
Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013



Chapter 5: Macro Viruses

Version 2.26b/rev.19 (02/11/97)

CONCEPT virus

Warning: this is a pretty old document

Concept was the first macro virus for MS Word that became widely disseminated. It took the whole world by surprise: AV vendors were totally unprepared for this type of threat, and before they caught up Concept had become one of the most widely distributed viruses in history. It is functional in MS Word 6.0 and Word 95. It spreads via infected attachments. These attachments or files are regular MS Word documents that contain the additional macros of the MS Word Concept virus. The virus is able to spread because the user sending the attachment across the network doesn't know that it is infected. The result is that recipients become infected just by opening the attachment or file on their PC using MS Word.

As of the end of 1997 the virus is in sharp decline and no longer represents a significant threat.

General Information

It is important that you know more about macro viruses in general and the MS Word Concept virus specifically so that you can successfully detect and prevent them on your PC. Although the next section will mostly concentrate on the Concept virus, much of the information can also be applied to other macro viruses.

All macro viruses use a macro language to distribute themselves. Unlike previous viruses, macro viruses do not infect programs; instead, they infect documents or spreadsheets. Macro viruses are not limited to MS Word: viruses can be written in other macro languages as well (for example, using VBA for Excel 5.0 or the Ami Pro macro language).

The Concept virus is costly to remove but has no destructive payload. In late 1995 and early 1996 Concept became the most common of all virus occurrences. The costs associated with Concept's detection and removal have been quite high because infected attachments are sent to multiple destinations.

The Concept virus infects MS Word documents by adding a set of macros to them. The infected document is sent as an email attachment or as a file on a diskette. The virus remains dormant until you, the recipient, open the attachment or file using MS Word. Upon opening the document, the virus installs itself and tries to infect the NORMAL.DOT template as well as other loaded documents and templates.

If you do not open the document with MS Word, your PC will not become infected. However, the infected document will still be present in your mailbox or on the diskette until you delete the email message containing the attachment or delete the file on the diskette.

If you open an infected document and do not have any protective tools installed, the Concept macro virus will install its macros and try to replicate and distribute itself through MS Word documents. Usually, the NORMAL.DOT template will be infected first.

For Word 6.0 only, it makes sense to install a special set of protective macros called SCANPROT and perhaps, for some time, even to set the READ ONLY attribute on the NORMAL.DOT file.

How To Detect the MS Word Concept Macro Virus

Identification of infected documents is easy. Open the document in MS Word. Click on the menu item named TOOLS on the upper tool bar. This expands into a list of options. Click on MACRO. You will see a list of macros that are loaded into MS Word. If the Concept virus is present, the names AAAZAO, AAAZFS, FileSaveAs, and PayLoad will be on the list. If you see these names in the list of macros currently loaded, your MS Word document is infected with the Concept virus.

The first time you open a document containing the Concept macro virus, you will see a dialog box that contains only the number "1" and an "OK" button. At this point, you have become infected, and the Concept virus will attach its set of macros to all opened documents.

How to disinfect the Concept virus

Prior to sending out electronic mail messages with MS Word 6.0/7.0 attachments, you must check each document for potentially infected macros. Instructions on how to perform this task are listed in the next section. Anyone sending attachments to a wide distribution (e.g. many people and/or many sites) needs to be especially careful and should use RTF instead of native MS Word format. See RTF2DOC for details.

Tools available for detection and disinfection

MS Word. After displaying the list of macros, if AAAZAO, AAAZFS, FileSaveAs, and PayLoad are present, highlight each of the virus' macros and select the Delete option. This removes the virus from the files currently loaded, which you should then save. That does not solve the problem of other infected files on the system; any AV scanner can be used for that.
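The manual macro check and the RTF advice in the two sections above can be automated for a mailbox or attachment directory. The following is an added example written for this page, not code from the original text or from any tool it names; it reproduces what an early signature scanner did. Files are classified by their magic bytes (OLE compound document for a native Word 6/95 .doc, `{\rtf` for RTF), and an OLE file is searched for the four macro names listed above as raw ASCII and UTF-16LE byte strings (searching both encodings is my assumption, since the on-disk encoding of macro names varies). The check that a file with an `.rtf` extension really is RTF, and the sample files at the bottom, are constructed for the example and are not real documents.

```python
"""Heuristic Concept signature scanner (added example, not from the page).

Classifies a file by its magic bytes and, for native Word documents (OLE
compound files), searches for the four macro names the text lists. The
name search is a raw byte scan in ASCII and UTF-16LE, which is a
heuristic: a clean document whose text merely mentions the names will
also match, so results are indicators to verify in Word, not proof.
"""
import os
from dataclasses import dataclass, field

# Magic bytes of the two formats discussed in the text
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE compound document (native .doc)
RTF_MAGIC = b"{\\rtf"                             # RTF: plain text, carries no WordBasic macros

# Macro names the text gives as the Concept signature
CONCEPT_MACROS = ("AAAZAO", "AAAZFS", "PayLoad", "FileSaveAs")
# Names unique to the virus; FileSaveAs may also be a legitimate user customisation
VIRUS_SPECIFIC = {"AAAZAO", "AAAZFS"}


@dataclass
class ScanResult:
    path: str
    kind: str                                  # "ole", "rtf" or "other"
    macros: set = field(default_factory=set)   # Concept macro names found

    @property
    def infected(self) -> bool:
        """Native document carrying both virus-specific macro names."""
        return self.kind == "ole" and VIRUS_SPECIFIC <= self.macros

    @property
    def disguised(self) -> bool:
        """Claims to be RTF by extension but is really a native OLE document."""
        return self.path.lower().endswith(".rtf") and self.kind == "ole"


def classify(data: bytes) -> str:
    """Identify the container format from its leading bytes."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(RTF_MAGIC):
        return "rtf"
    return "other"


def find_macro_names(data: bytes) -> set:
    """Return the Concept macro names present as ASCII or UTF-16LE strings."""
    found = set()
    for name in CONCEPT_MACROS:
        if name.encode("ascii") in data or name.encode("utf-16-le") in data:
            found.add(name)
    return found


def scan_bytes(path: str, data: bytes) -> ScanResult:
    kind = classify(data)
    macros = find_macro_names(data) if kind == "ole" else set()
    return ScanResult(path, kind, macros)


def scan_file(path: str) -> ScanResult:
    with open(path, "rb") as fh:
        return scan_bytes(path, fh.read())


def scan_dir(root: str) -> list:
    """Scan every file under root (e.g. a saved-attachments folder)."""
    results = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            results.append(scan_file(os.path.join(dirpath, name)))
    return results


def demo() -> list:
    """Constructed samples: fake headers plus a fake macro-name table."""
    padding = b"\x00" * 64
    clean = OLE_MAGIC + padding + "AutoOpen".encode("utf-16-le")
    infected = (OLE_MAGIC + padding + b"AAAZAO\x00AAAZFS\x00"
                + "PayLoad".encode("utf-16-le") + b"FileSaveAs")
    rtf = b"{\\rtf1\\ansi Quarterly report}"
    return [
        scan_bytes("report.doc", clean),
        scan_bytes("memo.doc", infected),
        scan_bytes("note.rtf", rtf),
        scan_bytes("memo.rtf", infected),   # native .doc merely renamed to .rtf
    ]


if __name__ == "__main__":
    for r in demo():
        print(f"{r.path:12} {r.kind:5} infected={r.infected} "
              f"disguised={r.disguised} {sorted(r.macros)}")
```

Only the two virus-specific names decide the `infected` verdict, because a FileSaveAs macro can be a legitimate user customisation and a byte scan can hit the word "PayLoad" in ordinary text. The `disguised` flag covers the case the RTF advice above leaves open: a recipient who only checks the extension would treat a renamed native document as safe.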

Technical Overview

The MS Word environment resembles a mini operating system. MS Word has its own programming language, WordBasic. An MS Word document resembles a floppy and can have executable components and files in it. Programming with WordBasic is described in the on-line help facilities and in the MS Word Developer's Kit.

So every document in native MS Word format can carry macros. In its default configuration, whenever Word opens a document, it executes a macro named AutoOpen, if one is present, without asking or alerting the user. Usually the AutoOpen macro is used to set up the working environment required by the document or the user, much like AUTOEXEC.BAT in DOS. The idea of Concept is to use this macro as the base macro for a virus.

The Concept virus AutoOpen macro first checks whether the virus is already active on this computer by searching for a macro named PayLoad. If it is present, execution aborts. Then it searches for a macro named FileSaveAs; if found, the virus aborts. If these tests are passed, the virus adds four new macros to the user's NORMAL.DOT. Macros in NORMAL.DOT are loaded each time you open MS Word. Also, unless the user selects another template when creating a new document, Word bases any new document on the Normal template. Concept adds four macros to NORMAL.DOT: AAAZAO, AAAZFS, PayLoad and FileSaveAs (identical to the virus' macro AAAZFS).

The virus displays a dialog box upon infection, containing what appears to be an infection counter, but which displays the number '1' no matter how many infections you generate. 

Once this message box is clicked on, the virus is active and resident, and execution of its 'bootstrap' macro finishes. Once resident, the virus code is activated whenever the user attempts to save a file using 'File/Save As', as this function has been 'enhanced' by the addition of a FileSaveAs macro. Whenever the user selects this option, the virus creates an AutoOpen macro in the new document and copies the contents of the macro AAAZAO into it. The macros AAAZFS, AAAZAO and PayLoad are also created and copied into the new document.
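To make the install and replication decisions in the last few paragraphs concrete, here is an added example written for this page; it is not the virus's WordBasic code and not from the original text. It models NORMAL.DOT and documents as plain sets of macro names (nothing is ever executed) and reproduces the decision points described above: the PayLoad and FileSaveAs self-checks, installation of the four macros into NORMAL.DOT, the bogus counter dialog, and the hooked File/Save As adding the macro set to saved documents. That lets two defensive consequences be checked: a READ ONLY NORMAL.DOT keeps the template clean, and a pre-existing macro named PayLoad trips the virus's own self-check so that nothing is installed. Two simplifications are my assumptions: the self-checks look at the global template's macro list, and the read-only attribute is treated as an outright block on the write.

```python
"""Set-based model of the Concept install and replication logic.

Added example, not the virus's code. Every document and the NORMAL.DOT
template is just a set of macro names; no macro is ever executed.
"""
from dataclasses import dataclass, field

VIRUS_SPECIFIC = {"AAAZAO", "AAAZFS"}
# Macro set installed into NORMAL.DOT (as the text describes)
TEMPLATE_SET = {"AAAZAO", "AAAZFS", "PayLoad", "FileSaveAs"}
# Macro set written into a document by the hooked File/Save As (as the text describes)
DOCUMENT_SET = {"AutoOpen", "AAAZAO", "AAAZFS", "PayLoad"}


@dataclass
class Document:
    name: str
    macros: set = field(default_factory=set)
    read_only: bool = False           # READ ONLY attribute; assumed to block the write

    def is_infected(self) -> bool:
        return VIRUS_SPECIFIC <= self.macros


@dataclass
class WordSession:
    normal: Document                  # the global NORMAL.DOT template
    resident: bool = False            # True once the bootstrap macro has finished
    dialogs: list = field(default_factory=list)

    def open_document(self, doc: Document) -> str:
        """Word runs AutoOpen automatically; in an infected file it is the bootstrap."""
        if "AutoOpen" in doc.macros and doc.is_infected():
            return self._concept_auto_open()
        return "no viral AutoOpen"

    def _concept_auto_open(self) -> str:
        # Self-checks from the text: abort if the virus appears to be present already.
        # Assumption: the checks consult the global template's macro list.
        if "PayLoad" in self.normal.macros:
            return "aborted: PayLoad present"
        if "FileSaveAs" in self.normal.macros:
            return "aborted: FileSaveAs present"
        if self.normal.read_only:                  # simplification: attribute blocks the write
            return "aborted: NORMAL.DOT read-only"
        self.normal.macros |= TEMPLATE_SET
        self.dialogs.append("1")                   # the bogus counter always shows '1'
        self.resident = True
        return "installed"

    def save_as(self, doc: Document) -> Document:
        """File/Save As: with the FileSaveAs hook resident, the saved file gets the macro set."""
        if self.resident and "FileSaveAs" in self.normal.macros:
            doc.macros |= DOCUMENT_SET
        return doc


def demo() -> dict:
    """Three scenarios; the attachment is a constructed infected document."""
    attachment = Document("invoice.doc", set(DOCUMENT_SET))
    out = {}

    # 1. Default Word 6 configuration: template is writable
    s = WordSession(Document("NORMAL.DOT"))
    out["default"] = s.open_document(attachment)
    out["template_infected"] = s.normal.is_infected()
    out["saved_doc_infected"] = s.save_as(Document("letter.doc")).is_infected()

    # 2. NORMAL.DOT marked READ ONLY, as the text suggests for Word 6.0
    s = WordSession(Document("NORMAL.DOT", read_only=True))
    out["readonly"] = s.open_document(attachment)
    out["readonly_template_infected"] = s.normal.is_infected()

    # 3. Inoculation: a harmless macro named PayLoad already in NORMAL.DOT
    s = WordSession(Document("NORMAL.DOT", {"PayLoad"}))
    out["inoculated"] = s.open_document(attachment)
    out["inoculated_template_infected"] = s.normal.is_infected()
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The first scenario is also the reason the disinfection advice above insists on checking other files: every document saved through File/Save As while the hook is resident comes out infected, so cleaning NORMAL.DOT alone does not end an outbreak. The third scenario shows why the self-check is a weakness of the virus as well as a feature: the same test that stops it re-infecting a machine stops it installing wherever a macro of that name already exists.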

The macro called 'PayLoad' is never executed, and it contains only the following text:
 

The techniques used by this virus are so simple to understand that it can easily be modified to construct similar viruses, so one needs a generic solution. Currently only SCANPROT is such a solution, so it is recommended to install and use it. Those who have MS Word 95a or Word 97 should activate the built-in macro protection, which is similar to SCANPROT but more effective.


Copyright 1997, Nikolai Bezroukov. Standard disclaimer applies. As long as this copyright notice is preserved, and any changes are clearly marked as such, the author gives his consent to republish and mirror this text.



Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to to buy a cup of coffee for authors of this site

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March, 12, 2019