Generic detection and elimination of marco viruses
First Claim
1. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
- analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment;
when the code contains instructions causing a macro to be moved to a global environment, flagging said macro;
analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and
when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus.
5 Assignments
0 Petitions
Accused Products
Abstract
A computer-implemented method, apparatus, and computer readable medium for detecting publicly identified and publicly unidentified macro viruses within code (15) adapted for use on a digital computer (1). A detection module (17) analyzes the code (15) to determine whether the code (15) contains instructions causing a macro (8) to be moved to a global environment (13), and whether said code (15) also contains instructions causing the same macro (8) to be copied to a local document (11). When these two conditions are satisfied, detection module (17) declares that a macro virus is present within the code (8). A repair module (19) can be coupled to the detection module (17) and to the code (15) for deleting the code (15) when the detection module (17) declares that the code (15) contains a macro virus. If the user of the detection module (17) is willing to accept a slight penalty in terms of increased detection time, detection module (17) can be made to handle string concatenation operators, proxied variable names, program calls, and/or substituted object names.
113 Citations
16 Claims
-
1. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus. - View Dependent Claims (2, 3, 4, 11, 12)
-
-
5. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus;
wherein;the code is written in the Visual Basic language; and the step of analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment comprises determining whether a SaveAs command is present in the code.
-
-
6. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus;
wherein;the code is written in the Visual Basic language; and the step of analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document comprises determining whether a Copy command is present in the code.
-
-
7. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus; wherein each analyzing step concatenates strings when said analyzing step encounters a concatenation operator within the code.
-
-
8. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus; wherein each analyzing step makes substitutions for variable names when the code contains variable names that are proxied.
-
-
9. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus; wherein each analyzing step traces the values of parameter variables when the code contains instructions that are invoked by other code.
-
-
10. A computer-implemented method for detecting a macro virus in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus; wherein each analyzing step substitutes object names when the code is written in an object oriented programming language and when the code contains substituted object names.
-
-
13. A computer-implemented method for detecting publicly identified and publicly unidentified macro viruses in code adapted for use on a digital computer, said method comprising the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code does not contain instructions causing a macro to be moved to a global environment, declaring that no macro virus is present; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether said code contains instructions causing the flagged macro to be copied to a local document; when the code does not contain instructions causing the flagged macro to be copied to a local document, declaring that no macro virus is present; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus.
-
-
14. Apparatus for detecting publicly identified and publicly unidentified macro viruses, said apparatus comprising:
-
a digital computer having at least one storage device; associated with said digital computer, code containing computer instructions; an application program associated with said computer; a global environment associated with said application program; at least one local document generated by said application program and located within said storage device; and a detection module coupled to said code, said detection module analyzing said code and making the determination that a macro virus is present when said code contains instructions causing a macro to be moved to a global environment and said code also contains instructions causing the same macro to be copied to a local document. - View Dependent Claims (15)
-
-
16. A computer readable medium containing a computer program for detecting a macro virus in code adapted for use on a digital computer, said program containing instructions for performing the steps of:
-
analyzing the code to determine whether said code contains instructions causing a macro to be moved to a global environment; when the code contains instructions causing a macro to be moved to a global environment, flagging said macro; analyzing the code to determine whether the code contains instructions causing the flagged macro to be copied to a local document; and when the code contains instructions causing the flagged macro to be copied to a local document, declaring that said flagged macro contains a macro virus.
-
Specification