WordMacro/Concept
WordMacro/WordConcept is a new type of virus which is transmitted by Microsoft Word documents.
Introduction
The virus exploits the commonality of the Word platform, which lets it spread under Windows, Windows 95 and on Macintoshes. The virus is quite easy to detect and carries no destructive payload.
The virus has been reported in the USA, United Kingdom, Finland, France, Germany and Canada, and also in the Czech Republic. The virus is also known as WW6Macro and Prank Macro.
Overview
We assume a default Word installation, with all necessary security holes open...
Infected documents contain a set of viral WordBasic macros, one of which is automatically invoked by Word when the document is loaded (hole 1).
The virus infects the Word environment by copying its macros into the global macro environment thus effectively "going resident". One of these viral macros is automatically invoked by Word when a document is saved (hole 2) and allows the virus to replicate itself into previously clean files when they are saved.
Lastly, when Word exits, it automatically saves any changes to its global environment (hole 3). This means that the viral macros will automatically be resident and active during future Word sessions.
Detection and Cleaning
There is an obvious giveaway of Concept's actuation. When an infected document is loaded, a dialogue box titled "Microsoft Word", containing the string "1" and an OK button, pops up. Note that this giveaway applies only to Concept; don't rely on it as a generic anti-macro-virus measure!
Start a new document based on the Normal template, then choose Tools/Macro. If you see (inter alia) the macros AAAZAO, AAAZFS, AutoOpen, PayLoad and FileSaveAs, then you probably have Concept. Delete each of these macros to clean the current environment. By default, Word will save this cleaned environment for you when you exit.
A document is infected if it contains these same macros. Clean infected files as above, by going into Tools/Macro and deleting the offending macros. Be sure to save the cleaned document. Once you have loaded, cleaned and saved an infected document, three of the viral macros will be left behind in your global environment. Although they will no longer replicate, you might want to remove them before exiting Word, to leave your global template totally clean.
An interesting observation is that the "PayLoad" macro contains the following text:
    Sub MAIN
        REM That's enough to prove my point
    End Sub
Prevention
The Word for Windows manual claims that if you hold down <Shift> whilst double-clicking the Word icon in Program Manager, then Word will start up with file-related "auto-execute" macros disabled. This ought to inhibit the actuation of Concept, which relies on this feature; it didn't work in our test setup. Starting up WinWord with the command line "WINWORD.EXE /m" is supposed to achieve a similar effect, but failed similarly.
You can also hold down <Shift> whilst opening a document to disable any automatic macros in that file, though this too failed during our trials.
A Concept-specific fix is to create a macro in your global template called "PayLoad". If this macro is present, the virus assumes it is already active and aborts without infecting. Once again, this is not a generic anti-macro-virus fix.
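The macro-name check from Detection and Cleaning and the "PayLoad" fix above can be combined into one triage step. The following is an added example, not part of the original page: it assumes the macro names have been copied out of Tools/Macro one per line, that names compare case-insensitively, and that AAAZAO and AAAZFS are the names distinctive enough to count as evidence on their own. The sample listings are constructed.

```python
# Added example: triage a macro-name listing against the Concept names on this page.
# Assumptions: one name per line, case-insensitive comparison, constructed samples.

CONCEPT_MACROS = {"aaazao", "aaazfs", "autoopen", "payload", "filesaveas"}
# AutoOpen, FileSaveAs and PayLoad can exist for legitimate reasons (PayLoad is
# the inoculation macro), so only these two count as evidence by themselves.
DISTINCTIVE = {"aaazao", "aaazfs"}


def parse_macro_list(text):
    """Return the set of macro names, lower-cased, ignoring blank lines."""
    return {line.strip().lower() for line in text.splitlines() if line.strip()}


def classify(names):
    """Return 'infected', 'partial', 'inoculated' or 'no-concept-match'."""
    found = names & CONCEPT_MACROS
    if found == CONCEPT_MACROS:
        return "infected"          # full set: "you probably have Concept"
    if found & DISTINCTIVE:
        return "partial"           # leftovers, e.g. after cleaning a document
    if "payload" in found:
        return "inoculated"        # PayLoad without the viral names
    return "no-concept-match"      # says nothing about other macro viruses


def report(label, text):
    """Summarise one listing and name the macros to delete, if any."""
    names = parse_macro_list(text)
    verdict = classify(names)
    hits = sorted(names & CONCEPT_MACROS)
    return {"source": label, "verdict": verdict,
            "delete": hits if verdict in ("infected", "partial") else []}


# Constructed listings. The page does not say which three macros remain after
# cleaning a document, so the second sample is only an illustration.
SAMPLES = {
    "infected.doc": "AAAZAO\nAAAZFS\nAutoOpen\nPayLoad\nFileSaveAs\n",
    "normal.dot after cleanup": "AAAZAO\nAAAZFS\nPayLoad\nMyLetterhead\n",
    "normal.dot inoculated": "PayLoad\nAutoExec\n",
    "report template": "AutoOpen\nFileSaveAs\nInsertLogo\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(report(label, text))
```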
To prevent the transparent permanent modification of your global environment,
go to Tools/Options/Save and switch on "Prompt to save NORMAL.DOT". Malicious
macros could easily change this setting back, of course, but this is
a safety measure which you might as well take.
Finally, you might wish to use one of Word's auto-execute macros
to your advantage. Under Tools/Macro, create a macro called AutoExec that
looks like this:
    Sub MAIN
        DisableAutoMacros
        MsgBox "AutoMacros off!", "Safety First!", 64
    End Sub
This macro is triggered whenever WinWord starts (a serious potential hole!), and serves to disable the feature which Concept uses to actuate.



