SR News: Macro Viruses

Concept is spreading in the wild.

Concept (AKA "Prank Macro", WinWord.Concept, and WordMacro.Concept) is a very recent virus (just discovered in August of 1995) which does some things that many people thought were impossible. Concept has been getting considerable publicity, including a recent article in the Wall Street Journal. This virus has been confirmed to be spreading in the wild. (We have had reports from all over the world.) This virus spreads via MS Word documents. Even if you don't use MS Word, please read on; this type of virus is a threat to everyone. I'll explain exactly how the virus works, how to detect it, and how to remove it (without using an anti-virus product).

THE FIRST MULTI-PLATFORM VIRUS?

Concept can infect any computer that uses MS Word 6.0 (or a later release). Since there is a version of MS Word for Apple Macintosh computers as well as PCs, this virus will spread to (or from) a Macintosh if an infected document is exchanged. If you define a "platform" as a type of computer, then yes, this is the first multi-platform virus. On the other hand, it's important to recognize that this is a VERY limited virus. It will only spread to computers running MS Word. Actually it's more limited than that; it will only spread to computers using English language versions of MS Word 6.0. It will not spread to German, French, Spanish, or Russian versions of MS Word.

A VIRUS THAT BREAKS ALL THE RULES?

If you take a quick look at this virus, it seems to break the rules for viruses. Concept infects MS Word documents. Simply opening an infected document causes the virus to infect your PC. I mentioned previously that viruses infect only executable programs. It seems a contradiction that a virus could infect documents. I also stated that to become infected by a virus you must execute an infected program. Both these statements still hold true. To see how this is possible, let's take a close look at how Concept works.
THE TRICKS USED BY A NEW VIRUS

Concept was written using the "Macro" capability built into MS Word. Actually it is somewhat of a misnomer to call this just a macro capability, since it uses a full programming language called Word Basic that Microsoft provides with each copy of Word. The virus was written in Word Basic. But MS Word documents can't contain macros, so how does the virus attach itself to documents? It does this by creating a "template" rather than a document. Templates are special files supported by MS Word that are used as a pattern for new documents. Templates, unlike documents, can contain macros. Concept causes infected documents to be saved as templates but with the ".DOC" extension normally associated with documents. After this happens, the original document no longer exists as a document but rather as a template with a ".DOC" extension. Templates normally have ".DOT" extensions, so the fact that the document has been converted to a template is not at all obvious. The virus consists of the macros that are stored inside of the template. But what causes the virus macros to be executed in the first place?

AUTOMATIC VIRUS EXECUTION

MS Word provides the capability to automatically execute a macro (in this case a Word Basic program) when you open a new template. The infected templates contain such an "AutoOpen" macro; this is how the virus code (in the form of a Word Basic macro program) is executed when you open an infected document. This makes the virus very deceptive. Few users of MS Word realize that every time they open what they think is a document, they could be executing a viral program. This exposure is not unique to MS Word; it is also present in other environments that support macro languages, such as MS Excel, Lotus 1-2-3, and Quattro Pro.

HOW CONCEPT SPREADS

Concept creates a "FileSaveAs" macro. This is the code that executes when you select "File Save As" from the MS Word File menu.
After opening an infected document, any use of "File Save As" will result in the document being saved as an infected template with the standard ".DOC" extension normally associated with documents. Since documents and templates are handled almost identically by MS Word, the user is not aware that anything unusual has happened when a document is converted to an infected template by the "FileSaveAs" macro.

THE SAGA CONTINUES--EVEN MORE VIRUS TRICKS

Another interesting aspect of this virus is that once you open an infected document, the MS Word environment itself becomes infected. This means that if you restart MS Word with no files open, you will already be infected; all files saved with "File Save As" will be infected templates. The virus accomplishes this by modifying the "NORMAL.DOT" file. This file contains the global macros used by MS Word. Essentially this makes the virus's macros always present (and active) in the MS Word environment.

IS IT REALLY A VIRUS?

Microsoft is calling this "Prank Macro" and not referring to it as a virus. Does this really qualify as a virus? Yes, unfortunately it does. When you open an infected document (actually a template), you automatically execute the virus code. This code modifies the MS Word environment so that all future documents saved using "File Save As" will be infected templates. This transfers the infection from one host document to another, and it is actually spreading in the wild.

THE FRIENDLY VIRUS?

This virus is fortunately VERY easy to spot. When you open an infected file for the first time, you will see a box appear containing the number "1" and nothing else. This apparently was intended by the author of the virus. The virus does not have a destructive payload, but it creates a macro called "Payload" that could easily be modified to do something destructive. Several quickie removers leave the "Payload" macro in place, since the presence of this macro will prevent reinfection by the virus.
The virus checks for the presence of a macro called "Payload" and will not infect if it sees a macro called "Payload" already there. The virus also adds two other macros to the global macro pool: "AAAZAO" and "AAAZFS". These macros are very easy to spot and provide a quick way to check if you are infected. In MS Word, simply click on "Tools" and then "Macros" and check if these macros are listed. Beyond spreading, this virus does no real damage. The same may not be true for future viruses of this type. This virus is VERY easily modified (even by a non-programmer), and we expect to soon see new variants that may not be so easy to spot.

HOW TO REMOVE THIS VIRUS

You could get one of the few anti-virus products that have been updated to detect and remove this virus (we have produced a prerelease upgrade to Integrity Master that detects this virus; it is available for download from our support sites), or you can start MS Word and check for the "AAAZAO" and "AAAZFS" macros. If you see them, you are infected; if not, you are clean and don't need to check your existing documents. If you are infected, open all suspect files, including NORMAL.DOT, and delete the macros added by the virus. To do this, click on "Tools", then "Macros", and then delete the following macros: "AAAZAO", "AAAZFS", "AutoOpen", "FileSaveAs". There is also a macro called "Payload" that you can delete, but leaving this macro in place will prevent reinfection by this virus.

THE FUTURE THREAT

Concept is fairly easy to deal with. Other viruses of this type will not be so easy. If you don't use MS Word you may think you are safe, but any application that supports a similar macro language is vulnerable to a virus of this type. MS Excel, Lotus 1-2-3, and Quattro Pro contain languages which would allow writing of viruses that could spread in these environments.
It's important to understand that such viruses would spread only within those specific environments rather than universally (the way existing executable and boot sector viruses spread).

We now have additional viruses utilizing the macro capability. A recent virus (but not in the wild yet) is WordMacro.Nuclear (AKA WordMacro.Alert). This virus does not announce its presence with a dialog box. Furthermore, this virus drops a conventional file-infecting virus called Ph33r. The Ph33r virus is memory resident and infects .COM and .EXE files. You can spot the Nuclear virus since it contains the macros: AutoExec, AutoOpen, FileSaveAs, FilePrint, FilePrintDefault, InsertPayload, DropSuriv, FileExit, and Payload. If the system time is between 5PM and 6PM, the macros will drop the Ph33r virus. Nuclear will occasionally append the following text when printing documents: "And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!" On April 5th of any year, the virus deletes the files IO.SYS and COMMAND.COM.

PROTECTION AGAINST FUTURE MACRO VIRUSES

There are steps you can take now to protect yourself against future macro viruses similar to Concept. If you click on "Options" under "Save", you can ask MS Word to get your approval before modifying NORMAL.DOT. This will disable one of the tricks used by Concept and likely used in future viruses of this type.

It should be obvious to you that the reason this virus works is that it executes without your knowledge in the "AutoOpen" macro. Turning this off would eliminate this type of attack, and the MS Word documentation provides a way to do this. Just start MS Word with the command:

    winword.exe /mDisableAutoMacros

This supposedly disables all auto macros. UNFORTUNATELY IT DOESN'T WORK! I assume Microsoft will soon fix this and we can use the above option.

A technique which does work is to enter the following macro. Click on "Tools" and then "Macros" and create a new macro called "autoexec".
(This macro will automatically execute every time you start MS Word.) Enter the following text as your macro (it's a short Word Basic program):

    Sub MAIN
        ' 1 = turn off AutoExec/AutoOpen/AutoClose/AutoNew/AutoExit for this session
        DisableAutoMacros 1
        MsgBox "Automatic Macro Execution is now OFF", -1
    End Sub

Every time you now start up Word, it will turn off automatic macros, effectively eliminating a viral attack using automatic execution macros.

Integrity Master and other anti-virus products are being updated to provide additional protection against this type of virus, so it's helpful to keep your protection up-to-date. We have released a special prerelease update (2.60a) to Integrity Master to detect this virus by name. This update is available on CompuServe as file I-MUPD.ZIP (in the Stiller library, #6) and from our primary support BBS. First time callers can download and get support for Integrity Master from Wingit! Call 904-386-8693 for 9600 to 28.8kbps and HST modems or 904-385-0449 (for all but HST). For really fast access, you can log on as user: "Integrity Master" (without the quotes) and you will be offered the download of Integrity Master. The update is contained in file I_MUP26.ZIP. All later updates will, of course, detect these viruses also.

MACRO VIRUSES IN PERSPECTIVE

It's important to realize that Concept is easy to recognize and easy to remove if you do get infected. This virus is no cause for alarm. There is some reason for concern regarding future viruses using the techniques used by this virus. Make sure your anti-virus protection is prepared to handle this new threat.
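As an added example (not from the original newsletter), here is a Word Basic check macro that automates the "Tools" / "Macros" inspection described under HOW TO REMOVE THIS VIRUS: it lists the Concept and Nuclear macro names present in NORMAL.DOT and in the active document's template, and separately flags the auto-executing and menu-intercepting names for review. It assumes Word 6's CountMacros() and MacroName$() functions, with context 0 meaning the global (NORMAL.DOT) macro pool and 1 the active document's template.

```basic
' Added example, not code from the newsletter: report macro names used by
' Concept and Nuclear. Assumes WordBasic CountMacros(Context) and
' MacroName$(Count, Context); Context 0 = NORMAL.DOT, 1 = active template.
Sub MAIN
    ' Names that only the viruses described in the newsletter create
    Viral$ = "|AAAZAO|AAAZFS|INSERTPAYLOAD|DROPSURIV|"
    ' Names worth a look but not proof by themselves: Payload may be a
    ' deliberate inoculation left by a remover, and the auto/intercept
    ' names are also used by legitimate macros
    Review$ = "|PAYLOAD|AUTOOPEN|AUTOEXEC|FILESAVEAS|FILEPRINT|FILEPRINTDEFAULT|FILEEXIT|"
    Hits$ = ""
    Check$ = ""
    For Context = 0 To 1
        If Context = 0 Then Where$ = "NORMAL.DOT" Else Where$ = "active template"
        For i = 1 To CountMacros(Context)
            MName$ = MacroName$(i, Context)
            Key$ = "|" + UCase$(MName$) + "|"
            If InStr(Viral$, Key$) > 0 Then
                Hits$ = Hits$ + MName$ + " in " + Where$ + Chr$(13)
            ElseIf InStr(Review$, Key$) > 0 Then
                Check$ = Check$ + MName$ + " in " + Where$ + Chr$(13)
            End If
        Next i
    Next Context
    If Hits$ = "" Then
        Report$ = "No Concept or Nuclear virus-specific macro names found."
    Else
        Report$ = "INFECTION LIKELY. Virus-specific macros:" + Chr$(13) + Hits$
    End If
    If Check$ <> "" Then
        Report$ = Report$ + Chr$(13) + "Macros to review (delete if not yours):" + Chr$(13) + Check$
    End If
    MsgBox Report$, "Macro virus check"
End Sub
```

Creating this macro itself modifies NORMAL.DOT, so enter it on a machine you have already checked by hand. It only matches the names listed above; a variant with renamed macros needs a product that scans the macro code itself.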