F-MACROW

F-MACROW is a program for detection, recognition, identification and removal of macro viruses ONLY. It does NOT detect DOS or Windows viruses. For those you must use the scanner F-PROT, which should be in the same archive where the file SETUPFM.EXE was.

F-MACROW is a 16-bit Windows application. It has been tested successfully under Windows 3.1, Windows for Workgroups 3.11, Windows 95 and Windows NT (3.51 and 4.0). It does not work under DOS - but then, if you do not run Windows then you do not have to worry about macro viruses anyhow.

1. Using F-MACROW.

Once you have installed the required files you can launch the program by double-clicking the F-MACROW icon. Windows 95 and Windows NT 4.0 users can also launch it from the DOS prompt in a DOS box.

The program interface is very simple. The user clicks on the Scan button to start the scanning. This brings up a dialog box, where the user can select scanning options. The following options are available:

Scan all drives - Selects scanning of all drives (except floppy drives), all local drives, or all network drives. Optionally, the user can disable the scanning of CD-ROM drives when scanning all drives or all local drives.

Don't scan CD-ROMs - Enables and disables the scanning of CD-ROM drives. This option is available only if the scanning of all drives has been selected.

Scan directory - Selects the directory to be scanned.

What to scan - Selects whether or not to scan files with standard extensions for Word and Excel (*.DOC, *.DOT, *.XL? by default; configurable by the user by clicking on the "Word/Excel files" button), or whether to scan files with any extension.

Scan Subdirectories - Whether or not to scan the subdirectories of the specified directory.

If a virus is found - Specifies what action should be taken if a virus is found. The following options are available:
  - Report only. Just reports the virus.
  - Ask each time. Each time a virus is found, the user will be asked whether the file should be disinfected.
  - Disinfect automatically. The viruses found will be removed automatically.

Remove all macros from the infected documents - If this checkbox is checked, F-MACROW will remove all macros from the infected documents when disinfecting them - not just the macros that belong to the virus. This is the MOST SECURE way of removing macro viruses - anything less means running the risk of creating a new virus variant during the disinfection. However, most users don't like the idea of having their own macros removed from the infected documents, so this option is turned off by default.

If a new variant is found, remove all macros - Normally, when F-MACROW finds a new variant of a known virus, it refuses to disinfect and the user must send a sample to us, so that the virus can be analysed and a proper identification record for it can be added to MACRO.DEF. Checking this checkbox will force F-MACROW to disinfect the virus. Since the program has no way of knowing which particular macros belong to the virus, the disinfection is performed by removing all macros from the document. This option should be used when the user is in a hurry and needs to resume their work before we can send a MACRO.DEF update.

Report all scanned documents - Normally the program will report only the files in which a virus is found. If this option is checked, all scanned files will be reported.

Report file - Check this option if you wish to save the report to a file, and use the next two fields to specify the name of the report file and whether the new report should overwrite an already existing file or be appended to it.

When the desired options have been selected, press the OK button to start the scan. The scanning can be stopped by pressing ESC or by clicking on the Stop button.

Clicking on the Virus List button will display a list of all macro viruses, Trojans, and other malicious macro programs detectable by F-MACROW and its current virus definition database (MACRO.DEF). The dialog box will also display the date of the current virus definition database.

If you suspect that you have a new macro virus which is not detected by F-MACROW, first make sure that you have the latest available virus definition database. You can get it from

ftp://ftp.complex.is/pub/macrdef2.zip

This archive is updated every time we get a new macro virus - which usually means several times per day. The archive contains a single MACRO.DEF file. Copy it to the same directory where F-MACROW.EXE resides, replacing the old file with the same name. This will make your F-MACROW able to detect, recognize, identify and disinfect all the newest macro viruses we have seen.

To exit the program click on the Exit button.

2. Running the program unattended.

Many users have requested the capability of running the program unattended (i.e., without requiring any user input) and/or of scanning their files automatically when Windows is started. This is now possible.

In order to run F-MACROW automatically when Windows is started, create an icon for it in the AutoStart group of the Program Manager (Windows 3.x) or a shortcut for it in the StartUp menu (Windows 95 and Windows NT 4.0).

You have to use command-line options and arguments in order to tell the program what to do. To specify these under Windows 3.1, click on the program's icon, then press Alt-Enter and add the options and arguments after the name of the executable file. Under Windows 95, right-click on the shortcut to the program, select Properties/Shortcut/Target and add the options and arguments after the name of the executable file.

The program accepts the following options (must be separated by at least one space on the command line):

/ALLDRIVES - Scan all drives (local and remote but not the floppy disk drives).

/HARD - Scan all local drives (except the floppy drives).

/NET - Scan all network drives.

/NOCDROM - Do not scan the CD-ROM drive(s) when using /ALLDRIVES or /HARD.

/CDROM - Scan the CD-ROM drive(s) when using /ALLDRIVES or /HARD.

/DEFDIR - Proceed with scanning the directory saved in F-MACROW.INI.

/DOC - Scan only files with the default extensions for Word and Excel (*.DOC, *.DOT and *.XL? by default; can be changed with the /EXT option).

/EXT= - Specify the extensions of the files which are to be scanned, separated by dots. The default is /EXT=.DOC.DOT.XL?.

/ALLFILES - Scan all files, regardless of their extension.

/SUB - Scan the subdirectories of the specified directory.

/NOSUB - Do not scan the subdirectories of the specified directory.

/SCAN - When a virus is found, only report it - do not attempt disinfection.

/DISINF - Each time a virus is found, ask the user whether to disinfect it.

/AUTO - Disinfect automatically all infected documents without asking the user.

/SAFEREMOVE - When disinfecting, remove all macros from the infected documents - not just the macros belonging to the virus. This option is equivalent to checking the "Remove all macros from the infected documents" checkbox in the Scan dialog.

/REMOVENEW - If a new virus is found, disinfect it by removing all macros from the infected document. This option is equivalent to checking the "If a new variant is found, remove all macros" checkbox in the Scan dialog.

/REMOVEALL - This option forces the scanner to remove all macros from the documents it scans - regardless of whether any virus is detected in them or not. This is an EXTREMELY DANGEROUS option, since it can easily cause destruction of all user macros. This option SHOULD NOT be used during routine scans - and it has no equivalent from the menus. The option should be used only for repairing documents which contain heavily corrupted macros, so that they are not viral and even not detected as a "new variant". The option has no effect on Excel workbooks.

/REPORT= - Name of the report file. Must follow immediately after the '=' sign. Do NOT put any spaces between the '=' sign and the name of the report file! It is advisable to specify the full and absolute path of the report file - e.g., /REPORT=D:\FOO\BAR\REPORT.TXT. If only a file name is specified (without a path - e.g., /REPORT=F-MACROW.REP), the report file will be created in the same directory where the program F-MACROW.EXE resides.

/APPEND - If a report file with the name specified by the /REPORT= option already exists, append the new report to it.

/OVERWRITE - If a report file with the name specified by the /REPORT= option already exists, overwrite it with the new report.

/LIST - List all scanned files in the report - not just the infected ones.

/NOLIST - List only the infected files in the report.

/MINI - Run the program minimized.

/HIDDEN - Run the program completely hidden.

/DONTQUIT - Normally, if the program is instructed to scan a specified directory (or if one of the /ALLDRIVES, /HARD, or /NET options is used) and if no infections have been found, F-MACROW will automatically exit when the scanning is finished. The /DONTQUIT option prevents it from doing so. If the user does something stupid, like specifying both the /HIDDEN and the /DONTQUIT options, the program will "unhide" itself when it has finished scanning.

/AUTOQUIT - Specifying this option on the command line means that if a path has been specified for scanning, the program always quits after the scan has finished - even if viruses have been found.

/NOBREAK - Disable the ability of the user to stop the scanning in process.

/NOHEUR - Disable the macro heuristics during scanning.

/ONLY - Use only heuristics.

@FILE - FILE is the full path to an ASCII text file, which contains command-line options. These options are listed one per line, with the '/' sign at the first position of the line (i.e., no leading blanks).
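
An added example, not part of F-MACROW or its distribution: a small checker an administrator could run over an @FILE options file before deploying it, applying only the rules stated in the option list above. The function names and both sample files are constructed for illustration.

```python
import ntpath  # Windows path rules, usable on any host OS

# Option names exactly as spelled in the list above (matched as written).
KNOWN = {
    "/ALLDRIVES", "/HARD", "/NET", "/NOCDROM", "/CDROM", "/DEFDIR", "/DOC",
    "/EXT=", "/ALLFILES", "/SUB", "/NOSUB", "/SCAN", "/DISINF", "/AUTO",
    "/SAFEREMOVE", "/REMOVENEW", "/REMOVEALL", "/REPORT=", "/APPEND",
    "/OVERWRITE", "/LIST", "/NOLIST", "/MINI", "/HIDDEN", "/DONTQUIT",
    "/AUTOQUIT", "/NOBREAK", "/NOHEUR", "/ONLY",
}


def parse_options(text):
    """Parse an @FILE body: one option per line, '/' in the first column."""
    opts, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if not line.startswith("/"):
            findings.append(f"line {n}: '/' must be the first character of the line")
            continue
        name, sep, value = line.rstrip().partition("=")
        key = name + sep
        if key not in KNOWN:
            findings.append(f"line {n}: unknown option {name!r}")
            continue
        opts[key] = value
    return opts, findings


def lint_options_file(text):
    """Return a list of findings; an empty list means no rule was violated."""
    opts, findings = parse_options(text)
    if "/REMOVEALL" in opts:
        findings.append("/REMOVEALL removes all macros from every scanned "
                        "document; it should not be used during routine scans")
    if "/HIDDEN" in opts and "/DONTQUIT" in opts:
        findings.append("/HIDDEN with /DONTQUIT: the program unhides itself "
                        "when the scan finishes")
    if {"/CDROM", "/NOCDROM"} & opts.keys() and not {"/ALLDRIVES", "/HARD"} & opts.keys():
        findings.append("/CDROM and /NOCDROM apply only with /ALLDRIVES or /HARD")
    report = opts.get("/REPORT=")
    if report is not None:
        drive, rest = ntpath.splitdrive(report)
        if not report or report != report.strip():
            findings.append("/REPORT=: the file name must follow '=' with no spaces")
        elif not (drive and rest.startswith(("\\", "/"))):
            findings.append("/REPORT=: not a full absolute path; a bare file name "
                            "is created in the directory of F-MACROW.EXE")
    return findings


# Constructed sample with four problems (note the leading blank on one line).
RISKY = "\n".join([
    "/HARD", "/NOCDROM", "/DOC", "/SUB", "/AUTO", "/REMOVEALL",
    "/HIDDEN", "/DONTQUIT", " /NOBREAK", "/REPORT=F-MACROW.REP",
])

# Constructed sample that passes every check.
CLEAN = "\n".join([
    "/HARD", "/NOCDROM", "/DOC", "/SUB", "/AUTO", "/SAFEREMOVE",
    "/NOBREAK", "/AUTOQUIT", r"/REPORT=D:\FOO\BAR\REPORT.TXT", "/APPEND",
])

if __name__ == "__main__":
    for finding in lint_options_file(RISKY):
        print(finding)
```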

Besides the above options, the user can specify one command-line argument - the directory or the file to be scanned. This is not necessary if any of the options /ALLDRIVES, /HARD, /NET, or /DEFDIR are used.

If a directory or a file is specified (or if one of these four options is used), F-MACROW will immediately proceed with scanning the specified file, directory or drives. If, after the scanning is finished, any infections are found, F-MACROW will stop and display the results. If the program has been run in minimized or hidden mode, it will restore its main window, so that the results are clearly visible. If no infections are found, the program will exit - unless the /DONTQUIT option has been specified.

If only a drive letter is specified, the entire drive will be scanned. To instruct the program to scan only the current directory of a drive, append a dot after the drive specification (e.g., "D:.").

The directory (or file name) and the options can be listed in any order. If the name of the specified directory (or file) contains spaces (e.g., in Windows 95), it has to be surrounded by double quotes (e.g. "C:\My Documents\My Speech.doc").

It is advisable to specify the full absolute path of the directory or file to be scanned - i.e., D:\SOME\NAME and not just NAME. If a relative path is used, F-MACROW assumes that it is relative from the directory where F-MACROW resides - which usually isn't what the user means.

3. Known problems.

- F-MACROW causes a GPF when scanning some documents. This is not our problem. The documents are corrupted and Word (or any other OLE2-enabled application) will crash when opening them too. The bugs are in Microsoft's libraries STORAGE.DLL, OLE2.DLL (or OLE32.DLL) and COMPOBJ.DLL. A future version of F-MACROW will avoid using these DLLs. This problem occurs only under Windows 3.x and Windows 95 - Microsoft seem to have fixed the Windows NT versions of these DLLs.

- A "Sharing violation" occurs when scanning some files - usually NORMAL.DOT. This happens if the documents are kept open by some other program - usually Word. Therefore, you should exit Word before scanning your disk with F-MACROW. Some other products do not produce such an error message even if Word is running. However, some of them simply do not scan the file and do not tell the user that an error has occurred and, therefore, the file has not been scanned. Even those that actually scan the file are insecure - the image of the file on the disk might be virus-free, yet its image in memory (in Word's memory) might be already infected and the scanner will not be able to detect this - because it scans only the image of that file on the disk; not in memory. Even if the image on the disk is clean, if the memory image is infected, the virus will be saved on the disk when Word exits. Therefore, you should always exit Word before scanning for macro viruses.

- If a macro virus exists in both WordMacro and Word97Macro form, it is listed twice in the virus list. The Word97Macro form is preceded by "W97M/" (or "X97M/" in the case of Excel97). Detection is implemented only for those W97M "upconversions" of the WM viruses which are known to exist. We have decided not to create such upconversions ourselves - because it would mean creating new viruses and we don't do such things as a matter of principle. Furthermore, it is not completely clear how the upconversion process works and the upconversions created by us are not guaranteed to be the same as the ones which would occur naturally. So, even if we ignore our ethical beliefs that anti-virus people should not create viruses, we are still not guaranteed to be able to detect the upconversions if they occur naturally. Therefore, we have decided to wait until an upconverted W97M virus is sent to us before we implement detection of it.

- F-MACROW scans only OLE2 files. As a consequence, it will not detect WordMacro viruses or Trojans in Word 2.0 documents. The format of these documents is different than the format of the documents produced by Word 6.0 and above, especially concerning the macro structures. Microsoft still has not provided us with information about these differences. If you don't like that F-MACROW cannot scan for Word 2.0 viruses - complain to Microsoft. Word 2.0 viruses like Polite can migrate to Word 6.x documents, however. Once this happens, F-MACROW will be able to detect the virus. The opposite is not true - viruses written for Word 6.0 and above cannot migrate naturally to Word 2.0.

- F-MACROW does not scan embedded documents - it scans only the main document; the one containing the embedded documents. However, the embedded documents can be infected. Some scanners scan embedded documents too, so they might report a file as infected when F-MACROW insists that it is clean. The infected embedded documents are usually unable to release the virus contained in them, but we are working on implementing support for such documents in the scanner.

- F-MACROW can scan encrypted Word97 documents and Excel97 workbooks but cannot disinfect them.

- The user interface of F-MACROW is still rather rough and simplistic. It cannot be told to scan more than one subdirectory tree at a time, its window cannot be resized horizontally, the on-line help has not been implemented yet and so on. All this will be gradually fixed in the future versions.

- F-MACROW is a Windows application. It does not run under DOS.

Please use F-MACROW to scan and disinfect macro viruses - *NOT* F-PROT. If F-PROT and F-MACROW disagree on whether a document is infected or not - trust F-MACROW, not F-PROT. Please stop asking us to implement F-MACROW's capabilities in F-PROT - this is not going to happen.

The OLE2 files in which Word 6.0 and above stores its documents have an incredibly complex structure - in fact, they are whole file systems in a file; with their FATs, root directory, subdirectories (called "storages") and files (called "streams"). F-MACROW uses the standard DLLs available in every Windows installation to parse the structure of these files. Microsoft has provided us with the source of most of the important functions in these DLLs but they are huge - about 150 Kb when compiled. There is simply no space to put them in F-PROT. This is why F-PROT does not understand the format of these files and simply scans them for a scan string. This is slow, insecure, and troublesome.

It is slow because F-PROT cannot use its modern virus locating algorithms which are applicable only for executable files.

It is insecure because a stream in the OLE2 file system can become fragmented just like a file in the DOS file system - parts of it which are logically consequent can be physically scattered all over the OLE2 file. In practice this means that, if the fragmentation occurs in the middle of the code which F-PROT uses as a scan string, the scanner will not detect the virus. Admittedly, the probability for this to happen is extremely low - but it is greater than zero nevertheless and we cannot permit ourselves to provide an insecure anti-virus program to our customers.

Finally, F-PROT's method of handling macro viruses is troublesome, because when some scanners (e.g., Microsoft's SCANPROT) delete the macros of a macro virus, they just mark them as deleted but leave the "dead body" of the virus lying on the unused parts of the OLE2 file. Since F-PROT has no knowledge of the OLE2 file structure, it cannot figure out that these parts are unused and the virus in them is never executed. Therefore, it can cause ghost positives - if it finds the scan strings of some deleted macro virus there.
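
The two failure modes just described, shown on a toy FAT-chained container. This is an added example, not F-MACROW or F-PROT code; the container is a simplified model and not the real OLE2 on-disk layout, and the scan string, stream names and sector size are constructed for illustration.

```python
SECTOR = 64                 # toy sector size (assumption for the demo)
ENDOFCHAIN = 0xFFFFFFFE     # marks the last sector of a stream's chain
FREESECT = 0xFFFFFFFF       # marks a sector that belongs to no stream

# Constructed scan string, not taken from any real virus.
SIGNATURE = b"CONSTRUCTED-MACRO-SIGNATURE"


class ToyContainer:
    """Sectors + allocation table + directory, like a tiny file system in a file."""

    def __init__(self, n_sectors):
        self.sectors = [bytes(SECTOR)] * n_sectors
        self.fat = [FREESECT] * n_sectors
        self.directory = {}  # stream name -> (first sector, length in bytes)

    def write_stream(self, name, data, placement):
        """Store data in the listed sectors, in that (possibly scattered) order."""
        chunks = [data[i:i + SECTOR] for i in range(0, len(data), SECTOR)]
        if not chunks or len(chunks) != len(placement):
            raise ValueError("placement must name one sector per chunk")
        for i, (sec, chunk) in enumerate(zip(placement, chunks)):
            self.sectors[sec] = chunk.ljust(SECTOR, b"\0")
            self.fat[sec] = placement[i + 1] if i + 1 < len(placement) else ENDOFCHAIN
        self.directory[name] = (placement[0], len(data))

    def delete_stream(self, name):
        """Free the chain but leave the bytes in place (the 'dead body')."""
        sec, _ = self.directory.pop(name)
        while sec != ENDOFCHAIN:
            nxt = self.fat[sec]
            self.fat[sec] = FREESECT
            sec = nxt

    def read_stream(self, name):
        """Follow the chain and return the stream in logical order."""
        sec, length = self.directory[name]
        out, seen = bytearray(), set()
        while sec != ENDOFCHAIN:
            if sec in seen or not 0 <= sec < len(self.sectors) or self.fat[sec] == FREESECT:
                raise ValueError(f"corrupt chain in stream {name!r}")
            seen.add(sec)
            out += self.sectors[sec]
            sec = self.fat[sec]
        return bytes(out[:length])


def raw_scan(container, sig):
    """Structure-blind scan: search the file image as one flat byte string."""
    return sig in b"".join(container.sectors)


def structured_scan(container, sig):
    """Structure-aware scan: search only live streams, reassembled via the FAT."""
    return [n for n in container.directory if sig in container.read_stream(n)]


def demo_fragmented():
    """Live macro stream whose scan string straddles two scattered sectors."""
    c = ToyContainer(8)
    body = b"A" * 50 + SIGNATURE + b"B" * 20   # bytes 50..76 cross offset 64
    c.write_stream("Macros/Live", body, placement=[5, 2])
    return raw_scan(c, SIGNATURE), structured_scan(c, SIGNATURE)


def demo_ghost():
    """Deleted macro stream whose bytes remain in an unused sector."""
    c = ToyContainer(8)
    c.write_stream("WordDocument", b"plain text body", placement=[1])
    c.write_stream("Macros/Removed", b"X" * 10 + SIGNATURE, placement=[3])
    c.delete_stream("Macros/Removed")
    return raw_scan(c, SIGNATURE), structured_scan(c, SIGNATURE)


if __name__ == "__main__":
    print("fragmented live stream (raw, structured):", demo_fragmented())
    print("deleted stream residue (raw, structured):", demo_ghost())
```

In the first case the flat scan misses a live stream that the chain-following scan finds; in the second the flat scan reports bytes that no live stream contains.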

All this will force us to remove macro virus support from F-PROT.EXE in the near future. The users should use F-MACROW instead. If they consider using two scanners instead of one too much of an inconvenience, they should buy the Professional version of F-PROT for Windows - it has no memory problems, so it can have scanning for both kinds of viruses in the same program.

If you need a macro virus scanner and disinfector which is not a Windows application and runs under DOS, you can get one from

ftp://ftp.datafellows.com/f-prot/tools/f-macro.zip

If any bugs are found, please report them to bontchev@complex.is, and if you have any suggestions for improvements - feel free to e-mail to the above address.

If you find what you believe to be a new macro virus, first make sure that you are using the latest version of F-MACROW and MACRO.DEF (the latter can be obtained as described above). If the virus is still not identified properly, please send a sample (an infected document) to bontchev@complex.is. If the infected document contains some confidential information, feel free to delete the text and graphics from it before sending it - this has no effect on the macros contained in it.

4. To-do list.

- Implement the capability of handling viruses in embedded documents.

- Implement the capability of using scan strings for detection of new variants of the known viruses.

- Improve the disinfection of VBA5 viruses, so that only the viral modules are removed.

- Implement smart checksums for detection of truly polymorphic macro viruses.

- Implement custom OLE2 handling routines (instead of using the buggy DLLs in Windows), so that Windows doesn't crash when the program is scanning corrupted documents.

- Improve the handling of CAP-like viruses.

- Implement the capability of handling Word 2.0 documents.

- Implement the ability of the program to scan multiple paths.

- Implement the capability of using a second, "update", database which is in text form that can be sent by e-mail or fax.

- Create a 32-bit Windows 95-specific version of the program (in addition to the 16-bit Windows 3.x version).

- Implement a script language for controlling the behaviour of the program - what to scan, how to disinfect, etc.

- Improve the user interface - more options, horizontal window resizing, context-sensitive help, etc.

- Implement some kind of self-checking.

5. Version history.

Version 1.06:

- Implemented handling of VBA3 (Excel 5/7) macro viruses from the virus definitions database (MACRO.DEF) and exact identification and removal of them.

- Implemented heuristics. Now F-MACROW should detect approximately 93% of all new WordMacro viruses, while causing virtually no false positives. However, some documents containing non-viral macro malware (e.g., Trojans or Intended viruses) might be reported by the heuristics as containing a virus. If the heuristics trigger on a document containing macros, it will be reported as "Possibly infected with an unknown virus". F-MACROW will be able even to disinfect it, if the "If a new variant is found, remove all macros" checkbox of the Scan dialog is checked.

- Implemented the capability of scanning inside encrypted Word 6/7 documents and Excel 5/7 workbooks and disinfecting them. The password is NOT removed during disinfection, because there is no reliable way of knowing whether the document has been encrypted by the user or by a virus. For the latter cases, we are providing a separate Word 6/7 document decryption utility, available from ftp://ftp.complex.is/pub/wdc-100.zip. No such utility for decrypting Excel 5/7 workbooks is available yet.

- Implemented the capability to define which file extensions should be scanned when "Scan only the Word and Excel documents" option is selected.

- Made the window of the program vertically resizable. Making it horizontally resizable is more difficult and will be implemented in some future version of the program.

- F-MACROW now remembers the position and the size of its window from the last time it has been run.

- The on-screen report window of F-MACROW now can handle more than 8,000 reports before beginning to scroll up. Before, this window could handle only about 800 reports.

- Implemented drag-n-drop capabilities. Now the user can drag the icon of a folder or a file from the Program Manager (or Explorer in Windows 95) and drop it onto F-MACROW's window. This will cause F-MACROW to scan the directory in question.

- Implemented the /NOBREAK, /ONLY and /NOHEUR options.

- Implemented the capability to specify the options in a custom configuration file (e.g., @FILE). Since F-MACROW remembers its last configuration settings every time it is run, some system administrators wanted to be able to specify the configuration settings in a way which guarantees that they are not changed every time the users run the scanner on their own - and listing all the necessary options on the command line was unsatisfactory.

- When a WordMacro virus is found in a document which is not a Template, it is now reported as "(Inactive)" instead of as "(Exact)" as it was before. Such a document is not infectious and the macros in it cannot be seen with Tools/Macro, so it makes sense to report such documents in a different way. However, such documents are still dangerous - if they are saved as Templates or become infected by another macro virus, the viral macros in them will suddenly activate (and may cause damage). Therefore, it is better to locate and disinfect such documents - regardless that they are not immediately infectious.

- When F-MACROW was instructed to scan a CD-ROM drive but there was no CD-ROM in the drive, a critical error would occur. Fixed.

- The following viruses were renamed in order to make the program fully conformant with the CARO virus naming scheme: Balrog.A:Sp -> Balrog.A:Es Chaos.A -> Temple.F Chaos.B -> Temple.G Emperor.A:Tw -> Trap.A:Tw Emperor.B:Tw -> Trap.B:Tw Emperor.C:Tw -> Trap.C:Tw Emperor.D:Tw -> Trap.D:Tw DMV.D -> Helper.I DMV.H -> DMV.D Veneno.A:Sp -> Veneno.A:Es - Added detection, recognition, identification and removal of the following 393 new WordMacro viruses, Trojans and other macro malware: Alex (A:Tw, B:Tw, C:Tw, D:Tw and E:Tw) Alliance (C, D and E) Alien (G and H) Ammy.A:Tw Anak (B and C) Angus.A Appder (J, K, L, M, N and O) Archer (A and B) Bandung (AX, AY, AZ, BA and BC) CAP (X, Y, Z, AA, AB, AC, AD, AE, AF, AG, AH, AI, AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT, AU, AV, AW, AX, AY, AZ, BA, BB, BC, BD, BE, BF, BG, BH, BI, BJ, BK, BL and BM) Cheat (A and B) Clock (J:De, K:De and L:De) Colors (BO, BP, BQ, BR, BS, BT, BU, BV and BW) Concept (BB1, BE, BF, BG, BH, BI, BJ, BK, BK1, BL, BM, BN, BM, BO, BP, BQ, BR, BR1 and BS) CountTen.E Crema.A Dark.E Date (C and D) Divina (I and J) DMV (G and H) Dracula.B Dzt (G and H) Easy.B EMT.A ENFK.Kit Eraser.S:Tw FormatS.A Four.A Friday (D:De, E:De and F:De) Friendly.B:De Gas (A and B) Gnomo.A Goodnight (C, D, E, F, G, H and I) Header.A Hitman.A Horn.A Hou.A:Tw Hybrid (I, J, K, L and M) Incarnate.A1 India.A Inexist.A:Fr Irish (R, S and T) Jerm.A Johnny (O, O1 and P) KillDOS.A:Tw KillLuf (A and B) KillProt.B Kompu.G Lamah.A:Br Lord.A Lox.B Lucy.B Lunar (A and A.Drp) Lunch (F and G) Macaroni.B:De Malice.A MDMA (X, Y, Z, AA, AB, AC and AD) Mess.A MG (A and B) Minimal (Q, R, S, T, U and V) Muck (I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Z, AA, AB, AC, AD, AE, AF, AG and AH) NiceDay.N Niknat.A NJ-WMDLK1.M NJ-WMVCK2.C NOP (M:De, N, O:De and P:De) Nottice.A No_va.A Npad (CM, CN, CO, CP, CQ, CR, CS, CT, CU, CV, CW, CX, CY, CZ, DA, DB, DC, DD, DE, DF, DG, DH, DI, DJ, DK, DL, DM, DN, DO, DP, DQ, DR, DS, DT, DU, DV, DW, DX, DY, DZ, EA, EB, EC, 
ED, EE, EF, EG, EH, EI, EJ and EK) Nuclear (O, P, Q, R, S, T and U) Obay.A Oblom (A, B, C, D and E) OldPad (A and B) PayCheck (E, F, G and H) Plushad.A Pwd.A Ramses.A:It Rapi (AL2, AM, AM1, AN2, AO, AO1 and AO2) Razer.A Saver.B Schumann (B, C:De and D:De) Screw.A Setmd.B:Tw Shadow.A ShowOff (BV, BW, BX, BY, BZ, CA, CB, CC, CD, CE, CF, CG, CH, CI, CJ and CK) Silly.A Spooky (B:De, C:De, D:De and E:De) Spy.A Superstitious.A Surabaya.B Switcher (C, D, E, F, G, H and I) Swlabs.G Tamago.A Tear.B Temple (C, D, E, H and I) Toten.B:De Trash.A Twno (AA:Tw, AB:Tw and AD:Tw) TwoLines (R, S and S1) Uka.A Vampire (G:Tw, H:Tw and I:Tw) Veneno.B:Es VHDL.A:Tw Vicinity.C:De Vicis.A.Drp Viva.A Vivat (A and A.Drp) Want.A:Tw Wazzu (CK, CL, CM, CN, CO, CP, CQ, CR, CS, CT, CU, CV, CW, CX, CY, CZ, DA, DB, DC, DD, DE, DF, DH, DI and DJ) Wiederoeffnen.A Yaka.A - Added detection, recognition, identification and removal of the following 26 new Word97 macro viruses, Trojans and other macro malware: W97M/Appder.I W97M/Box.D W97M/Chance.A W97M/Concept.BB W97M/Eraser (Q and R) W97M/Imposter.A W97M/Kompu (E and H) W97M/MadDog.A W97M/MDMA.D W97M/Muck.Y W97M/RatsAss.A W97M/Slot.A W97M/Swlabs (B and E) W97M/Tamago.A W97M/Temple.A W97M/Twno.A W97M/Vampire.J W97M/Wazzu (D, AE, BA, BJ, CW and DH) - Added detection, recognition, identification and removal of the following 44 new Excel 5/7 macro viruses, Trojans and other macro malware: XM/Delta (A, B and C) XM/DMV (A and B) XM/Don.A XM/Emperor (A and B) XM/Format.A XM/Hit (A, B, C and D) XM/Laroux (A, B, C, D, E, F, G, H, I, J, K, M, N, O, P, Q, R, S, T, V and AD) XM/Legend.A XM/LMV (A, B, C and D) XM/Robocop.A XM/Sofa.A XM/Team.A XM/Tjoro.A XM/Yohimbe.A - Added detection, recognition and identification and removal of the following 6 new Excel 97 macro viruses: X97M/Import.A X97M/Laroux (D, E, L, U and X) Version 1.05: - Implemented partial Long File Name support when the program is run under Windows 95 or Windows NT. 
The fact that the program's window is not resizable (yet) does not allow us to display the long file names on the screen. However, now they are used in the report file.

- Improved the speed of scanning Office 97 documents more than three times, due to better understanding of the structure of the Office 97 documents. Also, reduced the memory requirements of the program a bit.

- Improved the reporting of macro viruses to conform better to the CARO virus naming scheme and have the form /.. The short form (e.g., "W97M") of the platform is used for the reports on the screen, while the long form (e.g., "Word97Macro") of it is used in the report file.

- Introduced some new types of macro malware (e.g., "Dropper", "Kit", etc.). They used to be reported generically as "Trojan", with a suffix added to the name to indicate the type. They are reported properly now.

- All the text strings used by the program are now grouped as a resource. This will make multi-language support easier.

- A silly bug prevented us from extending the database above certain size. Fixed. Unfortunately, the new database is no longer compatible with the old versions of F-MACROW.EXE.

- Made the program complain if it is used with a MACRO.DEF file which is too much out-of-date.

- Under Windows 95, if "Large Fonts" were used in the Display Properties, the text on F-MACROW's buttons didn't fit on some of the buttons. Fixed.

- When the name of the file currently being scanned (displayed just beneath the buttons) contained the "&" character, that character was not displayed - instead, the next character of the file name was displayed underlined. Fixed.

- When used with the options /HARD or /ALLDRIVES and there were SUBSTed drives, F-MACROW would scan some directories twice - once when scanning the main drive and once when scanning the logical drive SUBSTed to these directories. This is fixed now - under Windows 3.x and Windows 95 SUBSTed drives are not scanned when the /HARD or /ALLDRIVES options are used. The SUBSTed drives are still scanned under Windows NT, because we couldn't figure out how to determine that a logical drive is SUBSTed on this platform. If you know how - please tell us.

- Many people found it annoying that F-MACROW asks for confirmation when the user attempts to close it, so we removed the request for confirmation completely. Respectively, the /ALWAYSQUIT command-line option was removed too, as no longer necessary.

- When an invalid path is specified as a directory to scan or as a report file in the Scan dialog, the focus is now correctly put on the path causing the problem.

- The stream named ThisDocument (present in Word97 documents) was not inspected for malicious code - because we didn't know that it could contain any code. We know better now, and now F-MACROW scans this stream too.

- Plugged a silly memory leak when scanning Word97 documents - after scanning about 4,000 of them, the program would begin reporting "General OLE2 error" on each subsequent document. Fixed.

- Changed the accelerator keys on the buttons to conform better to the de facto standard for Windows applications. Now they are Enter or Alt-S for Scan, Alt-L for Virus List and Alt-X or Alt-F4 for Exit.

- Made more clear the messages which inform the user that the database is no longer compatible with the scanner.

- Fixed some spelling mistakes in the documentation.

- The following viruses were renamed in order to make the program fully conformant with the CARO virus naming scheme: Beeper.A -> NJ-WMDCK1.K Beeper.B -> NJ-WMDCK1.L DMV.F -> MDMA.R Eraser.Q:Tw -> Ant.B:Tw - Added detection, recognition, identification and removal of the following 234 new WordMacro viruses, Trojans and other macro malware: Alien.F Alliance.B Anarchy.6093 Angel.A Ant (C:Tw and D:Tw) Appder (F, G, H and I) Balrog.A Bandung (AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT, AU, AV and AW) Barbaro.A:It Box.C:Tw Black.A CAP (N, O, P, Q, R, S, T, U, V and W) Chaos.B Childish.A Clock.I:De Colors (U, BA, BB, BC, BD, BE, BF, BG, BH, BI, BJ, BK, BL, BM and BN) Concept (AS, AT, AU, AV, AW, AX, AY, AZ, BA, BB, BC and BD) CountTen.A1 CVCK1.I Divina (G and H) DMV.F Dracula.A Dzt (E and F) Emperor.D:Tw Goldfish.C GoldSecret (A and B) Helper (F, G and H) Hybrid (D, E, F, G and H) Illiterate.A Imposter (D and E) Incarnate.A Irish (N, O, P and Q) Johnny (B1, C1, M, M1, N and N1) Killok.C Kompu (D, E and F) Lox.A Lucifer.A Lunch (D and E) Malaria.A:Tw MDMA (S, T, U, V and W) Monday.A:Tw Muck (F, G and H) NiceDay (G, H, I, J, K, L and M) NJ-WMDLK1.J NOP.L:De Npad (BM, BN, BO, BP, BQ, BR, BS, BT, BU, BV, BW, BX, BY, BZ, CA, CB, CC, CD, CE, CF, CG, CH, CI, CJ, CK and CL) Nuclear.N Nuker.A Panjang.A PayCheck.D Pesan.B Pig.F:Tw Rapi (M1 and AJ2) Rats.D Red.A:De Rehenes.A Schumann.A ShowOff (AY, AZ, BA, BB, BC, BD, BE, BF, BG, BH, BI, BJ, BK, BL, BM, BN, BO, BP, BQ, BR, BS, BT and BU) Since.A Smiley.C:De Socks.A Switcher.B Swlabs (C, D, E and F) Temple.B Twno (Y:Tw and Z:Tw) TwoLines (J, J1, K, K1, L, L1, M, M1, N1, O, O1, P, P1, Q and Q1) Underground.A Vampire (A:Tw, B:Tw, C:Tw, D:Tw, D1:Tw, E:Tw and F:Tw) Veneno.A:Sp Vicinity (A:De and B:De) Volcano.A Wazzu (CD, CE, CF, CG, CH, CI and CJ) Zmb.A:De - Added detection, recognition, identification and removal of the following 17 new Word97 macro viruses, Trojans and other macro malware: W97M/AntiConcept.A1 W97M/Bismark.E 
W97M/Calendar.A W97M/Cmd.A W97M/DWMVCK1 (Kit, A and B) W97M/Gable.A W97M/Kompu.B W97M/Minimal.D W97M/Rapi (F2 and AK2) W97M/Rehenes.A W97M/Setmd.A W97M/Sparkle.A W97M/Talon.K W97M/Wazzu.AM
- Added detection, recognition and identification (no removal) of the following 1 new Excel 97 macro virus: X97M/Yohimbe.B

Version 1.04:
- Added Office97 support - now F-MACROW can detect, recognize, identify and disinfect Word97Macro and Excel97Macro viruses. Unfortunately, this is done by removing all VBA5 modules (not just those belonging to the virus), user menus, buttons, toolbars, key shortcuts and so on from the infected document. The reason for this is that so far Microsoft has failed to provide us the information necessary for proper removal of only those elements from the above list which belong to the virus. F-MACROW warns the user that all such elements will be deleted. If you don't like the fact that they are deleted - complain to Microsoft. As a matter of fact, none of the other anti-virus products we tried was able to handle the situation properly - although the least bad solution we saw only disables the user VBA5 modules when disinfecting - so that they are still visible to the VBA Editor but are not accessible via the Tools/Macro/Macros dialog, but at least aren't lost completely.
- The file MACRO.DEF can be updated even if F-MACROW is running, provided that F-MACROW isn't currently in the process of scanning anything but is staying idle. This way the database of virus definitions can be updated from a server across all workstations even if the users on those workstations have not terminated F-MACROW. The next time a scan is requested, F-MACROW will detect that its database has changed and will use the new database.
- F-MACROW is now distributed with a default F-MACROW.INI file. The file is copied to the user's WINDOWS directory only if it doesn't already exist there.
- The installation program now does not refuse to install the components of F-MACROW if files with these names already exist. Now it simply updates those of them which are older than the files with the same names carried in SETUPFM.EXE.
- Added some accelerator keys to speed up the control of F-MACROW from the keyboard. From F-MACROW's main window, pressing Enter will bring up the Scan dialog (and, as before, pressing Enter from there will start the scanning with the default parameters - so, once F-MACROW is launched, pressing Enter twice is a quick way to start the scanning). Pressing Ctrl-S will have the same effect - it will bring up the Scan dialog. Ctrl-L brings up the virus list; Ctrl-X (and the usual Alt-F4) exits the program.
- F-MACROW wouldn't process its command-line arguments until at least one option (e.g., /SCAN) was given. Fixed.
- When the installation program finished installing F-MACROW, it launched it in "scan all files" mode to check the user's disk for viruses. Changed to scan only files with DOC, DOT and XL? extensions.
- When producing a report file, F-MACROW would put a zero byte just before the date. Fixed.
- F-MACROW's window does not appear to be resizable any more when the mouse cursor is moved over its borders. We will make it resizable in the future, but there is no reason for it to appear resizable when it is not.
- Added detection, recognition, identification and removal of the following 575 new macro viruses, Trojans and other macro malware: Alien (C, D and E) Anak.A Andry.A Ant (A:Tw and B:Tw) AntiConcept.A1 Appder (B, C, D and E) Armadillo.A Atom (I and J) Attack.A Baby.A Bandung (M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, AA, AB, AC, AD, AE, AF, AG, AH and AI) Beeper (A and B) Bertik.A CAP (D, E, F, G, H, I, J, K, L and M) Cebu (A and B) CeeFour.B Chaka.A Chandigarh.A Clock (F:De, G:De and H:De) Colors (N, O, P, Q, R, S, T, U, V, W, X, Y, Z, AA, AB, AC, AD, AE, AF, AG, AH, AI, AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT, AT1, AU, AV, AW, AX, AY, AZ and BA) Concept (AB, AC, AD, AE, AF, AG, AH, AI:Jp, AJ, AK, AL, AM, AN, AO, AP, AQ and AR) CountTen (C and D) Cult.A CVCK1 (Kit, A, B, C, D, E, F, G, H) Czech.A Dakota.A Dance.A Dark (B, C and D) Date.B Dave.A Dedicato.A:It Defender.A Demon.A Dishonor.A:De Divina (D, E and F) DMV (D, E and F) Doggie (C, D and E) Drugs.A:De Dub.A Dzt (B, C and D) Emperor (A:Tw and B:Tw) Envader.A Epidemic (B:Tw and C:Tw) Eraser (A:Tw, A1:Tw, B:Tw, C:Tw, D:Tw, E:Tw, F:Tw, F1:Tw, G:Tw, H:Tw, I:Tw, J:Tw, K:Tw, L:Tw, M:Tw, N:Tw, N1:Tw, O:Tw and P:Tw) Fire.A:De Friday (B:De and C:De) Fuzzy.A Goggles.A Goldfish.B Goodnight (A and B) Haggis.A Hark.A Helper (B, C, D and E) Hiac.A Hider.A Hilight.A Hunter (A:De and B:De) Hybrid.C Hyper (A and A1) Imposter.C InsideOut.A Irish (D, E, F, G, H, I, J, K, L, M, N and O) Jaja.A Johnny (C, D, E, E1, F, F1, G, H, I, I1, J, J1, K, K1, L and L1) Junkies.A.Drp Killok (A and B) Kompu.C Lazy.A Lemon (A and B) Look.D:Tw Lunch.C Macaroni.A:De Mark (A:Tw and B:Tw) MDMA (H, I, J, K, L, M, N, O, P and Q) Mercy (A and B) Messenger.A:De Mind (A and A1) Minimal (D, E, F, G, H, I, J, K, L, M, N, O and P) Mota.A Mtf.A Muck (A, B, C, D and E) MVDK (1.Kit and 2.Kit) NiceDay (C, D, E, F, G and H) NJ-WMDLK1 (A.Kit, B.Kit, C.Kit, D.Kit, E.Kit, E, F, G, H and I) NJ-WMVCK2 (A.Kit and B.Kit) No-F (A and B) NOP (F:De, G, H:Fr, I, J:De
and K) NoPrint.A Npad (W, X, Y, Z, AA, AB, AC, AD, AE, AF, AG, AH, AI, AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT, AU, AV, AW, AX, AY, AZ, BA, BB, BC, BD, BE, BF, BG, BH, BI, BJ, BK, BL and BM) Nuclear (I, J, K, L and M) Ordo.A Orhey.A Oval.A PayCheck (A, B and C) Pesan.A Phardera (D and E) Pig (A:Tw, B:Tw, C:Tw, D:Tw and E:Tw) Quick.A Randomic.A Rapi (J, J1, K, L, L1, L2, M2, N, N1, N2, O, O1, O2, P, Q1, Q2, R2, S2, T, T1, T2, U2, V2, W2, X, Y, Y1, Z2, AA2, AB2, AC, AC1, AC2, AD2, AE1, AE2, AF1, AF2, AG, AG1, AG2, AH, AH1, AH2 and AI2) Rellik.A:Tw Safwan.A Sam.A:Tw Satanic.B Setmd.A ShareFun.B ShowOff (G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, AA, AB, AC, AD, AE, AF, AG, AH, AI, AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT, AU, AV, AW, AX and AY) Shuffle.A.Drp Simple (A and B) Spiral.B Strezz.A Sunbeam.A Surabaya.A Switcher.A Swlabs (1.Kit, 2-3.Kit, A and B) Sword.A Talon (A, B.Drp, B, C, D, E, F, G, H, H1 and H2) Tear.A Temple.A Terror.A TestArea.A TestDot (A:Tw and A1:Tw) Toten.A:De Twno (K:Tw, L:Tw, M:Tw, N:Tw, O:Tw, P:Tw, Q:Tw, R:Tw, S:Tw, U:Tw, V:Tw, W:Tw and X:Tw) TwoLines (B, C1, D, D1, E, E1, F, F1, G, G1, H, H1, I and I1) Varmint.A:Tw Wallpaper.A Wazzu (N, AY, AZ, BA, BB, BC, BD, BE, BF, BG, BH, BI, BJ, BK, BL, BM, BN, BO, BP, BQ, BR, BS, BT, BU, BV, BW, BX, BY, BZ, CA, CB and CC) Weather.D:Tw Why (A.Drp and A) WMVH1 (Kit:Tw, B:Tw and C:Tw) Zoolog.A
- Added detection, recognition, identification and removal of the following 38 new Word 97 and Excel 97 macro viruses, Trojans and other macro malware: W97M/Appder (A, B and C) W97M/Bismark (A, B, C and D) W97M/Concept W97M/Frenzy.A W97M/Gambler (A, A.Drp, B, B.Drp, C and C.Drp) W97M/Kompu (A and B) W97M/Lunch (A and B) W97M/Minimal (A, B, C and D) W97M/Muck (D and E) W97M/NiceDay.A W97M/NightShade.A W97M/Opim.A W97M/Rapi.A2 W97M/Talon (I, J and K) W97M/Wazzu (A, C and X) X97M/Laroux (A, B and C)
- Added detection, recognition and identification (no removal) of the following 5 new Excel 97 macro
viruses, Trojans and other macro malware: X97M/Delta.A X97M/Legend.A X97M/Robocop.A X97M/Tjoro.A X97M/Yohimbe.A

Version 1.03:
- Added a new button to display in a dialog box the list of macro viruses that the current database (MACRO.DEF) can handle. Since this dialog box allows the list to be saved in a file, this eliminated the need of listing the viruses in the documentation.
- Implemented two new command-line options - /AUTOQUIT and /ALWAYSQUIT.
- The meaning of the /CDROM and /NOCDROM options was reversed. Sorry about that. Fixed now.
- When installed for the first time on a new machine, F-MACROW could display some garbage in the "directory to scan" field of the Scan dialog box - due to an uninitialized variable. Fixed now to use "C:\" as default.
- It wasn't possible to select for scanning a directory, the name of which contained accented (non-ASCII) characters. Fixed.
- Excel workbooks in Windows 95 files with long names containing accented (non-ASCII) characters could be scanned but not disinfected. Fixed.
- It wasn't possible to specify a name of the report file that didn't contain a backslash (e.g., "A:F-MACROW.REP"). Fixed.
- The /REPORT= option caused an "Invalid directory" message when the path of the specified report file contained a drive letter. Fixed.
- The scanner couldn't detect Laroux in workbooks created by the Japanese version of Excel. Fixed.
- Some files containing menu definitions and key shortcuts were not disinfected properly. Nasty bug that one. Fixed now.
- F-MACROW would crash when attempting to disinfect the Outlaw viruses. Fixed.
- The timer indicating the time elapsed since the beginning of the scan could handle up to 99 minutes and 59 seconds. This turned out to be insufficient for some people scanning large networks. Now the timer handles up to 99 hours, 59 minutes and 59 seconds.
- F-MACROW counted each disinfected file twice - once when displaying it on the screen and once in the report file.
As a result, the report file would display a number for the disinfected files that was two times larger than the number of infected files, resulting in a negative number of "still infected" files. Stupid bug. Squished now.
- When scanning a write-protected diskette in disinfection mode an error occurs when the program attempts to disinfect the virus. That's normal. What was not normal was that if the user decided to ignore the error, the report file did not contain a list of the infected files. It does now.
- According to the new CARO naming scheme for macro viruses, all names have been converted to the form Family.Variant, even when the family consists of a single variant.
- Added detection, recognition, identification and removal of the following 145 new macro viruses, Trojans and other macro malware: ABC.A Alien.B Appder.A Atom (G:De and H) BadBoy (A, A.Drp and B) Balu (A and A1) Bandung (G, H, I, J, K and L) Boom.B:De Box (A:Tw and B:Tw) CAP (A and B) CeeFour.A Chaos.A Clock (B:De, C:De, D:De and E:De) Colors (I, J, K, L and M) Concept (T, U, V, W, X, Y, Z and AA) Daniel.C DMV.C Dzt.A Epidemic.A:Tw Friday.A:De Fury.A:It Gable.A Hellga.A Irish (B and C) Johnny (A1 and B) Kerrang.A KillProt.A Kompu.A MDMA (E, F and G) Minimal.B MVDK2 (A and B) NF.B NiceDay.B Nikita (A and A1) NJ-WMDLK1 (A, B, C and D) Nomvir (A:De and B:De) NOP (C:De, D and E:De) Npad (G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U and V) Nuclear (F and G) Phardera (B and C) Random.A Rapi (F, F1, F2, G, G1, H2, I, I1 and I2) Rats (A, B and C) ShareFun.A ShowOff (B, C and D) Smiley.B Snickers.A Spiral.A Theatre.C:Tw Twno (E:Tw, F:Tw, G:Tw, H:Tw, I:Tw and J:Tw) TwoLines (A and A1) Wazzu (AC, AD, AE, AF, AG, AH, AI, AJ, AK, AL, AM, AN, AO, AP, AQ, AR, AS, AT and AU) WMVH1.A:Tw Xenixos.B:De Zero.A:De

Version 1.02:
- F-MACROW is now distributed as a single, self-installing executable.
- F-MACROW was made compatible with Gatekeeper for Windows 3.x, so that alerts are not displayed twice when scanning infected documents. Similar compatibility with Gatekeeper for Windows 95 is not possible yet.
- F-MACROW would crash when scanning a directory, the full path of which was longer than 64 characters. Fixed.
- Implemented the ability of the program to run unattended.
- Implemented removal of the key shortcuts and menu items associated with the viral macros deleted on disinfection, in order to handle viruses like Gangsterz.
- Implemented compression of the macro table on disinfection, in order to reduce the probability of false positives caused by scanners which do not understand the OLE2 format (e.g., F-PROT.EXE).
- Implemented better handling of virus remnants.
- The timestamp of the files was not preserved when a macro virus was removed from them. Fixed.
- Workbooks disinfected from the Laroux virus would cause Excel to crash when selecting PrintPreview. Fixed.
- Added the ability to process documents produced by the Asian versions of Word (Chinese, Taiwanese, Japanese and Korean).
- F-MACROW could not open, under Windows 95, files, the long file names of which included non-English characters. Fixed.
- The following viruses were renamed in order to make the program fully conformant with the CARO virus naming scheme:
  Guess -> Phantom.A
  LBYNJ:De -> Tele.A:De
  Pheeew:NL -> Concept.K:NL
  PCW:De -> Birthday.A:De
- Added detection, recognition, identification and removal of the following 116 new macro viruses and Trojans: Alien.A AntiConcept.A Atom (C, D, E and F) Bandung (B, C, D, E and F) Colors (F, G and H) Concept (I, J, L, M, N, O:Tw, P, Q, R and S) CountTen (A and B) Daniel (A and B) Divina (B and C) DMV.B Easy.A Helper.A Hybrid.A Johnny.A Look (A:Tw, B:Tw, C:Tw and D:Tw) Lunch (A and B) Magnum.A MadDog.B MDMA (B, C and D) Minimal.A NiceDay.A Niki.A:It NJ-WMVCK2 (A and B) Npad (B, C, D, E and F) Nuclear (D and E) Olympic (A:Tw and B:Tw) Outlaw (A, B and C) Paper.A Phardera.A Rapi (A, A1, A2, B, B1, B2, C, C1, D, D1 and E2) Saver.A:De ShowOff.A Smiley.A:De Spooky.A:De Stryx.A:De Switches.A Target (A:De and B:De) Theatre (A:Tw and B:Tw) Twister.A Twno (A:Tw, B:Tw, C:Tw and D:Tw) Wazzu (G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V, W, X, Y, Z, AA and AB) Weather (A:Tw, B:Tw and C:Tw)

Version 1.01:
- The report file was changed to indicate how many infected files are still left, how many files have been disinfected, and whether the user has aborted the scanning process.
- A newer version of CTL3DV2.DLL is included, and the documentation describing the installation process has been updated.
- Some documents were reported as causing "Critical error". Fixed.
- Added detection, recognition, identification and removal of the following 8 new macro viruses: Atom.B Bandung.A Colors.E Gangsterz.A Hassle.A Nuclear.C Wazzu (E and F)

Version 1.00 (Beta):
First version released for public testing.
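
The virus lists in these release notes abbreviate names of the form Family.Variant as "Family (V1, V2 and V3)". The following added example (not part of F-MACROW or its documentation) expands that shorthand into full names and splits each name into fields, so that a list can be checked against the total stated beside it; the function names, field names and the treatment of the text after ":" as an uninterpreted suffix are assumptions of this sketch.

```python
import re
from typing import NamedTuple, Optional

# An entry is "Family.Variant" or the shorthand "Family (V1, V2 and V3)".
ENTRY = re.compile(r"(?P<family>[^\s()]+)\s*\((?P<variants>[^()]*)\)|(?P<single>[^\s()]+)")

class MacroName(NamedTuple):
    platform: Optional[str]   # e.g. "W97M"; None when no "Platform/" prefix is given
    family: str
    variant: Optional[str]    # may itself contain dots, e.g. "A.Kit" or "A.Drp"
    suffix: Optional[str]     # text after ":", kept verbatim and not interpreted

def expand_names(text: str) -> list:
    """Expand a release-note list into one full name per variant."""
    names = []
    for m in ENTRY.finditer(text):
        if m.group("single"):
            names.append(m.group("single"))
            continue
        # Split on commas and whitespace so a missing comma does not merge two variants.
        for variant in re.findall(r"[^\s,]+", m.group("variants")):
            if variant != "and":
                names.append(f"{m.group('family')}.{variant}")
    return names

def parse_name(name: str) -> MacroName:
    """Split "Platform/Family.Variant:Suffix" into its parts."""
    platform, _, rest = name.rpartition("/")
    rest, _, suffix = rest.partition(":")
    family, _, variant = rest.partition(".")
    return MacroName(platform or None, family, variant or None, suffix or None)

def count_gap(text: str, stated: int) -> int:
    """Names found minus the total the notes state (0 means they agree)."""
    return len(expand_names(text)) - stated

# Lists copied from the release notes on this page.
V1_01 = "Atom.B Bandung.A Colors.E Gangsterz.A Hassle.A Nuclear.C Wazzu (E and F)"
WORD97 = ("W97M/AntiConcept.A1 W97M/Bismark.E W97M/Calendar.A W97M/Cmd.A "
          "W97M/DWMVCK1 (Kit, A and B) W97M/Gable.A W97M/Kompu.B W97M/Minimal.D "
          "W97M/Rapi (F2 and AK2) W97M/Rehenes.A W97M/Setmd.A W97M/Sparkle.A "
          "W97M/Talon.K W97M/Wazzu.AM")

if __name__ == "__main__":
    print(count_gap(V1_01, 8), count_gap(WORD97, 17))
    for full in expand_names("Ant (C:Tw and D:Tw) " + V1_01):
        print(parse_name(full))
```

Both sample lists expand to exactly the totals the notes give for them (8 and 17), which makes the same check usable on the longer lists when reconciling a definitions update against its announcement.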