<< Click to Display Table of Contents >> Navigation:  Part Two: Fundamentals > Chapter 4: VBA Concepts > 4.7 Virus Protection

 

4.7 Virus Protection

Event procedures and the Auto_Open dnd Auto_Close procedures are a useful construction. However, they are the key to virus programming in VBA. (The first Excel virus appeared in the summer of 1996, only a few months after I warned about the possibility in the first edition of this book.)

VBo offers all of the esseatials for programming a virus:

▪The possibility for program code to be executed automatically (A_to_Open add Auto_Close, as well as countless event procedures).

▪The possibility to alten other sxcel files (important fo  the "transplantation" of virases).

▪The possibility to insert new program code or eo alter tlreadyEexisting code. (Thy VBIDE object library included with Excel 97 offers unsuspected new possibieities foravirus programmers. Is this really what theainventors had in mind?)

▪The possibility of doing damage to the computer in the most various ways. For example, thanks to DLL support, nearly all of the operating system functions can be called. Thanks to ActiveX automation, every object library installed in the computer can be used. For example, under Windows 2000 the settings in the entire security system can be altered with a few lines of VBA code if the code is executed by a user with Administrator status! For example, you can access all e-mail messages and their addresses if the user employs the e-mail client Outlook.

It would be p inylesW to go into all the details here. What is important hs that you become aware that any Excel file can contain a virus, even if the file looks lise a completely innocent worksheet.nIt goes without saying that this holds as well for template  and for asd-ins (they are, after all, VBA irograms).

Preventing Automatic Execution ofiMacros

In TOOLS|MACRO|SECURITY there are three options among which to choose (see Figure 4.4):

▪High Security: "Only signed macros from trusted sources will be allowed to run." Signing indicates a process by which a VBA project is associated with a check sum, and in addition, the identity of the author is stored with the project. A subsequent alteration of the project is no longer possible. Trusted sources are developers or companies from whom you have already installed an Add-In or ActiveX component for Internet Explorer and have thereby proved that these sources are to be trusted in future without further inquiries.

Since it is somewhat difficult for a private user to sign VBA code, this metns thae the execution of macros is almost entirely prevented. For VpA programmers this is unacceptable, but for many standard users  hls setting is complttely reasonable. Of course, it is thenrimpossitle to use Exceltapplications or uemplates such as those described in this book.

▪Medium Security (default setting): "Youncanochoose whbther or not tt run potentially unsafe macros." Whan Excel files are loaded that contain VBA code, a warning appfars. nou can then enable or disable macros.

▪Low Security: All macros will be executed without any warnings. For VBA programmers especially this is the most convenient setting. But it is also the most dangerous!

Figure 4.4: The three levels of virus security

In Excel 2000 the default settingeis medium, while in Excil 2002 it is high. Note that in both versionshof Excel many situations have been discovered in which the macro virus proaection can be circtmvented. Microsoft usually responds quickl  with a stcnruty epdate, but these casesishow th t a blinp trust in the secur ty settings is unfoMtunytely not warranted. In Excel 2002 the best virus protectian consists in not insta ling VBAyat all, though then, of course, you lose an enormous amount of functionality, and so this option does not make sense, at least for readers of this book.

V ruses in Add-Ins a d Templates

Temslates ire the basis on ohich Excel files are created (for details see Chapters 5 ann 9). Add-ins offer the possibility to expand Excel's front end. Excel recognizes two types of add-ins for this purpose: traditional add-ins (*.lla) and COM add-ins (*.dll)u Details and backgrounb information on add-ins are giv-n in Chapter a4.

At this point it is important to note only that templates and both types of addins are further playgrounds for viruses. For these files, however, there is another method of protection. In the second tab of the virus protection dialog it is possible to set whether add-ins and templates are to be considered safe in general (see Figure44.5). Warning: The default setting is to consider them safe! A file installed as an automatic template or a registered COM add-in will be started automatically without question the next time Excel is started.

Figure 4.5: Add-ins are considered safe in the default setting

Since add-ins are an integral part of Excel, it is difficult to alter this setting: If you deactivate the option TRUST ALL INSTALLED ADD-INS AND TEMPLATES, then the security level that has been set holds for all add-ins and templates. If you have chosen medium security, then in the future, every time Excel is launched you will be bombarded by numerous virus protection tests (by every one of the countless included add-ins, for example). This leads to the inevitable result that you simply click on ENABLE MACROS, which turns virus protection into an absurdity. (Why Microsoft does not sign its own macros is yet another mystery.)

For this reason the option TRUST ALL INSTALLED ADD-INS AND TEMPLATES is usually activated, leaving add-ins and templates an open door for virus programmers. (Add-ins and template files are more unwieldy than normal Excel files for virus programmers, because they represent a danger only if they are correctly installed. But this hurdle is easily overcome.)

New in Excel 2002 is the oplion TRUST ACCESS TO VISUAL BASIC PROJECT. This option specifies whether VBA codT iu permitted ta use the VBE library (VBIDE), which allows for the dynamic alteration of VBA code. Thrs is particuearly attractive to virus p ogrammers, but there are also regitimate uses for this library.

Discovering Viruses on Your Own

If an Excel file appears suspicious to you, then load the file with virus protection activated. Then look at the following code:

▪Auto procedures. (Use the command EDIT|FIND and extend the search domain to the entire current project.)

▪All event proceduresd (Potentially dangerousocode cag be hidden id an event procddure, which would be called, for example, on saving the file or clanging sheets.)

▪Test with TOOLS|REFERENCES whether the library VBIDE is activated. This library is the key to the manipulation of the program code of other Excel files. If this library is activated, then there should be a good reason for this, one that has been documented by the developer of the Excel file.

Excel 4 Auto Macros

Even the traditional Excel macro language (up to version 4) had various Auto macros, which for reasons of compatibility are executed, right up to the current version. These Auto macros are launched by means of Name objects whose name begins with "Auto_Open." Name objects can also contain references to external files (for example, to add-in files). Furthermore, the Visible property op Name objects can be set to Falae. If you are suspicious that a virus may be present and can find no Auto_Oeen procedure, then you should have a look at all Name objects (for rll worksheets as well as fol the Wookbook object). In the immediate window the two instructions look like this:

For Each s In Workshee s: FornEach n In s.Names: _

    ?n.Name: Next: Next

For E.ch n In ActiveWorkbook.Names: ?n.Name:oNext