Tag Archives: Macro Virus

Don’t ‘Enable Macro if Data Encoding is Incorrect’!

30 January 2016

If you open a word document attached to an email and you see the message ‘Enable macro if data encoding is incorrect’ you are well on the way to become the victim of a cyber-attack:

Dridex malware requests to lower macor security

Dridex malware requests to lower macro security

Word blocked the auto-open macro in the document to prevent its execution. In the case of document ‘Fax 49 2232949992120160128232732.doc’ it’s about the trojan ‘W2KM_DRIDEX.BM’. Besides other malicious activities the macro downloads and executes the program g545.exe from a server hosted in the Russian Federation.

So far everything went well. Word was well secured and blocked the auto-open macro from executing the payload. The best way to go ahead is to close word and drop the email and the downloaded attachment.

But if you comply with the request and lower the macro virus settings in word you will be definitely tricked.

As always the first line of defense is a well-trained user who follows the commandments

  • ‘Think twice before you click on whatever links or attachments’,
  • ‘Never lower your security settings upon requests of whatever sources’ and
  • ‘Disable all macros with notification’ in Word Trust Center, section Macro Settings.

In the worst case it may come to a blackout in a country, done in Ukraine 23 December 2015.

Have a good weekend.

Marco viruses on the rise – The Sleeping Beauty slumber is over

28 February 2015

For some month reports about macro viruses are constantly appearing in the IT press. Although the latest report, ‘Macro viruses reemerge in Word, Excel files’, published by Michael Heller on the TechTarget platform SearchSecurity at 24 February 2015, could make us feel somewhat insecure, there is in my opinion no reason to panic.

From the statistics created by security firm Kaspersky, we see that attackers used Microsoft Office in 1% of all cases for the distribution of exploits in 2014. In total Kaspersky products detected and neutralized 6.167,233,068 cyber-attacks in 2014. This means that Word or Excel were used in 61,763,330 cyber-attacks, 2.3 times more than in 2013.

Sounds anything but dangerous. Moreover, we are better prepared than 15 years ago, when macro viruses were most popular. Many protection measures are common sense, but sometimes it’s good to recap.

With that, I suggest:

  1. Please make sure that your anti-malware program is always up-to-date.
  2. Configure Macro Settings in Microsoft Office Trust Center. Choose ‘Disable all macros with notification’ as default:

    Disable Macros With Warnings Settings in Trust Center

    ‘Disable all Macros With Notifications’ in Trust Center

  3. Use Windows Update to keep Microsoft Office and Windows up-to-date with the latest patches.
  4. On 64 bit Windows please activate ‘enhanced Protection Mode’ in Internet Explorer. This will force Windows to run Internet Explorer in Container Mode at low integrity level. In addition, please download all files to the default download location.
  5. Enable SmartScreen Technology in Internet Explorer. Malicious files are downloaded from malicious sites. SmartScreen Technology supports you by blocking downloads from known malicious sites.
  6. Try working with standard user rights. This limits the impact of an attack to the operating system
  7. The last and perhaps the most important rule: Think twice before you click on a word or excel file stored in an untrusted site. As a rule of thumb the entire Internet is an untrusted site, and of course all email attachments.

There’s really no need to panic. Macro viruses are no rocket science. The available protection measures are enough to deal with this old stuff.

Have a good weekend!