Article on Spunk by ThE wEiRd GeNiUs.

Well, Melissa hit the news big and the media is paying (way too!) much attention to the whole VX scene. At the time Melissa appeared I had just finished Spunk. I decided then that Spunk will be my last creation and some of you already know of my retirement, others probably guessed after my homepage disappeared. However I promised Spo0ky that Spunk would be in CB#5. So here it is... :^)

Spunk is written entirely to perform real stealth and to stay undercover as long as possible. There are some anti-heuristic tricks in the code but that was only to fool some scanners like F-Macrow. There are some ways you can still view the code, as you will learn further in this article, but to solve that I dare your programming skills and fantasy.

First a description of what this virus does. We begin at the stage where an infected document is opened on a clean PC. The Document_Open macro gets started and a little check is run to see if it is payload time. In this case it is not, as it is the first infection of the system. Then the usual checks are done to see if the document / NormalTemplate are already infected. Since the NormalTemplate is not infected yet, the following sequence of instructions is carried out:

- check if the template _.dot exists in the temporary files directory (will explain later)
- check if the file Dyno107.fmt exists in the office program directory (the virus code in text)
- if those files do not exist a new template is created (_.dot) in the temporary files directory
- the code starting at 'Private Sub Loader' until the last line of the code will be copied into this template
- some of the 'Private Sub xxxxxxx' lines of the code in the template will be replaced by:
  - Sub AutoExec()
  - Sub ToolsMacro()
  - Sub ViewVBCode()
  - Sub AutoExit()

As you understand by now, this template is (almost) entirely dedicated to performing the stealth functions of this virus.
At this time the template file is saved and then it is attached to put the stealth in place immediately. What also has been done in the meantime is that the 'Templates and Add Ins...' menu item is copied to a new (invisible) item called 'wEiRd GeNiUs' and then the original menu item is altered to point to the stealth routine, which handles the hiding of the attached template. When the 'Templates and Add Ins...' menu is run now, the template will be unloaded and then the original menu (now called 'wEiRd GeNiUs') is run. After closing the template window, the stealth template gets reactivated.

The following code creates the new 'Templates and Add Ins...' menu item and modifies the existing one:

    x = CommandBars("Tools").Controls.Count
    ' Count the number of items in the "Tools" menu bar
    CommandBars("Tools").Controls("Templates and Add-&Ins...").OnAction = "TemplateStealth"
    ' Modify the menu to point at the viral code (event hooker)
    If CommandBars("Tools").Controls(x).Caption = "wEiRd GeNiUs" Then GoTo Installed
    ' Skip the rest of the code when already installed :^)
    CommandBars("Tools").Controls.Add ID:=751: CommandBars("Tools").Controls(x + 1).Caption = "wEiRd GeNiUs"
    ' Add a new 'Templates and Add Ins...' to the menu bar and call it 'wEiRd GeNiUs'
    CommandBars("Tools").Controls("wEiRd GeNiUs").Visible = False
    ' Make it invisible

When the 'Templates and Add Ins...' menu is chosen, the following Sub will be run:

    Private Sub TemplateStealth()
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Inrun") = True
        ' This sets a flag.
        Temp = Options.DefaultFilePath(wdTempFilePath) & "\_.dot": AddIns(Temp).Delete
        ' Here the stealth template is unloaded
        CommandBars("Tools").Controls("wEiRd GeNiUs").Execute
        ' The new 'Templates and Add Ins...' is executed; our template is not visible anymore...
        System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Inrun") = True
        ' Again the flag is set. When the template is loaded again, 'Sub AutoExec' will run; we don't want
        ' anything to happen, so AutoExec knows to set the flag to False and exit the sub.
        AddIns.Add FileName:=Temp, Install:=True
        ' Here the stealth template is loaded again.
    End Sub

So, that was the stealth for the template. I haven't seen it before and hopefully a creative programmer will develop this method to maturity.

Some of you might have noticed the 'NT.ReplaceLine 76, "AD.AddFromString Code"' and 'AD.ReplaceLine 67, "ADT.AddFromString LoadCode"' lines. If you wonder why I did this and did not hardcode it in the virus: these lines trigger F-Macrow. If you use AddFromFile, AddFromString or InsertLines commands in your code, you're finished.

When a first infection of a system happens a counter is set; 1 month after the initial infection of the NormalTemplate there is a chance of 1 out of 10 that page one of the document will have star shaped objects saved in it. They are easy to delete and do not damage the data in the document. It merely is there to make the user aware of something strange going on.

One last note. If you have looked through the code you will notice that the NormalTemplate does NOT get infected when opening an infected document; the NormalTemplate will become infected when Word is closed and started again after the initial infection, by the viral template using the file 'Dyno107.fmt' which contains the whole virus in text. The rest of the infection code in 'Private Sub Document_Open' is straightforward and does not need to be discussed.

Over to the stealth functions within the template:

'Sub ViewVBCode'
This is simple: when the VBEditor is started this macro is run. What we do in this sub is delete any viral code existing in the NormalTemplate and an eventual document, and unload the viral template. At this moment the location of the startup directory is modified to reflect the directory where the viral template is located; the original startup directory is stored.
Now we launch the VBEditor and: no more virus... Be aware that if the code is located in more open documents, this code will stay there and will be visible. Work on that! (Easy to fix.) When the user restarts the computer the viral template loads, the NormalTemplate is re-infected and the startup directory is restored to its original value. Just have a look at the code and you will see it is easy to understand.

'Sub ToolsMacro'
Even more simple! Just unload the viral template and show the macro menu; no macros are visible now as all remaining subs are 'Private' and thus invisible! There is one big BUT on this matter. The experienced user will notice that it is impossible now to CREATE a macro. This is also the item that I meant in my opening lines. The second one is that when you choose to RECORD a new macro and then choose the macro menu, you will see the macro you just created and you can edit that macro. When you choose to edit it the VBEditor will start and now it is possible to see the loaded viral template (_.dot) and the viral code in the ThisDocument section of the NormalTemplate / ActiveDocument. This is something I did not work on and will leave to your creative minds: write an event hooker to catch this and go even further stealth. I showed you how to do it with the Templates and Add Ins, now do your best and write the code for it!

To play around with the code simply copy all that is below the === lines and paste it in a Document. Save the document and when you open it now: You're Spunked!

Hope you like it, it is only the beginning of this kind of stealth using a template. It needs development. Now go and experiment with it, write your own virus based on this and when you want to do a really cool bug: take the encryption from Halfcross (by ThE wEiRd GeNiUs), use Vicodin's poly to play around with the en-/decryption module and take the stealth from Spunk.
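Everything the stealth relies on leaves a trace in the macro source itself: the built-in 'Templates and Add Ins...' item rebound through OnAction, a command-bar control set to Visible = False, the template unloaded and reloaded through AddIns, the flag written with System.PrivateProfileString under an HKEY_ path, and the ReplaceLine trick that keeps a literal AddFromString out of the module text so that F-Macrow does not see it. The script below is an added example for this page, not the virus's code and not any scanner's real rule set: a small Python triage pass with rule names of my own, run over a constructed VBA sample modelled on the lines quoted above and over a constructed benign macro. It reads source text (as dumped by a macro extractor), not live Word state.

```python
"""Static triage of extracted VBA source for the stealth patterns the article
describes.  Added example: rule names, verdict logic and both sample macros are
my own constructions, not signatures from any real scanner."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    line_no: int
    text: str


def strip_comment(line: str) -> str:
    """Drop a trailing VBA ' comment, ignoring apostrophes inside "..." literals."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string   # a doubled "" toggles twice, which is harmless
        elif ch == "'" and not in_string:
            return line[:i]
    return line


def strip_strings(line: str) -> str:
    """Replace every "..." literal with "" so string contents cannot match."""
    return re.sub(r'"[^"]*"', '""', line)


# (rule name, regex, match against the line with string literals removed?)
RULES = [
    # Built-in menu item rebound to a macro: the article's 'event hooker'.
    ("menu_onaction_rebind",
     re.compile(r'CommandBars\s*\(\s*"[^"]*"\s*\)\s*\.Controls\s*\([^)]*\)\s*\.OnAction\s*=', re.I), False),
    # A command-bar control hidden from the user.
    ("hidden_control",
     re.compile(r'CommandBars\s*\(.*\)\s*\.Controls\s*\(.*\)\s*\.Visible\s*=\s*False', re.I), False),
    # A global template unloaded or loaded at run time.
    ("addin_unload_reload",
     re.compile(r'\bAddIns\s*(\(.*\)\s*\.Delete|\.Add\b)', re.I), False),
    # A registry value written through System.PrivateProfileString.
    ("registry_flag_write",
     re.compile(r'System\.PrivateProfileString\s*\(\s*"",\s*"HKEY_', re.I), False),
    # The anti-heuristic split: the code-writing call only exists inside a string
    # that ReplaceLine/InsertLines pushes into a module at run time.
    ("deferred_code_write",
     re.compile(r'\.(ReplaceLine|InsertLines)\b.*"[^"]*\b(AddFromString|AddFromFile|InsertLines)\b', re.I), False),
    # The literal calls themselves, checked outside string literals.
    ("direct_code_write",
     re.compile(r'\.(AddFromString|AddFromFile|InsertLines)\b', re.I), True),
]


def triage(source: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit, in source order."""
    findings = []
    for line_no, raw in enumerate(source.splitlines(), start=1):
        code = strip_comment(raw)
        if not code.strip():
            continue
        bare = strip_strings(code)
        for name, pattern, outside_strings in RULES:
            if pattern.search(bare if outside_strings else code):
                findings.append(Finding(name, line_no, raw.strip()))
    return findings


def verdict(findings: list[Finding]) -> str:
    """'high' for the deferred code write or the hook+unload pair, 'review' for
    any other hit, 'clean' for none."""
    rules = {f.rule for f in findings}
    if "deferred_code_write" in rules or {"menu_onaction_rebind", "addin_unload_reload"} <= rules:
        return "high"
    return "review" if rules else "clean"


# Constructed sample modelled on the lines the article quotes.
SAMPLE_SUSPECT = "\n".join([
    "' Constructed sample modelled on the lines quoted in the article.",
    'x = CommandBars("Tools").Controls.Count',
    'CommandBars("Tools").Controls("Templates and Add-&Ins...").OnAction = "TemplateStealth"',
    'CommandBars("Tools").Controls("wEiRd GeNiUs").Visible = False',
    "Private Sub TemplateStealth()",
    r'    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Inrun") = True',
    r'    Temp = Options.DefaultFilePath(wdTempFilePath) & "\_.dot": AddIns(Temp).Delete',
    "    AddIns.Add FileName:=Temp, Install:=True",
    "End Sub",
    'NT.ReplaceLine 76, "AD.AddFromString Code"',
])

# Constructed benign macro: ordinary document formatting, no hooks.
SAMPLE_BENIGN = "\n".join([
    "Sub FormatReport()",
    "    ' Constructed benign macro: no hooks, no template juggling.",
    "    ActiveDocument.Paragraphs(1).Range.Font.Bold = True",
    '    Application.StatusBar = "Report formatted"',
    "End Sub",
])

if __name__ == "__main__":
    for label, src in (("suspect", SAMPLE_SUSPECT), ("benign", SAMPLE_BENIGN)):
        found = triage(src)
        print(f"{label}: verdict={verdict(found)}")
        for f in found:
            print(f"  line {f.line_no:>3} {f.rule:<22} {f.text}")
```

The point of the deferred_code_write rule is exactly the weakness the author describes: a scanner that keys on a literal AddFromString misses a ReplaceLine whose string argument carries it, so the rule looks inside the string. The direct_code_write rule deliberately ignores string contents, which keeps the two cases apart in the report. Comments are stripped first so a harmless remark mentioning AddIns or OnAction cannot trip a rule.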
This would give people a hard time finding it, and oh, if you use the encryption from Halfcross, make sure you change the encryption key by using the system timer or the random function in VBA, this will make it even harder to trace! (Damned, should have done that with Halfcross :^)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

OK, that's it. Now it is time to say goodbye. I really enjoyed my second appearance in the VX scene and who knows, somewhere in the future you see my name pop up in another new bug. But it will always make a change :^)

Greetings go:
- To all my team members who made an impression on me that is the opposite of what we always read in the Anti-Virus scene: friendly, not as insane as often suggested and certainly not as a-social as people think us to be. Thanks for all your help and especially for the fun time! I will not forget you and will keep in touch with you!
- Foxz and the NoMercy team. Damned guys! I wanted to have access to your site but you do not allow a hotmail E-mail address, I cannot help it I had it there :^) Good luck to you and keep on going.
- Webmaster Virus. Hopefully you get your site back up. I enjoyed our conversations about going on holiday :^)
- Vic, wherever you are and if you ever read this, all the best.
- All other VX that I had contact with and that are not mentioned here. NEVER STOP!

'Until the colour of a man's skin is of no more significance than the colour of his eyes, this ya war!'

Peace, WG