System, apparatus and method for the detection and removal of viruses in macros

US 5,951,698 A
Filed: 10/02/1996
Issued: 09/14/1999
Est. Priority Date: 10/02/1996
Status: Expired due to Term

First Claim

Patent Images

1. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:

obtaining comparison data including information for detecting a virus;

retrieving a macro;

decoding the macro to produce a decoded macro; and

scanning the decoded macro for a virus by comparing the decoded macro to the comparison data;

wherein the comparison data includes a first suspect instruction identifier and a second suspect instruction identifier;

wherein the scanning the decoded macro comprises;

determining whether the decoded macro includes a first portion which corresponds to the first suspect instruction identifier;

determining whether the decoded macro includes a second portion which corresponds to the second suspect instruction identifier;

determining that the decoded macro includes the virus if the decoded macro includes the first and second portions; and

wherein the first suspect instruction identifier identifies a macro virus enablement instruction.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Reexaminations

Accused Products

Abstract

The detection and removal of viruses from macros is disclosed. A macro virus detection module includes a macro locating and decoding module, a macro virus scanning module, a macro treating module, a file treating module, and a virus information module. The macro locating and decoding module determines whether a targeted file includes a macro, and, where a macro is found, locates and decodes it to produce a decoded macro. The macro virus scanning module accesses the decoded macro and scans it to determine whether it includes any viruses. Unknown macro viruses are detected by the macro virus scanning module by obtaining comparison data that includes sets of instruction identifiers from the virus information module and determining whether the decoded macro includes a combination of suspect instructions which correspond to instruction identifiers. The macro treating module locates suspect instructions in the decoded macro using the comparison data and removes the suspect instructions to produce a treated macro. The file correcting module accesses a targeted file with an infected macro and replaces the infected macro with the treated macro produced by the macro treating module.

Citations

25 Claims

1. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- obtaining comparison data including information for detecting a virus;
  
  retrieving a macro;
  
  decoding the macro to produce a decoded macro; and
  
  scanning the decoded macro for a virus by comparing the decoded macro to the comparison data;
  
  wherein the comparison data includes a first suspect instruction identifier and a second suspect instruction identifier;
  
  wherein the scanning the decoded macro comprises;
  
  determining whether the decoded macro includes a first portion which corresponds to the first suspect instruction identifier;
  
  determining whether the decoded macro includes a second portion which corresponds to the second suspect instruction identifier;
  
  determining that the decoded macro includes the virus if the decoded macro includes the first and second portions; and
  
  wherein the first suspect instruction identifier identifies a macro virus enablement instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - removing the virus from the macro to produce a treated macro if the scanning the decoded macro indicates that the macro is infected with the virus.
  - 3. The method of claim 1, wherein the retrieving a macro comprises:
    - accessing a targeted file;
      
      determining whether the targeted file is a template file;
      
      if the targeted file is not a template file, determining whether the targeted file includes an embedded macro; and
      
      if the targeted file includes an embedded macro, locating the embedded macro.
  - 4. The method of claim 1, wherein the second suspect instruction identifier detects a macro virus reproduction instruction.
  - 5. The method of claim 1, wherein the removing the virus comprises:
    - locating a first suspect macro instruction in the decoded macro which corresponds to the first suspect instruction identifier; and
      
      removing the first suspect macro instruction.
  - 6. The method of claim 5, wherein the removing the first suspect macro instruction includes replacing the first suspect instruction with a benign instruction.
  - 7. The method of claim 5, wherein the removing the virus comprises:
    - locating a second suspect macro instruction in the decoded macro which corresponds to the second suspect instruction identifier; and
      
      removing the second suspect macro instruction from the decoded macro to produce a treated macro.
  - 8. The method of claim 1, wherein the comparison data includes a plurality of sets of suspect instruction identifiers.

9. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- obtaining comparison data including information for detecting a virus;
  
  retrieving a macro;
  
  decoding the macro to produce a decoded macro;
  
  scanning the decoded macro for a virus by comparing the decoded macro to the comparison data; and
  
  removing the virus from the macro to produce a treated macro if the step of scanning the decoded macro indicates that the macro is infected with the virus;
  
  verifying the integrity of the treated macro; and
  
  replacing the infected macro in a targeted file with the treated macro dependent upon the integrity verification of the treated macro.

10. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- obtaining comparison data including information for detecting a virus;
  
  retrieving a macro;
  
  decoding the macro to produce a decoded macro;
  
  scanning the decoded macro for a virus by comparing the decoded macro to the comparison data;
  
  wherein the comparison data includes a first suspect instruction identifier and a second suspect instruction identifiers; and
  
  wherein a first set of respective first and second suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80.
- View Dependent Claims (11)
- - 11. The method of claim 10, wherein a second set of respective first and second suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of respective first and second suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of respective first and second suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F 47, and a fifth set of respective first and second suspect instruction identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

12. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- retrieving a macro;
  
  obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier; and
  
  determining that the macro is infected with the virus if the macro includes the first and second portions;
  
  wherein the first suspect instruction identifier includes the string 73 CB 00 0C 6C 01 00 and the second suspect instruction identifier includes the string 67 C2 80.
- View Dependent Claims (13, 14, 15, 16, 17)
- - 13. The method of claim 12, further comprising:
    - treating the macro to produce a treated macro if it is determined that the macro includes the first and second portions.
  - 14. The method of claim 13, wherein the treating the macro comprises:
    - locating a first macro instruction in the infected macro which corresponds to the first suspect instruction identifier; and
      
      removing the first macro instruction from the infected macro to repair the infected macro.
  - 15. The method of claim 14, wherein the treating the macro comprises:
    - locating a second macro instruction in the infected macro which corresponds to the second suspect instruction identifier; and
      
      removing the second macro instruction from the infected macro to repair the infected macro.
  - 16. The method of claim 12, wherein the retrieving a macro comprises:
    - accessing a targeted file; and
      
      determining whether the targeted file is a template file;
      
      if the file is not a template file, determining whether the targeted file includes an embedded macro; and
      
      if the file includes an embedded macro, locating the embedded macro.
  - 17. The method of claim 12, wherein the comparison data includes a plurality of sets of suspect instruction identifiers.

18. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- retrieving a macro;
  
  obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
  
  determining that the macro is infected with the virus if the macro includes the first and second portions,wherein the comparison data includes a plurality of sets of respective first and second suspect instruction identifiers; and
  
  wherein a first set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set of suspect instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F 47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

19. In a computer system comprising a processor and a memory, a method for detecting viruses in macros, the method comprising:
- retrieving a macro;
  
  obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier;
  
  scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
  
  determining that the macro is infected with the virus if the macro includes the first and second portions; and
  
  treating the macro to produce a treated macro if it is determined that the macro includes the firs and second portions, further comprising;
  
  accessing a targeted file;
  
  locating a macro within the targeted file;
  
  removing the macro from the targeted file; and
  
  adding the treated macro to the targeted file to produce a corrected file.

20. An apparatus for detecting viruses in macros, the apparatus comprising:
- a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
  
  a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier;
  
  a macro locating and decoding module, in communication with the macro virus scanning module, for accessing a targeted file, determining whether the targeted file is a template file, determining whether the targeted file includes an embedded macro, and decoding the macro to produce a decoded macro;
  
  a macro treating module, in communication with the virus information module, for accessing the decoded macro and removing a first macro instruction which corresponds to the first suspect instruction identifier and a second macro instruction which corresponds to the second suspect instruction identifier to produce a treated macro; and
  
  a file correcting module, in communication with the macro treating module, for accessing the targeted file, locating the macro within the targeted file, removing the macro from the targeted file and adding the treated macro to the targeted file to produce a corrected file.
- View Dependent Claims (21)
- - 21. The apparatus of claim 20, wherein the comparison data includes a plurality of sets of suspect instruction identifiers.

22. An apparatus for detecting viruses in macros, the apparatus comprising:
- a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier; and
  
  a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier, wherein the first instruction identifier includes the string 73 CB 00 0C 6C 01 00 and the second suspect instruction identifier includes the string 67 C2 80.

23. An apparatus for detecting viruses in macros, the apparatus comprising:
- a virus information module, for storing comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier; and
  
  a macro virus scanning module, in communication with the virus information module, for receiving the comparison data and scanning a macro to determine whether the macro includes a first portion which corresponds to the first suspect instruction identifier and a second portion which corresponds to the second suspect instruction identifier;
  
  wherein the comparison data includes a plurality of sets of respective first and second suspect instruction identifiers; and
  
  wherein a first set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 67 C2 80, a second set of suspect instruction comprises the strings 73 CB 00 0C 6C 01 00 and 64 6F 02 67 DE 00 73 87 01 12 73 7F, a third set of suspect instruction identifiers comprises the strings 73 CB 00 0C 6C 01 00 and 6D 61 63 72 6F 73 76 08, a fourth set of suspect instruction identifiers comprises the strings 12 6C 01 00 and 64 67 C2 80 6A 0F 47, and a fifth set of suspect instruction identifiers comprises the strings 79 7C 66 6F 72 6D 61 74 20 63 6A and 80 05 6A 07 43 4F 4D.

24. An apparatus for detecting viruses in macros, the apparatus comprising:
- means for obtaining comparison data for detecting a virus, the comparison data including a first suspect instruction identifier and a second suspect instruction identifier;
  
  means for scanning the macro to determine whether a macro includes a first portion which corresponds to the first suspect instruction identifier;
  
  means for scanning the macro to determine whether the macro includes a second portion which corresponds to the second suspect instruction identifier;
  
  means for determining that the macro is infected with the virus if the macro includes the first and second portions;
  
  means for accessing a targeted file and determining whether the targeted file includes a macro; and
  
  means for correcting a file, the means for correcting a file including means for accessing the targeted file, means for removing the macro from the targeted file and means for adding the treated macro to the targeted file to produce a corrected file.
- View Dependent Claims (25)
- - 25. The apparatus of claim 24, further comprising:
    - means for locating a first macro instruction and a second macro instruction within the macro which respectively correspond to the first suspect instruction identifier and the second suspect instruction identifier; and
      
      means for removing the first macro instruction and the second macro instruction from the macro to produce a treated macro.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Ro, Jonny T., Deng, Ming M., Chi, Leta M., Chen, Eva Y.
Primary Examiner(s)
BADERMAN, SCOTT T

Application Number

US08/724,949
Time in Patent Office

1,077 Days
Field of Search

395/183.14, 395/183.15, 395/183.13, 395/183.08, 395/183.09, 395/704, 395/186, 395/188.01, 395/187.01, 380/3, 380/4
US Class Current

714/38.1
CPC Class Codes

G06F 21/563 by source code analysis

System, apparatus and method for the detection and removal of viruses in macros

First Claim

2 Assignments

0 Petitions

Reexaminations

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System, apparatus and method for the detection and removal of viruses in macros

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Reexaminations

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links