My Mac has become a host for infected Windows office documents. I have hundreds of Office documents with other people's Windows viruses on them. Help!
January 11, 2012 6:01 AM

I regularly receive and send Word and PowerPoint files to colleagues. I have a Mac, but occasionally log into Dropbox from a PC or plug my USB stick into a PC.

Recently, I started getting alerts when using my USB on a PC about possible viruses. I scanned my drives using ClamXav today and sure enough, something called CVE-2012-0013 has been found in hundreds of Word and PowerPoint files.

I am finding it really hard to work out where the virus came from, and how serious it is, but in the meantime, I need to clean up these files because I need to send them out to other Windows users.

So far I have tried several free and trialware options:
ClamXav - this is the only program that is detecting the problem, but this software can't clean files.
Sophos Anti-Virus, VirusBarrier and Avast can't even detect the problem.
I also tried a PC. Spybot, Norton 360 and AVG can't detect the problem.

Please, no suggestions to just delete the files or stop sharing with Windows users - there's no way around it for work! Ideas on how to prevent this happening again in the future would be appreciated - I often work with people who don't have antivirus or have outdated versions of Windows that could be vulnerable to viruses.
posted by wingless_angel to Computers & Internet (12 answers total) 1 user marked this as a favorite
 
Best answer: Send the documents as attachments in a Gmail to yourself. Google's software will try to clean the files of any detected viruses. No guarantees, but it is one way to clean infected files.

As to how you automate sending a bunch of files as attachments in Gmail emails, that's something you'd have to sort out. Google doesn't make command-line automation available for Gmail. Others have written scripts, so that might be worth investigating if you have some scripting skills.
posted by Blazecock Pileon at 6:20 AM on January 11, 2012


To get rid of the viruses for now, assuming the files are relatively simple, you could save them in another format (for Word, rtf and for PowerPoint, the oldest version of PowerPoint you can), reopen them and then save them again in the usual format.

Dealing with people who send out infected files is as much a social issue as a technological one. The goal is to get them to sort out their computer security, but whether gentle encouragement, firm orders, passive-aggressive refusal of infected files, helpful pointers towards security software or another technique is best depends on the individuals concerned.
posted by Busy Old Fool at 6:23 AM on January 11, 2012


Best answer: CVE-2012-0013 was released yesterday and anti-virus makers need some time to update definitions. It also describes a vulnerability, not a virus. If you know a file that Clam says is infected, make a copy of it and use Avast to move it to the quarantine and submit it to the labs for further review. If they detect something, that should help the definitions get updated faster.

As far as what to do on an on-going basis, we've literally run realtime virus protection on servers and scheduled nightly scans. Sometimes that's all you can do. It'll slow the response time down, FYI. Linking to free AV would be a good idea too.
posted by jwells at 6:25 AM on January 11, 2012 [1 favorite]


Best answer: I'm not a computer expert, but based on the link you posted I'm pretty sure that's not actually a virus but rather a "vulnerability" in MS Word that could allow hackers to use Word documents to access your computer. In other words, ClamXav isn't telling you that these documents are infected with viruses; it's telling you that there are security loopholes in them that could theoretically be exploited.

Hopefully someone who knows more about this can confirm this and tell you what to do, but I wanted to alleviate your panic.
posted by enlarged to show texture at 6:25 AM on January 11, 2012


Response by poster: Some great tips here, thanks.

Gmail has identified the files as having a virus but is not able to clean them.

The weird thing about it is that ClamXav is detecting CVE-2012-0013 on files I haven't opened for months.
posted by wingless_angel at 7:21 AM on January 11, 2012


You don't mention what Windows machines you're plugging your USB stick into. If they're unsecured machines, that alone can cause an infection.

Also...

"I have hundreds of Office documents with other people's Windows viruses on them."

Those aren't other people's viruses; they're yours. And if you're sharing these documents, you're infecting others.
posted by coolguymichael at 8:06 AM on January 11, 2012


Also, you can run ClamWin via portable apps directly on your USB stick, and you should if you plug into strange computers.
posted by coolguymichael at 8:07 AM on January 11, 2012


"The weird thing about it is that ClamXav is detecting CVE-2012-0013 on files I haven't opened for months."

If this is indeed a vulnerability and not a virus this isn't weird at all. The vulnerability has been present in MS Word documents for a long time. It's just recently been discovered.
posted by alms at 8:25 AM on January 11, 2012


Seems like if it is a security vulnerability it makes sense that AV programs can't fix it. What you need to do is get the latest version of Word with this security problem fixed (probably isn't out yet if this vulnerability is so newly discovered) and resave all of the files. Or just save them in Pages but that may present a problem to unsavvy Windows users you send them to.
posted by catatethebird at 8:52 AM on January 11, 2012 [1 favorite]


I have used Intego's VirusBarrier6 and found it very good at detecting and fixing Windows malware. I use the full package from the Intego site, not their lighter app store product.
posted by PickeringPete at 10:04 AM on January 11, 2012


Best answer: Something else to bear in mind is that Clam's false positive rate is really high anyway, and that some of the things it flags as infections are in fact not infections but vulnerabilities. Any file that Clam tells you is infected should be submitted to one of the online scanning services (I like Jotti's Malware Scan); if Clam is the only engine that reports finding anything, submit it again in a week.

I run Clam on our school server, and I regularly find it alerting me to new "infections" in perfectly kosher executables (often program installers) that I know have not been modified for years. These alerts will generally go away again after a few weeks, as people keener than me submit false-positive reports to the Clam devs.
posted by flabdablet at 6:09 PM on January 11, 2012
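
An added example, not part of the thread or of any poster's answer: grouping ClamAV detections by signature name separates one signature firing across many files (the pattern discussed above) from isolated hits, and picks a few files per bulk signature for a second opinion from a multi-engine scanner. The report text, paths, signature names and the threshold are constructed assumptions; only the `path: signature FOUND` line shape is clamscan's.

```python
import re
from collections import defaultdict

# Constructed sample of `clamscan -r` output; paths and signature names are made up.
SAMPLE_REPORT = """\
/Volumes/USB/reports/q1.doc: Example.CVE_2012_0013 FOUND
/Volumes/USB/reports/q2.doc: Example.CVE_2012_0013 FOUND
/Volumes/USB/slides/intro.ppt: Example.CVE_2012_0013 FOUND
/Volumes/USB/slides/notes: with colon.ppt: Example.CVE_2012_0013 FOUND
/Volumes/USB/tools/setup.exe: Example.Trojan.Sample FOUND
/Volumes/USB/readme.txt: OK
----------- SCAN SUMMARY -----------
Infected files: 5
"""

# clamscan prints "<path>: <signature> FOUND". The greedy path group keeps
# any ": " that occurs inside a file name attached to the path.
FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>\S+) FOUND$")


def group_by_signature(report):
    """Map each signature name to the list of files it was reported on."""
    hits = defaultdict(list)
    for line in report.splitlines():
        match = FOUND_RE.match(line.strip())
        if match:
            hits[match.group("sig")].append(match.group("path"))
    return dict(hits)


def triage(report, bulk_threshold=3):
    """Split signatures into bulk hits (one signature, many files) and isolated hits.

    bulk_threshold is an arbitrary cut-off chosen for this example.
    """
    bulk, isolated = {}, {}
    for sig, paths in group_by_signature(report).items():
        target = bulk if len(paths) >= bulk_threshold else isolated
        target[sig] = sorted(paths)
    return bulk, isolated


def second_opinion_sample(bulk, per_signature=2):
    """Pick a few files per bulk signature to re-check with other engines."""
    return {sig: paths[:per_signature] for sig, paths in bulk.items()}


if __name__ == "__main__":
    bulk, isolated = triage(SAMPLE_REPORT)
    print("bulk:", {sig: len(paths) for sig, paths in bulk.items()})
    print("isolated:", isolated)
    print("re-check:", second_opinion_sample(bulk))
```

A bulk signature is only a prompt to get a second opinion on a sample of the files; it does not by itself show whether the detection is a false positive.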


Best answer: "Those aren't other people's viruses; they're yours."

That's harsh.

If they came pre-infected from elsewhere, and they're being held on a machine that cannot spread a Windows-based infection because it's not running Windows, then describing them as "other people's viruses" sounds perfectly legitimate to me.

"I often work with people who don't have antivirus or have outdated versions of Windows that could be vulnerable to viruses."

Policy should be absolutely clear that if you do detect a genuinely infected incoming file, you will delete it and notify the source that until they send you a clean copy you can't possibly distribute it. But this is quite a different thing from finding that hundreds of previously unproblematic files are suddenly considered dodgy just because Clam has invented a new class of false positive.
posted by flabdablet at 6:16 PM on January 11, 2012

