COMMAND

    Bypassing Excel Macro Virus Protection

SYSTEMS AFFECTED

    MS Excel97

PROBLEM

    'rotaiv'  posted  the following.  Info  is  concerning  Excel  macro
    viruses.  In Excel, if you  go to "Tools - Options -  General" you
    can check the "Macro  Virus Protection" check-box and  this should
    prevent any macro viruses  being executed without your  knowledge.
    This is true  in most cases  but it can  be bypassed with  several
    methods.

    Password Protected Spreadsheets
    ===============================
    If  a  file  is  password  protected,  Excel  assumes this to be a
    "trusted"  source  so  it  ignores  the  "Macro  Virus Protection"
    option.   This allows  any code  contained in  the document  to be
    executed without the  user's knowledge.   Here is  a scenario that
    should not be too hard to  believe:  Someone  downloads a list  of
    passwords  for  pornographic  sites  from  alt.sex  and types in a
    disclaimer password such as "I AM AN ADULT".  This allows a  macro
    virus to be executed even if the "Macro Virus Option" is checked.

    Documents in the XLSTART Directory
    ==================================
    Any documents saved in the XLSTART directory are considered to  be
    a "trusted" source so once again, the "Macro Virus Protection"  is
    ignored.

    Disabling 'Macro Virus Protection'
    ==================================
    With Word,  the macro  virus protection  can be  disabled with the
    following command:

        Options.VirusProtection = False

    To my  knowledge, there  is no  such command  for Excel.  However,
    this option can be changed with a reg hack that could be initiated
    from a batch file  or from a VBA  macro Shell command.   On my PC,
    the "Macro Virus Protection" option is stored as a dword value  in
    the following registry key:

        [HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]

    To enable the virus protection, use:

        "Options6"=dword:00000008

    To disable the virus protection, use:

        "Options6"=dword:00000000

    This  may  not  be  exactly  the  same  for every PC as "Options6"
    controls several options depending on the value of the first  four
    bits.  See below for details:

        bit 0    Show Name part of Chart Tips
        bit 1    Show Value part of Chart Tips
        bit 2    Intellimouse Roll action: 0 = scroll, 1 = zoom
        bit 3    Macro Virus Protection
        bit 4-15 (Reserved)

    Many people  are under  the impression  that if  the "Macro  Virus
    Protection" option is  enabled in Excel  they are safe  from macro
    viruses.  However, if someone felt so inclined, they could  easily
    bypass  this  protection  and  execute  VBA code without the user's
    knowledge.

SOLUTION

    The  solution  to  "Password  Protected  Spreadsheets"  is simple.
    Don't open any password documents  from a non-trusted source.   If
    you really want to open the  file, type in the password then  hold
    down the SHIFT  key before you  click "OK" on  the password dialog
    box.   Holding  down  the  shift  key  will by-pass any macros and
    prevent them from being executed.  For more details, refer to  the
    following TechNet article:

        Q176640 - XL: No Macro Virus Warning Appears Opening Protected Workbook

    The solution for "Documents  in the XLSTART Directory"  is obvious
    but  not  so  easy  to   implement.   Don't  allow  any   documents
    (or shortcuts)  to be  saved in  this  directory.   Remember, many
    users may  have their  PERSONAL.XLS file  in this  directory which
    contains  macros  they  have  supposedly  created themselves.  The
    XLSTART directory in most PCs is as follows:

        C:\Program Files\Microsoft Office\Office\XLStart

    For more details, refer to the following TechNet article:

        Q180614 - XL: Workbooks in Startup Folder Are Not Scanned for Macros

    For enabling/disabling "Macro Virus Protection" and more details,
    refer to the following TechNet article:

        Q169811 - XL97: Using the Policy Editor to Force Macro Virus Protection

    Microsoft  released  the   patch  to  allow   customers  to   take
    appropriate action to protect themselves against it.  These  fixes
    are already built into Excel  2000 and users of that  product will
    not need to download this patch.  Microsoft highly recommends that
    customers  evaluate  the  degree  of  risk that this vulnerability
    poses  to  their  systems  and  determine  whether to download and
    install the patch.  The patch can be found at:

        http://officeupdate.microsoft.com/downloaddetails/xl8p6pkg.htm

    With that  you will  now receive  the macro  warning on a password
    protected file but not on a file copied to the XLSTART  directory.
    You can  still enable  or disable  the macro  virus protection with
    a simple reg hack.   I guess that is  not so important because  if
    you can perform a reg hack, you can do a lot more than execute  an
    Excel macro.
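
    An added example, not part of the original post: a defensive check
    that reads "Options6" from a .reg export of the key given above,
    decodes the bit field as listed, and reports whether bit 3 is set.
    The function names and the sample export are constructed for
    illustration.

```python
import re

# Bit layout of "Options6" as listed in the advisory above.
OPTIONS6_BITS = {
    0: "Show Name part of Chart Tips",
    1: "Show Value part of Chart Tips",
    2: "Intellimouse Roll action is zoom",
    3: "Macro Virus Protection",
}
MACRO_VIRUS_PROTECTION = 1 << 3
KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel"

# Constructed sample of a .reg export: chart tips on, protection off.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel]
"Options6"=dword:00000003
'''

def read_options6(reg_text):
    """Return Options6 from a .reg export, or None if the key/value is absent."""
    section = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section is not None and section.lower() == KEY.lower():
            m = re.fullmatch(r'"Options6"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16)
    return None

def audit(reg_text):
    """Decode the bit field and report whether protection is on."""
    value = read_options6(reg_text)
    if value is None:
        return {"found": False}
    enabled = [name for bit, name in OPTIONS6_BITS.items() if value >> bit & 1]
    return {
        "found": True,
        "value": value,
        "enabled": enabled,
        "protected": bool(value & MACRO_VIRUS_PROTECTION),
        # Set bit 3 only; writing a flat 8 would clear the user's other options.
        "remediated": "dword:%08x" % (value | MACRO_VIRUS_PROTECTION),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

    Run against periodic exports, a change of "protected" from True to
    False between two runs shows that the setting was altered.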