JSI Tip 1202. Protecting Windows NT from a Word Macro virus.

Word Macro viruses disable virus protection as part of their attack.

To prevent this, first turn on the virus protection. Run regedit /s macrovirus.reg, where macrovirus.reg contains:

REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word]

[HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options]
"EnableMacroVirusProtection"="1"

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0]

[HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security]
"Level"=dword:00000002

Then use Regedt32 / Security / Permissions to grant Read access to the Everyone group, Full Control to SYSTEM, and Full Control to Administrators on the Word/Options and Word/Security keys.

NOTE: If you log on as a member of the Administrators group, grant that group Read instead of Full Control.

You can use REG and RegDACL to do this in batch.

If you granted Read to Administrators, running these tools under the Schedule Service (AT command), when it is set to use the default LocalSystem account, will allow you to make subsequent changes.
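
The permission step above, scripted as an added example: it is not part of the original tip and does not use the REG/RegDACL tools the tip mentions. It assumes a Windows version with PowerShell and a session allowed to change the keys' permissions; $AdminsReadOnly is a name chosen for this example and implements the NOTE.

```powershell
# Added example (assumption: PowerShell is available; run after importing macrovirus.reg).
# Applies the ACL from the tip: Everyone = Read, SYSTEM = Full Control,
# Administrators = Full Control (or Read, per the NOTE).
$AdminsReadOnly = $false   # set to $true if you log on as a member of Administrators

$keys = @(
    'HKCU:\Software\Microsoft\Office\8.0\Word\Options',
    'HKCU:\Software\Microsoft\Office\9.0\Word\Security'
)

# Well-known SIDs, so the script does not depend on localized group names.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$system   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'
$admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'

function New-KeyRule {
    param(
        [System.Security.Principal.IdentityReference]$Sid,
        [System.Security.AccessControl.RegistryRights]$Rights
    )
    New-Object System.Security.AccessControl.RegistryAccessRule(
        $Sid, $Rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
}

$adminRights = [System.Security.AccessControl.RegistryRights]::FullControl
if ($AdminsReadOnly) { $adminRights = [System.Security.AccessControl.RegistryRights]::ReadKey }

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { Write-Warning "Key not found, skipping: $key"; continue }

    $acl = Get-Acl -Path $key
    # Stop inheriting from the parent key and drop the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove explicit entries already on the key so only the three below remain.
    foreach ($rule in @($acl.Access)) { [void]$acl.RemoveAccessRule($rule) }

    $acl.AddAccessRule((New-KeyRule $everyone ([System.Security.AccessControl.RegistryRights]::ReadKey)))
    $acl.AddAccessRule((New-KeyRule $system   ([System.Security.AccessControl.RegistryRights]::FullControl)))
    $acl.AddAccessRule((New-KeyRule $admins   $adminRights))
    Set-Acl -Path $key -AclObject $acl

    # Show the resulting entries so the change can be checked.
    (Get-Acl -Path $key).Access |
        Format-Table IdentityReference, RegistryRights, AccessControlType -AutoSize
}
```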
