Microsoft Word Macro Concept virus family
 
There is an ongoing debate in the virus research community about the extent to
which a virus could affect, and infect, a data file.  The discussion is
lengthy, but until this year the conclusion was that a "data file" virus was
possible, but highly unlikely.  That perception changed with a message this
past summer.
 
The message subject was "Nightmare has arrived".  The report, from Sarah
Gordon, gave some detail from her examination of the beast.  Infected files
(data files, remember) contained a number of macros which worked in concert to
enable reproduction and spread.  Other reports were fairly quick to arrive. 
The Word Macro virus is quite definitely widespread, and plainly able to
replicate.
 
At the heart of the system are two macros named "AutoOpen" and "FileSaveAs". 
These names are important, since the name itself contributes to the function. 
A macro named AutoOpen contained in a Microsoft Word word processing file will,
by default, load itself and execute when the data file is opened.  In this
case, it was used to load itself and the other macros into what is known as the
global document template, stored in a file named NORMAL.DOT.  Once in the
global template, these macros become available during the processing of any
file.  (Two preventive measures can be taken to keep this from happening in
your Word system.  You can either program or reprogram an AutoExec macro in
Word's global document template to include the command "DisableAutoMacros". 
Under TOOLS/OPTIONS, you can open the Save folder and select "Prompt to save
Normal".  This will prevent the NORMAL.DOT file from being modified without
your being informed.  As a final resort, if you do not want to make regular
changes to the global template you can flag NORMAL.DOT as a "read only" file
under MS-DOS.)
 
The macro named FileSaveAs, when installed in the global document template,
modifies the "Save As" item in the "File" menu.  Thereafter, any file "saved
as" a different filename would also be stored as a document template,
containing the macros required by the virus.  This completed the replication
cycle.  An infected document would infect the Word system, and an infected Word
system would infect any file saved under a different name.
 
It is fairly obvious that this first variant was a "proof of concept", leading
to some of the alternatively proposed names such as Macro.Concept,
WinWord.Concept and just plain Concept.  One of the macros is named "PayLoad",
and contains only the remark "That's enough to prove my point".  The PayLoad
macro is, in fact, never called, but it could have been, and just about
anything could have been put in it.  Checking for a macro called PayLoad is one
possible way to detect the infection, but since the AutoOpen macro also checks
for it, writing an empty macro called PayLoad is also a means of prevention. 
(Writing a macro called FileSaveAs is another.)
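
The name check described above can be sketched as a small triage script. This is an added example, not code from the original article; it assumes macro names are stored in the file as readable text, and the verdict labels and sample buffers are made up for illustration.

```python
import re

# Macro names taken from the article; everything else here is illustrative.
NAMES = ("AutoOpen", "FileSaveAs", "PayLoad")

def _pattern(name):
    # Assumption: names sit in the file as readable text, either one byte
    # per character or UTF-16LE, and their case may vary.
    narrow = re.escape(name.encode("ascii"))
    wide = re.escape(name.encode("utf-16-le"))
    return re.compile(narrow + b"|" + wide, re.IGNORECASE)

PATTERNS = {name: _pattern(name) for name in NAMES}

def macro_names_found(data):
    """Return the subset of NAMES that occurs anywhere in the raw bytes."""
    return {name for name, pat in PATTERNS.items() if pat.search(data)}

def triage(data):
    """Map the names found to a verdict label (labels are hypothetical)."""
    found = macro_names_found(data)
    if {"AutoOpen", "PayLoad"} <= found:
        return "suspect"               # auto-run macro plus the PayLoad marker
    if "AutoOpen" in found:
        return "review"                # an auto macro, but not the described set
    if found:
        return "possible-inoculation"  # PayLoad/FileSaveAs alone may be the
                                       # preventive macros the article mentions
    return "no-match"

# Constructed sample buffers, not real documents.
SAMPLES = {
    "infected": b"\x00" * 8 + b"\x08AutoOpen\x07PayLoad\x0aFileSaveAs",
    "vaccine": b"\x00" * 8 + b"\x07PAYLOAD",
    "wide": "AutoOpen".encode("utf-16-le") + b"\x00\x00"
            + "Payload".encode("utf-16-le"),
    "plain": b"Quarterly report, nothing unusual.",
}

if __name__ == "__main__":
    for label, buf in SAMPLES.items():
        print(label, sorted(macro_names_found(buf)), triage(buf))
```

A document that merely mentions these names in its text will also match, so a hit is a reason to inspect the file's macros, not proof of infection.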
 
(According to MS-Word documentation, holding down the shift key while the
program loads, or while a document is being opened, should prevent the
operation of AutoOpen macros.  In tests by a major antiviral research group, it
was found that this does *not* provide reliable protection against the Word
Macro virus.  Do *not* depend upon it.)
 
The proposed name of WinWord or WinWord.Concept is unfortunately misleading. 
The macros will operate under other compatible versions of Word, even on the
Macintosh.  The Word Macro virus is therefore one of the first (possibly the
very first, depending on how you define it) viral programs to successfully
cross platforms.
 
Microsoft, as could be expected, is none too happy to have one of their
products associated with a virus.  They have their own name, referring to it as
the "Macro Prank", thus avoiding both the product name and the deadly "virus"
appellation.  (Microsoft have, in fact, inadvertently spread the virus
themselves.  A British paper has reported that a Windows 95 promotional disk
for vendors had the macro in one of the documents.)  It is unlikely that mere
marketing can avoid the issue: this entity definitely has all the required
characteristics of a virus.  The first version may have been relatively
harmless, but the idea is so simple that new versions appeared within weeks.
 
In fact, within a month after the initial report of the original Word Macro in
the wild, the first malicious and damaging variant appeared.  It was openly
posted on the Netcom system, which has a policy of allowing free availability
of malicious software.  In a rather cruel jest, the "Nuclear" virus, as it has
been called, was contained in a document describing the prototype Word Macro. 
Nuclear attempts to turn off preventive measures, adds a political message to
the bottom of random documents, attempts to inject a more mundane file-
infecting virus into MS-DOS systems, and will delete the operating system files
on April 5th.
 
In addition, another macro virus has been found which does not use the AutoOpen
macro.  It also uses various functions of Word in order to hide itself, thus
using a kind of stealth technology.
 
As far as sole identification with Word goes, that may change.  The current
versions (this is being written not much more than a month after the first one
was seen) have been written in Word Basic.  I have recently read in a number of
books that Microsoft plans to replace the various macro and scripting languages
in its assorted products with Visual Basic for Applications.  This will mean
that a macro virus written in Word will work equally well in Excel, Access and
a wide range of other products.  The same reports state that Microsoft is eager
to license VBA to other developers for use in non-Microsoft products, at which
point the virus would work in licensed and compatible products from a variety
of vendors.
 
At the same time that details of the Word Macro virus began to come out, we
also saw a fresh spate of reports of an email virus, tied to Microsoft. 
Although these reports are very short on fact, it appears that they relate to
both the Word Macro virus and the email file attachment and automatic setup
capability discussed earlier.  The new Microsoft Network makes this type of
activity particularly easy.  By default, one mouse click is all it takes to
download the attached file, invoke Word, read in the file, and infect your
system.