Virus:W97M/Concept also known as Word Prank Macro or WW6Macro - is a macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.
WM/Concept used to be extremely widespread during 1995-1997. Nowadays, it is almost (but not completely) extinct.
To salvage the infected document for further use, the user may instruct F-Secure Anti-Virus to disinfect the file.
Alternatively, if desired, the user may instruct the antivirus program to simply delete the document.
For more general information on disinfection, please see Removal Instructions.
Find the latest advice in our Community Knowledge Base.
See the manual for your F-Secure product on the Help Center.
Submit a file or URL for further analysis.
Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files.
The situation is made worse by the fact that Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.
The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functions.
If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copies of the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.
After the virus has managed to infect the global template, it infects all of the documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.
The virus consists of the following macros:
Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous and it contains these texts:
However, the "PayLoad" macro is not executed at any time.
This is a Concept variant which displays a dialog box with this text: Parasite Virus V0.8
This is a Concept variant which displays a dialog box with this text: Parasite Virus V1.0