Microsoft Word Macro Concept virus family

There is an ongoing debate in the virus research community about the extent to which a virus could affect, and infect, a data file. The discussion is lengthy, but until this year the conclusion was that a "data file" virus was possible, but highly unlikely.

That perception changed with a message this past summer. The message subject was "Nightmare has arrived". The report, from Sarah Gordon, gave some detail from her examination of the beast. Infected files (data files, remember) contained a number of macros which worked in concert to enable reproduction and spread. Other reports were fairly quick to arrive. The Word Macro virus is quite definitely widespread, and plainly able to replicate.

At the heart of the system are two macros named "AutoOpen" and "FileSaveAs". These names are important, since the name itself contributes to the function. A macro named AutoOpen contained in a Microsoft Word word processing file will, by default, load itself and execute when the data file is opened. In this case, it was used to load itself and the other macros into what is known as the global document template, stored in a file named NORMAL.DOT. Once in the global template, these macros become available during the processing of any file.

(Two preventive measures can be taken to keep this from happening in your Word system. You can program or reprogram an AutoExec macro in Word's global document template to include the command "DisableAutoMacros". Alternatively, under TOOLS/OPTIONS, you can open the Save folder and select "Prompt to save Normal". This will prevent the NORMAL.DOT file from being modified without your being informed. As a final resort, if you do not want to make regular changes to the global template, you can flag NORMAL.DOT as a "read only" file under MS-DOS.)

The macro named FileSaveAs, when installed in the global document template, modifies the "Save As" item in the "File" menu.
Thereafter, any file "saved as" a different filename would also be stored as a document template, containing the macros required by the virus. This completed the replication cycle. An infected document would infect the Word system, and an infected Word system would infect any file saved under a different name.

It is fairly obvious that this first variant was a "proof of concept", leading to some of the alternatively proposed names such as Macro.Concept, WinWord.Concept and just plain Concept. One of the macros is named "PayLoad", and contains only the remark "That's enough to prove my point". The PayLoad macro is, in fact, never called, but it could have been, and just about anything could have been put in it. Checking for a macro called PayLoad is one possible way to detect the infection, but since the AutoOpen macro also checks for it, writing an empty macro called PayLoad is also a means of prevention. (Writing a macro called FileSaveAs is another.)

(According to MS-Word documentation, holding down the shift key while the program loads, or while a document is being opened, should prevent the operation of AutoOpen macros. In tests by a major antiviral research group, it was found that this does *not* provide reliable protection against the Word Macro virus. Do *not* depend upon it.)

The proposed name of WinWord or WinWord.Concept is unfortunately misleading. The macros will operate under other compatible versions of Word, even on the Macintosh. The Word Macro virus is therefore one of the first (possibly the very first, depending on how you define it) viral programs to successfully cross platforms.

Microsoft, as could be expected, is none too happy to have one of their products associated with a virus. They have their own name, referring to it as the "Macro Prank", thus avoiding both the product name and the deadly "virus" appellation. (Microsoft have, in fact, inadvertently spread the virus themselves.
A British paper has reported that a Windows 95 promotional disk for vendors had the macro in one of the documents.) It is unlikely that mere marketing can avoid the issue: this entity definitely has all the required characteristics of a virus.

The first version may have been relatively harmless, but the idea is so simple that new versions appeared within weeks. In fact, within a month after the initial report of the original Word Macro in the wild, the first malicious and damaging variant appeared. It was openly posted on the Netcom system, which has a policy of allowing free availability of malicious software. In a rather cruel jest, the "Nuclear" virus, as it has been called, was contained in a document describing the prototype Word Macro. Nuclear attempts to turn off preventive measures, adds a political message to the bottom of random documents, attempts to inject a more mundane file-infecting virus into MS-DOS systems, and will delete the operating system files on April 5th.

In addition, another macro virus has been found which does not use the AutoOpen macro. It also uses various functions of Word in order to hide itself, thus using a kind of stealth technology.

As far as sole identification with Word goes, that may change. The current versions (this is being written not much more than a month after the first one was seen) have been written in Word Basic. I have recently read in a number of books that Microsoft plans to replace the various macro and scripting languages in its assorted products with Visual Basic for Applications. This will mean that a macro virus written in Word will work equally well in Excel, Access and a wide range of other products. The same reports state that Microsoft is eager to license VBA to other developers for use in non-Microsoft products. At that point the virus would work in licensed and compatible products from a variety of vendors.
At the same time that details of the Word Macro virus began to come out, we also saw a fresh spate of reports of an email virus, tied to Microsoft. Although these reports are very short on fact, it appears that they relate to both the Word Macro virus and the email file attachment and automatic setup capability discussed earlier. The new Microsoft Network makes this type of activity particularly easy. By default, one mouse click is all it takes to download the attached file, invoke Word, read in the file, and infect your system.
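
The detection idea described earlier (checking a document for the macro names AutoOpen, FileSaveAs and PayLoad), sketched as a triage script. This is an added example, not code from the article; it assumes macro names are stored as readable text in the file, and the verdict labels and sample data are constructed for illustration.

```python
"""Byte-level triage for the macro names the article associates with Concept.
Assumption (not from the article): macro names are stored as readable text in
the file, so a plain search can see them. A hit means "inspect further"."""
import sys

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound-file signature
MARKERS = ("AutoOpen", "FileSaveAs", "PayLoad")  # names taken from the article


def find_markers(data: bytes) -> set:
    """Marker names present, case-insensitive, single-byte or UTF-16LE."""
    hay = data.lower()  # bytes.lower() folds ASCII letters only
    found = set()
    for name in MARKERS:
        low = name.lower()
        if low.encode("ascii") in hay or low.encode("utf-16-le") in hay:
            found.add(name)
    return found


def classify(data: bytes) -> str:
    """Map the set of names found to a triage label (labels are this example's)."""
    if not data.startswith(OLE2_MAGIC):
        return "not-ole2"        # e.g. plain text that merely mentions the names
    found = find_markers(data)
    if found == set(MARKERS):
        return "concept-like"    # all three names the article describes
    if found == {"PayLoad"}:
        return "payload-only"    # may be the empty preventive stub
    if "AutoOpen" in found:
        return "auto-macro"      # runs on open; review what it does
    # Not a clean bill of health: the article notes a virus without AutoOpen.
    return "other-markers" if found else "no-markers"


# Constructed samples (not real documents): signature plus name strings.
SAMPLES = {
    "infected.doc": OLE2_MAGIC + b"\0" * 8 + b"AUTOOPEN\0FILESAVEAS\0PAYLOAD\0",
    "vaccinated.dot": OLE2_MAGIC + "PayLoad".encode("utf-16-le"),
    "letter.doc": OLE2_MAGIC + b"Dear customer",
    "article.txt": b"An essay that mentions AutoOpen and PayLoad",
}

if __name__ == "__main__":
    if sys.argv[1:]:
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, classify(fh.read()))
    else:
        for name, blob in SAMPLES.items():
            print(name, classify(blob))
```

A document whose body text merely discusses these names will also match, so treat a result as a reason to inspect the macro list, not as a verdict.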