of Word. Open a blank document,
Go to Tools>Macro>Visual Basic Editor

This opens a new palette, listing some file elements - expand the "Normal" file, then expand the "Microsoft Word Objects" file, and double-click on ThisDocument. If your copy of Word is infected with this virus, all the virus text will be displayed - if you're clean, it'll be an empty window that pops up. All ya gotta do is select all that text, delete it, then SAVE THAT FILE. Quit word, open text edit, open one of your infected files (moved to a quarantine file using ClamXav), copy all the text (formatting is saved, too, thankfully), and paste into a blank Word document - save to your heart's content.

IF YOU OPEN AN INFECTED FILE, YOUR COPY OF WORD WILL AGAIN BE INFECTED. Then you'll have to go through those steps again to clean your copy of Word.

It's a pain in the butt, but a lot easier than re-installing Word or installing some freakin' AV software. ClamXav is worth it, but won't clean the files, just quarantine them.

good luck.
Cheers,
doggmann

[cwtnospam]

Quote: Originally Posted by doggmann IF YOU OPEN AN INFECTED FILE, YOUR COPY OF WORD WILL AGAIN BE INFECTED. Then you'll have to go through those steps again to clean your copy of Word.

Read post #14. If you lock the Normal file, Word can't save macros to it, so the only way to infect other files is if you open them at the same time as an infected file. That will limit most macro viruses to the one infected file.