-
- INPHOZE
-
- I was going to make it stealth using the ToolsMacro menu
- option but I never got around to it (the weekend finished).
-
- All these macros can be stuck into 1 or 2 macros; they don't
- need to be separated.
-
- These macro viruses are very easy to detect. XOR with 0E3h
- I think it was (or 0C3h). The AV know this so it doesn't
- matter that I'm telling you.
-
- If you want to make a virus dropper then do this:
- * Dump it to a file like I did in DropSuriv
- * Open "C:\AUTOEXEC.BAT" for Appending.
- * Write "C:\DOS\VIRNAME.COM"
- * Close it.
- And don't delete the .COM.
-
- There was a bug in the original dropper - don't blame me, I
- wasn't about to test ph33r on my very expensive PC when I had
- assignments due.
-
- I was also going to make it polymorphic with weird macro names
- etc. But then I saw the stupid Microsoft stored the virus
- text into the .doc so that a macro label like:
-
- NoDropper:
-
- could be searched for. Meaning that I would need to also alter
- the macro source code. If that was even possible it would be
- rather lame - only be able to alter text case (AND 0DFh, OR 20h)
- and insert whitespace.
-
- The following function shows how easy it is to detect a label
- which has had the case altered.
-
- ScanText = (CipherText xor 0E3h) and 0DFh
-
- Pretty lame encryption from Microsoft if I do say so myself.
-
- So if your aim in making a document macro virus is for AV
- undetectability then there's no point.
-
- And we thought Micro$oft was the virus maker's friend
-
- I wouldn't be surprised if the AV have an ExecuteOnlyMacro
- to EditableMacro convertor made soon.
-
- an405337@anon.penet.fi
-
-
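The ScanText normalisation from the note, written out as a scanner-side check (an added example, not code from the original file). The two key values are the ones the note gives and is unsure about; the function names, the extra whitespace stripping and the sample macro text are assumptions constructed for illustration.

```python
# Added example: fold XOR-obscured macro text so a label search ignores
# letter case and inserted whitespace. Names and samples are constructed.
KEY = 0xE3        # value the note gives; 0xC3 is its alternative guess
CASE_MASK = 0xDF  # the note's AND 0DFh: clears bit 5, folding a-z onto A-Z

# Whitespace as it looks after masking: space 0x20 becomes 0x00, while
# tab/LF/CR keep their values. ')', '*' and '-' also mask to 0x09/0x0A/0x0D,
# so dropping these bytes is deliberately coarse (it can over-match).
MASKED_WS = frozenset((0x00, 0x09, 0x0A, 0x0D))


def scan_text(cipher: bytes, key: int = KEY) -> bytes:
    """ScanText = (CipherText xor key) and 0DFh, then drop masked whitespace."""
    folded = ((b ^ key) & CASE_MASK for b in cipher)
    return bytes(b for b in folded if b not in MASKED_WS)


def fold_label(label: bytes) -> bytes:
    """Fold a plaintext signature the same way (key 0 leaves bytes unXORed)."""
    return scan_text(label, key=0)


def contains_label(cipher: bytes, label: bytes, key: int = KEY) -> bool:
    """True if the folded label occurs anywhere in the folded stored text."""
    return fold_label(label) in scan_text(cipher, key)


def obscure(plain: bytes, key: int = KEY) -> bytes:
    """Build constructed test input: plaintext XORed with a single byte."""
    return bytes(b ^ key for b in plain)


# Constructed samples: one with the label in altered case and with a space
# inserted before the colon, one without the label at all.
SUSPECT = obscure(b"Sub MAIN\r\n\tGoto  nodropper\r\nnOdRoPpEr :\r\nEnd Sub\r\n")
CLEAN = obscure(b'Sub MAIN\r\nMsgBox "hello"\r\nEnd Sub\r\n')

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, contains_label(blob, b"NoDropper:"))
```

0E3h and 0C3h differ only in bit 5 (20h), which is the bit the 0DFh mask clears, so the folded text is identical whichever of the two keys is the real one.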