The heuristic scan examines the target object for signs of code fragments characteristic of viruses. Each macro virus heuristic flag additionally has an importance property:
important: the flag is characteristic of viruses
supplemental: the flag is characteristic of malicious programs
informational: the flag itself is not virus-characteristic, but in the presence of additional flags it indicates a virus
Flags and explanations:
| ID | Name | Explanation |
|---|---|---|
| A | MACRO COPY (important) | Macro copy to another document or to the global template. The primary means of virus propagation. |
| B | ORGANIZER (important) | Macro copy using the Organizer. |
| C | CREATE (important) | Generated mostly by polymorphic viruses to create a mutated copy of the macro module. |
| D | ADD TEMPLATE (important) | Attaching a new global template or WLL Word library. As this method is also used by macro utility programs, false alarms are possible. |
| E | FORMAT (important) | Converting a document to a template, which is the first step in infecting documents. |
| F | COUNT MACRO (supplemental) | Query of the total number of macros in the template. Used for macro enumeration by viruses. |
| G | MACRO NAME (supplemental) | Query of the names of the macros in the template. |
| H | DELETE (supplemental) | Deleting macros. Used by viruses to cover their tracks, but also used by virus protection templates. |
| I | SAVE AS (supplemental) | Saving documents as templates. Not characteristic of viruses unless found together with the FORMAT (E) flag. |
| J | FAST SAVE (supplemental) | Turning on the fast save option. Often used by viruses. |
| K | AUTO MACRO (supplemental) | Turning on automacro execution, which is necessary for virus activation. |
| L | SAVE WINDOW (supplemental) | Query of the active window. Used by viruses to hide their activities. |
| M | SCREEN UPD. (supplemental) | Turning off screen updating. Used by viruses to hide their activities. |
| N | GLOBAL SAVE (supplemental) | Disabling the global template save prompt. Used by viruses to hide the signs of global template infection. |
| O | DISABLE INPUT (supplemental) | Disabling the interruption of running macro code. |
| P | RENAME MENU (informational) | Menu item rename, used by viruses to disable the macro-related application commands. |
| # | MACRO INSERT (important) | Creating a macro and filling it with text. Often used by polymorphic viruses to create temporary or mutated images. |
| a | PASSWORD (supplemental) | Protecting documents with passwords. Often used in virus payloads. |
| b | INSERT TEXT (supplemental) | Inserting text into documents. Often used in virus payloads. |
| c | SHELL (supplemental) | Executing an external program. Often used in virus dropper macros. |
| d | KILL (supplemental) | Deleting files. |
| e | WRITE (supplemental) | Direct sequential file write. |
| f | PRINT (supplemental) | Direct sequential file write. |
| g | RMDIR (supplemental) | Directory delete. |
| h | SETATTR (supplemental) | Changing file attributes. |
| i | DECLARE (supplemental) | Declaring external functions. |
| j | UNLOCK (supplemental) | Unprotecting documents. |
| k | ONTIME (informational) | Timed execution of macros. Often used in virus payloads. |
| l | PROTECTION (informational) | Protecting fields in the document. |
| m | REMOVE PROT (informational) | Protecting fields in the document. |
| n | ENVIRONMENT (informational) | Query of environment variables. |
| Q | EXECUTE ONLY (supplemental) | The document contains execute-only (encrypted) macros. Used by viruses to hide the macro content. |
| R | DOC-DOT (supplemental) | Document extension with template internal format. All infected documents are converted to templates. |
| S | AUTO (supplemental) | Using automacros, which is the primary activation method of viruses. However, macro utility programs and wizards use the same method. |
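The following is an added example, not VirusBuster's code, showing how a scan's raised-flag string (the letters from the table above) can be grouped by importance level while applying the combination rules the text states: informational flags only count alongside other flags, and SAVE AS (I) only counts together with FORMAT (E). The flag letters and levels come from the table; the verdict labels and the sample flag strings are assumptions made for illustration.

```python
IMPORTANT = set("ABCDE#")
SUPPLEMENTAL = set("FGHIJKLMNOabcdefghijQRS")
INFORMATIONAL = set("Pklmn")
# Flags the table itself marks as prone to false alarms from legitimate tools.
FALSE_ALARM_PRONE = {
    "D": "ADD TEMPLATE is also used by macro utility programs",
    "H": "DELETE is also used by virus protection templates",
    "S": "AUTO is also used by macro utility programs and wizards",
}


def classify(flags: str) -> dict:
    """Interpret a raised-flag string (e.g. 'ABKM#') by importance level.

    Applies the two combination rules stated in the text: informational
    flags count only alongside other flags, and SAVE AS (I) counts only
    together with FORMAT (E). Verdict labels are an assumption.
    """
    raised = set(flags)
    unknown = raised - IMPORTANT - SUPPLEMENTAL - INFORMATIONAL
    important = raised & IMPORTANT
    supplemental = raised & SUPPLEMENTAL
    if "I" in supplemental and "E" not in important:
        supplemental.discard("I")  # SAVE AS alone is not virus-characteristic
    informational = raised & INFORMATIONAL if (important or supplemental) else set()
    if important:
        verdict = "probable macro virus"
    elif supplemental:
        verdict = "suspicious"
    else:
        verdict = "no virus indication"
    return {
        "verdict": verdict,
        "important": sorted(important),
        "supplemental": sorted(supplemental),
        "informational": sorted(informational),
        "unknown": sorted(unknown),
        "caveats": [FALSE_ALARM_PRONE[f] for f in sorted(FALSE_ALARM_PRONE) if f in raised],
    }


if __name__ == "__main__":
    # Constructed sample flag strings, not real scan output.
    for sample in ("ABKM#", "I", "IE", "k", "Fk", "D", "xyz"):
        print(sample, "->", classify(sample))
```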
© VirusBuster Kft., 1988-2001