Excel Document Macro Viruses (DMVs) - DMV.XLS Joel McNamara -
joelm@eskimo.com 12/27/94

Visual Basic, Applications Edition (VBA) is Microsoft's effort to
provide a common macro language for all of its products.  It is an
extremely powerful language, and combined with automatic macros, offers
quite a bit of potential for targeting viruses or logic bombs against
selected users.

Microsoft Excel 5.0 was one of the first applications to implement VBA.
I've only performed a little research on it (Windows version) as a
potential trigger for files with DMVs.  DMV.XLS is a quick and dirty
demonstration of using VBA to infect Excel.  The actual commented code
is located in "Sheet01" of the workbook.  This DMV is harmless, and only
demonstrates potential malicious behavior.  (For background reading on
DMVs, refer to the DMV.DOC file - Word for Windows 6.0 format.)

Excel uses a file called GLOBAL.XLM to house global macros.  It also
features automatic macros.  DMV.XLS infects the GLOBAL.XLM file with a
DMV that executes when documents are closed.  Unlike the Word DMV.DOC
sample, individual data files are not infected (although it would seem
to be trivial to add the same functionality in Excel).

On the surface, Excel appears to provide greater virus risks than Word
since code can be triggered by events (double clicking, specified keys
being pressed, when data is entered, etc.).  VBA also offers some
amazing capabilities of targeting specific types of users.  This goes
way beyond the random, shotgun approach used in conventional viruses.
Additionally, as a common macro language, VBA offers the potential of
cross-application infections.

The DMV.XLS sample clearly demonstrates the chaos someone could spread
combining VBA and automatic macros.  It is another reason why software
manufacturers need to make changes to existing applications to provide
users with safeguards against malicious auto-macros.  A simple dialog
box that prompted whether an automatic macro should be executed would
eliminate most of these risks.