Macro:
An executable program (e.g., instructions opening a file, starting an application) embedded in a word processing document, e.g., MS Word
A common technique for spreading
– A virus macro is attached to a Word document
– The document is loaded and opened in the host system
– When the macro executes, it copies itself to the macro file
– The global macro can be activated/spread when new documents are opened
Rootkit
Resides in operating systems
– Modifies OS code and data structure
Helps user-level malware
– E.g., hide it from the user (not listed by the “ls” or “ps” command)
Inspect all files
FindFirstFile() { check file, FindNextFile(), repeat } -> Windows API, NTQueryDirectoryObject -> Kernel Native Interface -> Device driver functions <-> Drivers
Worms
– Use network connections to spread from system to system