The Concept virus appears to be the first instance of an application-borne virus. Unlike other viruses, which attach themselves to programs (or DOS boot records, which are in fact programs), Concept attaches itself to Word documents. When you open an infected Word document, the virus deposits a copy of itself in with your Word macros, and takes control of Word's "Save As" function.
Once "Save As" has been subverted, the virus makes copies of itself, infecting any document saved with Word's "Save As" command. Because Word automatically uses the "Save As" command the very first time a new document is saved, all new documents created on an infected system are, themselves, infected.
Concept is an equal-opportunity infector: it travels freely between WinWord 6, Mac Word 6, Word NT, and Word 95 installations.
Until the appearance of Concept, PC viruses only traveled on the back of programs: you had to run a program (or start your computer with an infected diskette in the drive) to infect your computer. Concept represents a new breed of virus, one that can be spread simply by opening a document. That's why your current virus detection programs won't find it, and why entirely new approaches to detection and eradication must be developed. Concept is only the first.
There's no reason to be overly concerned about this incarnation of the Concept virus. The virus itself is harmless, in the sense that it doesn't destroy data. You may notice that your documents are a little larger, and that "Save As" takes a little longer. You might feel queasy knowing that your system is infected, just on general principles. Your correspondents, business associates and friends might get more than a little upset with you if one of your documents infects their system. But that's the extent of it.
It's more of a wake-up call. The same techniques used to create this virus could be used to manufacture a virus that will infect just about any advanced application - at least any application with a fairly capable macro language. We in the macro-writing biz have known since 1991, at least, that such things were possible. We just hoped that those who spent the time to learn enough about macro languages would forgo this particular temptation. Alas, we were wrong. Very wrong.
Whoever knows isn't telling. All we know for sure is that the first acknowledged outbreak appeared on the Microsoft campus in late July. Since then, it's spread like wildfire. Infected systems have been reported all over the world. My personal belief is that this virus has spread faster than any other virus in history, and probably infects many times more machines right now than all other forms of viruses combined.
In a nutshell, your system can only get Concept by opening an infected Word document (or template) with Word. Period. You can't get infected by opening a text file in Word. You can't get the virus by opening an infected document with Windows 95's WordPad. You can't get the virus by importing a spreadsheet into Word, or by using OLE or Dynamic Data Exchange to link to Word.
The document could come from almost anywhere - a friend or co-worker, an on-line service, a network. And it's highly likely that the people who send you documents won't have the slightest idea if they're infected. It pays to be cautious.
You may have heard that the virus was contained in some Microsoft shrinkwrapped products. (I've seen accusations about everything from Windows 95 to Office 95 to Office 4.3!) Well, as of this date anyway, all of those rumors are wrong. Microsoft has never shipped a product with the virus on it. See Virus Update for comments.
On the other hand, it appears that at least one infected document was posted on CompuServe, and downloaded many times before it was withdrawn. I've also heard reliable reports that some documents posted for downloading on Microsoft Network were infected. I've been assured that all of those episodes are strictly in the past tense - the sysops on CompuServe and MSN are now very aware of the virus, scan new postings rigorously, and have scanned all existing files.
If you are running Windows 95 and Word 95, you may have Word set up to act as your Exchange mail program; it's usually called WordMail. When Word is running as WordMail it disables the capability that lets Concept spread, so you cannot get infected by reading mail with WordMail. However, if an incoming message has an attached infected Word document, and you double-click on that document to open it in Word, you will get infected.
Start Word. Click on Tools, then Macro. Make sure the "Macros Available In" box shows normal.dot. Then look for macros called AAAZAO or AAAZFS. That's the "signature" for the Concept virus. If you discover macros with those names, don't create any new documents, use "Save As" on existing documents, or give out any of your documents to anyone else until you've had a chance to disinfect your Word installation.
Get over to the Microsoft Web page http://www.microsoft.com/msoffice and download a file called the Macro Virus Protection Tool. (On CompuServe or AOL, GO MS; on Microsoft Network, GO MACROVIRUSTOOL.) Follow the instructions to run the file. It will look for macro viruses, both among your macros, and within any documents you specify. It will also install special macros that will prevent any further infection.
If you are using SCAN.DOC, make sure that your copy of the "cleanall" macro is not one of the early releases which contained a typo! Look for the line Dlg.Pat$ = "*.doc;*.dot" used to set up the ".Name" argument for FileFind. There should be NO space between the semicolon and the second asterisk. A space here (found in early releases) prevents the iteration from looking for ".DOT" files.
Microsoft now has a new program that will detect other "prank macros" (official Microsoft-speak for Concept) and "alert users to their presence before the macro affects their program." You can be sure that the new program will find Concept. You can also be sure that, no matter how good this new program may be, somebody will find a way around it.
The best way to prevent Concept is to use SCAN.DOC or the new ScanProt Tool (which incorporates the same code) to "inoculate" your Word installation. You can do the same thing, if you're up to writing a Word macro, by clicking on Tools, then Macro, ensuring that "Macros Available In:" shows normal.dot, typing "Payload" (no quotes), and clicking Create. You have to change the macro in some way to get Word to save it, so add a space after the MAIN in Sub MAIN, then click File, and Close. YES, you want to save changes to Payload.
Preventing application-borne viruses in general, though, is a much more difficult question. As a first round of defense, if you hold down the Shift key when opening any document, you'll foil the less sophisticated viruses (of which winword.concept is an example).
Over the long term, somebody has to come up with a more complete solution. It is a very, very difficult problem - in fact, I believe that preventing application-borne viruses will prove to be far more difficult, technically, than preventing their more traditional program-oriented siblings. And, since people generally aren't aware of application-borne viruses, they'll probably spread much faster. Look for an entire industry to develop.
Vector: The virus (one could argue it's really a Trojan Horse) is spread by using Word to open an infected Word document. The virus attaches itself to normal.dot, the "global template" that is always open whenever Word is running. Once normal.dot is infected, every document saved with a "Save As" (including brand new documents which have no names, and documents the user is re-naming) will be infected. Infected documents are passed from machine to machine in almost any fashion (including over a LAN, or other network) and the virus multiplies. The virus is not destructive; the only apparent side-effect is that infected documents are somewhat larger than uninfected documents, and that a "Save As" on an infected machine will take a bit longer than it would otherwise.
Identification: You can easily tell if you have the Concept virus by starting Word, clicking on Tools, then Macro, making sure "Macros Available In:" shows normal.dot, and checking to see if you have a macro called AAAZAO or AAAZFS. (The virus also installs a macro called Payload, but the virus-killing programs mentioned below also install a completely harmless macro with the same name -- so don't be alarmed if you see Payload. The virus will not install itself on any system with a normal.dot macro called Payload. That's why the virus-killers put Payload there.)
Eradication: Microsoft has an anti-virus program called wd1215.exe that will eliminate the virus, both in normal.dot, and in any documents within a given folder. The program is available on http://www.microsoft.com. The National Computer Security Association is also distributing a virus killer called WVFIX.ZIP, on CompuServe, GO NCSA; it can also be found in the GO WOPR library (6). Both of those programs will be updated regularly - the situation seems to be changing daily - so look around for the latest versions. There have been problems reported running winword.concept virus eradicators with Word 95 and Windows 95. Check the documentation that comes with the program for details.
Prevention: You can prevent infections of this specific Concept virus by creating a global macro called Payload. In general, though, viruses of this nature can only be thwarted by holding down the Shift key while opening any document.
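The identification rule and the SCAN.DOC pattern typo described above, combined into one triage pass (an added Python example, not the article's WordBasic and not Microsoft's tool). The inventory is constructed sample data, and `matches` only models the behaviour the article reports, where a space after the semicolon becomes part of the second pattern.

```python
from fnmatch import fnmatchcase

# Macro names the article gives as the Concept "signature".
CONCEPT_SIGNATURE = {"AAAZAO", "AAAZFS"}
# Installed by the virus and by the cleanup tools, so not a signature alone.
SHARED_MARKER = "PAYLOAD"

# Constructed inventory: file name -> macro names listed under Tools > Macro.
INVENTORY = {
    "NORMAL.DOT": ["AAAZAO", "AAAZFS", "FileSaveAs", "Payload"],
    "MEMO.DOC": ["AAAZAO", "AAAZFS", "AutoOpen", "Payload"],
    "CLEANED.DOT": ["Payload"],
    "LETTER.DOC": [],
}


def matches(filename, pattern_list):
    """Model a semicolon-separated file pattern list, case-insensitively.

    Assumption: each piece is used exactly as typed, so a space after the
    semicolon becomes part of the next pattern and it stops matching.
    """
    name = filename.lower()
    return any(fnmatchcase(name, p.lower()) for p in pattern_list.split(";"))


def classify(macro_names):
    """Classify one template or document from its macro names."""
    names = {m.upper() for m in macro_names}
    if names & CONCEPT_SIGNATURE:
        return "infected"
    if SHARED_MARKER in names:
        return "inoculated"  # Payload alone: the harmless blocking macro
    return "clean"


def scan(inventory, pattern_list):
    """Return {filename: verdict} for the files the pattern list selects."""
    return {f: classify(m) for f, m in inventory.items()
            if matches(f, pattern_list)}


if __name__ == "__main__":
    for label, pats in (("correct", "*.doc;*.dot"),
                        ("early release", "*.doc; *.dot")):
        print(label, scan(INVENTORY, pats))
```

With the early-release pattern the infected NORMAL.DOT never reaches the classifier, so the scan reports only the two .DOC files.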
Programming Details: An infected "document" is really a Word template, renamed with a .DOC extension. That's a common trick used widely in the business. When the user opens an infected document/template, Word automatically runs its AutoOpen macro, which "infects" normal.dot by copying four macros to it. One of those macros replaces the usual "File Save As" command; that's how the virus propagates.
An infected document/template contains four macros.
The macro called AAAZAO is installed in normal.dot, and becomes the AutoOpen macro of any "document" (actually, template) saved by an infected normal.dot's FileSaveAs. AAAZFS is carried by infected documents, and becomes normal.dot's FileSaveAs when normal.dot gets infected. AutoOpen spreads the virus to normal.dot. And Payload could contain destructive code, but doesn't. Very efficient design. There is no "trigger" to run the Payload macro. Thank heavens.
Whoever wrote this sucker knows his/her WordBasic. The dead giveaway that a user has been infected is the MsgBox in the AutoOpen macro, which displays a "1" the first time normal.dot is infected, but then would increment as the same file infects other people's normal.dot.
Conclusion: it's a virus, pure and simple - and not a badly constructed one at that. It's the first Autoexec virus I've seen, one that piggy-backs on an innocuous looking document, and takes advantage of "auto" macros. While this particular virus infects Word, that's mostly a matter of bad luck. Users of Windows and Mac applications should beware: any app with a macro language and an Autoexec capability (which includes all the major WinApps I can think of) is vulnerable to this kind of attack.
If Microsoft wants to call it a "prank macro", well... I would speculate that this virus has spread faster than any other virus in PC history. Unlike, say, Michelangelo, which only infected a few thousand machines, this one has spread all over the world in a matter of weeks. It will certainly infect many WinWord 6, Word 95, and MacWord sites.
We can thank our lucky stars that the originator was benevolent - in the sense that the macro doesn't destroy anything; the Payload is never deployed. Regardless, I'd still like to wring his/her neck. There are plenty of ways to demonstrate your programming prowess without releasing something like this into the wild.
The worst part? It's "clear." There was no attempt to encrypt the four macros. Anybody with this information and a nodding acquaintance with WordBasic could turn it into something really destructive - a stealth virus with almost unlimited capability.
The genie is out of the lamp.
Additional information, including the full text of the macros, is available to responsible parties. Contact woody@wopr.com.
(For your printed records: this document is at: http://www.csn.net/~woody/wwinfo/concept.htm)
Woody Leonhard 8/26/95, updated 10/05/95