Virus:W32/Concept

Classification

Category: Malware

Type: Virus

Platform: W97M

Aliases: Virus:W32/Concept, Concept, WM/Concept

Summary

Virus:W97M/Concept, also known as Word Prank Macro or WW6Macro, is a macro virus written in the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.

WM/Concept was extremely widespread during 1995-1997. Nowadays, it is almost (but not completely) extinct.

Removal

To salvage the infected document for further use, the user may instruct F-Secure Anti-Virus to disinfect the file.

Alternatively, if desired, the user may instruct the antivirus program to simply delete the document.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Distribution

Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files.

The situation is made worse by the fact that Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.

Execution

The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functions.

If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copying the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.

After the virus has managed to infect the global template, it infects all of the documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.

The virus consists of the following macros:

  • AAAZAO
  • AAAZFS
  • AutoOpen
  • FileSaveAs
  • PayLoad

Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached macros with these names to their documents and templates. In this context, "PayLoad" sounds very ominous; it contains the following text:

    Sub MAIN
    REM That's enough to prove my point
    End Sub

However, the "PayLoad" macro is not executed at any time.
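The macro list above can drive a simple name-based triage of documents and templates. The following Python sketch is an added example, not F-Secure's detection logic; it assumes macro names have already been extracted from each file by a separate tool and that names compare case-insensitively, and the sample inventory is constructed.

```python
# Added example: name-based triage for the Concept macro set described above.
# Assumption: macro names were already extracted per file by a separate tool.

# The five macros the write-up lists for Concept (lower-cased for comparison).
CONCEPT_MACROS = {"aaazao", "aaazfs", "autoopen", "filesaveas", "payload"}
# Names the write-up notes are legitimate in ordinary documents and templates.
SHARED_NAMES = {"autoopen", "filesaveas"}
# Names Concept itself looks for in NORMAL.DOT before deciding to infect it.
INFECTION_MARKERS = {"payload", "filesaveas"}


def triage(macro_names):
    """Classify one file's macro names against the Concept macro set."""
    # Assumption: macro names compare case-insensitively.
    names = {n.strip().lower() for n in macro_names}
    hits = names & CONCEPT_MACROS
    specific = hits - SHARED_NAMES          # names with no legitimate use noted
    if hits == CONCEPT_MACROS:
        verdict = "full-match"              # all five macros present
    elif specific:
        verdict = "partial-match"           # some Concept-only names present
    elif hits:
        verdict = "shared-names-only"       # could be the user's own macros
    else:
        verdict = "no-match"
    return {
        "verdict": verdict,
        "specific_hits": sorted(specific),
        # True if Concept's own "already infected" check would match these names.
        "marker_present": bool(names & INFECTION_MARKERS),
    }


def triage_inventory(inventory):
    """Apply triage() to a {path: [macro names]} mapping."""
    return {path: triage(names) for path, names in inventory.items()}


# Constructed sample inventory (paths and contents are illustrative only).
SAMPLE_INVENTORY = {
    "NORMAL.DOT": ["AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs", "PayLoad"],
    "report.doc": ["AutoOpen", "FileSaveAs"],
    "letter.doc": ["aaazfs", "PayLoad"],
    "notes.doc": [],
}

if __name__ == "__main__":
    for path, result in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{path:12} {result['verdict']:18} marker={result['marker_present']}")
```

A "shared-names-only" result with the marker present deserves a second look rather than an alarm: by the check described above, Concept would treat a template holding the user's own "FileSaveAs" macro as already infected and stop.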

Variants

Concept.G

This is a Concept variant which displays a dialog box with this text: Parasite Virus V0.8

Concept.F

This is a Concept variant which displays a dialog box with this text: Parasite Virus V1.0