WordMacro/Concept Virus Information


Name: WordMacro/Concept
Type: Word Macro Virus
Description:

Description of WordMacro/Concept is based on information received from Sarah Gordon, e-mail address: [email protected]. More information can be found in her paper, What A (Winword) Concept at the Virus Bulletin site.

WordMacro/Concept - also known as Word Prank Macro or WW6Macro - is a macro virus which was written in the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WordMacro/Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files. This is quite an ominous development - until now, people have only had to worry about infections in their program files. The situation is made worse by the fact that WordMacro/Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment "cross-platform" virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro PayLoad or FileSaveAs already on the template, it assumes that the template is already infected and ceases to function.

If the virus does not find PayLoad or FileSaveAs in NORMAL.DOT, it copies the viral macros to the template and displays a small dialog box on the screen. The box contains the number 1 and an OK button, and its title bar identifies it as a Word dialog box. This function seems to have been a mechanism to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all documents that are created with the Save As command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:


AAAZAO
AAAZFS
AutoOpen
FileSaveAs
PayLoad

Note that AutoOpen and FileSaveAs are legitimate macro names, and some users may already have attached these macros to their documents and templates.

In this context, PayLoad sounds very ominous. It contains the text:


Sub MAIN
REM That's enough to prove my point
End Sub

However, the PayLoad macro is not executed at any time.

You can detect the presence of the WordMacro/Concept macro virus in your system by simply selecting the command Macro from Word's Tools menu. If the macro list contains a macro named AAAZFS, your system may be infected.

You could prevent the virus from infecting your system by creating a macro named PayLoad that doesn't have to do anything.

The virus will then consider your system already infected, and will not try to infect the global template NORMAL.DOT. This is only a temporary solution, though - somebody may modify the virus's AutoOpen macro to infect the system regardless of whether NORMAL.DOT contains the macros FileSaveAs or PayLoad.

There is also an anti-macro virus package called F-MACRO.EXE available. This package will detect if your copy of Word is infected, and will clean it if needed. It is a DOS utility and is executed from the command prompt.

If you are located in the United States, you might want to get the package from Command Software System's FTP site at ftp.commandcom.com. The F-MACRO package is also available from Data Fellows.

If you don't have F-PROT Professional, which detects this virus, you can detect it manually with older F-PROT versions by copying the following lines directly to a file called USER.DEF in your F-PROT for DOS directory:

CE WordMacro/Concept
646F02690D6957573649496E7374616E63650C67

To scan for the user-defined virus string, either configure F-PROT to scan all files, or add the filename extension ".DO?" to the list of files F-PROT should scan for. It is recommended that you simply scan all files in case your users use a non-standard filename extension for their documents. Under the Targets menu item turn on User-defined Virus Strings.

Isolate all documents or document templates that contain this search string and examine them for the virus. Do not assume any of the files are infected, as the strings required to identify it could occur in uninfected documents. Instead, check suspect files with the F-MACRO package mentioned above.
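
The same search can be reproduced outside F-PROT. The following Python sketch is an added example, not part of the original description or of any F-PROT tooling; the function names find_signature and scan_tree and the sample file name are assumptions. It looks for the USER.DEF search string in every file under a directory, carries bytes over between reads so a match split across two reads is not missed, and reports hits only as suspects:

```python
import fnmatch
import os
import tempfile

# Search string copied from the USER.DEF entry on this page.
SIGNATURE = bytes.fromhex("646F02690D6957573649496E7374616E63650C67")


def find_signature(path, signature=SIGNATURE, chunk=64 * 1024):
    """Return the offset of the first match in the file, or -1 if absent."""
    keep = len(signature) - 1      # bytes carried over between reads
    tail, base = b"", 0            # base = file offset of window[0]
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return -1
            window = tail + block
            hit = window.find(signature)
            if hit != -1:
                return base + hit
            # Carry the last bytes forward so a match split across two
            # reads is still found.
            tail = window[max(0, len(window) - keep):]
            base += len(window) - len(tail)


def scan_tree(root, pattern="*"):
    """Map path -> offset for files under root that contain the string.

    "*" scans every file (the page's recommendation); "*.DO?" mirrors the
    narrower extension filter. Names are matched case-insensitively.
    """
    suspects = {}
    for folder, _dirs, names in os.walk(root):
        for name in names:
            if fnmatch.fnmatchcase(name.upper(), pattern.upper()):
                path = os.path.join(folder, name)
                offset = find_signature(path)
                if offset != -1:
                    suspects[path] = offset
    return suspects


if __name__ == "__main__":
    # Constructed sample: a renamed document that "*.DO?" would miss.
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "LETTER.TXT"), "wb") as fh:
            fh.write(b"\x00" * 100 + SIGNATURE)
        for path, offset in scan_tree(root).items():
            print(f"SUSPECT (verify before treating as infected): {path} @ {offset}")
```

A hit here means the same as a hit from the user-defined string in F-PROT: the file needs to be examined, not that it is infected.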

F-PROT Professional is able to detect and disinfect the WordMacro/Concept macro virus.