Threat Description

Virus:​W32/Concept

Details

Aliases: Virus:​W32/Concept, Concept, WM/Concept
Category: Malware
Malware
Type: Virus
Platform: W97M

Summary



A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.



Removal



To salvage the infected document for further use, the user may instruct F-Secure Anti-Virus to disinfect the file.

Alternatively, if desired, the user may instruct the antivirus program to simply delete the document.

For more general information on disinfection, please see Removal Instructions.



Technical Details



Virus:W97M/Concept also known as Word Prank Macro or WW6Macro - is a macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WM/Concept used to be extremely widespread during 1995-1997. Nowadays, it is almost (but not completely) extinct.

Distribution

Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files.

The situation is made worse by the fact that Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

Execution

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functions.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copies of the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all of the documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:

  • AAAZAO
  • AAAZFS
  • AutoOpen
  • FileSaveAs
  • PayLoad

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous and it contains these texts:

  • Sub MAIN
  • REM That's enough to prove my point
  • End Sub

However, the "PayLoad" macro is not executed at any time.

Variants

Concept.G

This is a Concept variant which displays a dialog box with this text: Parasite Virus V0.8

Concept.F

This is a Concept variant which displays a dialog box with this text: Parasite Virus V1.0

Concept.BZ

This variant has following renamed macros: AAZAO AAZFS AutoOpen FileSave PayLoad Every Friday the 13th Concept.BZ activates by setting documents to be protected with the password "haifa". The virus contains string "Neskati te".






SUBMIT A SAMPLE

Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More