Security

What Is a Macro Virus and How to Stop it?

By Sydney Butler / January 4, 2021

The term "virus" actually refers to a wide variety of malicious software. For something to be a virus, it only has to be self-spreading and self-replicating. However, when it comes to programming languages or other aspects of software, viruses can come in many shapes and forms.

Macro viruses are a particularly interesting type of virus that takes advantage of macro language. These languages only work within the confines of other applications, but it solves one of the biggest hurdles for a virus creator: How to get people to execute your virus.

Viruses Have an Execution Problem

source code

For a virus to work, the computer it's stored on has to execute it. That's harder than it sounds. Only programs that have been authorized to run will execute on the processor. That permission has to come from the operating system. When it comes to non-system code, the OS will need permission from the user (or the administrator) before running any code.

When you double-click on an application, you tell the operating system that you want that code to run. A large part of writing a successful virus is about tricking the computer or the user into executing the code.

These days it's much harder to do because there are many fail-safes in place to limit malicious code, such as requiring administrator passwords to perform tasks that could potentially damage data. Users have learned not to simply run executable files that they don't know, such as those in email attachments. So one basic trick is to disguise the files as something else, such as an image or document. Something like "sexypicture.jpg.exe."

As users and antivirus software become smarter, these sorts of tricks are becoming obsolete. However, macro viruses can be carried in documents that aren't executables. Such as Word or Excel files. Which makes the problem of execution much easier.

Macros Explained

Right, so far, we know that macro viruses are carried in non-executable files such as Word or Excel documents. However, that doesn't explain what a "macro" is or what a macro programming language is.

A macro is a form of automation. It's basically a set of steps that saves the user or a programmer from having to tediously redo the same actions over and over again. In an application such as Microsoft Word, you can record a series of actions in the software as a macro and then replay it with a single click of a button. This can save a lot of time in cases where the same thing has to be done to documents over and over again. For example, adding a signature or formatting the document in a specific way.

While recording macros is a modern and convenient way of creating them, you can actually write a macro in code. Different applications will have their own macro languages, but the principle is the same. The macro is a list of instructions that are carried out by the main application.

That sounds innocent enough, but clever coders have found various ways in which to write macros that can actually harm the system they run on. They do this by finding exploits in what the host program (such as a word processor) can legitimately do. By combining these normal operations in specific ways, the main application becomes malicious.

What Do Macro Viruses Actually Do?

Broken computer

Since macro viruses simply consist of mundane commands, such as moving or clicking the mouse and manipulating text, they might not seem particularly dangerous. However, using the simple basic set of commands that a macro can execute, hackers have used macro viruses to do real damage. These viruses can format hard drives, corrupt data, create new files, send emails, ransom data, manipulate images, and more. So they are every bit as dangerous as more traditional executable viruses.

It's also possible for macro viruses to act as a way to execute other types of malware, running them when a user wouldn't have. That's pretty scary! Not only can a macro virus mess your computer up all by itself, but it can also load it full of other malware.

How Macro Viruses Spread

Emails Laptop Phone

One of the things that make macro viruses particularly nasty is the fact that they are operating system agnostic. They run on applications, not operating systems. So it doesn't matter if you're using Windows or Mac - if the targeted application uses the same macro language, then both systems can be infected.

Whenever you open an infected document or template file and the macro runs automatically, the infection spreads. Some macro viruses will write copies of themselves to network drives or any attached USB storage. One very common way they spread themselves is by emailing copies to the people in your email address book.

Signs and Symptoms of a Macro Virus Infection

So how would you even know that a macro virus has infected your computer? Because these viruses vary so much in what they do and how they work, there aren't really universal symptoms, but sometimes you can tell something is up.

One of the major signs that you've been infected will actually come from other people. If several people complain that they've received a weird email from you with an attachment, that's pretty much a guarantee that you've been hit with one of these viruses, especially if you remember opening a document from such a strange email yourself recently.

Any other strange behavior can also mean that a macro virus has its claws in you. For example, your computer may suddenly become unusable slow. You might see weird error messages pop up rapidly and then go away. New files and folders might appear on your disks, and so on.

How to Remove Macro Viruses

How To Permanently Remove Antivirus Software

Macro viruses exist within the infected documents themselves. So if you delete all of the files containing the macro virus, it will be gone. However, this is harder than it sounds since, as part of its payload, a macro virus may hide copies of itself all over the place. So, as you've probably guessed that the most effective way to get these viruses off your system is to use antivirus software - just make sure that macro viruses are a type of virus that package covers.

This is a particular issue on macOS and Linux systems, which can be affected by macro viruses since they are OS agnostic. However, the amount of potential damage may be more limited due to Unix-like operating systems' nature and how they handle user permissions.

In Microsoft Office apps such as Word, you can manually delete infected files and their macros as well. Just go to View>Macros>Organizer, and you can select and delete any files with macros you don't want.

Preventing Macro Viruses

The best way to prevent macro virus infection is to avoid opening documents that you aren't expecting, even if they come from someone you know. It's also helpful that most modern office suites have built-in protection against macro viruses. They'll open documents downloaded from the internet in read-only mode. That's why you see the "enable editing" button in Word when opening an attachment. You can also disable macros in each application's settings if you don't use them.

Macro viruses can be particularly difficult to prevent. Still, if you just keep in mind that spreadsheets or word processing documents can also be infectious, you'll at least stop to think before opening those attachments.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari