Situation:
You have at least one Microsoft Word document that is infected with a macro virus. Norton AntiVirus (NAV) detects the virus, but it cannot repair the document, or if the document is repaired, then the infection later reappears.

Solution:
This document provides information on:

• How to ensure that NAV is correctly detecting and removing macro viruses from your computer or network
• How to remove a macro virus manually from a document
• How to submit a virus sample to the Symantec Security Response

What you need to do will depend on your situation. Some procedures, for example, are specific to networks. We recommend that you first read this document, and then follow the instructions, in the order given, that apply to your situation.

For stand-alone computers and workstations
The following are specific to stand-alone computers:

• Verify that the system is running one of the currently supported versions of Norton AntiVirus. Older version may not be able to repair current macro viruses. The latest version of NAV is Norton AntiVirus 2001. Follow these steps to determine your version:
  1. Start NAV (or Norton SystemWorks, if you have that product installed).
  2. Click the Help menu, and then click About Norton AntiVirus. If you have Norton SystemWorks, then click the Help menu, click About Norton SystemWorks, and then click the Norton AntiVirus tab.
• If you are running Windows 95 or 98, follow these steps to increase the Files= statement in the Config.sys file to 150.
  1. Click Start, then click Run. The Run dialog box appears.
  2. Type sysedit and then press Enter. The System Configuration Editor opens.
  3. Click the Config.sys window.
  4. Locate the line that begins with Files=. Change the line to read Files=150 (If the Config.sys file is blank, or if it does not contain a Files= statement, add it on a separate line.
  5. Save the changes, exit the editor, and then restart the computer.

For networks
The following are specific to a network environment:

• Make sure all NetWare servers have Real-Time Scanning enabled, and are scanning both incoming and outgoing files using the default options.
• Make sure all servers are running a supported version of Norton AntiVirus.

General
Please verify or perform all of the following before attempting to repair a macro virus:

• Run LiveUpdate or the latest Intelligent Updater to ensure that NAV is using the latest virus definitions.
  • Start NAV or SystemWorks and click LiveUpdate. For information on running LiveUpdate, see How to Run LiveUpdate.
  • For information about Intelligent Updater, see How to Obtain Virus Definition Files Using the Intelligent Updater.
• Ensure that all workstations and NT servers are running Auto-Protect with default options (or with Administrator approved changes).
• Run a scan of all hard drives on each workstation and each server. Make sure to scan all files. Please follow these steps for current workstation or stand-alone versions:
  
  NOTE: Scan all files is now the recommended setting. Previous versions of NAV scanned program files only as the default.
  
  1. Start NAV, and then click Options. If you are running Norton SystemWorks, then start SystemWorks, click the Options menu, and then click Norton AntiVirus.
  2. Click Manual Scans.
  3. Click All files for the File types to scan.
  4. Click Auto-Protect.
  5. Click All files for the File types to scan.
  6. Click OK.
     
     NOTE: These steps will vary slightly depending on your version of NAV. For more information, click Help, click the Index tab, then search for "scanner settings" and "Auto-Protect settings."
     
• Repair or remove all infected files.
• Search for and remove files with a .vir extension. These files are backup copies that NAV makes before attempting a repair. Verify that the original file (or a recent uninfected backup copy) is functional before deleting the .vir copy.
  1. Click Start, point to Find, and then click Files or Folders. The Find dialog box appears.
  2. Type *.vi? in the Named box.
  3. Select the drive on which NAV is installed in the Look in list box.
  4. Check Include subfolders.
  5. Click Find Now.
  6. Move the files to an external media such as a floppy disk. (If you are sure that you no longer need the backup file, then you may delete it.)

Disable password protection:
Failure to remove a macro may occur in some cases because the Microsoft Word document is password protected. Please follow these steps to remove the password protection:

1. Right-click the NAV Auto-Protect icon in the System Tray, and then click Disable Auto-Protect.
2. If the infected document is in Quarantine, start NAV, open Quarantine, and then restore the document.
3. Remove the password protection from the document. The exact procedure for removing the password will vary depending on whether the document is a Microsoft Word document or an Excel spreadsheet, and which version of those products you are using. See your Word documentation for details.
4. Close the document, and then close the associated program.
5. Start Norton AntiVirus, and then scan all hard drives.
6. Norton AntiVirus should detect the infected document and prompt you for a repair. Without password protection, NAV should be able to repair the file.
7. Right-click the NAV Auto-Protect icon in the System Tray, and then click Enable Auto-Protect.

If NAV still cannot repair the document, then go on to the next section. If you later decide to submit the file to the Symantec Security Response, then be sure that the password has been removed; please do not just send the password to Symantec Security Response.

NOTE: For additional information on password-protected documents, see the document How does Norton AntiVirus handle password-protected Microsoft Word and Excel documents?

How to remove macro viruses manually
If NAV cannot repair the infected document, then you can, in most cases, manually remove it and recover the text. Please follow these steps:

NOTE: These steps will remove the virus from infected documents and from the Normal.dot template. They should be performed only after performing the procedures in the previous sections. If the virus that is creating the infected macros is still on your system or network, the infection will recur the next time the infected document is opened.

WARNING: You will be making changes to Microsoft documents that are suspected of being infected with a macro virus. We recommend that you make a backup of the suspect documents to clearly labeled external media such as a floppy disk.

1. Rename the Normal.dot template file. The Normal.dot file contains formatting and toolbar settings. Renaming it will cause these settings to be lost when Word is restarted and the file is recreated.
   1. Click Start, point to Find, and then click Files or Folders. The Find dialog box appears.
   2. Type normal.dot and then click Find Now.
   3. Right-click the file name, and then click Rename.
   4. Type normal.old and then press Enter.
   5. Close the Find dialog box.
2. Open an infected document and remove all macros.
   1. Start Word.
   2. Click the File menu, and then click Open.
   3. Browse to the folder that contains the infected file, and select it.
   4. Press and hold the Shift key, then click Open. Continue to hold down the Shift key until the file opens. Holding down the Shift key while opening a file prevents any macros from running.
   5. Choose the Tools menu, point to Macro, and then click Macros. The Macros dialog box appears.
   6. Select all active templates and documents in the Macros in the drop-down list box.
   7. Select the viral macro, and then click Delete. Click Yes to confirm.
   8. Repeat Step 7 previous step for all macros.
   9. Click Close.
3. Copy and paste the text to a new document.
   1. Click the Edit menu and click Select All.
   2. Press Shift+Left Arrow to deselect the last paragraph marked in the document.
   3. Click the Edit menu, and then click Copy.
   4. Click the File menu, and then click New. The New dialog box appears.
   5. Select the template you want, and then click OK.
   6. Click the Edit menu, and then click Paste.
   7. Open the Macros dialog box and ensure that the viral macros have not replicated, (Steps 5 through 8 in the previous procedure "Open an infected document and remove all macros.")
   8. Save the document.
   9. Repeat the procedures in "Open an infected document and remove all macros" and "Copy and paste the text to a new document" for any documents that you think may contain a macro virus.

If your system still has a virus
If you have followed all procedures in this document and the virus still exists, we recommend you submit a sample to the Symantec Security Response. For complete information on how to submit a sample, see your NAV User's Guide or How to submit a file to Symantec Security Response using Scan and Deliver.

Document ID: 1999121609003806
Last Modified: 03/07/2005
Date Created: 12/16/1999
Operating System(s): Windows 95, Windows NT 4.0, Windows 98, Windows 2000, Windows Me, Windows 95B, Windows 98 SE, Windows XP Home Edition, Windows XP Professional Edition
Product(s): Norton AntiVirus 2003, Norton AntiVirus 2003 Professional Edition