The Macro Virus: What It Is and How to Remove It

Opening that innocent email attachment can do more harm that you think

A conceptual illustration of a macro virus destroying a laptop computer.

Theresa Chiechi / Lifewire

Have you ever opened an email with a spreadsheet or word processing application document (like Word or Excel) and later discovered it contained a virus? Whether or not you actually opened the attachment, you were a victim of a macro virus attack.

Macro viruses rely on specific applications to work and typically attack Windows or Mac computers that use Microsoft programs. However, any kind of software program can be manipulated so don't be lulled into thinking you're safe if you don't use Microsoft programs.

What Is a Macro Virus?

To understand macro viruses, you must first understand how macros work. A macro in and of itself can be a very useful part of a program that you use daily. Essentially, it's a repetitive series of mouse and keyboard actions that make it faster and easier to use program like Visual Basic, Microsoft Excel or Word. It is also used in the MMORPG (Massively Multiplayer Online Role-Playing Games) community and for some search engine optimization software.

You can run a macro as many times as you want, which is why hackers like using them. When a macro is created, it records mouse clicks and keystrokes. Macros can be assigned to run by pressing a combination of shortcut keys, clicking a button, graphic, or another simple object. A macro virus, then, is a computer infection that you can contract and spread simply by opening an email, opening an attachment in an email, or performing some other normally innocent action, such as clicking a graphic to enlarge it in an email you receive.

When used properly, a macro is a terrific way to save time on predictable, repetitive tasks. They can apply style and formatting to text, for instance, or communicate with data sources and even create entirely new documents with a single click.

How Does a Macro Virus Work?

Macro viruses work by luring you into performing normal actions in seemingly normal ways. Some are embedded into documents and run automatically when the document is opened. Often, a macro virus can infect your computer by secretly replacing legitimate commands so that when you do something you would normally do on your computer, the virus takes over and tells you computer to do something completely different.

For example, you might typically open an email attachment to read it and then close it without saving it. Or maybe you simply open the email to see what's in it. A macro virus, however, could thwart either process to force your computer to instantly send the attachment to 50 other people from your email program as soon as you open the email. That's because, once triggered, a macro virus can infect a computer by embedding itself into other documents, files, templates, etc. The triggers occur in as many different ways as there are hackers.

Macro viruses can infect any application that uses a programming language. This allows them to spread across platforms independent of operating systems, specifically targeting documents and templates on your computer. While Microsoft programs and documents are preferred targets, macro viruses can infect almost any type of program and any kind of computer.

How Do I Know if I Have a Macro Virus?

Most macro viruses are not downloaded and installed onto your computer, which makes them more difficult to detect than other viruses. Instead, it typically spreads itself by trying to infect as many computers as possible. You probably won't know you have a macro virus until your friends or coworkers start complaining that you have sent them an oddly formatted or worded email. Someone might also trace a macro virus to you if they contract it and do some detective work to figure out where it came from.

A macro virus can corrupt data, create new files, move text, format hard drives, send files, and insert pictures so if you notice something unusual on your system, pay attention.

Because these viruses are so prolific, it's not possible to list every type of file format or name a macro virus might use. Some macro virus name examples include AutoOpen, FileSaveAs, Payload, NORMAL.DOT, and more.

Other things to look for include:

  • Strange messages that appear in a dialog box you're not used to seeing.
  • Missing menu items.
  • Unusual or unexplained behavior when using a program. For example, you might be prompted for a password when opening a file that has never needed a password before. You might also see documents suddenly saved as templates, too.

How Did I Get This Macro Virus?

You contracted a macro virus by somehow interacting with a file (document or template) that was infected with a macro virus. Infected files are usually spread in the following ways:

  • Sharing files over a network.
  • Opening an email attachment.
  • Sharing files on USB drive or other external/shareable media.
  • Downloading a file via the internet or an intranet and then opening it.

How Do I Get Rid of This Kind of Virus?

The best way to both detect if you have a macro virus and remove it is to use antivirus software. It's also worth using a malware removal app to double check for any kind of malware or adware that a hacker may have deliberately installed on your computer. Malware removal tools are a useful addition to your arsenal, especially if a hacker has installed extra malware without you realizing it.  

Antivirus and malware scanning software can sometimes take several hours to complete a scan, depending on the speed of your computer, but it's a highly effective way of checking your PC is secure. 

It's also possible to use System Restore to return to an earlier time period on your computer. Be sure to choose a date when you know you definitely didn't already have the virus on your computer otherwise you'll re-infect yourself. This process is not for the faint of heart and should only be performed by someone with strong knowledge of computers and operating systems.

How Can I Avoid Getting This Virus Again?

There are several key ways in which you can lower your chances of being re-infected with a macro virus or other types of malicious programs. Plus, always remember these tips:

  • Don't instantly open emails or email attachments. Unless you are expecting an attachment from someone via email, never open one until you can confirm with the sender that they did indeed knowingly send you the file.
  • Keep your antivirus software and malware protection updated. New viruses are created regularly so it's important to keep your PC informed on what to look for with the latest virus and malware-based threats. 
  • Be careful when you download new programs. Always confirm the legitimacy of the source of the programs and apps you download.
  • Stick to well known websites. Malware can infect your computer through the suspicious websites you might accidentally access.
  • Don't click on banner ads. When a pop-up banner appears as you browse a website, resist the urge to click on it. If a site inundates you with pop-up advertisements, leave the site immediately.