> Before heading off for a break Alison asked me to post some detailed
> info about the concept virus because many readers did not have access
> to
> the world wide web.
>
> Some basic points
> - opening an email message will not activate a virus. Opening an
> attachment might.
> - the hoax virus message pollute more than virus' themselves. Do not
> pass them on unless you are certain it is genuine.
>
> Those with web access who are interested in learning more about
> viruses
> or getting virus scanning software are directed to:
>
> http://www.antivirus.com/
> http://www.mcafee.com
>
> The article that Shelley Banks found follows:
>
> "PC Magazine -- February 6, 1996
>
> The Winword.concept Virus
>
> M. David Stone
>
> As you may have already heard, there's a virus floating around that
> attaches itself to Microsoft Word for Windows documents and will
> infect
> every document you save with the Save As command. This Winword.concept
> virus--called the Word prank macro by Microsoft--represents a newly
> prevalent class of virus. And although this particular virus happens
> to
> be aimed at Word for Windows, it's something that even non-Word users
> should know about. Any program with a sufficiently sophisticated macro
> language is open to attack by similar viruses.
>
> While viruses have traditionally attached themselves to program files
> or
> boot records, this type of virus attaches itself to data files created
> by applications that associate macros with data files. That's what
> makes
> it so pernicious. The virus can infect any Word-format file saved by
> Word 6, Word 95, Mac Word 6, and Word NT.
>
> You can protect yourself from traditional viruses by simply not
> booting
> from floppy disks and not running new programs until you check them
> for
> viruses. But if you often exchange document files with others,
> particularly in a busy workgroup where documents regularly travel
> among
> many people, contamination may be difficult to avoid.
>
> An infected document is actually a template masquerading as a
> document.
> The virus can manage this trick because although Word uses a .DOT
> extension by default for templates, it doesn't require that .DOT
> extension. And a template, by any name, can store macros. The key to
> the
> Winword.concept virus is an AutoOpen macro, which runs each time you
> open the document. When you open an infected document, the virus
> modifies the Normal template, Normal.dot, which Word keeps loaded at
> all
> times--even when you're using another template. Once infected,
> Normal.dot will infect any file you save with the Save As command. And
> since WinWord calls on the Save As command every time you save a new
> document, that means every new document you create will be infected.
>
> The good news about the Winword.concept virus is that, in its original
> form at least, it's only annoying, not harmful. (The virus contains
> the
> comment "That's enough to prove my point." Obviously the anonymous
> author wanted to show that a virus could be transmitted via a macro,
> but
> didn't feel the need to be destructive about it.) The bad news is that
> the virus was unleashed on the world in unencrypted form. That means
> anyone who gets ahold of it and understands just a little Word Basic
> can
> modify it to do serious harm--like erasing files from your hard disk.
> (I
> won't get more specific for obvious reasons.)
>
> Fortunately, the virus is easy to spot. And it's easy to prevent, too,
> once you know to look out for it. The first thing to do is to make
> sure
> you're not infected yet. Load WinWord, choose Tools | Macro, and set
> the
> Macros Available In box to Normal.dot (Global Template). Then browse
> through the list of macros, looking for the names AAAZAO or AAAZFS.
> These are the virus's macros. If you see them, don't create any new
> files or use your Save As command until you've decontaminated your
> system.
>
> Microsoft has developed a set of tools for eliminating the
> Winword.concept virus and inoculating your copy of WinWord against it.
> You can find the tools on Microsoft's World-Wide Web site at
> http://www.microsoft .com/msoffice, on the Microsoft Network using the
> go word "wordprankfix," and on the Word forums on America Online and
> CompuServe. You can also call Microsoft product support at
> 206-462-9673.
>
> You'll find the tools--three macros--in a WinWord file generically
> called SCAN.DOC. (The file is actually named SCAN831.DOC as of this
> writing; 831 is a version number.) One macro, CleanAll, runs when you
> open SCAN .DOC, scanning a specific directory and all subdirectories.
> CleanAll looks for all documents and templates saved since January 1,
> 1995; it opens them and checks for the virus macros, then cleans these
> out if it finds any.
>
> SCAN.DOC installs the other two macros in your Normal template.
> AutoClose scans all documents when you save them, cleaning out any
> virus
> macros it finds. Payload prevents the virus from installing in your
> Normal template in the first place. (The virus needs to create a macro
> called Payload when it installs. If there's already a Payload macro
> there, the infection fails.)
>
> If you aren't infected, you can create your own Payload macro to guard
> against the virus. Simply choose Tools | Macro to open the Macro
> dialog
> box and set the Macros Available In box to Normal.dot. Then enter
> Payload as the name of the macro and choose Create. WinWord will open
> a
> macro-editing window, with Sub Main and End Sub statements already in
> place. Add a space on the blank line between the two statements or
> perhaps a comment like "Protection against Winword.Concept virus; do
> not
> delete." (If you don't add something, WinWord will close the window
> without saving the macro.) Select File | Close and answer Yes when
> WinWord asks whether to save the macro, then choose File | Save All to
> save the new macro to disk.
>
> Once you've installed the Payload macro in your Normal template,
> you're
> safe from the Winword.concept virus, but don't get overconfident.
> You're
> not protected from viruses that work on the same principle but change
> the details. A more general defense is to prevent an AutoOpen macro
> from
> running on a document unless you're absolutely sure it is virus-free.
> The easy way to do this is to hold down the Shift key when you open
> the
> document (that is, hold down the Shift key as you click OK in the File
> |
> Open dialog box). Lotus Notes users should also hold the Shift key
> down
> when using the Launch command to open a WinWord document attached to a
> Notes message.
>
> If you use Word 95 with Windows 95 and you've set up Word to act as
> your
> Exchange mail program using WordMail, be assured that you can't get
> infected by reading a message. But you can get infected by
> double-clicking on an attached Word file to open it and read it. Here
> again, hold the Shift key down when you double-click on the icon.
>
> Alas, these precautions will guard only against viruses that depend on
> an AutoOpen macro to spread. They still leave you vulnerable to a
> virus
> that waits until after you've opened the infected file and waits for,
> say, your first keystroke. The only way around that problem is to
> avoid
> opening any files that are supposed to be documents but are actually
> templates with macros.
>
> By the time you read this, Microsoft should have released a new Macro
> Virus Protection Tool to accompany SCAN.DOC. The tool--a macro--will
> warn you when a document you're about to load is actually a template
> with macros and will let you choose whether to load it. While this can
> protect you from accidentally loading a file that may contain macro
> viruses, you can't actually open the file to see the text inside.
> Luckily, there's a quick, easy workaround that uses the Organizer.
>
> To see a list of macros in a file, choose File | Template, then
> Organizer. Click the Close File button on either the left or right
> side
> of the Organizer dialog box and the button will become an Open File
> button. Click that button and use the Open dialog box to find and open
> the file you want to inspect.
>
> Now choose the Macros tab to see a list of the macros in the file. If
> the file purports to be a simple data file--rather than a template--it
> shouldn't contain any macros. If you see any, you can delete them and
> then safely open the file.
>
> One note of caution: Some third-party packages use templates to ease
> installation of their macros. So the fact that a file masquerades as a
> document when it's really a template doesn't necessarily mean it has a
> virus. Before you start deleting macros, make sure they really
> shouldn't
> be there.
> "