Bugtraq mailing list archives

Bypassing Excel Macro Virus Protection


From: rotaiv () USA NET (rotaiv)
Date: Mon, 29 Mar 1999 12:51:09 -0500



With the sudden attention macro viruses have received over the
weekend, I thought I would share a couple of items I find concerning
with Excel macro viruses.

In Excel, if you go to "Tools - Options - General" you can check the
"Macro Virus Protection" check-box and this should prevent any macro
viruses being executed without your knowledge.  This is true in most
cases but it can be bypassed with several methods.


Password Protected Spreadsheets
=========================

If a file is password protected, Excel assumes this to be a "trusted"
source so it ignores the "Macro Virus Protection" option.  This allows
any code contained in the document to be executed without the user's
knowledge.

Here is a scenario that should not be too hard to believe:  Someone
downloads a list of passwords for pornographic sites from alt.sex and
types in a disclaimer password such as "I AM AN ADULT".  This allows a
macro virus to be executed even if the "Macro Virus Option" is
checked.

The solution is simple.  Don't open any password documents from a
non-trusted source.  If you really want to open the file, type in the
password then hold down the SHIFT key before you click "OK" on the
password dialog box.  Holding down the shift key will by-pass any
macros and prevent them from being executed.

For more details, refer to the following TechNet article:
Q176640 - XL: No Macro Virus Warning Appears Opening Protected
Workbook



Documents in the XLSTART Directory
============================

Any documents saved in the XLSTART directory are considered to be a
"trusted" source so once again, the "Macro Virus Protection" is
ignored.  The solution here is obvious but not so easy to implement.
Don't allow any documents (or shortcuts) to be saved in this
directory.  Remember, many users may have their PERSONAL.XLS file in
this directory which contains macros they have supposedly created
themselves.

The XLSTART directory on my PC is as follows:
C:\Program Files\Microsoft Office\Office\XLStart

For more details, refer to the following TechNet article:
Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros



Disabling 'Macro Virus Protection'
=========================

With Word, the macro virus protection can be disabled with the
following command:
Options.VirusProtection = False

To my knowledge, there is no such command for Excel.  However, this
option can be changed with a reg hack that could be initiated from a
batch file or from a VBA macro Shell command.  On my PC, the "Macro
Virus Protection" option is stored as a dword value in the following
registry key:

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]

To enable the virus protection, use:
   "Options6"=dword:00000008

To disable the virus protection, use:
   "Options6"=dword:00000000

This may not be exactly the same for every PC as "Options6" controls
several options depending on the value of the first four bits.  See
below for details:

bit 0    Show Name part of Chart Tips
bit 1    Show Value part of Chart Tips
bit 2    Intellimouse Roll action: 0 = scroll, 1 = zoom
bit 3    Macro Virus Protection
bit 4-15 (Reserved)

For more details, refer to the following TechNet article:
Q169811 - XL97: Using the Policy Editor to Force Macro Virus
Protection



Conclusion
========

I am sure many people are under the impression that if the "Macro
Virus Protection" option is enabled in Excel they are safe from macro
viruses.  However, if someone felt so inclined, they could easily
bypass this protection and execute VBA code without the user's
knowledge.

I have tested all the above examples using Microsoft Office97
Professional with SR2.  I found the references in TechNet but I have
not searched Microsoft's Web-site to see if there are any patches or
hot-fixes for these three items.

'nuff said ...

rotaiv  -£-

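
An audit of the "Options6" bit layout listed in the post, as an added example that is not part of the original message: it reads the value from the text of a .reg export, tests bit 3 on its own instead of comparing the whole dword, and computes a value that turns protection on while keeping the other option bits. The sample export, its value 0x5 and the function names are constructed for illustration.

```python
import re

# Bit layout of Options6 as listed in the post.
OPTIONS6_BITS = {
    0: "Show Name part of Chart Tips",
    1: "Show Value part of Chart Tips",
    2: "Intellimouse Roll action is zoom",
    3: "Macro Virus Protection",
}
MACRO_PROTECTION = 1 << 3
EXCEL_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"

# Constructed sample of a .reg export; the value 0x5 is made up for the example.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
"Options6"=dword:00000005
"Font"="Arial,10"
'''

def read_options6(reg_text, key=EXCEL_KEY):
    """Return Options6 as an int from .reg export text, or None if absent."""
    current = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]  # registry key names are case-insensitive
        elif current is not None and current.lower() == key.lower():
            m = re.fullmatch(r'"Options6"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16)
    return None

def audit(value):
    """Decode the flags; compute a value that sets bit 3 and keeps the rest."""
    return {
        "enabled_options": [n for b, n in OPTIONS6_BITS.items() if value >> b & 1],
        "macro_protection": bool(value & MACRO_PROTECTION),
        "reserved_bits_set": bool(value & ~0xF),
        "remediated_value": value | MACRO_PROTECTION,
    }

if __name__ == "__main__":
    v = read_options6(SAMPLE_REG)
    print(f"Options6 = 0x{v:08x}", audit(v))
```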
