Preventing and Controlling Word Viruses

Macro viruses have become an unfortunate fact of life for millions of Word users. Whether you are responsible for Word running on only your computer, or for an entire workgroup or organization, you need to be aware of them, and you need to take precautions to minimize the risk of becoming infected.

Macro viruses are viruses written in a Word macro language?originally WordBasic, but now Visual Basic for Applications. Like other computer viruses, they have the capability to reproduce themselves and spread to other computers that share files. And, like other computer viruses, some macro viruses are merely annoying, whereas others can cause serious data loss. Because Visual Basic for Applications can take advantage of virtually all of Word's capabilities, including the capability to delete files, macro viruses can use these features as well.

Macro viruses take advantage of the remarkable flexibility provided by Word's architecture and macro languages. The classic macro virus, Concept, established a pattern followed by most macro viruses since. When you open a file infected with Concept, the macro virus copies itself into the template, and from there copies itself into new files.

To prevent your computer from becoming infected, start with the same common-sense precautions that smart computer users have always known: Open only those documents that come from sources you trust. In the age of the Internet, this is more of a challenge than ever?and more important than ever. Beyond using caution, you should take two steps to prevent virus infections:

  • First, use Word's built-in features, which deliver some protection against viruses but are not foolproof.

  • Layer on additional protection by using third-party virus protection software?and keeping it updated to keep pace with new viruses.

Understanding How Word Uses Trusted Publishers

Microsoft's approach to providing macro virus security focuses not on identifying viruses placed in macros but rather on providing tools for ensuring that users run macros from only those publishers that can be trusted. As already discussed, Word and Office 2003 support digital certificates, which are the electronic equivalent of ID cards for documents and templates that contain macros.

When a user opens a document or template that contains a digital certificate, Word responds differently depending on the security level set for it. Setting security levels in Word 2003 is covered in the following section.


It's important to note that, in theory, a virus author may obtain a digital certificate, or a legitimate macro author might inadvertently embed a virus in a file before applying a digital certificate to the file. However, using digital certificates and trusted publishers does reduce the risks of virus infections substantially.

Setting Security Levels for Word 2003

To specify a security level in Word 2003, chose Tools, Macro, Security. The Security dialog box opens, displaying the Security Level tab (see Figure 33.16).

Figure 33.16. The Security Level tab enables you to specify how Word should react when it encounters a file containing macros.


Here, you have three choices:

  • High? This is Word 2003's default setting. Word automatically opens documents that contain macros only if these documents have digital certificates from publishers the user has already precertified as trusted.

    If Word encounters a document with a digital certificate from another publisher, a dialog box appears, and the user is given the opportunity to add that publisher to the list of trusted publishers.

    If a document contains a digital certificate but verification fails, the document is opened with all macros disabled, and the user is warned that it could have a virus.

    In documents that contain macros without digital signatures, the document opens but the macros are disabled.

  • Medium? Word behaves the same as it would if you set High Security, with one exception. If you attempt to open a document or template containing macros and that file contains no digital signature, you are given a choice whether to enable or disable macros, or not to open the document at all.

    Often, the macro is perfectly benign?Word can't tell the difference. However, you're likely to receive some documents from people who don't normally embed macros in their files intentionally. In this case, you can contact them to see whether the macro is legitimate. In the meantime, you can open the document without activating the macros?or simply not work with it. (Medium Security is the same as Word 97's Macro Virus Protection option.)

  • Low? Word automatically opens all documents and templates with macros enabled.


Regardless of the setting you choose, Word always opens files that do not contain macros.

Reviewing Which Publishers Word Trusts

To see which publishers Word already trusts, display the Trusted Publishers tab of the Security dialog box (see Figure 33.17). If you want to remove a publisher from the list of trusted publishers, click Remove.

Figure 33.17. The Trusted Publishers tab shows which, if any, publishers of macros you have already stated that you trust.



To add names to this list, you must open a document or template that is digitally signed and then respond Yes to the query about whether to trust it.

By default, Word 2003 trusts any add-ins or templates you have already installed manually. If you prefer to apply your security settings to these as well, clear the Trust All Installed Add-Ins and Templates check box.


If you're an administrator for multiple computers, you can specify trusted publishers that all of them will recognize, using the Internet Explorer 6 Administration Kit.

How Word 2003 and Word 97 Handle Possible Viruses in WordBasic Macros

If you are upgrading to Word 2003 from Word 6 or Word 95, you need to understand how Word handles the WordBasic macros that may be stored in your data files. When you open a Word 6 or Word 95 template that contains a macro, Word converts the macro to Visual Basic for Applications. If it recognizes the macro as a virus, it simply refuses to translate the virus to VBA. You aren't notified of this decision; it takes place automatically.

Most Word 6/95 viruses are caught this way. However, a few have slipped through. In several cases, a virus mutated by being translated from WordBasic to Visual Basic in a beta version of Word 97 that didn't yet include macro recognition features. Having mutated, it later became established in Word 97?making Word 2003 potentially susceptible as well.

Third-Party Virus Prevention

None of the Microsoft virus protection solutions is foolproof. You need a third-party antivirus program that is updated regularly to reflect the growing number of new viruses. The leading third-party antivirus software packages are

  • Norton AntiVirus (

  • Network Associates' McAfee VirusScan (

Both companies now have packages designed specially for corporate use.


In Word 2003 and Office 2003, Microsoft has provided an Anti-Virus Application Programming Interface (API) that enables antivirus software to check files for viruses whenever users open them.


Although keeping your antivirus software up-to-date and avoiding opening files from untrusted publishers are the best precautions against virus infection, there are no certainties. New viruses are being written all the time, and each year fewer computers can be sufficiently isolated from the rest of the world.

Blocking Programmatic Access to Word and Office

In Office 2003, Microsoft provides an additional "brute force" solution for avoiding macro viruses: You can simply avoid using VBA at all. This is, in essence, equivalent to lobotomizing Word and Office: Features that require VBA?such as all of Word's wizards, many of its templates, and all of your custom commands?will simply no longer work. But if you have been suffering from ongoing virus infections and no other solution has been effective, you may want to consider this.

There are two ways to disable VBA:

  • You can install Office without VBA (or run a maintenance install that removes VBA). Run Setup, choose Add or Remove Features, right-click on Visual Basic for Applications, choose Not Available, and click Update.

  • You can centrally set system policies that disable access to VBA. Working with centralized system policies is beyond the scope of this book, but the system policies you are looking for can be found in Default Computer\Microsoft Office 2003\Security Settings. You can either disable VBA for all Office applications or set high security levels for Word and other individual Office applications. If you choose, you can instead disable VBA for a specific user, through Default User\Microsoft Office 2003\Security Settings\Disable VBA for ALL Office Applications.

    Part I: Word Basics: Get Productive Fast
    Part II: Building Slicker Documents Faster
    Part III: The Visual Word: Making Documents Look Great
    Part IV: Industrial-Strength Document Production Techniques
    Part VI: The Corporate Word