Concept | |
---|---|
Type | Word macro virus |
Creator | |
Date Discovered | 1995.07 |
Place of Origin | |
Source Language | Visual Basic |
Platform | MS Word |
File Type(s) | .doc |
Infection Length | 5 macro modules |
Reported Costs | |
Concept is the first macro virus for Microsoft Word products to be found in the wild. It was found to be preinstalled on some CDs released by some major corporations. It was not the first Word macro virus, which is actually DMV, just the first one in the wild.
Behavior
When an infected document is opened, Concept checks the document template NORMAL.DOT for macros named FileSaveAs and PayLoad. If it finds these, it assumes that NORMAL.DOT has already been infected and stops. If not, it copies its macros to the template. The virus includes the following macros:
- AAAZAO
- AAAZFS
- AutoOpen
- FileSaveAs
- PayLoad
The virus displays a dialogue box with the number "1" and an "OK" button. Antivirus researchers think this may have been an attempt to count the generations of the virus, but it does not do anything but display the number "1". Once NORMAL.DOT has been infected, any file created using "Save As" will be infected with the virus.
The PayLoad macro actually contains no payload. In fact, it does absolutely nothing. The macro contains the text:
Sub MAIN
REM That's enough to prove my point
End Sub
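The name check Concept runs against NORMAL.DOT also works as a detection indicator. The following is an added example, not code from the original page or its sources, that triages macro inventories against the five macro names and the PayLoad text given above; the input format (macro name mapped to source text), the verdict labels and the sample data are assumptions constructed for illustration.

```python
# Added example: triage macro inventories against the indicators on this page.
CONCEPT_MACROS = {"aaazao", "aaazfs", "autoopen", "filesaveas", "payload"}
INFECTION_MARKER = {"filesaveas", "payload"}  # the pair Concept itself looks for
PAYLOAD_TEXT = "that's enough to prove my point"
SEVERITY = ["no-match", "review", "concept-payload-text",
            "concept-marker", "concept-full-set"]


def triage(macros):
    """Classify one file from {macro_name: source_text} (assumed input format)."""
    # Compare case-insensitively: extraction tools may report names in any case.
    by_name = {n.strip().lower(): (src or "") for n, src in macros.items()}
    names = set(by_name)
    hits = sorted(names & CONCEPT_MACROS)
    payload_match = PAYLOAD_TEXT in by_name.get("payload", "").lower()
    if CONCEPT_MACROS <= names:
        verdict = "concept-full-set"      # all five macros listed on the page
    elif INFECTION_MARKER <= names:
        verdict = "concept-marker"        # what the virus treats as "already infected"
    elif payload_match:
        verdict = "concept-payload-text"  # PayLoad body matches, other names missing
    elif hits:
        verdict = "review"                # e.g. AutoOpen alone, a legitimate macro name
    else:
        verdict = "no-match"
    return {"verdict": verdict, "matched": hits, "payload_text": payload_match}


def scan(inventory):
    """Return (path, result) pairs for flagged files, most severe first."""
    flagged = [(p, triage(m)) for p, m in inventory.items()]
    flagged = [(p, r) for p, r in flagged if r["verdict"] != "no-match"]
    return sorted(flagged, key=lambda pr: SEVERITY.index(pr[1]["verdict"]),
                  reverse=True)


# Constructed sample inventory (not real scan output).
PAYLOAD_SRC = "Sub MAIN\nREM That's enough to prove my point\nEnd Sub"
SAMPLE = {
    "NORMAL.DOT": {"FileSaveAs": "Sub MAIN\nEnd Sub", "PayLoad": PAYLOAD_SRC},
    "report.doc": {"AAAZAO": "", "AAAZFS": "", "AutoOpen": "",
                   "FileSaveAs": "", "PAYLOAD": PAYLOAD_SRC},
    "letterhead.dot": {"AutoOpen": "Sub MAIN\nEnd Sub"},
    "plain.doc": {},
}

if __name__ == "__main__":
    for path, result in scan(SAMPLE):
        print(f"{path}: {result['verdict']} {result['matched']}")
```

A single matching name such as AutoOpen or FileSaveAs only earns a "review" verdict, because both are ordinary Word macro names that benign templates also use.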
Variants
Concept spawned a few variants of note. Concept.BZ, also known as Haifa, password-protects every infected file on Friday the 13th with the password haifa. It also contains the text string "Neskati te".
Effects
In addition to being the first Word macro virus, Concept was also the most common virus of its time. It started off a bit slow, accounting for less than 20% of all virus infections in the first half of 1996, then under one third in the second half of that year. Concept accounted for one half of all viruses reported at one point in the year 1997 and one third for the whole year, but started to decline late in that year. It infected over 35,000 computers by the end of February 1997, a significant bulk of them in the first two months of that year.
The virus found its way into software that was shipped by a few different companies. In August 1995, Microsoft shipped a CD, Microsoft Windows 95 Software Compatibility Test, with Concept preinstalled to hundreds of companies. In the next year, the company shipped Concept in a Windows 95 business guide, and their Slovenia division made a press release that contained the virus. Another company shipped Snap-on Tools for Windows NT on 5,500 CDs.
Macro viruses became the most popular form of self-replicating malware for the rest of the 1990s. A later macro virus, Melissa, would mark the beginning of the era of mass-mailing programs that would plague the 2000s.
Other Facts
Concept caused some people to worry about viruses coming through email. This was probably a result of people sending Concept-infected document files by email, not of the virus sending itself, as people had little concept of a mass-mailing virus at the time. Still, with Concept being a sort of forefather of Melissa, the first major email-borne malware problem, this is a little prophetic.
The creator of the Nimda worm wanted it to be called Concept, but the name was already taken. He was even upset by the antivirus researchers naming his worm Nimda.