More on the WinWord.Concept WordBasic Macro Virus by Paul Ducklin, Sophos, Plc (25 Aug 1995) We assume a default Word installation, with all necessary security holes open... Overview Infected documents contain a set of viral WordBasic macros, one of which is automatically invoked by Word when the document is loaded (hole 1). The virus then infects the Word environment by copying its macros into the global macro environment -- thus effectively "going resident". One of these viral macros is automatically invoked by Word when a document is saved (hole 2) and allows the virus to replicate itself into previously clean files when they are saved. Lastly, when Word exits, it automatically saves any changes to its global environment (hole 3). This means that the viral macros will automatically be resident and active during future Word sessions. Detection and Cleaning Start a new document based on the Normal template, then choose Tools/Macro. If you see (inter alia) the macros AAAZAO, AAAZFS, AutoOpen, PayLoad and FileSaveAs, then you probably have WinWord.Concept. Delete each of these macros to clean the current environment. By default, Word will save this cleaned environment for you when you exit. A document is infected if it contains these same macros. Clean infected files as above, by going into Tools/Macro and deleting the offending macros. Be sure to save the cleaned document. Once you have loaded, cleaned and saved an infected document, three of the viral macros will be left behind in your global environment. Although they will no longer replicate, you might want to remove them before exiting Word, to leave your global template totally clean. There is an obvious giveaway of WinWord.Concept's actuation when an infected document is loaded -- a dialogue box titled "Microsoft Word", containing the string "1" and an OK button, pops up. Note that this giveaway applies only to WinWord.Concept; don't rely on it as a generic anti-macro-virus measure! Prevention The Word for Windows manual claims that if you hold down Shift whilst double-clicking the Word icon in Program Manager, then Word will startup with file-related "auto-execute" macros disabled. This ought to inhibit the actuation of WinWord.Concept, which relies on this feature -- though it didn't work on my machine. Starting up WinWord with the command line "WINWORD.EXE /m" is supposed to achieve a similar effect, but failed similarly for me. You can also hold down Shift whilst opening a document to disable any automatic macros in that file -- though this too failed on my PC. A WinWord.Concept-specific fix is to create a macro in your global template called "PayLoad". If this macro is present, the virus assumes it is already active and aborts without infecting. Once again, this is not a generic anti-macro-virus fix. To prevent the transparent permanent modification of your global environment, go to Tools/Options/Save and switch on "Prompt to save NORMAL.DOT". Malicious macros could easily change this setting back, of course, but this is a safety measure which you might as well take. Finally, you might wish to use one of Word's auto-execute macros to your advantage. Under Tools/Macro, create a macro called AutoExec that looks like this: Sub MAIN DisableAutoMacros MsgBox "AutoMacros off!", "Safety First!", 64 End Sub This macro is triggered whenever WinWord starts (a serious potential hole!), and serves to disable the feature which WinWord.Concept uses to actuate.