Excel Document Macro Viruses (DMVs) - DMV.XLS Joel McNamara - joelm@eskimo.com 12/27/94 Visual Basic, Applications Edition (VBA) is Microsoft's effort to provide a common macro language for all of its products. It is an extremely powerful language, and combined with automatic macros, offers quite a bit of potential for targeting viruses or logic bombs against selected users. Microsoft Excel 5.0 was one of the first applications to implement VBA. I've only performed a little research on it (Windows version) as a potential trigger for files with DMVs. DMV.XLS is a quick and dirty demonstration of using VBA to infect Excel. The actual commented code is located in "Sheet01" of the workbook. This DMV is harmless, and only demonstrates potential malicious behavior. (For background reading on DMVs, refer to the DMV.DOC file - Word for Windows 6.0 format.) Excel uses a file called GLOBAL.XLM to house global macros. It also features automatic macros. DMV.XLS infects the GLOBAL.XLM file with a DMV that executes when documents are closed. Unlike the Word DMV.DOC sample, individual data files are not infected (although it would seem to be trivial to add the same functionality in Excel). On the surface, Excel appears to provide greater virus risks than Word since code can be triggered by events (double clicking, specified keys being pressed, when data is entered, etc.). VBA also offers some amazing capabilities of targeting specific types of users. This goes way beyond the random, shotgun approach used in conventional viruses. Additionally, as a common macro language, VBA offers the potential of cross-application infections. The DMV.XLS sample clearly demonstrates the chaos someone could spread combining VBA and automatic macros. It is another reason why software manufacturers need to make changes to existing applications to provide users with safeguards against malicious auto-macros. A simple dialog box that prompted whether an automatic macro should be executed would eliminate most of these risks. .