"Data" File Viruses

Pure data files cannot propagate viruses, but with extensive macro languages in some programs the line between a "data" file and executable file can easily become blurred to the average user. Not all scanners automatically check these "data" files although most have a option to do so you can turn on. Finally, E-mail messages themselves can contain viruses! With or without attachments, and, some E-mail programs will automatically load and run these. Don't let them.

In order for a virus to do anything, first a program of some type must execute. A virus, no matter what type, is still a program and it must load into memory and run in order to do anything. Simply reading it into memory is not sufficient. Pure data files are not viruses simply because, by their nature, they do not execute.

The problem, however, is that some modern programs now contain some form of macro language; in some cases a very powerful macro language with commands that include opening, manipulating, and closing files. More and more, these programs allow a user to extend their capabilities by writing powerful macros and then attaching these to data files produced by that program. In many cases, in order to make things easy for users, the macros are set up to run automatically whenever the data file is loaded. It's in cases like this where the line between a data file and program starts to blur. 

Note: There are many triggers (other than loading the document) that viral code can exploit and, once running, various elements of the programs macro language can be exploited so that all future data files produced by that program version could contain the viral macro code.

Most scanners can be set to check every file instead of just files that normally execute; but most do not do this by default; that would make the scanning process too long for most people.

In order to know when to turn full scanning on you need to know something about the software you use. In particular, you need to make yourself aware of any software that uses the sort of "automatic macro" feature described here. Never use a piece of software until you've explored its manual for some time just to see its full capabilities. If these include some sort of "programming" (macro) language, be aware that there is an opportunity for problems. Common programs with macro capability that can be exploited by virus writers are Microsoft Word® and Excel®. Windows Help files can also contain macro code.

A second vulnerability exists on the Internet. Some E-mail programs and Internet browsers allow you to click on a data file or program that might be attached to a message or displayed on a web page and have that file or program load and/or run automatically. You should not allow this to happen. Always save the file or program to disk and then check it with 
anti-virus software before loading or executing it.

To protect yourself best you can also use integrity checking. While you may not be suspicious of detected changes to a file you just edited, you certainly should become suspicious if other files, not associated with the one you are editing, suddenly start to exhibit changes. Constant checking is important because the mutation rate of these virus types is quite high and they have been known to make it into the wild before scanners are updated.

Summary

With macro programming languages the line between pure data files and executable files is blurring for the average user.

Most scanners have to be told to scan data files. Even though it takes longer and you may get more false alarms, it's good to periodically scan all files.

A text E-mail message can contain a virus in the body of the message and/or an infected file might be attached. Don't let your E-mail program or web browser automatically run files it finds.

Macro viruses mutate quickly and scanners may not keep up. Build an integrity database of all files to help you check for undiscovered viruses.