VBA virus attacks not quite dead

In an article published last week by Virus Bulletin, there have been recent upsurges in VBA-based virus attacks through Microsoft Word documents.

Full story: https://www.virusbtn.com/virusbulletin/archive/2014/07/vb201407-VBA

Synopsis

There are people out there who still write malicious code. VBA is extremely versatile, and can change many things on your system. Those who really want to do bad things to other people can do so with VBA.

By default macros are always disabled in an Office file until you enable them, by clicking Enable Content when prompted, as seen in the figure below.

EnableMacros

 

Bottom line is: if you don’t know who the file is from, don’t enable macros. If you’re not sure you can always go onto one of the many free help forums on the internet and post the code. To do this (works with any Office desktop application):

  1. Hit ALT+F11 to open the Visual Basic Editor (VBE)
  2. Hit CTRL+R to open the Project Explorer (PE)
  3. Find the file in the PE, expand it to see all folders
  4. Expand the file object folder
    1. In Excel: Microsoft Excel Objects
    2. In Word: Microsoft Word Objects
  5. Double-click the ThisWorkbook or ThisDocument module
  6. Copy all code

There is a chance the VBProject has been password protected, in which case you’ll be prompted for a password when you try to expand the project. If you’re not sure if the file is legit and you get this, don’t open the file because there’s no way for you to check if it’s malicious or not. There are software programs out there to remove VBA passwords, but they’re not free.

The below figures show a Word document and an Excel spreadsheet in the PE.

ThisDocument ThisWorkbook

 

Free help forums you can post the code to:

There are many other forums to choose from, but the above list generally gets quick answers.

Leave a Reply

Your email address will not be published. Required fields are marked *