New MS Access Macro virus

A New Type of Virus?

We have seen (and announced here in the Stiller Research virus news pages) viruses written in the macro language for MS Word and MS Excel. These viruses all use the built-in BASIC-like macro language common to these products. The most common are the MS Word macro viruses, since it’s fairly common to exchange MS Word documents. Excel viruses have been much less common, since fewer people exchange spreadsheets with others.

There is a third major product in the Microsoft Office suite that uses a BASIC-like macro language (Visual Basic for Applications, or “VBA”): the database manager Microsoft Access®. It was only a matter of time before a macro virus would be written for MS Access, and we’ve now seen the first samples of such viruses.

The A97M/AccessIV Macro Virus
We’re tentatively calling these macro viruses A97M/AccessIV (this name was selected by some CARO members). One anti-virus company is calling this virus “JETDB_ACCESS-1” but this name is ill-advised since it matches some characters found in MS Access *.MDB (database) files, not just files infected by this virus.

In order to become infected by any MS Access macro virus, you must receive an infected *.MDB file and load it into MS Access. The existing MS Access macro viruses are somewhat buggy but can be coaxed to infect MS Access database files (*.mdb files).

AccessIV (the first such virus) consists of one macro, AUTOEXEC, which is automatically executed whenever an infected *.MDB file is loaded into Microsoft Access. Its code checks for a file with the “mdb” extension and copies itself to this file (effectively spreading the infection to this other database). The AccessIV virus is very simple-minded and will repeatedly infect the same database file (*.MDB file). In the original A97M/AccessIV.A virus, this search is limited to database files (*.mdb files) in the current directory, which substantially limits the possibility that AccessIV.A will spread. AccessIV.A does not do any deliberate destructive action (beyond spreading itself), but we have seen a new variant that attempts (and fails) to spread another simple DOS virus.

Note: you can use File/Open Database with the SHIFT key held down to stop the AUTOEXEC macro from executing and thereby avoid becoming infected by this virus. (This does not work if the virus infects a database where the developer has specified AllowBypassKey. This is rare.)

New Versions of the A97M/AccessIV Macro Virus Appear
(See also our description of the TOX MS Access Macro Virus.) The first version of AccessIV was specific to MS Access 97 (the version of MS Access that ships with MS Office 97). Only users of MS Access 97 could be infected by the original AccessIV macro virus but (as we predicted on this page) we have now seen two new versions of this virus. The first new variant of AccessIV is a simple conversion to infect MS Access 2.0 .mdb files. (These files are used in earlier versions of MS Access.) Unlike the original, this virus isn’t written in VBA but was converted to use the earlier MS Access 2 macro language.

This variant of the AccessIV macro virus also tries (unsuccessfully) to use the DOS debug program to insert a silly *.COM infecting virus on your PC. This variant (like the others) will repeatedly infect the same database (*.mdb file).

Hidden Virus Macros?
The AccessIV macro viruses contain no logic to conceal their viral macros so it’s normally quite easy to see if a database is infected by clicking on the “Macros” tab as described below. It’s possible for the AccessIV viruses to infect a file with hidden modules or macros. In this case the macros may not be visible. Fortunately, this is easy to circumvent by using Tools/Options/View in Access 97 to turn on view of hidden objects.
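
The same check can be scripted for a folder of received databases. The following is an added example, not part of the original article: it lists each file's macro objects through the DAO database engine rather than by opening the file in Access, so the AUTOEXEC macro is never started. The function name, the sample folder and the DAO ProgID are assumptions; the ProgID depends on which database engine is installed and must match the bitness of the PowerShell session.

```powershell
# Added example: report macro objects in *.mdb files without launching MS Access.
# Assumption: a DAO engine is registered under $DaoProgId (for instance
# DAO.DBEngine.120 with the Access Database Engine, DAO.DBEngine.36 with Jet 4).
function Get-MdbMacroReport {
    param(
        [Parameter(Mandatory)][string]$Directory,
        [string]$DaoProgId = 'DAO.DBEngine.120'
    )
    $engine = New-Object -ComObject $DaoProgId
    foreach ($file in Get-ChildItem -Path $Directory -Filter *.mdb -File) {
        $db = $null
        try {
            # OpenDatabase(name, exclusive, read-only): open read-only so the
            # file under inspection is not modified.
            $db = $engine.OpenDatabase($file.FullName, $false, $true)
            # Access stores its macros as documents in the "Scripts" container.
            $macros = @($db.Containers.Item('Scripts').Documents |
                        ForEach-Object { $_.Name })
            [pscustomobject]@{
                File        = $file.FullName
                Macros      = $macros -join ', '
                # -contains is case-insensitive: matches AUTOEXEC, AutoExec, autoexec.
                HasAutoExec = [bool]($macros -contains 'AutoExec')
                Error       = $null
            }
        }
        catch {
            # Files the installed engine cannot open (older format, password,
            # corruption) are reported rather than silently skipped.
            [pscustomobject]@{
                File        = $file.FullName
                Macros      = $null
                HasAutoExec = $null
                Error       = $_.Exception.Message
            }
        }
        finally {
            if ($db) { $db.Close() }
        }
    }
}

# Usage (hypothetical folder name):
# Get-MdbMacroReport -Directory 'C:\Incoming' | Format-Table -AutoSize
```

An AUTOEXEC macro is a normal Access feature, so a hit means the database deserves a closer look before it is opened in Access, not that it is infected.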

Should you be concerned about AccessIV?
There is no immediate threat from these viruses: they are not currently in the wild and may never be spreading in the wild. If you don’t accept .MDB files from other users, or don’t use MS Access, you are not vulnerable to this type of virus at all. If you *do* use MS Access and *do* need to accept databases (*.MDB files) from others, you can click on the “Macros” tab of the database window and spot these viruses. This situation may change, since future MS Access viruses may not be so easy to spot and may contain destructive triggers. Since MS Access macro viruses can be easily written, we expect more of them to appear, but we don’t expect them to become as widespread as current MS Word and Excel viruses. (We have recently seen the TOX MS Access Macro Virus.)

At this point, AccessIV is not in the wild (although the author of the virus is posting Usenet messages in an attempt to spread the virus) but we will no doubt see further MS Access macro viruses patterned on this one.
