
Word Macro Trojan Resurrects '90s-Style Attacks

The kind of '90s-style attack we prefer. Credit: Columbia Pictures


Say what you will about Millennials getting nostalgic about the 1990s, but it's much better than malicious hackers doing so. A new banking Trojan called DRIDEX makes use of Microsoft Word macros, an attack vector that peaked with the Melissa macro virus in 1999. Macro malware went out of fashion more than 10 years ago, but can be just as harmful to your computer (and your wallet) now as it was then.

Tokyo-based security firm Trend Micro shared its research about DRIDEX in a blog post. The Trojan tries to steal users' banking information, and while DRIDEX is quite easy to avoid, it takes advantage of perfectly legitimate settings that you might have activated in Microsoft Word.


A sample DRIDEX-infected email provided by Trend Micro.


Here's how the scam works: You get an e-mail that seems to come from a high-profile European company. Attached is an invoice in the form of a Word document. It goes without saying that if you're not expecting an invoice from anyone, you should leave it alone. It's not the most obvious scam in the world, however: There were no spelling errors or questionable e-mail addresses in the sample Trend Micro found, and the message could fool even those who frequently deal with European invoices.

The invoice looks innocuous enough, but here's the catch: It runs macros in Microsoft Word. Macros are automated commands that carry out complex operations in Microsoft Office programs and, in fact, are quite common for calculations in invoices.

Macros are disabled by default in Microsoft Word for security purposes, but many users turn them on. Documents that run macros also ask users if they want to enable them.
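Because the decision to enable macros rests with the user, it helps to know whether an attachment carries macros before anyone opens it. The Python sketch below is an added example, not code from Trend Micro or this article; the function names and sample files are constructed, and the check for legacy .doc files is a byte-marker heuristic, not a full parser.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")    # header of legacy .doc/.xls containers
VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")  # stream name stored in OLE VBA projects
MACRO_CTYPE = "macroenabled"                     # appears in .docm/.dotm content types


def classify_attachment(data: bytes) -> str:
    """Classify raw attachment bytes by content, ignoring the file extension."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: OLE directory names are UTF-16LE, so a VBA project leaves this marker.
        return "ole-vba-marker" if VBA_MARKER in data else "ole-no-vba-marker"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = z.namelist()
            if "[Content_Types].xml" not in names:
                return "not-office"  # a zip, but not an Office Open XML package
            content_types = z.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        return "not-office"
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
    return "ooxml-macro" if has_vba or MACRO_CTYPE in content_types.lower() else "ooxml-no-macro"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal OOXML-shaped zip, not a real Word document."""
    main = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_macro else
            "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   f'<Types><Override PartName="/word/document.xml" ContentType="{main}"/></Types>')
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"placeholder bytes, no real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docx (macro inside)": build_sample(True),
        "invoice.docx (plain)": build_sample(False),
        "invoice.doc (constructed OLE stub)": OLE_MAGIC + b"\x00" * 64 + VBA_MARKER,
    }
    for name, data in samples.items():
        print(f"{name}: {classify_attachment(data)}")
```

The first sample shows why the check reads the file contents: a macro-bearing package is flagged even when it is named `.docx`.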

Assuming users let the macros run, DRIDEX logs their online banking transactions, takes screenshots and steals information from forms victims fill out. The malware targets accounts at Europe's largest banks, including Lloyds, Barclays, Santander and Bank of Scotland.

Running a standard antivirus sweep will get rid of DRIDEX, but since the program doesn't really make its presence known, you may be in trouble if you find you're already infected with it. If so, change your online-banking passwords and keep a close eye on your accounts.

Marshall Honorof is a Staff Writer for Tom's Guide. Contact him at mhonorof@tomsguide.com.