Macro Virus detection problem Vesselin Bontchev Translator Doomleo
The viral changes written in the macro programming language in the popular office application (such as Microsoft Word) are very common. Unlike only one entity MS-DOS virus, macro dexus usually consists of a single set of separate macros. This causes anti-virus software for specific viruses to try to accurately identify some interesting theoretical issues generated by this virus. The macro set of two viruses has the same subset --- or a macro set is another macro set. This article discusses the problems caused by this, which is also very difficult if it is not possible to solve it. The focus is how the virus authors develop these difficulties, as well as how anti-virus products should be increased to prevent such attacks, avoid damage caused by the virus within the error identification file and attempts to delete the wrong virus variant. 1. Identifying the needs of specific viruses Before we start processing macro virus identification, it is worth mentioning why usually specifically virus identification, especially specific macro-virus recognition. After all, from the historical, most scanner works by finding a small portion of the virus and treats it as a 'scan clue' to detect all other instances of the virus. However, there are several flaws in this approach. First, this method brings a true risk identified - that is, a virus (e.g., a destructive virus) and another virus (eg, a virus without destruction purposes). Over the past year, we have seen an anti-virus manufacturer's destructive virus (TEDIOUS) that is destructive by issuing a news warning. According to the conference, the virus spreads quickly - especially they urge people to buy which anti-virus manufacturers' anti-virus programs. Which news released at the beginning of the senior anti-virus researchers caught confusion. Even if we leave the ethical issues caused by fear tactics to convince the public to buy their products. All well known TEDIOUS viruses did not spread. The most important thing is that it does not have an outbreak date without an effective carrier. That is to say, there is no destruction attempt. The fact that the scanner of the virus manufacturer uses the scan string to distinguish Tedious and Bandung - the latter is to propagate and destructive viruses - thus caused confusion caused by the press release There is no doubt that there has been a negative impact on those who release news. Relatively speaking, this matter is not harmful to the user, but we can easily imagine the opposite mistakes brought about by error. That is, a devastating virus is reported to an anti-virus manufacturer as an anti-aggressive virus without alarming the user. Second, the precise identification of the discovered virus when removing the virus (anti-virus) is important. Error recognition can cause an attempt to remove errors --- Make a fatal damage that is infected and cannot be repaired. This is already important in the field of DOS virus. However, in the field of macro virus, even more important. Because, it is convincing that the method of proper removal of the DOS virus is to cover the infected bodies with unsuccessful backup copies. In this case, regardless of whether the virus in the dirt is accurately identified - there is no too much relationship ---- the infected body has been damaged in any case. However, macro-virus is usually present in the document - it is certainly often changed, and its unsuccessful backup copy is usually not available. Therefore, by removing macro viruses within the infected document, it is necessary to kill the macro virus --- and ultimately important is the correct completion of anti-virus, does not destroy the document and the internal existence user-defined macro. If there is no way to identify the virus accurately, this goal is completely unacceptable to stabilize. Third, accurate recognition of viruses for technical support is often necessary. Users often ask us "What is this or that virus is doing?" ---- Due to the problem in the problem in their machines and what they want to know about their data? If you find that the virus's scanner does not accurately identify viruses, the correct answer is usually impossible. Usually a virus with great destructive force (such as data defrauding virus WM / Wazzu.a) and its variants do not do anything is just one byte - or even a binary bit.
This level of identification is only impossible to scan a string actually. The only way to achieve this level is to calculate some of the checksums of all binary locations of the virus body. Fourth, accurate recognition of virus is necessary for the correct report and tracking computer viruses. A authoritative resource of this type of information is called WildList, which is maintained by the anti-virus researcher Joe Wells. Many testers use it for which viruses are included in the In-the-Wild test set. Recently, the fact that this list does not accurately identify some of the viruses of its columns, so that our scanner is adversely scored in a contrast comment. This list enumerates a Plagiarist virus. The facts show that there are several different viruses, which are members of the Plagiarist family, and our scanner can detect one of them - the real "in the wild" virus, which was initially reported to Joe Wells. However, it cannot detect another variant ---- this variant is not "in the wild". However, since WildList is mentioned is "Plagiarist" is not identified by specific variants. A tester uses a viral variant that our scanner cannot be detected and written in our product to our product cannot be 100% detected by the In-the-Wild virus set. People can imagine the same disaster of macro viruses. Fifth, accurately identify viruses can prevent absolute errors. It is well known that only single scan string is used to detect the virus scanning of the virus that is often caused by absolute errors - ie, the report is reported to have a virus in some clean files, which contain the same byte sequence for detecting the virus. In the same case, accurate virus detection will not lead to such a disaster - because if it detects a virus in the file, she only means there is a virus; this is undoubted, because each binary bit is recognized. And found it existed. In fact, the absolute error generated by the product that uses accurate viruses recognition is often much smaller than (almost no ---- unless it tries to detect new viral variants, the accurate virus identification is not used) rely on the anti-scan string Virus products. Finally, accurate virus identification is essentially a unique way to deal with VBA macro virus (both, macro-treated Excel and Office97 toolkit programming languages). This, because of its design, the VBA program contains many variable regions (which contains a pointer to the common identification area - all VBA modules in the document). As a result, the possible scan string is only two bytes - obviously not suitable for all practical applications. This problem can be partially resolved in a smaller wildcard scan string - i.e. Unfortunately, this is not a good solution, because different VBA code snippets can be compiled into exact identical images - different only after the identification pointer is parsed. Obviously, this will increase the danger of absolute mistakes or even the situation will be worse. Since all the reasons mentioned above, I think it is important to accurately detect the virus that can be detected to a virus product for specific viruses (for example, scanning software and anti-virus software). In the case of a macro virus, accurate identification is even more important, because the significant change in macro virus behavior is just the result of the minimal change in one of the macros. Typically, our own macroviral scanner strictly strives to accurately detect each individual macro virus that can be detected - and persuadally all other anti-virus products use the same method when performing its scanner. Fortunately, many manufacturers realize the benefits of accurate macrovirus recognition - we see many anti-virus products to start using this method. In many cases, even if the scanner does not apply a method of accurately detecting the virus on the DOS virus it detects, at least the method of accurately detecting the virus is detected by the macro virus detected.
2. Define each design a good anti-virus program should be based on a careful definition of issues it trying to solve. Therefore, it is a good definition for detection, identification, confirmation, and removal of macro viruses to be based on what is a macro virus. In the world of DOS viruses, it is sufficient to define a virus to replicate. In the world of macro viruses, however, the situation is not simple. Macro dexus does not have to be composed of a single program (ie, a single macro). It can be composed of many macros (for example, the virus WM / Xenixos.a: DE consists of two macros), some of which are more or less independent of each other. What is the independent meaning? This includes three aspects. First, since WordBasic is an interpretation language, it is highly fault tolerant. That is, some parts of a macro are damaged --- However, if it never receives control (or receives less control --- For example, if it is in the viral body), the error never (or Extremely occurred. (In fact, this can be used to attack some anti-virus programs; see [Bontchev96].) In addition, commands for copying (for example, macrocopy) usually occupy only a few lines (the number of rows is the same as the number of macros where will be copied) . That is to say, the error happens to occur in the part of the virus that is responsible for copying. Second, WordBasic has an efficient error-catching function - and is usually used by virus authors. For example, if a virus is in its macro's start to include ON Error Resume next Even if the control is converted into an incomplete row, the program will simply ignore the error and from it, the WordBasic interpreter explains the first line of certain meaning. Continue. Third, many macro viruses are used for huge redundancy. We tend to think that this is very like a lazy rather than the authors of the virus rather than it has a distance. If they want to make a virus to intercept several systems macros and therefore make copies in several possible user behavior (for example, Filesaves, FileSave, FileNew et al., Easy to do in all of these macro copy viruses Copy partial code instead of placing it in a single macro that is called by all of these macros. As a result, even if one of the virus macros is damaged, it cannot be used again (or even completely lost), the virus still has a reproductive ability - although its complete behavior seems to have some changes. All of this (other facts described in the next section) Force us to define the macro virus is not a single program --- but the collection of macros. Special We use the following definition: Definition: Macro virus is a collection of one or more macros that can cycle copy itself. Some of the above definitions are further illustrated. In particular, 'cycle replication' we refer to an infected file to spread viruses to another document, and another document can continue to spread viruses, and so on. If a macro collection can only be copied in other places, then it is not considered a virus. (We call it "intended '- because the virus authors often try to make viral programs, but due to errors, viruses cannot copy their own more than once --- Virus authors never discovered defects, because of most viral authors, It is afraid to run test it on your computer.) In addition, many macro viruses imitate the first macro virus WM / Concept.a, which consists of fewer macro sets that exist in the global template and infected files. Therefore, according to experience, it is considered that the macro virus is a pair of macro sets that can be copied.
The virus macro collection is in the infected document, and the other is in the infected global template. The main result of the above definition is that different macro sets have different viruses - even a macro set is another subset of another. Furthermore, even a macro set consists of some elements of two known macro sets, it is still the third new virus. This must be kept in mind when discussing different and new viruses. It is important to emphasize that many of the identification issues described herein are closely related to the definition of the term 'macro virus' given above. Even some of them seem to be unable to be resolved when selecting other definitions of the term. A very attractive definition is to believe that the macro virus is a macro that is completely independent without any relationship. For example, according to this proposal, there is no WM / Concept.A virus in the document. Instead, it is considered to contain macro WM / Concept.a # aaazao (two copies of this macro; second in autoopen) , WM / Concept.a # aaazfs and wm / concept.a # payload. Unfortunately, this definition still has other, very difficult practical applications. For example, the report 'document has WM / Concept.a # aaazfs virus' seems to be stupid - because this macro is only supported by this macro, but it is not a virus. In addition, two known viral macros meet in the same computer, which can cause viral hybridization to generate new self-replication macro sets. (Detailed description of this process, see [Botchev98].) This new self-replication macro set is usually very different from any of the features and behaviors of the original two macros ---- and Therefore, it is very meaningful to think that it is a new virus. For this reason, we have given the definition of the beginning of a section is very convenient and practical. We don't emphasize it is perfect - but it is obviously the best one we can discuss. Therefore, our anti-virus products (and other anti-virus products we recognize) are based on this definition. In the remainder of this article, we will consider some interesting macro disease recognition issues caused by it. 3. Easy Macro Toxic Identification Problem In this section we will discuss some relatively easy solution to macro disease recognition. These issues are given in the order of difficulty growth.
3.1. Degraded virus or RAPI virus problem As the so-called WM / RAPI.A virus, the first issue of macro-virus recognition is produced. This virus has the following macro:
Document: Global Template Autoopen RPAO RPFS RPFS RPFSA RPFSA RPFS RPFSA RPFSA RPTC ToolScustomize RPTM Toolsmacro Autoexec FileOpen Filesave Filesaveas
However, due to a macro of this virus, when the virus is copied by File / Save (corresponding File / Saveas), some of its macros have not been copied. This has led to a new macro collection - still a virus and is therefore a new virus. This new degraded virus looks like this:
Document: Global Template Autoopen RPAO RPAE RPAE RPFS RPFS RPFSA RPFSA RPTC RPTM AUTOEXEC FILESAVE FILESAVEAS
However, this new macro set is unstable. It is almost degraded again into a new, more streamlined macro set. The third degraded macro set of degradation still has the ability to copy its own, it is still different from the top two macro ---- therefore, it is a new virus. In addition, it has become stable - there is no longer continuing to degenerate. It becomes like this:
Document: Global Template Autoopen RPAO RPAE RPAE RPFS RPFS AutoExec Filesave This degradation is the main result of each WM / RAPI family that can potentially generate two new variants. For example, there is WM / RAPI.a generate WM / RAPI.A1 (second phase of degradation) and WM / RAPI.A2 (third phase of degradation). In addition, this new variant is relatively frequently produced. Due to the virus's autoexec / rpae macro relatively large and is not responsible for copying process (which contains viral entities), it is easily damaged or captured - that is, other viruses or legally macro kit The same name is replaced. (More information about macro seized, please refer to [Bontchev98].) In addition, since this macro is stored in all degraded three times, it means that the damage of a single main variant causes three new viruses. Changing some other macros (for example, ToolsMacro / RPTM) produce less than three new virus variants because these macros are lost in certain stages of degradation and degraded variants of degradation. For example, the WM / RAPI.C virus is only degraded to WM / RAPI.C1; in the third step, the previously known variant WM / RAPI.A2 is produced. This issue is first discovered by David Chess ([Chess96]). It is relatively easy to solve - the database of the scanner only contains almost every small modification of WM / RAPI virus. However, this will result in the rapid growth of the size of this database. In addition, it is sometimes confusing - some users are difficult to understand how documents containing a virus (WM / RAPI.A) use two different viruses (WM / RAPI.A1, WM / RAPI.A2 ) Infecting their documents, the most important thing is different from the original virus.
3.2. Macro loss, DZT virus, WM / DZT.A virus is discovered soon, the second question will appear. This virus consists of the following macros:
Document: Global Template Autoopen Filesave Filesaveas Filesaveas
So far, everything is normal. However, we quickly discovered a new WM / DZT variant, WM / DZT.B, which composition is as follows:
Document: Global Template Autoopen Filesave
That is, the second macro of the virus is lost --- New virus still has good self-replication capabilities! Worse, we quickly discovered that many scanners on the market can make WM / DZT.B, if they don't know where WM / DZT.A and it is in the following state: 1. A global template for the system is WM / Concept. AAAZAO, WM / Concept.a # aaazfs, wm / concepter. 2. The same global template is infected by Wm / dzt.a virus, resulting in the contents of WM / Concept.a # aaazao, wm / dzt.a # filesave, wm / dzt.a # filesaveas and wm / concept.a #PAYLOAD. It is worth noting that the macro FileSaves of virus WM / DZT.A covers the same name belonging to the virus WM / Concept.a. 3. Cannot detect the anti-virus anti-virus judgment system infection virus WM / Concept.a ---- because it does not know the virus Wm / dzt.a and the anti-virus discovers the virus WM /Concept.a scan string. Therefore, the anti-virus tries to remove the name of the virus WM / Concept.a through the name to remove the name (instead of identification). The result contains the global template for macro wm / dzt.a # filesave being retained - this is the WM / DZT.B virus! In other words, the anti-virus produces this new virus variant. This problem can be easily resolved by allowing the antideistory to completely accurately identify the macro collection of dye. That is, according to the fixed portion of the detection viral body rather than relying on the name of the macro, each of its true presence is a single macro. Thus, in the above case, the killizer will readily notice that it is considered to be a macro of the WM / Concept.A virus with different content. Therefore, this may be a new virus and should not be anti-virus - the opposite, should be required to provide a viral sample.
3.3. The problem described in this section of the CAP virus is more difficult than the previous problem. ---- and many anti-virus products have no power for the appropriate treatment of this virus, and this virus has caused this characteristic that this feature caused our attention. This is WM / Cap.A virus. This virus was made from a 14-year-old boy in Venezuela, spread throughout the world in a few weeks - it is still one of the frequent viruses reported. This result is caused by a reason. First, this virus is not related to the language version - it can run on all the world's language versions. Second, the document that is infected is not expressed in many other Word macro viruses ---- Word does not always save them to the template directory. Third, as described above, many anti-viruses cannot properly remove this virus, so this virus is upgraded to the anti-virus product to have a considerable time propagation before it can handle it. This virus is designed to consist of 10 or 15 macros. When infected with an English version of Word system, it consists of macro AutoClose, AutoExec, AutoOpen, Cap, FilePe, FileOpen, Filesave, Filesaves, FileTemplates, and Toolsmacro. Macro FileTemplates and Toolsmacro are empty. This manifestation is only for the macro of the same name of the system, so some limits of 'Steals' are avoided. The reserved macro is only called the macro CAP, and the macro CAP contains most of the viruses and is responsible for their own copy. When infected with a non-English version of Word, there is another 5 macros in addition to 10 macros. These five macros are inherently macro Filecolse, Filesave, Filesaveas, different names of different names, which determines the language version of the specific Word. In order to reach the Word language version, the virus cannot locate its macro through the name of the macro. Instead, it detects the structure of the menu, using the processing implementation file / close, file / save / save as, file / templates, and Tolls / Macro menu items as an additional 5 macro name. This actually makes the virus unrelated to the language version of Word. Of course it is also independent of the menu structure of the infected system. Furthermore, in order to determine its macro can be copied, they are not positioned with the name of the macro (this makes it unrelated to the language version of Word). The virus uses percent (%) in the macro description, and when copying all macro to the infected file, the description of the macro contains this symbol. Similarly, in order to completely determine that no other macro 'hybrid', the virus removes all macros from the document you want infection. Unfortunately, this technique did not achieve the purpose due to the quirks of Wordbasic's unpredictable Wordbasic. It turns out that the macro FOO that is not described is copied to cover the macro BAR with a description. The result is that the macro body of the macro FOO replaces the macro foo macroblore - however, the description of the macro is not encountered and maintained as a Macro BAR. (If the two macros have a description, the macro FOO alternative macro BAR.) Results The result is opposite to the expectations of the viral authors, the virus WM / Cap.a can exchange macro in the macro or macro kit of other viruses - if these Virus infection A system that has been infected with a WM / Cap.A virus (or if the macro tool is installed to this already infected system) and it contains a macro that is a macro with the virus WM / Cap.a but not described.
Finally, due to all replication code of the virus in the macro Cap and all other macros are just calling it, other macro damage, replacement or even deleting the result of removing the result is still a virus. The results of these features produce many different self-replication, depending on the user's menu structure, the user's computer infected with the virus and WM / Cap.a. The only constant seems to be a macro CAP. Another macro can have a strange name, which can be damaged, eliminated or even lost (one of the macro CAP and other seven non-empty macros is enough to affirm this macro set is poisonous), or some of them Multiple copies (of course, the name of the macro is different). It is obviously stupid to treat all these different macro sets as different viruses. Therefore, we were forced to revise our macro virus definition to apply to a malformation virus like WM / Cap.a. In fact, we now define the virus WM / Cap.a is one or several instances containing macro CAP, other eight macros (macro FileTemplates and ToolsMacro are empty, so they do not distinguish, at least one instance is non-empty Macro. If the above revisions look a bit complex because it is indeed complicated. Unfortunately, it is one of the best dealties in such viruses we have discovered so far. It is not easy to implement it in anti-virus products. As a temporary, filling blank solutions, some anti-virus products achieve viral detection by only detecting macro CAP, and if the macro CAP is found in the document, all of the macros in the document are deleted. This is not as bad as it sounds because this virus will delete all user macros in any way infected. Of course, this whole method (including revision definitions and its temporary partial solutions) have an annoying disadvantage. During its copy, it will try to capture a macro that will greatly change its behavior. For example, a automatic execution macro from other viruses will deliberately destroy some data - the original virus is not this. The user has just wondered the virus that is accurately identified by its anti-virus software, like WM / Cap.a, a known unintentional destructive virus that suddenly appears to display information on Friday and delete files. Unfortunately, if we decided to think that all possible different macro sets of this virus are different viruses, it will cause classification and identification chaos, which seems to solve this problem. We must pay such a price.
3.4. Block copy, the CEBU virus problem, for a while, one of our customers sent us a document, this document was suspected of infected a new virus. The fact is true. This virus is obviously consisting of four macros - AutoClose, AutoExec, AutoOpen, and Msrun. (Use 'obvious "The reason why this is not strict term will be clear.) Of course, only the macro AutoOpen is responsible for the copy of the virus. Macro AutoClose also attempted to copy viruses, but because of a stupid error, it always failed. The macro Autoexec is a fighter, macro msrun is used to make a mark that "this file has been infected". The problem is that the authors of the virus are obviously an unreportable programmer, which made some unfounded assumptions. In fact, it seems to determine that the macro of its virus is the only macro in the document. After all, there may be no dyed documents in it seem to contain any macros. Therefore, it makes such a confundment and is like a copy of a copy of the virus and pointed out whether the document or global template is infected. There is a very simple method ---- only writing a copy of all macros from the current document to the loop of the infected document (this only needs three lines of WordBasic code). Therefore, what happens if the infected file itself contains some macros? If this is the case, then these macros will become part of the virus and are propagated to all other infected documents. The facts show that the macro set of viruses can only increase the new member and will never decrease! The second question is that when our customers start suspect a macro virus can't be detected by its anti-virus programs, it will download Scanport ---- Microsoft's own anti-macro virus anti-virus tool. Unfortunately, in addition to ScanPort can only detect anything in addition to the fact that anything can only be detected, it is written by WordBasic and contains several macros. Therefore, when our customers are connected to us, all of its documents contain scanport's macro, it is very uncomfortable. Then we received another sample of the same virus. It snaps the macro from another macro kit, macro AutoExec and AutoOpen covered by an anti-virus macro and macro MSRUN is completely lost. However, this macro collection still has its own ability - that is, it is a virus. Now, we call this virus as 'block replicator'. WM / Cebu.a (the virus described above) is not the only one of such viruses; there is another pair. It looks to deal with their utility method is to detect only the least macro responsible for copying, and once they are detected, delete all macros of the infected document. After all, they have become part of the virus. This method contains the same defects mentioned above ---- Some of the trembled macros will lead to dramatic changes in viral behavior. However, this also seems to be the price of classification chaos that will happen to avoid annoying other definition methods. 4. Difficult Macro Disease Identification This section describes some more difficult macro-specific identification issues. The first question is only solved in several few anti-virus products. So far, the second question has no satisfactory solution.
4.1. Richard problem, this interesting question is Richard Ford caused us to pay attention - at that time it is an anti-virus researcher in Command software, so we named its name This virus. Let us assume a macro FOO we know, is a macro set {A1, B1, C1}. Then someone got this virus, modified the two macros, thus producing the second virus BAR, BAR is composed of macro set {A2, B1, C2}, where A1 is different from A2, C1 and C2 are different. . The virus cannot be identified by specific viral anti-virus products that can be killing known viruses. Anti-virus products can determine a variant of a viral BAR containing viral FOO, (that is, macro B1 is an antivirus product to be identified). It is very good to do this, however, if the anti-virus product is to kill the file, it can only remove the macro B1 - because this is the only identification macro. In this regard, we assume that the resulting macro set {A2, C2} can be copied (ie, is a virus). Of course, an error is generated during the replication process - because it is attempted copy macro B1 - a macro that does not exist because it has been removed by the anti-virus product, however, if the macro of the dyed Some forms of error traps (for example: ERROR RESUME NEXT), the replication process will succeed. The result is a new, completely different from existing viruses that are completely different from existing (ie foo and bar). Most anti-virus manufacturers are unwilling to know that their products will produce new viruses. There are several possible ways to solve this problem. First, it is possible to combine the scanner and a certain amount of summary analyzer and remove all possible macros from the discovered document that infected the known virus. Unfortunately, as shown in [Bontchev96], it is possible to use a large series of anti-collective attacks, and induce a "wrong denial" ---- that is, so that the virus cannot be sumulated by the analyzer. The detected. Second, an anti-virus software can delete all macros found in the document being infected by a certain virus (or a variant of a certain virus). Unfortunately, a lot of users have always been macro themselves, they find that this "solution" is very unsatisfactory. According to our experience, the solution is not working from a business perspective. Third, a possible approach is never to antilociate with documents containing viral degeneration. This method has a big defect, that is, in many cases, it is not realistic when it is fully feasible and safe. This class includes a virus that is erroneous (eg, when some macros are deleted by the user or some low-level anti-virus products), the macro is destroyed by Word and cannot reproduce the virus, and so on. Fourth, the action of "Deleting Viral Hand" can be an option (default is turned off), and the user opens it when necessary. Unfortunately, experience shows that most users lack the necessary anti-virus knowledge and expertise in dangerous circumstances. We can be sure that no matter what the developer gives a warning, tell users that unless you know what you do, don't open this option, many users use this option in inappropriate ways, or just "in case" That is open.
In fact, it is worth arguing that the user itself instead of anti-virus products should be responsible for the emergence of new viruses, and they even use the combination of Word to delete the macro of some viruses and produce new viruses. Despite this, anti-virus products do not push this responsibility to non-experienced users, but also better. The fifth method is checked. Ford proposed, this method is to determine the minimum macro set that must be presented by each particular macro to securely delete viruses (the smallest known as virus) Safety subset). For example, if the virus WM / Conceot.a is found in a document in addition to the macro of the macro WM / Conceot.a, it is clear that these macros are safe. That is to say, deleting them does not generate new viruses, regardless of whether the document contains other macros - because the macro PayloAd is no longer performed by WM / Conceot.a and does not have a virus characteristic. (Note. This is just an example; we can't say that three other macros in WM / Conceot.a make up the "minimum safety subset of this virus; it is entirely likely to exclude excess macro intentions that are not macro payload. Further shrinking.) This method exists in such a disadvantage, sometimes it is mistakenly destroyed with the residue of an old virus (therefore, it is "lost" for anti-virus researchers). For example, let us assume a variant of WM / Conceot.A virus, which is different from the original virus to its PayLoad macro. The anti-virus software produced by the algorithm described in the previous paragraph will be wrong to delete the virus from other macros of the virus. Although this behavior is "safe" (from it does not generate new viruses), files still cannot be properly repaired (file also contains a unwanted macro ---- payload, and this will make anti-virus Software cannot close their templates) and "lost" a new virus variant for anti-virus researchers. A slightly improvement to this method is to delete the name "the same" name "the same" with the macro of the virus, but not included in the "minimum safety subset" macro. However, first we believe that it is quite unsaile to identify the macro by name, quite unreliable (the length of the verification and macro, the length of the macro), secondly, this improvement is still unable to solve the problem of "loss" of new viruses. For the problem of check, based on the following observations, we have proposed a better solution. If all discovered macros in the file constitute a macro that makes a viral residue, then it is clear that they are safe. If there is any excess macro, there is a possibility of the following: 1, excess macrus is a new, not known by the virus variants. Deleting whether they can generate new viruses, whether new virus variants are intentional, or whether it is a known virus that is unrelated. In all these cases, we all have a new virus variant (although some destruction may result in a virus that cannot be run). Therefore, the correct method is not to kill the antivirus (even if the virus is residual - means that these macros can be identified as a variant of a known virus), and request the user to provide a viral sample. 2, excess macro is a user. This situation is almost impossible - only one file already contains a reasonable macro (which is very rare) file is infected by some known virus, and inappropriately trying to delete the virus ---- this practice Just delete a part of the macro of the virus. Since this situation is relatively rare, we believe that the document is not anti-virus and requesting a user to provide a viral sample. 3, the document is infected by different viruses, a known, a complete unknown, and we have made an inappropriate effort to delete a known virus, which only deletes a part of the virus.
In this case, the file contains a new virus. The request user provides a viral sample to analyze the new virus. Therefore, it is worth the anti-virus without the document. Most users can understand that the anti-virus programs of specific viruses cannot kill unknown viruses. The above-mentioned content we can use the following simple principles to write a summary: After deleting all macros of the macro virus that can be exactly identified, the macro in the infected document is just to know the virus, then delete them; otherwise do not delete Any macro within the document and requesting the user to provide a viral sample.
4.2. Igo (IgOR) problem in discussion verification issues and its possible solutions and the overall requirements for specific virus recognition, Igor Muuttik, an anti-virus researcher of Doctoral Solomon software In the natural extension of our attention to the problem of checks, hints this extension contains more dangers ([MUUTTIK98]). Therefore, we name this issue with its name. Let us imagine a known virus, FOO consists of macro set {aotoopen, payload}. When an infected document is opened in a clean Word environment, the macro aotoopen is executed. It detects yourself from a document (with respect to running from the global template), copy the macro AOTOOPEN and PALYLOAD to the global template from the infected document and then run Macro Palyload. When a clean document is opened in an infected system, the macro AOTOOPEN has mastered control. It detects yourself from the global template (with respect to running from a document), copy macro AOTOPEN and PALYLOAD to this document from the global template and run Macro Palyload. Now, let us assume that the author of a virus gets this disease and built another virus bar consisting of a macro set {aotoopen, palyload, aotoclose, newpalyload}. Macro AOTOOPEN and PALYLOAD are consistent with the same name in the virus FOO and operate in absolutely the same manner. In addition, when an infected document is opened in a clean Word environment, the macro aotoopen is running. It detects yourself from a document (with respect to running from the global template), copy the macro AOTOOPEN and PALYLOAD to the global template from the infected document and then run Macro Palyload. When the document is turned off, the macro AOTOCLOSE is controlled. It detects that there is a macro Aotoopen and PalyLoad and copied to the global template. So it also copies the macro AOTOCLOSE, NewpalyLoad to the global template and run the macro NewpalyLoad. Similarly, when an infected document is opened in a clean Word environment, the macro AOTOOPEN is executed. It detects yourself from a document (with respect to running from the global template), copy the macro AOTOOPEN and PALYLOAD to the global template from the infected document and then run Macro Palyload. When the document is turned off, the macro AOTOCLOSE is controlled. It detects yourself running from the global template, detects whether the macro AOTOPEN and PALYLOAD are exist and copied to the infected file, and then copy the macro AOTOCLOSE, NewpalyLoad to this document and run the macro Newpalyload. If a scanner who only knows the virus foo does not know the scanner of the virus bar, it is like a file that is infected by the virus Bar. It looks like a document that is infected with viral foo ---- Even if the scanner accurately identifies the virus it knows Macro of each two into force. (It should be noted that all specific virus anti-virus procedures for treating macroviruses are very fragile for this attack, whether it is accurate virus detection or depends on simple signature detection.) If running in anti-virus mode, it will Will delete the virus foo it think ---- is also a macro collection {aotoopen and payload}. Macro set {aotoclose, NewpalyLoad} will continue to remain in the document. However, it is very possible to build these macro sets in this way, these macro sets form third different viruses, we call SNAFU.
In fact, when the anti-virus program tries to remove the viral foo it thinks from the document infected with the virus bar, this third virus will be generated by the anti-virus program. Some people will argue that the virus bar is actually consisting of two viruses, foo and snafu. However, if the macro's macro complex method (detects if these macros exists, copy these macros, run these macro, etc.) Reference Hongji Foo macro, this macro collection BAR is divided into two macro set foo and Snafu's practice makes things ambiguous. Furthermore, the virus bar may consist of many macros and divide them into independent viral gatherings, and there is no significant difference between several different creatures. The attack method described above can be achieved with a very embarrassing method. The subset macro SNAFU may not be a virus. Conversely, its macro (i.e., Newpalyload) is only used to detect if the virus foo is exist. If they do not exist, a destructive "battle part" is triggered. From the user's perspective, the situation is like this: the user runs the scanner. The scanner reports a known specific virus (or even claims to be accurately identified) and deletes it. The user opens a "disinfected" document with Word, and the information on the hard disk is destroyed. Naturally, the user may condemn the scanner and fail to work. In this case, it is very difficult to argue this document is infected by two viruses Foo and Snafu because Snafu itself is not a virus. Because its macro appears in many infected documents, it is not even a "Troy" virus. It is just part of a new virus bar. However, there is no reliable method to make the scanner that does not know the viral BAR indicates that the document is not infected by viral FOO but is infected by viral BAR. This attack is easy to achieve this attack by obtaining a popular virus such as WM / Concept.a or WM / Wazzu.a, and set the trap as described above. Only this problem part of the solution seems to be feasible. The scanner should delete all macros in the infected file, and the user must know that this is the only way to kill the macrovirus. It is useful that if the specific viral scanner is combined with some of the inductors, all doubtful macros (can be copied to copy macros) should be removed from the documentation when including a virus. Unfortunately, such as [Bontchev96], there are many ways to attack the summary analyzer and forced them to generate an error or negation ----- that is, the virus cannot be detected by the virus.
4.3. Importance of macro name identification At first glance, a macro body that only recognizes the macro of the virus is enough for a macro virus scanner, it is not necessary to pay special attention to their names. Indeed, the name of changing a macro can convert a macro virus into a non-virus. For example, virus WM / Wazzu.a consists of a single macro named AutoOpen. If it is changed to other names, such as Butoopen, it will change (or even manual running - because the macro body is locked by the name "AutoOpen", that is, it is no longer a virus. However, this feature looks very beautiful. First, the macro name is easy to do, so the macro that is very easy to convert to a macro virus that is very easy to convert to the macro virus that can be copied. Second, the macro name looks in the environment of the virus rather than the virus itself. Similarly, an extension priority DOS virus is changed from COM to other extensions from COM, which will stop replication. Unfortunately, things are not as simple as they look. Imagine the following example ([Chess97]): A macro virus, FOO, composed of two macros, autoopen and bar. Macro AutoOpen copies yourself to the infected document (or global template). Then it detects the macro BAR exists. If the macro BAR exists, it will copy normally; otherwise the destructive battle is triggered. So far, everything is fine. The skill is the same as the macro BAR of the virus WM / WAZZU.A. Now, if a scanner that does not pay attention to the virus foo does not pay attention to the scanner of the virus macro, it encounters a document that is infected with this virus, it will produce Ig. It will "identify" virus WM / WAZZU.A and remove macro BAR, so there is a macro AutoOpen with good self-replication capabilities. Therefore, the scanner produces a new virus. On the other hand, such problems do not appear in the case where the macro names identified by the macrobium that recognizes the viral macro will not appear in the case described above. It will report documentation to be infected (because of the macro bodies of known viral macros) but will declare that it contains a new virus - because the macro name does not match and there are other macros in the document. 5. VBA5 Identification Problem Office 97 The arrival of Office 97 and a new macro programming language in its application, VBA5, bring us a lot of new macro disease recognition. Although many problems do not have the difficult macro-specific identification of difficulty in the previous section, anti-virus manufacturers should still know these problems. Most of these problems are caused by opening a Word macro virus and Excel macro virus that is automatically rewritten with VBA5 language when the document containing Word macro virus and Excel macro virus is opened with respective Office 97 applications. Unfortunately, as we have seen, this conversion is not straightforward, not logical, defective and unclear.
5.1. The fact that the flight facts indicate that, whether it is converted from WordBasic or from VBA3 to VBA5, the start of the program starts with a hollow line. It is not bad to it. Unfortunately, Excal97 contains two-way conversions. That is, it is converted to the VB5 module when it opens an Excal95 workbook containing the VB3 module. However, allowing Excal97's workbooks to be stored as Excal95 format --- and, not like Word97, then convert the VB5 module to VB3 modules. (When the Word97's document is Word6.x / 7.x, the Word97 transformation is just a simple ignore VB5 module.) In fact, you can convert a VBA3 module into a VBA5 module, which adds an empty in the beginning of the module Row. Then you can convert this VBA5 module back to the VBA3 module, and the blank line is still retained. If you now convert the converted VBA3 module to a VBA5 module, an additional space line is added at the beginning of the module. In the case of a macrovirus, an organization has just been converted to Office 97 and still has many Office 95 machines, such a "up / down" loop for many times (because users want to save files in the old format forces to be upgraded yet The machine is kept compatible) - therefore, there is a lot of space lines in the beginning of the virus. However, this is still the same virus. Therefore, the anti-virus program should be ignored when the VBA (3 or 5) virus is identified. Or at least seem to ignore the empty line of the Excel virus. Unfortunately, the situation is more complicated than this. The initial error signs were brought by virus W97M / AMBLER.A --- Word97 soil (ie, not a result of the resulting WM virus upward conversion) virus. This virus is designed to include many users in order to kid the Tools / Macro dialog box and secretly provide some basic tables. When we copy it, we noticed the verification of the virus code and contains the user's form, which different from different copies. As it performs, the virus is copied each time, an empty line is inserted into a code of a user table. Constant copy leads to constantly inserting new empty rows. Worse, the blank line is not inserted in the beginning of the code, but in any position in the code, the definition of the table and the designed to process different events related to different parts of the table (for example, click) of the mouse) The execution code is between. Why is there such a phenomenon that has exceeded us to understand. This should ask Microsoft. In short, it seems that it is wise to identify the VBA macro virus, whether it is written in VBA3 or using VBA5, whether it is an Excel virus or a Word virus, whether it is a space in the virus code.
5.2. Spaces Another WM virus-converted to the Identification of W97M viruses is caused by the converter using a method of general processing of spaces and dealing with table characteristics. The initial report comes from Dmitry Gryaznov, some suspicious information found in an anti-virus researcher at Ph.D. Solomon ([Gryaznov97]). According to the situation provided, the first reproduction of virus W97M / Appder.a (i.e., before the new virus acquisition opportunity, it is immediately generated by the converter) and is different from its replicant. A careful check revealed that this difference is caused by an operator containing a tab and the apostrophe under the end of it. This prompts us to study the Tabs WordBasic macro in different locations to VBA5 mode. The result is very interesting. It should be noted that the tab does not exist in VBA5. If you press the table key when editing a VBA5 program, you entered some spaces. The exact number of spaces determines the content of the current position of the cursor and the content set by the VBA5 editor tools / options / editor / tab. However, the tab can be used freely in WordBasic and is often used. Obviously, when a WordBasic program is sent to VBA5, the converter will process those tabs. It is very logical that it does ---- at least the first look. The current setting of the "Table Width" item described above is the corresponding number of spaces, so the program is at least substantially reserved. Unfortunately, the WM virus containing such a tab is incurred when converted up. In fact, this means that if a WM virus contains many tabs used for rising tabs, different computers for different gauge widths will produce different W97M viruses from one of the same WM viruses. Moreover, the user may not know the setting value of this item, or at all, do not know this setting. Obviously, if all of these W97M viruses are different, it is very inconvenient. Therefore, they are considered to be the same and considered to be a virus. Since we usually do not know, whether the WM virus contains some tabs for rising in the manufacturing, so the indentation of the row must be ignored when identifying a dyed VBA5 module. But this is not all. If it is expressed, the player can only be used indent. The only good news is that it can be used in other places. If the user inserts an extra space to an operator, WordBasic and VB5 will automatically discard it. Wordbasic Drops when the macro window is turned off (therefore, it is deleted as excess spaces when the second macro is turned on editing), and the VBA5 editor When the cursor leaves the row edited to delete these spaces (therefore, This change can be manifested immediately). For example, line x = 2 * 2 is converted to x = 2 * 2 but not always like this. There are several exceptions, given below. First, the space is in front of the apostrophy. That is, line x = 2 * 2 'this is a comment and x = 2 * 2' this is a comment produces different code. In VBA5, the position of the apostrophe is included in the operand of the first "aposus annotation" P code instruction. Second, space appears in the operator: ":". That is, line x = 2: y = 4 and x = 2: y = 4 produces different code. In VBA5, the start position of the second operator is included in the parameter of ":" P code. Third, the space appears before the AS keyword in the DIM declaration. DIM X AS INTEGER and DIM X AS INTEGER
Generate different code. This is a bit more complicated than the two situations. It seems that VBA5 can use two different DIM P code instructions, one for "DIM without space before AS", another DIM for "there is a space before AS". The second P code instruction contains an additional operand that contains the position of the AS key in the line. Fourth, spaces can be used to indent different parts of VBA5 rows that are written to a digital line (in the end of the line "_" indicates the continuation. This is the same as part of the WordBasic (here the character "/" is used to make the row). Therefore, when the checksum of the VBA5 module is calculated, the corresponding portion of the VBA5P code instruction for continuation should be ignored. Since all the cases described above have the same case in WordBasic, and WordBasic can be used as part of the tablet as part of space, which means that such row-up conversion is determined in the VBA5P editor gauge width. Settings. Therefore, the operator of the P code instruction related to the space-related P code instructions as mentioned above is identified as the VBA macro. Another problem related to space is caused by a contiguous space in VBA annotations. Simply put, VBA3 allows annotations to have continuous spaces, while VBA5 is not allowed (and deletes these spaces). The following example shows this problem. 1) Run Excel95, generate a new empty workbook, then insert a module page. 2) Enter the following short programs in the module page: 'The Following Comment Has Trailing Spaces:' Sub Test () MsgBox "this is a test.", Vbokonly Vbinformation, "Test" end Sub
In the second line, enter a few spaces after the beginning of the apostrophe. After the cursor leaves the row, if the cursor is returned to this line, press the END button, the cursor immediately returns to the apostrophe, as if there is no continuous space. I am afraid not this. In contrast, save a workbook to a file, check the generated P code, will find a continuous space (like the number you entered). 3) Exit Excel 95 and run the Excel 97 to open the document generated by the previous step. The VBA3 macro will be converted up to VBA5 macro. Use Excel 97 to save the converted document in an Excel 95 format (rather than Excel 97 format) to another file, this is also converted down to VBA3 format. Check the P code of the new file, it will find not only an empty line in the beginning, and the continuous space in the comment is not seen. Therefore, a continuous space in the annotation is ignored when a VBA virus is identified. In fact, there is a case where space is applied, however, it can be proven that this situation does not cause any macro virus identification problem. In particular, the tab can be used in a string. However, the converter handles this problem is very beautiful, it finds all of these characters in the string and replaces CHR (9). For example, WordBasic line
X $ = "this is a tab -> <-" is converted to the following VBA5 line: x $ = "this id a tab ->" chr (9) "<-"
5.3 Uncertain Up Conversion Since the above two problems have forced us to ignore spaces and spaces (for indentation or other) when identifying a VBA virus, this causes two (or more) different WM viruses that can be upward The true possibility of converting to the same W97M virus. For example, we have studied that three different viruses WM / WAZZU ---- q, W and ad --- will be converted to the same W97M / WAZZ virus. (If you are using an early Beta version of Word, of course the official release can identify WM / WAZZU viruses and refuse to convert them up.) This uncertain up conversion also occurs on some other WM virus. In this case, how to name these viruses that are converted up is unclear. Usually the specific WM virus is converted upwards and the same name and variant of the original virus and the prefix of the W97M platform are allocated. For example, the virus generated by the upward-converted virus WM / Wazzu.a to VBA5 virus is named W97M / Wazzu.a. However, the fact that the uncertainty of the upwards breaks this naming scheme. In order to make up for this problem, we recommend that in this case, the virus generated by it is labeled as the minimum variant name that it produces it. That is, in the above example, the obtained W97M / Wazzu virus is named W97M / Wazzu.k instead of W97M / Wazzu.q or W97M / Wazzu.ac. 5.4 Understand in the identifier As mentioned elsewhere herein, all VBAs (including VBA3 and VBA5) modules in the file share a shared identifier area (variable name, process name, etc.). But not all like this. In addition, when a new module is positioned, and its use identifier is the same as the existing module, no new identifier is added to the shared identifier area. The problem is that when the new identifier is detected and the existing "identical", the case of the letter is ignored. This is confused. For example, if you create a VBA module contains the downlink content
Foo = bar then build another module, contains the downlink content bar = foo and open the editing first module, and its contents are as follows foo = bar
Which one is that the user is first entered. It is not very clear. In fact, these two rows can be input to the same module, and when entering the second, the case of the first letter is changed. What should I do in the corresponding macro virus identification? This requires a pointer to the computing module to point to the pointer to the shared identifier area (these pointers must be decomposed because some different programs can be compiled as the same P code, but they are different from these pointers. Therefore, if these pointers are not decomposed, the recognition of macro viruses will not be accurately or even caused erroneous judgment), and the case of the identifier is ignored. Unfortunately, in the VBA5 environment, additional problems have been brought. Ignore the case of identifier letters is usually implemented in comparison to compare them to uppercase or lowercase. However, the identifier of VBA5 allows for foreign (ie, non-ASCII) characters. For example, FRANCAIS is an legitimate identifier here. Unfortunately, there is no simple and reliable method to convert foreign characters for uppercase or lowercase. The Windows API contains some functions (such as ANSIUPPER) for this purpose. However, they only apply to the Windows program (ie, the DOS viral scanner cannot be used). Furthermore, they can only work normally in the appropriate language version of the Windows environment. For example, function ANSIupper can only convert Czech characters to the corresponding Czech uppercase characters in the Czech Windows (or Windows Environment) environment. A problem that relies on these functions to identify the VBA5 virus, if the document is scanned in the wrong Windows version, a virus containing an identifier containing foreign characters is missed. Obviously, this situation cannot be accepted, especially the virus itself is composed in that environment. There is no problem. The best solution for this problem is to convert all non-ASCII characters contained in the identifier in all non-ASCII characters in the identifier before the transformation identifier is uppercase and generates the checksum (for example, "_"). The recognition algorithm caused by this solution cannot distinguish between two different differential viruses, but it is better than the complete missed a virus. 5.5 Other VBA5 Identification issues inexmined WordBasic, VBA contains not a layer but two levels of settings. The first layer is a module, just like a macro of Wordbaic. The second layer is the function and subroutine of the module. They are declared as public (default declaration) can be seen in the Tools / Macro dialog. The two-layer setting of the VBA virus functional components makes the problematic problem and the Igg problem may appear on both layers. Also, once the VBA virus is written to not only capture the module of its VBA package but also the independent functions and subroutines of these modules, this happens. Methods to solve these two problems seem to be similar (so the solution to the Iggers will not exist); they will be applied to both layers. In fact, the definition of macro virus is to be considered that the macro virus is a set of modules, each module consists of a set of functions and subroutines, and the module is used as a collection to identify but not only a whole, it is reasonable. Unfortunately, this may require some big redesign of some anti-virus products, before the facts (ie, before the VBA subroutine will be manufactured), this seems to not happen.
6. Artificial macro virus detection problems The macro-specific identification problem discussed above in the above section can be referred to as "nature". That is, their occurrence is not because of some of all macro viruses (for example, they are consisting of a single program, but consisting of a series of macros), because of some of the design disadvantages of the macro programming language and their environment. In this last section, we will consider some of the problems created by the viral authors in order to make the virus that identify their viruses. These problems are divided into polymorphisms (that is, macro viruses to modify their own capabilities during their own replication). We will achieve deliberate general description of different methods of polymorphism, as we want to reduce the useful part of this article to virus authors. Similarly, we only list the basic idea of processing these issues. Unfortunately, our solution is currently disclosed in detail to make them easily attacked. Therefore, unless we can make a more robust solution, we still rely on hidden to keep confidential, regardless of this protection. 6.1. The simplest form of polymorphism in insertion of the useless row macro disease is achieved by inserting the useless line in any location in the viral code. They are WordBaisc operators that do not have any effect on the operation of the virus and can be inserted to any position of the virus code and there is no harm (or modified). Usually many of these useless rows consist of random annotations - but they can almost any moving west, such as variable allocation, empty function calls. The easiest way to handle polymorphisms is to enable anti-virus programs to identify useful instructions for different polymorphic viruses while identifying the macrobility of the virus and skip them. Unfortunately, this approach has two serious shortcomings. First, useless operators have almost endless choices. Thus, different polymorphic viruses are used to use different operators to do "fillers". If a scanner knows a series of unwanted operators (polymorphic viruses known for scanners), a new polymorphic virus that uses different useless operators will enable the scanner to be upgraded. A new operator can be processed. We emphasize the scanner program will have to upgrade ---- only upgrade the virus detection information database is not enough. This requirement will prevent the scanner to drive at an attempt to drive through its database. Worse, in many cases, since the change algorithm is used to skip some of the operators that are added, all entries in the database-based database will have to fix or upgrade. This process is very time consuming and is easily erroneous. Second. Virus authors may directly target this method. For example, let us assume a known polymorphic macro virus using the following program segment as a useless filler.
IF
Here,
6.2. Modifying a string of variable string Another technique that is often used by polymorphic viruses is that the virus randomly changes the identifier used (usually used as a variable name). Of course, this random change is always in happening - the same identifier is always replaced by another random name. Similarly, the virus can also change the contents of some of the text strings used in a random manner. A relative to these two techniques are relatively easy. In order to solve the problem of the change of the text string, the text string for polymorphic viruses can be simply ignored when identifying the macro (or module) of the virus. Sustsence a random identifier is slightly complicated. The scanner should establish a table for macro or module identifier, and replace each identifier as any number (eg, 001, 1002, 1003, etc.) so that the same identifier is always replaced with the same number. Different identifiers are always replaced with different numbers. Once the viral body is encapsulated, its checksum can be calculated, and one of the only one, regardless of how the virus changes its identifier during replication. 6.3. Row-Exchange Another possible polymorphism can be achieved by exchange of code lines nearby, and the strict order of these rows is not important to the normal operation of the virus. As we know, there is no use of this trick now, but this is easy to implement. Fortunately, it is also easy to be counterattable. In order to solve this problem, the viral scanner identified using an exact virus should be based on the checksum of the calculated viral macro (or module) per line. The part of each line should then be different or to form a macro (or module) final checksum. When using this method, its checksum is not related to any row.
6.3. Note Return and non-press release lines are implemented by the next technique of polymorphic viruses to increase and delete the annotations prior to certain rows of virals. This method has completely changed the inherent performance of these rows, and thus change the performance of the virus. In known polymorphic macroviruses, WM / DAKOTA viruses use this polymorphism to a large extent. It saves the entire content of a macro as an annotation mode (which is accompanied by a random character, in order to make each copy of it look different). In operation, the virus deletes the comment so that this macro can run and execute its task. A simple way to solve the polymorphism This method is to ignore this comment line. Unfortunately, it has the disadvantage of reducing identification accuracy.
6.5. Encryption When the macro is used as a "only-acting body" to copy the macro body used by the macro body (with a word, the password is different; the password itself is saved in the document) is insignificant, and many macro on the market The viral scanner is easy to know. In addition, the viral author cannot control the specific encryption password used. Finally, this encryption is not available in Word 97 ---- In the protected project, it cannot be copied in the modules they all. Therefore, this encryption is not suitable for achieving polymorphism. However, for the virus authors, the encryption method of achieving some other viral body is possible. This processes them by treating the routine of the viral body as a text string and uses some disturbance string. This is a relatively slow process, but the virus authors are rarely interested in preparing efficient code. Virus WM / SLOW and WM / UGLYKID are examples of polymorphism macro virus that applies such a custom encryption method. There are several possible ways to counter polymorphism. Unfortunately, most of them rely on the specific implementation of the polymorphism mechanism in the virus - that is, relying on specific viruses. The easiest way is to use the viral encryption part as a text string and ignore them. This method is working very well when paid WM / SLOW. Unfortunately, it has the disadvantage of reducing identification accuracy. The more older method is to achieve at least part of the WordBasic (or VBA) simulator and simulate the part of the decryption of the virus - until the encrypted part is decrypted, and then it can be identified. This is very difficult to achieve it. However, we hope that there will be more polymorphic viruses soon, which is appropriate to handle the needs of such viruses. 6.6. Infection techniques used by parasitic infection currently existing viruses are basically similar to the write coverage of DOS viruses and accompanying viruses. However, as described in [Bontchev96], why the true parasitic infection is not implemented without practical reasons. Such parasitic viruses cannot be included; in contrast, they look for other macros in their documents to try infection, and modify these macros or completely contain their viral macros, or at least call them. Since fewer metals have been encountered, there is only a virus that uses this infection method. It is impossible to successfully spread. However, this technique can be combined with traditional methods to allow viruses to lack of infected user macros can be used in this conventional approach. This combined infection strategy guarantees that viral propagation is very difficult to make it recognition (sometimes delete). The known virus is not intentionally used by parasitic infections. However, some viruses (such as WM / Googles) can modify some special names (such as FileSaves) macros, if it tries to infect macros where these special names already exist in the documentation. Fortunately, although this is not intentional (), once this happens, the existing macro is only destroyed and the virus cannot work properly. However, the thorough implementation of parasitic infection techniques is very easy to imagine. In order to accurately identify these viruses, the macro viral scanner has to use a method similar to that identify parasitic viruses in DOS viruses. Alternatively uses a single checksum for the entire viral macrobium, the scanner will have to introduce an image containing a virus that consists of a byte range generated by the checksum within its database. Furthermore, the scanner will have to have some mechanism, which is designed to track instructions that can be transferred to the user macro that can be transmitted to the viral body, which tracks the initial JMP and positioning DOS program with the DOS scanner The mechanism of entry points is similar.
