A macro virus is a malicious program that is written by using the macro language built into a software application such as Word. Since Microsoft Office allow macro programs to be embedded within documents, so that the programs may be run automatically when the document is opened, this provides macro viruses with a distinct mechanism to spread. The virus can infect other Word documents and propagate itself among data files and can even harm your computer's operating system.
A well known example of a macro virus is the Melissa Virus from 1999. The virus would infect a system through Word documents and then send itself by email to the first 50 people in the person’s address book. Since a macro virus depends on the application rather than the operating system, it can infect a non-Windows computer such as a Mac.
The first defense against any viruses and malicious program is your anti-virus software. But macro viruses are known to quietly pass through many security software. Fortunately, newer versions of Microsoft Office prevents macros from running when a user opens a Word document with a macro. Instead, users are presented with a warning and an option to open the document with the macro enabled. You should not open a document with the macros active, unless you are absolutely sure that the document contains no harmful macro viruses.
Symptoms of a Macro Virus
The following are some symptoms of Word macro viruses that are known to affect Word and Word documents:
- When you try to save a document, Word only lets you save the document as a template.
- The icon for the file looks like a template rather than a document.
- When you open a document, a dialog box showing the number 1 appears.
- The Macro and Customize commands no longer appear on the Tools menu.
- New macros appear in the list of macros. AutoOpen and FileSaveAs macros may also appear; if you already had macros by these names, their content may be modified by the macro virus.
- Unusual or unexpected messages appear when you open a Word document or template.
How to Delete the Macro and Recover the Document
If you experience the symptoms described above, or if you suspect that you have a macro virus that is not described in this article, follow these steps to delete the suspect macro and to correct affected document.
Open the infected document. Do not activate macro when prompted with the warning message.
Under the View tab in the ribbon, click on the Macro button and then choose View Macros. Next, click on Organizer
Under ‘Macro projects item available’ drop down menu, select the infected document. This will list all macros embedded within the document.
At this point, you can select which macros to delete and which to keep provided you can recognize the malicious macros. If not, delete all macros by using the Delete button. (Tip: to select the entire list, click the first macro, scroll to the bottom, press SHIFT and click the last macro.)
Your document is now free of macro viruses. Save the document as a new file and delete the infected document from your hard disk.
However, if you have opened the document before and turned on macros, it is possible that the macro has infected the Normal global template from which it will re-infect all Word documents that you open or create in Microsoft Word. So, before you close the Organizer, select Normal.dotm from the drop down menu and delete any macro from the Normal file you didn’t create.
If you have never created macros before and you see a number of macros in Normal.dotm, then you can be almost sure that those were added by the virus.
Another way to remove an infected Normal.dotm file is to simply delete it from the disk. Microsoft Word will recreate the normal file when you open a new Word document. This will however remove any macros you created.
The normal.dotm file is located in C:\Users\%username%\AppData\Roaming\Microsoft\Templates