More on the WinWord.Concept WordBasic Macro Virus
by Paul Ducklin, Sophos, Plc (25 Aug 1995)

We assume a default Word installation, with all necessary security holes
open...

Overview

Infected documents contain a set of viral WordBasic macros, one of which is
automatically invoked by Word when the document is loaded (hole 1).

The virus then infects the Word environment by copying its macros into the
global macro environment -- thus effectively "going resident". One of these
viral macros is automatically invoked by Word when a document is saved (hole
2) and allows the virus to replicate itself into previously clean files when
they are saved.

Lastly, when Word exits, it automatically saves any changes to its global
environment (hole 3). This means that the viral macros will automatically be
resident and active during future Word sessions.

Detection and Cleaning

Start a new document based on the Normal template, then choose Tools/Macro.
If you see (inter alia) the macros AAAZAO, AAAZFS, AutoOpen, PayLoad and
FileSaveAs, then you probably have WinWord.Concept. Delete each of these
macros to clean the current environment. By default, Word will save this
cleaned environment for you when you exit.

A document is infected if it contains these same macros. Clean infected files
as above, by going into Tools/Macro and deleting the offending macros. Be sure
to save the cleaned document. Once you have loaded, cleaned and saved an
infected document, three of the viral macros will be left behind in your
global environment. Although they will no longer replicate, you might want to
remove them before exiting Word, to leave your global template totally clean.

There is an obvious giveaway of WinWord.Concept's actuation when an infected
document is loaded -- a dialogue box titled "Microsoft Word", containing the
string "1" and an OK button, pops up. Note that this giveaway applies only to
WinWord.Concept; don't rely on it as a generic anti-macro-virus measure!

Prevention

The Word for Windows manual claims that if you hold down Shift whilst
double-clicking the Word icon in Program Manager, then Word will startup with
file-related "auto-execute" macros disabled. This ought to inhibit the
actuation of WinWord.Concept, which relies on this feature -- though it didn't
work on my machine. Starting up WinWord with the command line "WINWORD.EXE /m"
is supposed to achieve a similar effect, but failed similarly for me.

You can also hold down Shift whilst opening a document to disable any
automatic macros in that file -- though this too failed on my PC.

A WinWord.Concept-specific fix is to create a macro in your global template
called "PayLoad". If this macro is present, the virus assumes it is already
active and aborts without infecting. Once again, this is not a generic
anti-macro-virus fix.

To prevent the transparent permanent modification of your global environment,
go to Tools/Options/Save and switch on "Prompt to save NORMAL.DOT". Malicious
macros could easily change this setting back, of course, but this is a safety
measure which you might as well take.

Finally, you might wish to use one of Word's auto-execute macros to your
advantage. Under Tools/Macro, create a macro called AutoExec that looks like
this:

   Sub MAIN
       DisableAutoMacros
       MsgBox "AutoMacros off!", "Safety First!", 64
   End Sub

This macro is triggered whenever WinWord starts (a serious potential hole!),
and serves to disable the feature which WinWord.Concept uses to actuate.

You are viewing proxied material from gopher.altexxanet.org. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.