Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)


Version 2.26b/rev.19 (02/11/97)

CONCEPT virus

Warning: this is a pretty old document

Concept was the first macro virus for MS Word that became widely disseminated. It took the whole world by surprise. AV vendors were totally unprepared for this type of threat, and before they caught up Concept had become one of the most widely distributed viruses in history. It is functional in MS Word 6.0 and Word 95. It spreads via infected attachments. These attachments or files are regular MS Word documents that contain the additional macros of the MS Word Concept virus. This virus is able to spread because the user sending the attachment across the network doesn't know that it is infected. The result is that recipients become infected just by opening the attachment or file on their PC using MS Word.

As of the end of 1997 the virus is in sharp decline and no longer represents a significant threat.

General Information

It is important that you know more about macro viruses in general and the MS Word Concept virus specifically so that you can successfully detect and prevent them on your PC. Although the next section will mostly concentrate on the Concept virus, much of the information can also be applied to other macro viruses.

All macro viruses use a macro language to distribute themselves. Unlike previous viruses, macro viruses do not infect programs; instead, they infect documents or spreadsheets. Macro viruses are not limited to MS Word: viruses can be written in other macro languages as well (for example, using VBA for Excel 5.0 or the Ami Pro macro language).

The Concept virus is costly to remove but has no destructive payload. In late 1995 and early 1996 Concept became the most common of all virus occurrences. The costs associated with Concept's detection and removal have been quite high because infected attachments are being sent to multiple destinations.

The Concept virus infects MS Word documents by adding a set of macros to them. The infected document is sent as an email attachment or as a file on a diskette. The virus remains dormant until you, the recipient, open the attachment or file using MS Word. Upon opening the document, the virus installs itself and tries to infect the NORMAL.DOT template as well as other loaded documents and templates.

If you do not open the document with MS Word, your PC will not become infected.  However, the infected document will still be present in your mailbox or on diskette until you delete the email message containing the attachment or delete the file located on the diskette.

If you open an infected document and do not have any protective tools installed, the Concept macro virus will install its macros and try to replicate and distribute itself through MS Word documents. Usually, the NORMAL.DOT template will be infected first.

For Word 6.0 only, it makes sense to install the special set of protective macros called SCANPROT, and perhaps for some time even to set the READ ONLY attribute on the NORMAL.DOT file.

How To Detect the MS Word Concept Macro Virus

Identification of infected documents is easy. Open the document in MS Word. Click on the menu item named TOOLS on the upper tool bar. This expands into a list of options. Click on MACRO. You will see a list of macros that are loaded into MS Word. If the Concept virus is present, the names AAAZAO, AAAZFS, FileSaveAs, and PayLoad will be on the list. If you see these names in the list of currently loaded macros, your MS Word document is infected with the Concept virus.

The first time you open a document containing the Concept macro virus, you will see a dialog box that only contains the number "1" and an "OK" button.  At this point, you have become infected and the Concept virus will attach its set of macros to all opened documents. 

How to disinfect the Concept virus

Prior to sending out electronic mail messages with MS Word 6.0/7.0 attachments, you must check each document for potentially infected macros. Instructions on how to perform this task are listed in the next section. Anyone sending attachments to a wide distribution (e.g. many people and/or many sites) needs to be especially careful and should use RTF instead of native MS Word format. See RTF2DOC for details.

Tools available for detection and disinfection

MS Word. After displaying the list of macros, if AAAZAO, AAAZFS, FileSaveAs, and PayLoad are present, highlight each of the virus's macros and select the Delete option. This removes the virus from the loaded files, which you should then save. It does not solve the problem of other infected files on the system; any AV scanner can be used for that.

Technical Overview

The MS Word environment resembles a mini operating system. MS Word has its own programming language, WordBasic. An MS Word document resembles a floppy disk: it can contain executable components and files. Programming with WordBasic is described in the on-line help facilities and in the MS Word Developer's Kit.

So every document in native MS Word format can carry macros. In its default configuration, whenever Word opens a document it executes a macro named AutoOpen, if one is present, without asking or alerting the user. Usually the AutoOpen macro is used to set up the working environment required by the document or the user, much like AUTOEXEC.BAT in DOS. The idea of Concept is to use this macro as the base macro for a virus.

The Concept virus AutoOpen macro first checks whether the virus is already active on this computer by searching for a macro named PayLoad. If it is present, execution aborts. Then it searches for a macro named FileSaveAs; if found, the virus aborts. If these tests are passed, the virus adds four new macros to the user's NORMAL.DOT. Macros in NORMAL.DOT are loaded each time you open MS Word. Also, unless the user selects another template when creating a new document, Word will base any new document on the Normal template. Concept adds four macros to NORMAL.DOT: AAAZAO, AAAZFS, PayLoad and FileSaveAs (identical to the virus's macro AAAZFS).

The virus displays a dialog box upon infection, containing what appears to be an infection counter, but which displays the number '1' no matter how many infections you generate. 

Once this message box is clicked on, the virus is active and resident, and execution of its 'bootstrap' macro finishes. Once resident, the virus code is activated whenever the user attempts to save a file using 'File/Save As', as this function has been 'enhanced' by the addition of a FileSaveAs macro. Whenever the user selects this option, the virus creates an AutoOpen macro in the new document and copies the contents of the macro AAAZAO into it. The macros AAAZFS, AAAZAO and PayLoad are also created and copied into the new document.

The macro called 'PayLoad' is never executed, and it contains only the following text:
 

The techniques used by this virus are so simple to understand that it can easily be modified to construct similar viruses. So one needs a generic solution. Currently only SCANPROT is such a solution, so it is recommended to install and use it. Those who have MS Word 95a or Word 97 should activate the built-in macro protection, which is similar to SCANPROT but more effective.
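As an added example (not part of the original article), here is a Python check a sender could run over an attachment before mailing it, combining the RTF recommendation above with the four macro names the text lists. The OLE header constant and the assumption that WordBasic macro names appear as plain ASCII strings inside the .doc container are mine, not the article's; the sample byte strings are constructed.

```python
import re

# Macro names the text says Concept adds to NORMAL.DOT and to infected files.
# FileSaveAs is also the name of a built-in Word command that a legitimate
# template may customise, so on its own it is only a weak indicator.
CONCEPT_MACROS = ("AAAZAO", "AAAZFS", "PayLoad", "FileSaveAs")
STRONG_INDICATORS = ("AAAZAO", "AAAZFS", "PayLoad")

RTF_MAGIC = b"{\\rtf"
# Header of an OLE compound file, the container used by Word 6.0/95 .doc files.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def find_concept_macro_names(data: bytes) -> list:
    """Return the Concept macro names found as ASCII strings in the document.
    Assumption (simplified heuristic, not a parser of the Word binary format):
    macro names appear as readable strings in the .doc container, so a byte
    search with word boundaries finds them."""
    found = []
    for name in CONCEPT_MACROS:
        pattern = rb"(?<![A-Za-z0-9_])" + name.encode("ascii") + rb"(?![A-Za-z0-9_])"
        if re.search(pattern, data):
            found.append(name)
    return found


def classify_attachment(data: bytes) -> str:
    """Classify an outgoing attachment before it is sent, the check the text
    asks senders to perform. Returns "rtf", "not-word-document", "clean",
    "suspicious" or "concept"."""
    if data.startswith(RTF_MAGIC):
        return "rtf"   # the format the text recommends; it carries no WordBasic macros
    if not data.startswith(OLE_MAGIC):
        return "not-word-document"
    found = find_concept_macro_names(data)
    strong = [n for n in found if n in STRONG_INDICATORS]
    if len(strong) == len(STRONG_INDICATORS) and "FileSaveAs" in found:
        return "concept"      # all four macros: the Concept signature from the text
    if strong:
        return "suspicious"   # partial set: a remnant or a modified variant
    return "clean"            # FileSaveAs alone may be a legitimate customisation


# Constructed samples (not real documents): an OLE header followed by
# fragments standing in for the macro table of the file.
INFECTED_DOC = OLE_MAGIC + b"\x00" * 16 + b"AutoOpen\x00AAAZAO\x00AAAZFS\x00PayLoad\x00FileSaveAs\x00"
CUSTOMISED_DOC = OLE_MAGIC + b"\x00" * 16 + b"FileSaveAs\x00MyToolbar\x00"
RTF_DOC = b"{\\rtf1\\ansi Hello}"
```

A file that comes back "suspicious" or "concept" should be opened in Word and its macro list inspected as described in the detection section before it is sent.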


Copyright 1997, Nikolai Bezroukov. Standard disclaimer applies. As long as this copyright notice is preserved, and any changes are clearly marked as such, the author gives his consent to republish and mirror this text.


Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Original materials' copyright belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Last modified: February 28, 2008