F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Legal Notices
Contact Us

F-Secure Virus Descriptions : Concept





NAME:Concept
ALIAS:Prank, WW6Macro

WM/Concept used to be extremely widespread during 1995-1997. Nowadays it is almost (but not completely) extinct.

WordMacro/Concept - also known as Word Prank Macro or WW6Macro - is a macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WordMacro/Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files. The situation is made worse by the fact that WordMacro/Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functioning.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copies the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros: 

     AAAZAO
     AAAZFS
     AutoOpen
     FileSaveAs
     PayLoad

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous. It contains the text: 

     Sub MAIN
             REM That's enough to prove my point
     End Sub

However, the "PayLoad" macro is not executed at any time.

VARIANT:Concept.F
ALIAS:Parasite

This is a Concept variant which displays a dialog box with this text: 

    Parasite Virus V1.0

VARIANT:Concept.G

This is a Concept variant which displays a dialog box with this text: 

    Parasite Virus V0.8

VARIANT:Concept.BZ
ALIAS:Haifa

This variant has following renamed macros: 

     AAZAO
     AAZFS
     AutoOpen
     FileSave
     PayLoad

Every Friday the 13th Concept.BZ activates by setting documents to be protected with the password "haifa".

The virus contains string "Neskati te".

[Analysis: Mikko Hypponen and Katrin Tocheva, F-Secure Ltd]