AVG Signal Blog Security Viruses What Is a Macro Virus and How Do I Remove it?

Written by Ivan Belcic
Published on May 14, 2021

What is a macro virus?

A macro virus is a type of computer virus often written in Visual Basic, the programming language used by Microsoft Word and Excel. Macro stands for macroinstruction, a group of programming commands that automatically executes whenever a file is opened or when you perform a specified action.

This article contains :

    In most cases, macros are helpful. By automatically performing a given procedure, macros simplify complex processes and make things more convenient. A simple Microsoft Word macro might insert a table. In Excel, people use macros to perform calculations and autofill spreadsheets.

    A macro virus takes advantage of this automated system by disguising itself as a normal macro. When you open a file infected with a macro virus, the software executes the malicious macro as though it were a normal one. Along with ransomware, spyware, and other types of malware, macro viruses — especially MS Office viruses — can severely threaten you or your organization.

    How does a macro virus work?

    A macro virus works by using the programming language of a macro to fool a program into executing it. If you open a document infected with a Microsoft Word virus, and if macros are enabled on your computer, Word will execute the malicious macro just as it would any other, but with potentially harmful consequences.

    Because they work within programs, not operating systems, macros viruses can affect both PCs and Macs. If you have the targeted program on your computer, the virus can infect it. 

    Macro viruses are similar to Trojans in that they trick victims into installing them. But unlike Trojans, they can self-replicate and spread to other victims once activated.

    How do macro viruses spread?

    Many macro viruses spread as infected email attachments, while others spread across networks, through infected downloads, or through physical media like USB flash drives. Here are some common ways to get a macro virus on your device:

    • Opening an infected attachment, such as one in a phishing email.

    • Downloading infected files from a network.

    • Downloading an infected file from a malicious pharming website or P2P file-sharing service.

    • Inserting physical media, like a flash drive or CD, that contains an infected file.

    That’s why it’s important to never open email attachments you receive from people you don’t know or trust.

    What programs are most affected by macro viruses?

    Any widely used program that uses macros will be particularly vulnerable to macro viruses. Popular programs that use macros heavily include Microsoft Word, Excel, PowerPoint, and other apps in the Microsoft Office suite.

    Apps in the Microsoft office suite are particularly vulnerable to macro viruses.

    Microsoft Word, Excel, and PowerPoint are particularly vulnerable to macro viruses.

    What can macro viruses do?

    Once a macro virus is executed on your computer, it can deliver its payload, the portion of its code that carries out the attack. Because macro viruses are built with the same macro languages that your software uses, they can affect apps as well as files.

    Macro viruses can:

    • Infect other files.

    • Make unwanted changes to your files, like deleting or changing content and adding images.

    • Create new files.

    • Corrupt files and other data.

    • Send files and emails to others — this is how they spread from one victim to the next.

    • Reformat your drive.

    • Infect your computer with additional malware.

    Signs that your device may have a macro virus infection

    Macro viruses can slow down your computer, alter or destroy files, and change your device’s behavior. Here’s how to tell if there might be a macro virus on your computer.

    • Your computer suddenly runs a lot slower than usual — this can happen as the virus copies itself over and over again.

    • Files are password-protected when they didn’t used to be, and you didn’t set up the password protection yourself.

    • You’re noticing unexplained changes in your files.

    • Some files go missing.

    • Your contacts report receiving strange emails from you.

    • The menu options have changed in the programs you use.

    • You start noticing strange error messages when opening or working with certain files.

    Any of these symptoms can indicate the presence of malware. AVG AntiVirus FREE monitors your computer in real time to detect and remove macro viruses and other malware. And it uses advanced threat-detection technology to prevent malware infections before they happen.

    Example macro viruses

    The history of computer viruses is long. Macro viruses are a relatively old threat, but that doesn’t mean they’re dead. In fact, it’s just the opposite — cyberattackers and other hackers still use macro viruses to target today’s software. Here are three notable examples of macro viruses.

    The Melissa Virus (1999)

    The Melissa Virus made global headlines in 1999 as a rapidly spreading email virus targeting Microsoft Word and Microsoft Outlook. The attack started when its creator posted a list, supposedly containing passwords to several adult websites, in an online community. When victims downloaded and opened the file in Word, they triggered the virus instead.

    The Melissa Virus’s macros caused Microsoft Outlook to mass-mail the infected list to the first 50 contacts in the victim’s address list. When those people opened the file, the virus infected their computers, and the cycle repeated — ultimately inflicting an estimated $80 million in damages.

    Hancitor/Chanitor (2014–2017)

    Hancitor, also known as Chanitor, is another macro virus that spread via infected Word documents and emails. While initial Hancitor campaigns had victims click embedded links that opened Word documents with malicious macros, subsequent Hancitor campaigns sent emails with infected documents attached.

    Hancitor is a malware downloader that installs additional malware on your computer. Many Hancitor campaigns focused on data theft or ransomware installation, and Hancitor was still in use as recently as 2017.

    First known macOS macro virus (2017)

    Though it didn’t have much time to cause any worldwide harm, the first macOS-specific macro virus was discovered by security researchers in 2017 — indicating that Macs do get viruses, even if they’re not as common as Windows viruses.

    Embedded in a Word document, the unnamed macro automatically contacted a remote server to download and install a payload on victims’ computers. But since the server was no longer active when researchers discovered the virus, there’s no way to know what the payload might have been — though the code used in the macro was taken from a macOS exploit kit often used for spying and data theft.

    How to remove a macro virus

    Like other viruses, macro viruses can be removed by using a dedicated antivirus tool. Cybersecurity software like AVG AntiVirus FREE will not only remove viruses and other malware from your computer, it’ll also prevent malicious macros from downloading malware onto your computer in the first place.

    Here’s how to remove a macro virus from your PC:

    Step 1: Reboot your computer in Safe Mode

    1. Open the Start menu and click the power icon while pressing the Shift key. 

    2. Choose Restart from the options.

    3. Your computer will reboot into Troubleshooting mode. Choose the following options: Troubleshoot > Advanced Options > Startup Settings > Restart.

      The Startup Settings for troubleshooting problems in Windows 10
    4. On the next screen, press 4 to reboot your computer into safe mode. This prevents any nonessential apps from running, like the program that activated your macro virus.

    Step 2: Run an antivirus scan

    1. Open AVG AntiVirus FREE and click Run Smart Scan to scan your PC and remove malware.

      Running a smart scan with AVG AntiVirus FREE for Windows 10
    2. If AVG AntiVirus FREE finds any malware, it’ll begin the removal process. Otherwise, you’re good to go.

    And that’s it! Removing a virus or malware from your computer is simple when you have a robust antivirus tool.

    What’s the difference between a program virus and a macro virus?

    Most standard computer viruses are written in simple coding languages like C, and they usually target your computer’s operating system. Many viruses attack the boot layer, which governs your computer’s startup process, letting them activate every time you turn on your PC. 

    By contrast, macro viruses use advanced programming languages to co-opt the macro functionality found in Microsoft Word, Excel, PowerPoint, and similar programs. Though macro viruses target specific programs, once the macro is executed, the effects of the virus can be systemwide — especially if the macro virus downloads additional malware.

    How to scan for macro viruses

    If you’re noticing strange behavior in your programs, files, or settings, a quick virus scan will let you know if anything is wrong. When you’re using a specialized antivirus removal tool, scanning for macro viruses is the same as scanning for any other type of malware and potentially unwanted program (PUP). The same goes for removing malware from your phone — it’s safer and easier to let the experts handle it.

    AVG AntiVirus FREE scans your PC in real time to detect and block malware, including macro viruses, before they infect your computer. If you already have malware on your computer when you install our antivirus, it’ll detect and remove it during your first scan.

    AVG AntiVirus FREE scans your PC in real-time to detect and remove micro viruses before they infect your computer.

    How to prevent macro viruses

    Since macro viruses have become so common, Microsoft Office now disables all macros by default. If you open a file with macros, you’ll get a pop-up alert asking for your permission to enable those macros. Think carefully before doing so, and never enable macros in files you receive from unknown sources.

    Here are other ways to prevent macro viruses from infecting your computer:

    • Never open email attachments that you aren’t expecting to receive. Macro viruses can force people you know to email you, so it’s not enough to open attachments only from people you trust.

    • Don’t click links in suspicious emails, even if they’re sent from people you know. These can be phishing emails triggered by a macro virus.

    • Use an email service with a good spam filter. Filtering spam emails will prevent you from seeing as many phishing emails as you otherwise might.

    • Keep macros disabled. Macros can be useful, but keep them off by default. Only use them with files you create yourself or that you trust.

    • Again: never enable macros unless you’re 100% sure the file is safe.

    • Always update your software. Software updates often include security fixes to prevent malware from exploiting known vulnerabilities.

    • Use a trustworthy antivirus tool. If you use one of the best free antivirus software solutions out there, you’ll detect macro viruses and other malware before they can infect your computer.

    Thwart troublesome macro viruses with AVG AntiVirus FREE

    A strong and reliable antivirus is your best defense against not just macro viruses, but other viruses and malware as well. With AVG AntiVirus FREE, you’ll benefit from the protection of the world’s largest threat-detection network, so you’ll be defended in real time from any malware that tries to worm its way onto your computer. 

    AVG AntiVirus FREE monitors your devices 24/7 for any traces of malware, detecting and removing them while preventing future instances of malware from infecting your system.

    Block malware and prevent threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Ivan Belcic