F-MACRO - Scanner and disinfector for MS Word document macro viruses
Copyright (c) 1998 Data Fellows Ltd


OVERVIEW

F-MACRO is a DOS program which searches Word 6.x, 7.x and 97 documents
and Excel 6.x, 7.x and 97 documents for known Word and Excel macro
viruses. F-MACRO is able to disinfect them by disabling and
overwriting the viral macros. F-MACRO is able to parse the complex
OLE2 file structure of document files, making it very fast and
accurate.


TECHNOLOGY

This scanning and disinfection technology was developed by Data
Fellows Ltd for the commercial F-Secure Anti-Virus and F-PROT
Professional package. F-Secure Anti-Virus for Windows, Windows 95,
Windows NT and OS/2 as well as the realtime Windows VxD scanners have
these macro scanning features built in to their normal scanners.

If you are running a VxD-based background protection from the F-Secure
Anti-Virus suite, you will be notified of infected document files as
soon as you try to open or copy them, or when you receive such a
document as an e-mail attachment or download it from the WWW.
Disinfection can also be done in realtime. A VxD-based solution
provides significantly better protection than antivirus systems
relying on the Word or Excel macro language.

For more information on the F-Secure Anti-Virus suite, see the web
site of Data Fellows at http://www.datafellows.com/


USAGE

Give scan path or drive as the first parameter.

Options:

 /ALL       Scan files with any extension
 /APPEND    Used with /REPORT - append to existing report
 /AUTO      Automatic disinfection, no prompting
 /DISINF    Disinfect infected documents
 /HARD      Scan all hard disk partitions
 /LIST      List all scanned filenames
 /NOBREAK   Do not abort scan if ESC is pressed
 /NOSUB     Do not recurse sub-directories
 /NOXLS     Do not scan Excel worksheets
 /REMNANTS  Remove all macros when a new or modified variant is found
 /REMOVEALL Remove all macros from documents - infected or not
 /REPORT=   Send the output to a file
 /RERENAME  Rename previously renamed infected files (e.g. *.VOC -> *.DOC)
 /SILENT    Do not generate any screen output.

Examples:

     F-MACRO C:
     F-MACRO C:\DOCS /ALL /DISINF /AUTO
     F-MACRO Z:\USER\INFECTED.DOC /DISINF

F-MACRO returns the following errorlevels:

        0: No viruses found
        1: Error during execution - usually bad parameter
        2: Corrupted or old FSMACRO.DEF file
        3: Virus(es) found
        4: Not used
        5: Abnormal termination
        6: At least one virus was removed
        7: Not used
        8: Found something suspicious, but no viruses
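
The following DOS batch file is an added example, not part of the
original F-MACRO documentation or package. It runs a scan-only pass and
branches on the errorlevels listed above; the paths C:\DOCS and
C:\FMACRO.LOG are assumptions.

```bat
@ECHO OFF
REM Added example, not part of the F-MACRO package.
REM C:\DOCS and C:\FMACRO.LOG are assumed paths; change them to suit.
REM Scan only: without /DISINF nothing is modified.
F-MACRO C:\DOCS /ALL /NOBREAK /REPORT=C:\FMACRO.LOG

REM "IF ERRORLEVEL n" is true for any exit code of n OR HIGHER, so the
REM tests must run from the highest documented code down to the lowest.
IF ERRORLEVEL 9 GOTO UNKNOWN
IF ERRORLEVEL 8 GOTO SUSPECT
IF ERRORLEVEL 7 GOTO UNKNOWN
IF ERRORLEVEL 6 GOTO REMOVED
IF ERRORLEVEL 5 GOTO ABORTED
IF ERRORLEVEL 4 GOTO UNKNOWN
IF ERRORLEVEL 3 GOTO FOUND
IF ERRORLEVEL 2 GOTO BADDEF
IF ERRORLEVEL 1 GOTO BADPARM
ECHO No viruses found.
GOTO END

:SUSPECT
ECHO Something suspicious but no known virus. Check C:\FMACRO.LOG.
GOTO END
:REMOVED
REM Only expected when /DISINF is added to the command line above.
ECHO At least one virus was removed. Check C:\FMACRO.LOG.
GOTO END
:FOUND
ECHO VIRUS FOUND. Nothing was changed. Check C:\FMACRO.LOG.
GOTO END
:ABORTED
ECHO Abnormal termination. The scan is incomplete, not clean.
GOTO END
:BADDEF
ECHO FSMACRO.DEF is corrupted or old. The scan is not valid.
GOTO END
:BADPARM
ECHO Error during execution, usually a bad parameter. Not a clean result.
GOTO END
:UNKNOWN
ECHO Undocumented errorlevel. Treat the scan as failed.
:END
```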

Notes:

F-MACRO does NOT disinfect anything by default. You need to turn
disinfection on by specifying the /DISINF parameter.

We recommend you make a backup copy of important document files before
disinfecting them, just to be safe.

In order to be able to scan all document files, Word and Excel should
be closed down before running F-MACRO: otherwise it will keep
NORMAL.DOT and possibly other files locked. F-MACRO will give a
warning message on locked files.

If you have document files with non-standard extensions (something
other than DOC, DOT or XLS), use the /ALL parameter to check all files.

The difference between the /REMOVEALL and /REMNANTS switches is that
/REMOVEALL will remove macros from any document that has macros.
/REMNANTS does this only if it finds a "New or modified variant" of a
virus in the document. /REMOVEALL is used as a stand-alone parameter;
/REMNANTS has to be used together with /DISINF. Do not run /REMOVEALL
on all of your hard drive: it will remove all macros from all
documents.

IMPORTANT: If you find a new variant of a macro virus, please send a
sample of it for closer analysis so we can add direct support for it
to future versions of F-MACRO. See the section SUPPORT AND VIRUS
SAMPLES below for more information.

Infected DOC files are always templates in structure, regardless of the
file extension (normal extension for templates is DOT). Only templates
can contain macros. A side-effect of this is that infected files can
usually be saved by Word only as templates and only to the default
template directory.

When disinfecting infected files, F-MACRO will normally change the file
back to a normal document. However, some files have originally been
templates so F-MACRO tries to determine this and preserve them as
templates after disinfection.

If the file contains extra macros after disinfection, it has probably
been a template in the first place and will not be changed to a
document by F-MACRO. The same will happen if:

- The document contains user-defined menus or toolbars
- The filename extension of the file was DOT
- The filename of the file was NORMAL

If you still get false alarms from another virus scanner after already
disinfecting the virus, or if the file is still a template and you want
to turn it to a normal document (templates can only be saved to the
template directory), you can follow these steps:

 1) Double-check that you have already cleaned the document
 2) Open it in Word
 3) Select all (Ctrl-A)
 4) Copy (Ctrl-C)
 5) Close the file
 6) Create a new file (Ctrl-N)
 7) Paste (Ctrl-V)
 8) Choose File/Save As and save the file over the original file


SUPPORT AND VIRUS SAMPLES

For general info on macro viruses, see the macro section at
http://www.datafellows.com/. For technical support, contact
F-MACRO-Support@datafellows.com. To send samples of new or suspected
viruses, send them to Samples@DataFellows.com or upload to our FTP
site at

        ftp://ftp.Europe.DataFellows.com/incoming


UPDATES

Updates, when available, can be downloaded from the Data Fellows WWW
and ftp sites at these locations:

        http://www.datafellows.com/gallery/
        http://www.europe/datafellows.com/gallery/
        ftp://ftp.datafellows.com/pub/anti-virus/tools/f-macro.zip
        ftp://ftp.europe.datafellows.com/pub/anti-virus/tools/f-macro.zip

Normally only the FSMACRO.DEF definition file is updated. The latest
FSMACRO.DEF is always inside the F-MACRO.ZIP file and is also
downloadable separately. Note that the old-style MACRO.DEF file is not
used any more.

The Data Fellows web site has up-to-date descriptions of the operation
and effects of these macro viruses; see

        http://www.datafellows.com/macro/
        http://www.datafellows.com/vir-info/


HISTORY

Use "F-MACRO /IDENTIFICATION" for a full list of viruses identified by
this version.

2.12a: Fixed a problem on scanning write-protected 97 documents.
Infected documents were reported as corrupted instead of infected.
Occasional "runtime error 6xxx" messages were shown at the end of the
scan.

   run-time error R6001
    - null pointer assignment

They were caused by the write-protected Office 97 documents.

2.12b: Switch /DOSREPORT was added to format the report
(/REPORT=filename) in DOS mode, i.e. the lines end with carriage
return-line feed instead of the current line feed only.

3.0a: Added support for the new-style FSMACRO.DEF definition file.
Old-style MACRO.DEF is not used any more.

Ctrl+C and Ctrl+Break cannot be used to stop the execution anymore
when command line parameter /NOBREAK is used.

Sharing violation errors should not be shown any more.

When some files were disinfected their size was multiplied at
disinfection. Fixed.

Scanning of directories with special characters (> ASCII 128) should
now work.

Scans inside encrypted Word 6/7 documents.

Heuristics added for Word 6/7 documents.

F-MACRO is now able to repair some corrupted Excel files ("module not
found" message) if run with the /REPAIRXLS switch. Do note that not
all corrupted files can be fixed.

Changed reporting strings from "WordMacro" to "WM", "ExcelMacro" to
"XM" etc.

3.0c: Random documents were reported as corrupted in 3.0a. Fixed.

RTF was added among the default extensions to scan.

Scanning any Excel file used to set the error level. Fixed.

Error level 2 is now returned in case of corrupted or old FSMACRO.DEF.


LEGAL

F-MACRO is protected by international copyright laws. F-MACRO is (c)
1998 Data Fellows Ltd, and it is not in public domain or freeware, but
you are free to use and share this software with no charges. You can
not get the source code of this program. You are not allowed to
decompile and reuse the program code of this application. You are not
allowed to resell this software for your own profit (normal copying
costs excluded) or claim to hold rights to this software. Although you
may have the right to use F-MACRO, it will remain the exclusive
property of Data Fellows. Data Fellows does not warrant that the
software is error free and we will not cover any costs created by
function or malfunction of this program. Data Fellows also disclaims
liability for possible consequential damages. To purchase a license
for the full F-Secure Anti-Virus product, contact your local
distributor listed in PRO.TXT. Please redistribute F-MACRO only with
this documentation. If you cannot agree to these restrictions, you
should not use F-MACRO.

Copyright (c) 1998 Data Fellows Ltd, Finland
