                       - Polymorphism in VBA/VBS virii-
                      By SMOOTHiE Da HuStla [Zer0Gravity]

.Intro

        There are several types of polymorphism, and different instances to
us them.  In this tute however, we're mainly going to go over the variable
changing poly's used in VBA and VBS virii.  I plan to go as so, and explain
everything as simple as possible, so that even the bum down the street with
an I.Q. of 3 can write one. ;)  So let's get to it, shall we...


.The steps

	There are certain steps that I take to write a poly.  Here they go
in a nice little table thingy:

 1. Figure out where the variables to be changed are
 2. Figure out what those variables are
 3. Raplace those old variables with some new "pretty" variables
 4. Replace the old code with the old variables, with the new "pretty" 
    code.

See, that's not that hard.  Here is my poly STP(SMOOTHiE's Tiny Poly), but
I edited it so that it's easier to see.


.The Poly
******************************** CODE ************************************

Private Function STP(ViRuSCoDe)
Dim VaR(6): On Error Resume Next: Randomize
VaR(1) = "ViRuSCoDe": VaR(2) = "STP": VaR(3) = "VaR": VaR(4) = "XxX"
VaR(5) = "WhereVarIs": VaR(6) = "NewVar"
For XxX = 1 To 6
XxX_XxX = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr( _
          Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int( _
          Rnd * 25) + 65)
While InStr(1, ViRuSCoDe, VaR(XxX), vbTextCompare)
      WhereVarIs = InStr(1, ViRuSCoDe, VaR(XxX), vbTextCompare)
      ViRuSCoDe = Mid(ViRuSCoDe, 1, WhereVarIs - 1) & NewVar & Mid( _
                  ViRuSCoDe, WhereVarIs + Len(VaR(XxX)), Len(ViRuSCoDe) _
                  - WhereVarIs)
Wend
Next
STP = ViRuSCoDe
End Function

******************************** CODE ************************************


.Line by line description

So now, I'm going to explain each line of code, and specify which step it
is.. :)

**************************************************************************
Private Function STP(ViRuSCoDe)
**************************************************************************

	This is simly the start of the poly function.  Notice that it says
'STP(ViRuSCoDe)', this means its the function STP, and it requires a 
variable which it calls ViRuSCoDe.  And ViRuSCoDe is where our virus code
will be.  This is step 1, because when you call the function, you are
allready suppling the code with the old variable names. :)

**************************************************************************
Dim VaR(6): On Error Resume Next: Randomize
**************************************************************************

	Here, we're declaring the array VaR with 6 elements.  In this
array is where the old variable names will be held.  (If you don't get it,
you'll see.)  Then we are saying if there is an error, which there
shouldn't, go to the next line.  This is a good line to put in all virii
because if the virus stops executing and prompts there's an error, you
might as well put a message box saying "There's a virus!!!!!!!". hehe
And the next is the random number initializing statement.  This will be
used the create the random characters which will be our new variable 
names.

**************************************************************************
VaR(1) = "ViRuSCoDe": VaR(2) = "STP": VaR(3) = "VaR": VaR(4) = "XxX"
VaR(5) = "WhereVarIs": VaR(6) = "NewVar"
**************************************************************************

	This is where we place our old variable names.  This will be used
by the function to find the variable names, and replace them.  Not much
else to say.  This is Step 2, because here is where all the variables that
we want to change are defined.

**************************************************************************
For XxX = 1 To 6
**************************************************************************

	Here is the start of the For/Next loop which will go through all
the old variable names.  Notice that in the previous step, there were six
variables, so this loop goes from 1 to 6.

**************************************************************************
XxX_XxX = Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr( _
          Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int( _
          Rnd * 25) + 65)
**************************************************************************

	This the new variable that we are going to replace the old one
with.  Now, let's take a closer look.  It says Chr(Int(Rnd * 25) + 65),
what the hell is that!?  Well, this is saying, I want a random ASCII
value from 65 to 90.  But you're asking, how is this going to give me
a random value and how does it know between 65 and 90.  Well, I will now
explain it.  The Chr(charcode) function returns the character for the
charcode entered.  So if you replaced charcode with 95, it would look like
Chr(65), and it would return "A".  The charcode are numeric representations
of the alphabet, bot captial and lower case, numbers, special characters
like $ and @, and other characters like Enter and Space.  If you want a
chart of these ASCII values, you can look it up in Word's help file, which
has a pretty table.  Just for a reference, characters 65 to 90 are all the
capital letters from A to Z.  So now we're going to go over what 
Int(Rnd * 25) + 65 means, but first, here is the layout for random 
characters: Chr(Int(Rnd * (MaxNumber - MinNumber)) + MinNumber). In the
code, 65 is the MinNumber, and our MaxNumber is 90, so 90 - 65 = 25, which
is what we would put in place of (MaxNumber - MinNumber).  If we wanted to
pick a random character from 90 to 150, it would look like this:
Chr(Int(Rnd * 60) + 90).  Ok?  If you want to know what every function does
in there, you can look in the Help file. :)

**************************************************************************
While InStr(1, ViRuSCoDe, VaR(XxX), vbTextCompare)
**************************************************************************

	This is the initallization of the While/Wend loop that will do the
actually do the replacing of the variables.  It lamens terms, it says do
this loop while VaR(XxX) is present within ViRuSCoDe.  The following is
the format for the InStr function, you can refer to it if you need to.

InStr([start, ]string1, string2[, compare])

Now, this loop will continue until VaR(XxX) is no longer present in
ViRuSCoDe.  So is ViRuSCoDe is 10,000 characters long, and VaR(XxX) is
present 20 times, this loop will repeat 20. :)  Now, if you didn't notice
earlier, VaR(XxX) will change after all the specified variables have been
replaced.  Ok, I may have lost you, let's try again.  When you first call
the function, XxX = 1, so when the While/Wend loop starts, it's looking
for VaR(1) within ViRuSCoDe (VaR(1) = "ViRuSCoDe", two steps up.).  So it
looks for "ViRuSCoDe" in ViRuSCoDe, and replaces each presence.  When all
the presences have been replaced, it exits the While/Wend loop.  Then the
original For/Next loop repeats, so now XxX = 2.  And the whole thing
starts over. :) I hope you atleast got it.

**************************************************************************
      WhereVarIs = InStr(1, ViRuSCoDe, VaR(XxX), vbTextCompare)
**************************************************************************

	Here, we're setting the variable WhereVarIs equal to the presence
of VaR(XxX).  If you got the previous part, you can skip to the next
section, if not, then continue reading.

	Well, I explained earlier that the InStr function returns the
position of a string2 within string1, well, we're simply putting what it
returns, which is a positive integer, into a variable.  
(ie. Position = Instr(1, "ABCDEFG", "C", vbTextCompare), position would
equal 3, because C is the third character.)  I hope that helped.

* Format of InStr function: InStr([start, ]string1, string2[, compare])
Where string1 is the parent string, and string2 is the string we are
looking for.  Note the [] around start and compare.  That means they
aren't required.  If start is ommited, then it automatically starts
looking from the first character, if the compare type is ommited, it'll
do a binary compare. *

**************************************************************************
      ViRuSCoDe = Mid(ViRuSCoDe, 1, WhereVarIs - 1) & NewVar & Mid( _
                  ViRuSCoDe, WhereVarIs + Len(VaR(XxX)), Len(ViRuSCoDe) _
                  - WhereVarIs)
**************************************************************************

	Now here's where the meat of the poly is.  Without this line of
code, you aint got squat.  So, let us disect it, shall we.
'Mid(ViRuSCoDe, 1, WhereVarIs - 1)' says we want the middle of string
ViRuSCoDe, starting from character 1, to WhereVarIs, which has been
defined in the previous step, minus 1.  ie(if we have the string String =
"My name is SMOOTHiE Da HuStla", and we want to replace SMOOTHiE with 
DoRk, and we didn't subtract one, this is what String would look likeL 
String = "My Name is SDoRk Da HuStla".  So we subtract 1 so that it'll go
to the character before the variable, so that String looks like this: 
String = "My name is DoRk Da HuStla") Here is the format for the Mid
function: Mid(string, start[, length]) Ok, string is the string we want 
the piece of.  start is from which character we want to get from, and
length is how many characters from the starting position we want.  In 
this step, we want to start from the 1st character, and we want all the
characters up to the variable minus 1. :) Ok, now we get to the part &
NewVar.  What we are saying up to this point is: I want all the characters
up to the old variable minus 1, and then add in the new variable.  So,
if for example we had "My name is SMOOTHiE Da HuStla" and we got up to
this point, we'd have "My name is DoRk".  But now you're saying, where
did Da HuStla go??!!  Well, that's the next part.  The next part is
& Mid(ViRuSCoDe, WhereVarIs + Len(VaR(XxX)), Len(ViRuSCoDe) - WhereVarIs)
This is saying we want all the characters in ViRuSCoDe from WhereVarIs
plus the length of our new variable, all the way to the end.  So now we
have "My name is DoRk Da HuStla", because now we've added the characters
after DoRk.  And this is the wonderful Step 3! :)

**************************************************************************
Wend
**************************************************************************

	This is simply the end of the While\Wend loop.

**************************************************************************
Next
**************************************************************************

	And this is the end of the For\Next loop.

**************************************************************************
STP = ViRuSCoDe
**************************************************************************

	Now, here is Step 4.  We are setting the function STP equal to
the virus code with the new pretty variable names.  Now, if you do not
know how this is possible, then continue reading this section, if not, you
may continue.

	Ok, I am know about to explain the differences between
Subrountines and Functions.  A subroutine, or sub, is where code is
located.  Now in VBS this isn't necessarily true, but in VBA, if you just
start typing away code, and it's not in a sub, then Word/Excel/whatever
will start to whine and cry.  That's all you need to know about subs.
The format of a sub is:

Sub SubName()

/--Code--/

End Sub

And that's all there is to it.  Now functions are a little different, in
the sence that functions can actually return values and equal values.
Now, a function can be used just like a sub, but like what we're are doing
in the poly, setting it equal to the viruscode, is the special thing about
functions.  So what happens is at the end of the poly, the function has
the value of "My name is DoRk Da HuStla", and you can then use this to
infect other files easily.  The format for a function is:

Function FuncName()

/--Code--/

End Function

I'm not really going to get in depth, but if you still dont understand,
play around with it.

**************************************************************************
End Function
**************************************************************************

	And this is the end of the poly function.


.The End

	Well kids, that's all there is to a basic poly engine.  I hope
this helped you get a better understanding on how to write one.  :)  Here
are some examples on how to use this poly:

WORD:
OurCode = STP(ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1,  _ 
          ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines))

EXCEL:
OurCode = STP(ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.Lines(1,  _
          ThisWorkbook.VBProject.VBComponents.Item(1).CodeModule.countoflines))

VBS:
A very simple example.  There are several ways of doing this, here is just one...

Set FSO = CreateObject("Scripting.FileSystemObject")
Set ThisFile = FSO.OpenTextFile(WScript.ScriptFullName, 1)
ThisFilesCode = STP(ThisFile.ReadAll)
ThisFile.Close

Okie Pokie... bye everyone!

URL   : http://SMOOTHiE.Gq.Nu
Email : SMOOTHiE@HeHe.com
Other : UnderNet chans #virus, #vxers, #vxtrader, #zerogravity
Greets: Jackie, WalRuS, Yello, VirusBuster, GigaByte, BSL4, Error, Perikles, 
        everyone in the scene, and in #virus, #vxers, and #vxtrader.

/----------------------- Another Zer0Gravity Production -----------------------/