Column: Beware of a macro virus epidemic

Sometime this month, the Word Concept virus will become the most prevalent virus in the world.

Sometime this month, the Word Concept virus will become the most prevalent virus in the world.

Its rise to prominence is unprecedented since the emergence of self-perpetuating computer viruses. "It normally takes three to four years for a virus to climb in to the Top 10. Word Concept did it in six months," says Alex Haddox, a manager at Symantec's AntiVirus Research Centre in Santa Monica, California.

And it will reach No. 1 status in less than a year. Word Concept, so named because it infects the Microsoft Word 6 environment, was first discovered last August. It isn't particularly destructive, but it is part of a new class of viruses called macro viruses. Unlike their predecessors, which needed an executable file to replicate themselves, macro viruses are easily propagated in electronic-mail and word processing documents.

The threat of the macro virus isn't one of a few disabled users but one of a prairie fire epidemic through your organisation. Users previously needed to exchange unprotected disks or download unscanned executables (files with .exe or .com extensions). Now all they have to do is attach a Word document to email and press the "send" button.

When the Word Concept virus was found in one hospital of a chain, it was soon found in all its facilities nationwide. Macro viruses move over the Internet as easily as email. In one company, the PC manager's nightmare came true. The CEO sent out a "thank you" email message to all employees. He didn't realise his system was infected, and he spread 10,000 Word Concept-infected messages companywide, says Chris Harget, product marketing manager at McAfee, the maker of an antivirus program in Santa Clara, California.

The way Word Concept got its quick start also should be a warning to information systems managers. It became established "in the wild" or reached self-perpetuating status with the inadvertent help of Microsoft. The company shipped an infected CD-ROM, "Microsoft Windows 95 Software Compatibility Test", to thousands of OEMs last August. Another company distributed 5500 copies of an infected CD-ROM, "Snap on Tools for Windows NT", soon afterward, and Word Concept was out of the cage.

Macintosh users may think they are shielded by the usual low penetration of viruses into their environment, but Word Concept is different. It is the first cross-platform virus, and it can be spread from Intel-based machines to Macintoshes in Word documents. In effect, it can show up in any Word 6 environment, from Macintoshes to OS/2 to Windows 3.x, Windows 95 and Windows NT.

You know you've got it when a 1in-square dialogue box appears in the text field of a Word document, with the number "1" in it. At the bottom of the box is a button that says "OK". You are already infected by the time the dialogue box appears. Declining to click on OK won't stop the infection. Each time you "create", "open", "save" or "save as" a Word document, you are adding the virus to it. Infected documents cease to be files that you can add to or edit. In effect, the file has been frozen by being converted into a template.

That is an annoyance, but the damage can be undone manually by entering a short macro or by installing clean-up programs from Microsoft in Redmond, Washington, (, McAfee (Virus-Scan), Symantec (Norton Anti-Virus) NH&A in New York (Dr. Solomon's Anti-Virus Toolkit) and others.

But behind the Word Concept virus come more malicious strains of the macro breed. If you haven't guarded against Word Concept, then consider what the Nuclear macro might do. The Nuclear virus appeared last September on the heels of Word Concept. It adds the message, "Stop all French nuclear testing in the Pacific" to all documents sent to a printer during the last four seconds of a minute. This is harmless enough, but on April 5, it attempts to erase all system files.

IS managers need to understand the true nature of the macro virus. The relatively innocuous Word Concept is the first of what could be a long and, to the unprotected, destructive strain.

(Charles Babcock is Computerworld US's technical editor. His Internet address is

Join the newsletter!

Error: Please check your email address.
Show Comments