The computer underground continues its assault on Microsoft Office applications, which fall victim one after another. Just over six months have passed since the appearance of the first Microsoft Access virus, and now developers of antivirus programs have come up against yet another problem: the first virus to infect Microsoft PowerPoint presentation files was identified at the beginning of December 1998.
As with other viruses that infect MS Office applications (Word, Excel, and Access), the new virus is a macro program based on the Visual Basic for Applications (VBA) programming language that is built into MS Office, and uses the same methods of reproduction: the virus intercepts some system events, upon which the virus code is activated. Next, uninfected MS PowerPoint presentation files are sought on the disk and the virus code is copied into them.
Since presentation files are relatively rarely transferred from computer to computer, it is most likely that macro viruses that infect PowerPoint files will not be the cause of global virus epidemics, as was the case with epidemics of the "Concept" and "CAP" Word viruses and the "Laroux" Excel virus. However, this type of virus should not be ignored: since VBA is common to all Office applications, the appearance of viruses that infect not only PowerPoint, but also Word documents and Excel worksheets, is completely feasible. As a result, if such a virus penetrates a system, removing the virus from infected Word and Excel files will not be sufficient since, if it has infiltrated a PowerPoint file, the virus will be activated and the system will become reinfected every time the presentation is run.
In addition, MS PowerPoint permits Word documents and Excel worksheets to be inserted in their entirety into presentation files, from first byte to last. Obviously, if an inserted document or worksheet was already infected with a Word or Excel virus, then when the presentation is run, such a macro virus will be "free to roam."
Particular attention should also be devoted to the complexity of storage formats for macros in PowerPoint files. Despite the fact that PowerPoint viruses employ the same reproduction principles as the long-familiar Word and Excel viruses, developers of antivirus programs will have to significantly modify procedures for searching for and deactivating macro programs, since the format for storing macros in MS PowerPoint differs significantly from the formats used in Word and Excel. Macro storage formats in PowerPoint files have a more complex structure than Word or Excel macros, whose code is located in a special data stream that is one of the standard data blocks in document and worksheet files. PowerPoint macros are stored in a data stream (similar to Word and Excel macros) that has been compressed using a ZIP-like method, and the compressed result is located in a special PowerPoint data stream. Thus, in order to get to the infected macro, antivirus programs will have to perform, step by step, three "onion-peeling" operations: first, "extract" the compressed data from the PowerPoint file, then uncompress the data, and only then proceed with analyzing the data streams containing the macro code.
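The first two "onion-peeling" steps, sketched as an added example that is not part of the original release or of AVP's code. It assumes the "PowerPoint Document" stream has already been read out of the presentation's compound file, takes the record layout (8-byte record headers, record type 0x1011, instance 1 meaning a 4-byte size followed by zlib data) from Microsoft's published [MS-PPT] format specification rather than from this page, and runs on a constructed sample stream.

```python
import struct
import zlib

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # compound-file signature
RT_EXTERNAL_OLE_OBJECT_STG = 0x1011             # record type from [MS-PPT]

def iter_records(buf, start=0, end=None):
    """Yield (ver, instance, type, payload) for every record, depth-first."""
    end = len(buf) if end is None else end
    pos = start
    while pos + 8 <= end:
        ver_inst, rec_type, rec_len = struct.unpack_from("<HHI", buf, pos)
        body, stop = pos + 8, pos + 8 + rec_len
        if stop > end:      # corrupt or truncated length: stop, never over-read
            return
        ver, inst = ver_inst & 0xF, ver_inst >> 4
        yield ver, inst, rec_type, buf[body:stop]
        if ver == 0xF:      # container: its payload is a run of child records
            yield from iter_records(buf, body, stop)
        pos = stop

def extract_ole_storages(stream, max_size=64 * 1024 * 1024):
    """Steps 1 and 2: pull out embedded storages and decompress them."""
    found = []
    for ver, inst, rec_type, payload in iter_records(stream):
        if rec_type != RT_EXTERNAL_OLE_OBJECT_STG or ver == 0xF:
            continue
        data = payload                      # instance 0: stored uncompressed
        if inst == 1:                       # instance 1: size + zlib data
            if len(payload) < 4:
                continue
            try:                            # cap output to resist zip bombs
                data = zlib.decompressobj().decompress(payload[4:], max_size)
            except zlib.error:
                continue
        if data.startswith(OLE_MAGIC):      # step 3 starts from this storage
            found.append(data)
    return found

def _rec(ver, inst, rec_type, payload):
    header = struct.pack("<HHI", ver | (inst << 4), rec_type, len(payload))
    return header + payload

def build_sample_stream():
    """Constructed input, not taken from any real presentation."""
    inner = OLE_MAGIC + b"constructed placeholder storage"
    stg = struct.pack("<I", len(inner)) + zlib.compress(inner)
    container = _rec(0xF, 0, 0x03E8, _rec(0, 0, 0x0FBA, b"slide text"))
    return container + _rec(0, 1, RT_EXTERNAL_OLE_OBJECT_STG, stg)
```

Each returned blob is itself a compound file; the third step, analyzing the macro streams inside it, proceeds as for Word and Excel and is not shown here.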
The appearance of a PowerPoint virus was not unexpected. The possibility of the existence of such a class of virus was discussed over a year ago. It should be noted, however, that the procedures required to search for PowerPoint viruses were developed and incorporated into AVP long before the appearance of the first PowerPoint virus, and the next update already permits this new class of virus to be detected without problems.
Technical description.
Macro.PPoint.Attach (PowerPoint.Attach)
The first known virus to infect MS PowerPoint presentation files. As in
the case of other viruses that infect MS Office applications, it is
written in Visual Basic for Applications (VBA) and employs statements
and functions of this language as well as features of MS PowerPoint to
propagate.
The virus contains one macro, containing an "event-driven function"
named "UserForm_Terminate". This function is activated each time a
UserForm (e.g., a dialog box, message box, button, etc.) is closed. This
function is the basic procedure for the virus and contains the
reproduction code.
Upon activation of the virus, the procedure seeks files with a .PPT
extension in the directory "C:\My Documents" and its subdirectories,
opens them, and copies the virus macro code into them.
Owing to the features of its internal structure, the PowerPoint virus is
capable of receiving control, activating itself and reproducing only if
there is at least one UserForm in the infected presentation file. For
this reason, before infecting a file, the virus checks for the presence
of a UserForm and does not infect the file if none are found.
The virus does not make its presence apparent in any way. It contains
lines of comments, the first of which is used by the virus as an
infection identifier:
<!--1nternal-T.Attach v0.1 /1nternal
About Kaspersky Lab:
Kaspersky Lab was founded as an independent company in July 1997. It now
has 38 employees and an office in Moscow, Russia. The company's main
focus is the development and distribution of antivirus software.
Kaspersky Lab's product AntiViral Toolkit Pro received many references
and awards last year as one of the world's best tools for detecting and
disinfecting computer viruses.
AVP Departement RELATIONS
Tel: +33 (0)2-3559-9344 Fax: +33 (0)2-3560-5011
http://www.avp-france.com