Macro Virus: Wordmacro/Concept

Description of WordMacro/Concept is based on information received from Sarah Gordon, e-mail address: [email protected]. More information can be found in her paper, What A (Winword) Concept at the Virus Bulletin site.

WordMacro/Concept - also known as Word Prank Macro or WW6Macro - is a macro virus which was written in the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WordMacro/Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files. This is quite an ominous development - until now, people have only had to worry about infections in their program files. The situation is made worse by the fact that WordMacro/Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment "cross- platform" virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro PayLoad or FileSaveAs already on the template, it assumes that the template is already infected and ceases to function.

If the virus does not find PayLoad or FileSaveAs in NORMAL.DOT, it copies the viral macros to the template and displays a small dialog box on the screen. The box contains the number 1 and an OK button, and its title bar identifies it as a Word dialog box. This function seems to have been a mechanism to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all documents that are created with the Save As command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:

AAAZAO
AAAZFS
AutoOpen
FileSaveAs
PayLoad

Note that AutoOpen and FileSaveAs are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, PayLoad sounds very ominous.
It contains the text:

Sub MAIN
REM That's enough to prove my point
End Sub

However, the PayLoad macro is not executed at any time.
You can detect the presence of the WordMacro/Concept macro virus in your system by simply selecting the command Macro from Word's Tools menu. If the macro list contains a macro named AAAZFS, your system may be infected.

You could prevent the virus from infecting your system by creating a macro named PayLoad that doesn't have to do anything.

The virus will then consider your system already infected, and will not try to infect the global template NORMAL.DOT. This is only a temporary solution, though - somebody may modify the virus's AutoOpen macro to infect the system regardless of whether NORMAL.DOT contains the macros FileSaveAs or PayLoad.