F-MACRO - Scanner and disinfector for MS Word document macro viruses
Copyright (c) 1996 Data Fellows Ltd


OVERVIEW

F-MACRO is a DOS program which searches Word 6.x and 7.x documents and
Excel 6.x and 7.x documents for known Word and Excel macro viruses.
F-MACRO is able to disinfect them by disabling and overwriting the
viral macros. F-MACRO is able to parse the complex OLE2 file structure
of document files making it very fast and accurate.


TECHNOLOGY

This scanning and disinfection technology was developed by Data
Fellows Ltd for the commercial F-PROT Professional package. F-PROT
Professional for Windows, Windows 95, Windows NT and OS/2 as well as
the realtime Windows VxD scanners have these macro scanning features
built in to their normal scanners.

If you are running a VxD-based background protection from the F-PROT
Professional suite, you will be notified on infected document files as
soon as you try to open or copy them or when you are receiving such a
document as an e-mail attachment or downloading it from www.
Disinfection can also be done in realtime. A VxD-based solution
provides significantly better protection than antivirus systems
relying on the Word or Excel macro language.

For more information on the F-PROT Professional suite, see the web
site of Data Fellows at http://www.datafellows.com/ or the web site of
the US publisher, Command Software Systems at
http://www.commandcom.com/.


USAGE

Give scan path or drive as the first parameter.

Options:

     /IDENTIFICATION  Lists macro viruses this versions detects and cleans
     /DISINF          Disinfects infected documents
     /AUTO            Turns on automatic disinfection with no prompting
     /ALL             Scans files with any extension
     /REPORT=         Sends the output to a file
     /APPEND          Used with /REPORT - append to existing report
     /NOSUB           Do not recurse sub-directories
     /LIST            Lists all scanned filenames
     /BACKUP          Makes a copy of the file before disinfecting it
     /REMOVEALL       Removes all macros from documents - infected or not
     /REMNANTS        Removes all macros only if a new variant is found

Examples:

     F-MACRO C:
     F-MACRO C:\DOCS /ALL /DISINF /AUTO
     F-MACRO Z:\USER\INFECTED.DOC /DISINF

F-MACRO returns following errorlevels:

        0: No viruses found
        1: Error during execution
        3: Virus(es) found

Notes:

F-MACRO does NOT disinfect anything by default. You need to turn
disinfection on by specifying the /DISINF parameter.

We recommend you make a backup copy of important document files before
disinfecting them, just to be safe. This can easily be done with the
/BACKUP switch, which copies the original file to a .BAK extension
before starting cleaning.

In order to be able to scan all document files, Word and Excel should
be closed down before running F-MACRO: otherwise it will keep
NORMAL.DOT and possibly other files locked. F-MACRO will give a
warning message on such files.

If you have document files with non-standard extensions (something
else than DOC or DOT), use the /ALL parameter to check all files.

The difference between /REMOVEALL and /REMNANTS switch is that /REMOVEALL
will remove macros from any documents that has macros. /REMNANTS does
this only if it find a 'new or modified variant' of a virus from the
document. /REMOVEALL is used as a stand-alone parameter, /REMNANTS has
to be used together with /DISINF. IMPORTANT: If you find a new variant
if macro virus, please send a sample of it for closer analysis so we
can add direct support for it to future versions of F-MACRO. See
part SUPPORT below for more information.

Infected DOC files are always templates in structure, regardless of the
file extension (normal extension for templates is DOT). Only templates
can contain macros. A side-effect of this is that infected files can
usually be saved by Word only as templates and only to the default
template directory.

When disinfecting infected files, F-MACRO will normally change the file
back to a normal document. However, some files have originally been
templates so F-MACRO tries to determine this and preserve them as
templates after disinfection.

If the file contains extra macros after disinfection, it has probably
been a template in the first place and will not be changed to a
document by F-MACRO. The same will happen if:

- The document contains user-defined menus or toolbars
- The filename extension of the file was DOT
- The filename of the file was NORMAL

If you still get false alarms from another virus scanner after already
disinfecting the virus, or if the file is still a template and you want
to turn it to a normal document (templates can only be saved to the
template directory), you can follow these steps:

 1) Double-check that you have already cleaned the document
 2) Open it to Word
 3) Select all (Ctrl-A)
 4) Copy (Ctrl-C)
 5) Close the file
 6) Create a new file (Ctrl-N)
 7) Paste (Ctrl-V)
 8) Choose File/Save As and save the file over the original file


SUPPORT AND VIRUS SAMPLES

For general info on macro viruses, see the macro section at
http://www.datafellows.com/. For technical support, contact
F-MACRO-Support@datafellows.com. To send samples of new or suspected
viruses, send them to Samples@DataFellows.com or upload to our FTP
site at

        ftp://ftp.Europe.DataFellows.com/incoming


UPDATES

Updates, when available, can be downloaded from the Data Fellows WWW
and ftp sites at these locations:

        http://www.datafellows.com/gallery/
        http://www.europe/datafellows.com/gallery/
        ftp://ftp.datafellows.com/pub/f-prot/tools/
        ftp://ftp.europe.datafellows.com/pub/f-prot/tools/
        (the filename is fmacxxx.zip, where xxx is the version number)


The Data Fellows web site has up-to-date descriptions on the operation
and effects of these macro viruses, see

        http://www.datafellows.com/macro/


HISTORY

        Use "F-MACRO /IDENTIFICATION" for a full list of viruses identified
        by this version.


LEGAL

F-MACRO is protected by international copyright laws. F-MACRO is (c)
1996 Data Fellows Ltd, and it is not in public domain or freeware, but
you are free to use and share this software with no charges. You can
not get the source code of this program. You are not allowed to
decompile and reuse the program code of this application. You are not
allowed to resell this software for your own profit (normal copying
costs excluded) or claim to hold rights to this software. Although you
may have the right to use F-MACRO, it will remain the exclusive
property of Data Fellows. Data Fellows does not warrant that the
software is error free and we will not cover any costs created by
function or malfunction of this program. Data Fellows also disclaims
liability for possible consequential damages. To purchase a license
for the full F-PROT Professional antivirus toolkit, contact your local
distributor listed in PRO.DOC. Please redistribute F-MACRO only with
this documentation. If you cannot agree to these restrictions, you
should not use F-MACRO.

Copyright (c) 1996 Data Fellows Ltd, Finland
