Virus:WM/Concept.A is the first widely known Word macro virus written for Microsoft Word 6.
Spreads via…
File Infection
The virus spreads by infecting documents and templates, including the Normal template.
Infected documents contain the following 4 macros:
- AAAZAO
- AAAZFS
- Payload
- AutoOpen
An infected Normal template contains the following 4 macros:
- AAAZAO
- AAAZFS
- Payload
- FileSaveAs
Note: Macros AAAZAO and AAAZFS are copies of the macros AutoOpen and FileSaveAs respectively.
When an infected document is opened, the macro AutoOpen is executed. The virus checks the Normal template for the presence of macros named Payload and FileSaveAs. If either of these macros is found, the virus assumes that the template is already infected and exits.
Note: One of the early solutions for keeping one’s Word safe from a Concept virus infection was to keep an empty Payload macro in the Normal template.
If the Normal template is found to be uninfected, the virus infects it by copying four macros to it: AAAZAO, AAAZFS, Payload and FileSaveAs. Before exiting, the virus attempts to increment its infection counter (“WW6I”, stored in the file Winword6.ini) and to display it in a message box. Due to a bug, the number shown is always “1”.
After the Normal template is infected, every time a user saves a document using the Save As option, the virus runs from the FileSaveAs macro in the template. It infects the saved document by copying four macros to it: AAAZAO, AAAZFS, Payload and AutoOpen. Also, since only templates can carry macros in Word 6, the virus makes sure that the document is saved as a template (i.e. with the internal format flag set to identify it as a template) without changing the document's original name.
When an infected document is opened on a clean system it infects the Normal template and the infection cycle continues.
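The macro sets and the virus's own "already infected" check described above can be turned into a triage rule for macro-name inventories. The following Python is an added example, not part of the original analysis; the function names, the result labels, the case-insensitive comparison and the sample inventories are assumptions made for illustration.

```python
# Added example: triage macro-name inventories against the Concept.A layout.
# Macro names are taken from the description above; everything else
# (function names, labels, sample inventories) is hypothetical.

COPIES = {"aaazao", "aaazfs"}                      # copies of AutoOpen / FileSaveAs
DOCUMENT_SET = COPIES | {"payload", "autoopen"}    # infected document
TEMPLATE_SET = COPIES | {"payload", "filesaveas"}  # infected Normal template


def normalise(names):
    # Assumption: names are compared case-insensitively.
    return {n.strip().lower() for n in names}


def virus_would_skip(normal_macros):
    """Mirror the virus's own test on the Normal template: it treats the
    template as already infected if Payload OR FileSaveAs is present."""
    return bool(normalise(normal_macros) & {"payload", "filesaveas"})


def classify(names, is_normal_template=False):
    found = normalise(names)
    expected = TEMPLATE_SET if is_normal_template else DOCUMENT_SET
    if expected <= found:
        return "infected"
    if COPIES & found:
        return "remnants"        # AAAZAO/AAAZFS left behind: partial set
    if is_normal_template and virus_would_skip(found):
        return "clean-skipped"   # e.g. the empty-Payload vaccine
    return "clean"


if __name__ == "__main__":
    samples = [  # constructed inventories
        (["AAAZAO", "AAAZFS", "Payload", "AutoOpen"], False),
        (["AAAZAO", "AAAZFS", "Payload", "FileSaveAs"], True),
        (["Payload"], True),
        (["AutoOpen"], False),
    ]
    for names, is_normal in samples:
        print(names, "->", classify(names, is_normal))
```

A "clean-skipped" result covers both the empty Payload vaccine and a template that carries an unrelated FileSaveAs macro, since the virus's check looks only at the macro names.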
Additional Information
The macro Payload contains the following text:
“That’s enough to prove my point”.
This text is never displayed.
Analysis by Jakub Kaminski