Return to TAPC Home Page

Preventing and Curing Viruses on Web Servers

The exchange of documents as Word Processor files (normally Microsoft Word) on Web servers creates a substantial danger of spreading viruses, particularly Word Macro viruses. This is a special problem where all committee members have the ability to upload documents, and not all may take adequate measures to detect and cure viruses.

The purpose of this information is to:

What types of viruses can be spread?

Traditional viruses are normally spread only through diskettes and programme (.EXE) files. These viruses are unlikely to be spread through the use of Web servers provided that the manager of the web server maintains proper anti-virus measures.

The type of virus that is commonly spread through Web servers is the Word macro virus.

The macro virus works broadly as follows.

Some viruses do little more than propagate themselves. Others are altogether nastier, and will delete and/or corrupt files. At least one virus adds a password to files when saving!

How can Viruses be Detected and their Damage Limited?

General Protection

You are strongly recommended to get a good up-to-date anti-virus program. Regularly get updates to it, so that you can keep up with all the new viruses coming along. When you install the program, ensure that it is set up to check doc files. The default settings of some programs omit this.

You can download 30-day trial versions of the following general purpose anti-virus programs from the Web

It is essential that you use one of these systems for general protection.

These systems do contain some protection against macro viruses, but we recommend that you also take the following additional measures.

Specific Protection against Word Macro Viruses

We also strongly recommend that you use specific protection against Word macro viruses. The main protection is one of Microsoft's template utilities, which detects the presence of macros in any file that you attempt to open. There are the following versions:

Word 6 (all versions) and Word 7.0

Use Microsoft's SCANPROT.DOT template, which detects whether a file contains any macros and asks you if you want to disable them.

Word 7.0a and above

These versions contain the equivalent of SCANPROT.DOT built into the software; however, you should ensure that the macro virus detection facility is enabled.

Other measures and Tips

  1. Keep PERMANENT backups of your files, including your own templates. Do not rely just on regular tape streaming where you reuse the tapes, because you might not discover soon enough that you have been hit with a virus, and so you may need to go back far enough to recover clean files. CD writers are very useful for making permanent back-ups.
  2. If you do not alter toolbars and write macros frequently in Word yourself, we recommend that you make your NORMAL.DOT template READ ONLY. This will protect your own settings and prevent infections from spreading.
  3. If you just want to safely view and/or print a document whose source you are not sure of, then open it using the Word Viewer or WordPad. These two applications do not run macros, and so are immune to macro viruses.

Starting with Word 7.0a, as you open a file, Word now can detect whether the file contains a macro, and offers you the choice of opening the file with all macros deactivated. For any document whose origin is in any way suspect, take this option. If you have an earlier version of Word, it would be a good idea to upgrade to this version or later. (Quite apart from all the bug fixes you'll get!)

You can access Microsoft's own information on macro viruses at the following location.

http://www.microsoft.com/

The Microsoft information includes links to a list of anti-virus products and vendors.



Symptoms of having been hit by a Virus

Any of the following may be an indication of a virus attack.

The list above just gives examples from a few of the more common viruses. Any kind of unexpected behaviour, particularly when opening, saving or closing files, should be treated as a possible sign of a virus attack.

How to check if you have been infected

It is fairly straightforward to see if you have been infected. With any document open, on the Tools menu, select Macros. If there are any macros in the list which you didn't put there yourself, particularly if they have names beginning with "File" or "Auto", then they are very probably from a virus.

If your Tools menu has disappeared or the Macros command has disappeared from the menu, then this is also a sign that a virus has hit. Some viruses do this to try and make it harder to fix the problem.

 

Emergency repairs if you do not use macros yourself

While you are waiting for your anti-virus program, you can do some emergency repairs yourself.

Note that the following instructions assume that you have written no macros of your own. Ways of adapting this to retain your own macros are given afterwards.

  1. Close Word, and rename "normal.dot" as "oldnorm.dot".
  2. Restart Word. It will create a new normal.dot based on default settings. At this moment your copy of Word is clean. Now to keep it that way.
  3. Go to Tools Macro, and click the Organizer button.
  4. Using the Organizer, open oldnorm.dot, and transfer to normal.dot your toolbars, styles & AutoText entries, but not any macros! Now you can delete oldnorm.dot.
  5. Using Organizer, open each of your custom templates, and delete all macros in them.
  6. Before opening any file for editing, open it using Organizer. Proceed as follows

This last item is a useful check when you receive any document from someone else. It is completely independent of your anti-virus program, and should show up any virus, including one which the anti-virus people haven't found yet.

Cleaning up & retaining your own macros

This gets a bit more tricky, but the same basic principles apply. You need to take these precautions.

  1. Don't delete your own macros, but in the Organizer, rename any which have "Auto" names or names which intercept built-in Word commands.
  2. Before you run any of your macros, review the code in each of them, to be sure that nothing has been inserted by a virus. It would be a good idea to put a REM statement at the top of each macro when you have checked it.
  3. Once you are sure your own macros are clean, you can name them back and start using them again.
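
As an added example (not part of the original advice or of any Microsoft tool), the name checks from "How to check if you have been infected" and from step 1 above can be written as a small Python triage over the macro names you read off the Tools Macros list or the Organizer. The function names, the "Held" rename prefix, the ToolsMacro entry and the sample list are assumptions made for illustration.

```python
# Added example: triage of macro names read off Tools > Macros or the Organizer.
# The "Auto" and "File" prefixes come from the page; everything else here
# (function names, the "Held" prefix, the sample list) is constructed.

TRIGGER_PREFIXES = ("auto", "file")  # from the page: names that run or intercept unasked
EXTRA_INTERCEPTS = {"toolsmacro"}    # assumption: one more built-in command name to flag
HOLD_PREFIX = "Held"                 # hypothetical prefix used to disarm your own macros


def is_trigger(name):
    """True if the name makes Word run the macro automatically or instead of a built-in command."""
    n = name.strip().lower()
    return n.startswith(TRIGGER_PREFIXES) or n in EXTRA_INTERCEPTS


def triage(listed, own):
    """Return {macro name: (verdict, name to use while reviewing)}."""
    own_lc = {o.strip().lower() for o in own}
    plan = {}
    for name in listed:
        mine = name.strip().lower() in own_lc
        if not mine:
            # Not written by you: the page treats these as very probably viral,
            # particularly with a trigger name. Delete them in the Organizer.
            plan[name] = ("probable-virus" if is_trigger(name) else "suspect", None)
        elif is_trigger(name):
            # Your own macro with a trigger name: rename it so it cannot fire
            # until its code has been reviewed, then name it back.
            plan[name] = ("rename-and-review", HOLD_PREFIX + name.strip())
        else:
            plan[name] = ("review", name.strip())
    return plan


# Constructed sample: what the macro list of an infected NORMAL.DOT might show.
SAMPLE_LISTED = ["AutoOpen", "FileSaveAs", "Helper", "InsertLetterhead", "AutoNew", "ToolsMacro"]
SAMPLE_OWN = {"InsertLetterhead", "AutoNew"}

if __name__ == "__main__":
    for macro, (verdict, held) in triage(SAMPLE_LISTED, SAMPLE_OWN).items():
        print(f"{macro:18} {verdict:18} {held or '-'}")
```

Macro names are compared without regard to case, and the held name is chosen so that it no longer begins with "Auto" or "File".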

 

Acknowledgement

A large part of this advice has been written by Jonathan West of Integrated Information Solutions Ltd and is reproduced with permission.
