Home / malware Virus:W32/Concept
First posted on 24 August 2010.
Source: SecurityHomeAliases :
There are no other names known for Virus:W32/Concept.
Explanation :
A malicious program that secretly integrates itself into program or data files. It spreads by integrating itself into more files each time the host program is run.
Additional DetailsVirus:W97M/Concept also known as Word Prank Macro or WW6Macro - is a macro virus which has been written with the Microsoft Word v6.x macro language. It has been reported in several countries, and seems to have no trouble propagating in the wild.
WM/Concept used to be extremely widespread during 1995-1997. Nowadays, it is almost (but not completely) extinct.
Distribution
Concept consists of several Word macros. Since Word macros are carried with Word documents themselves, the virus is able to spread through document files.
The situation is made worse by the fact that Concept is also able to function with Microsoft Word for Windows 6.x and 7.x, Word for Macintosh 6.x, as well as in Windows 95 and Windows NT environments. It is, truly, the first functional multi-environment virus, although it can be argued that the effective operating system of this virus is Microsoft Word, not Windows or MacOS.
Execution
The virus gets executed every time an infected document is opened. It tries to infect Word's global document template, NORMAL.DOT (which is also capable of holding macros). If it finds either the macro "PayLoad" or "FileSaveAs" already on the template, it assumes that the template is already infected and ceases its functions.
If the virus does not find "PayLoad" or "FileSaveAs" in NORMAL.DOT, it starts copies of the viral macros to the template and displays a small dialog box on the screen. The box contains the number "1" and an "OK" button, and its title bar identifies it as a Word dialog box. This effect seems to have been meant to act as a generation counter, but it does not work as intended. This dialog is only shown during the initial infection of NORMAL.DOT.
After the virus has managed to infect the global template, it infects all of the documents that are created with the "Save As" command. It is then able to spread to other systems on these documents - when a user opens an infected document on a clean system, the virus will infect the global document template.
The virus consists of the following macros:
€ AAAZAO € AAAZFS € AutoOpen € FileSaveAs € PayLoad
Note that "AutoOpen" and "FileSaveAs" are legitimate macro names, and some users may already have attached these macros to their documents and templates. In this context, "PayLoad" sounds very ominous and it contains these texts:
€ Sub MAIN € REM That's enough to prove my point € End Sub
However, the "PayLoad" macro is not executed at any time.Variant:Concept.FDescription:This is a Concept variant which displays a dialog box with this text: Parasite Virus V1.0Variant:Concept.GDescription:This is a Concept variant which displays a dialog box with this text: Parasite Virus V0.8Variant:Concept.BZDescription:This variant has following renamed macros: AAZAO AAZFS AutoOpen FileSave PayLoad Every Friday the 13th Concept.BZ activates by setting documents to be protected with the password "haifa". The virus contains string "Neskati te".Last update 24 August 2010