Article on Spunk by ThE wEiRd GeNiUs.


Well,

Melissa hit the news big and the media is paying (way too!) much attention to
the whole VX scene. At the time Melissa appeared I had just finished Spunk. I
decided then that Spunk will be my last creation and some of you already know
of my retirement, others probably guessed after my homepage disappeared. 
However I promised Spo0ky that Spunk would be in CB#5. So here it is... :^)

Spunk is written entirely to perform real stealth and to stay undercover as 
long as possible. There are some anti-heuristic tricks in the code but that 
was only to fool some scanners like F-Macrow. There are some ways you can 
still view the code as you will learn further in this article, but to solve 
that I dare your programming skills and fantasy. First a description
on what this virus does.

We begin at the stage an infected document is opened on a clean PC. The 
Docuement_Open macro gets started and a little check is run to see if it is 
payload time. In this case not as it is the first infection of the system. 
Then the usual checks are done to see if the document / normaltemplate are 
already infected. Since the normaltemplate is not infected yet the following
sequence of instructions are carried out:

 - check if the template _.dot exists in the temporary files directory 
   (Will explain later)
 - check if the file Dyno107.fmt exists in the office program directory 
   (The virus code in text) 
 - If those files do not exist a new template is created (_.dot) in the 
   temporary files directory
 - the code strating at 'Private Sub Loader' until the last line of the code 
   will be copied in this template
 - Some of the Private Sub xxxxxxx lines of the code in the template will be 
   replaced by:

	- Sub AutoExec()
	- Sub ToolsMacro()
	- Sub ViewVBCode()
	- Sub AutoExit()

As you understand by now, this template is (almost) entirely dedicated to 
perform the stealth functions of this virus.

At this time the template file is saved and then it is attached to put the 
stealth in place immediatly. What also has been done in the meantime is that 
the 'Templates and Add Ins...' toolbar is copied to a new (invisible) toolbar
called 'wEiRd GeNiUs' and then the original menu is altered to point to the 
stealth routine to handle the hiding of the attached template. When the 
'Templates and Add Ins...' menu is run now, the template will be unloaded and
then the original menu (now called 'wEiRd GeNiUs') is run. After closing the 
template window, the stealth template gets reactivated.

The following code creates the new and modifies the existing 'Templates and 
Add Ins...' menu item:

x = CommandBars("Tools").Controls.Count
Count the number of items in the menu bar "Tools'
	
CommandBars("Tools").Controls("Templates and Add-&Ins...").OnAction = "TemplateStealth"
Modify the menu to point at the viral code (Event hooker)

If CommandBars("Tools").Controls(x).Caption = "wEiRd GeNiUs" Then GoTo Installed
Skip the rest of the code when already installed :^)
	
CommandBars("Tools").Controls.Add ID:=751: CommandBars("Tools").Controls(x + 1).Caption = "wEiRd GeNiUs"
Add a new 'Templates and Add Ins...' in the menu bar and call it 'wEiRd GeNiUs'
	
CommandBars("Tools").Controls("wEiRd GeNiUs").Visible = False
Make it invisible

When the 'Templates and Add Ins...' menu is chosen, the following Sub will be
run:

Private Sub TemplateStealth()
	
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Inrun") = True
This sets a flag.
	
Temp = Options.DefaultFilePath(wdTempFilePath) & "\_.dot": AddIns(Temp).Delete
Here the stealth template is unloaded
	
CommandBars("Tools").Controls("wEiRd GeNiUs").Execute
The new 'Templates and Add Ins...' is executed, our template is not visible anymore...
	
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Inrun") = True
Again the flag is set. When the template is loaded again, 'Sub AutoExec' will run, we don't want anything to 
happen so Autoexec knows to set the flag to false and exit the sub.
	
AddIns.Add FileName:=Temp, Install:=True
Here the stealth template is loaded again.	
	
End Sub

So, that was the stealth for the template. I haven't seen it before and 
hopefully a creative programmer will develop this method to maturity.  Some 
of you might have noticed the 'NT.ReplaceLine 76, "AD.AddFromString Code"' 
and 'AD.ReplaceLine 67, "ADT.AddFromString LoadCode" ' Lines. If you wonder 
why I did this and not hardcoded it in the virus:
These lines trigger F-Macrow. If U use AddfromFile, AddFromString or 
InsertLines commands in your code, your finished.

When a first infection of a system happens a counter is set, 1 month after 
the initial infection of the NormalTemplate there is a change of 1 out of 10 
that page one in the document will have star shaped objects saved in it, they
are easy to delete and do not damage the data in the document. It merely is 
there to make the user aware of something strange going on.

One last note. If you have looked trough the code you will notice that the 
NormalTemplate does NOT get infected when opening an infected document, the 
NormalTemplate will become infected when Word is closed and started after 
initial infection by the viral template using the file 'Dyno107.fmt' which 
contains the whole virus in text. 

The rest of the infection code in "Private Sub Document_Open" is straight 
forward and does not need to be discussed.

Over to the stealth functions within the template:

'Sub ViewVBCode'

This is simple, when the VBEditor is started this macro is run. What we do in
this sub is to delete any viral code existing in the Normaltemplate and an 
eventual document and unloads the viral template. At this moment the location
of the startup directory is modified to reflect the directory where the viral
template is located the original startup directory is stored. Now we launch 
the VBEditor and: No more virus... Be aware that if the code is located in 
more open documents this code will stay there and will be visible. Work on 
that! (Easy to fix) When the user restarts the computer the viral template 
loads, the NormalTemplate is re-infected and the startup directory is 
restored to it's original value. Just have a look at the code and you will 
see it is easy to understand.

'Sub ToolsMacro'

Even more simple! Just unload the viral template and show the macro menu, no 
macro's are visible now as all remaining subs are 'Private' and thus 
invisible! There is one big BUT on this matter. The experienced user will 
notice that it is impossible now to CREATE a macro. This is also the item 
that I ment in my opening lines. Second one is that when you chose to RECORD 
a new macro and then choose the macro menu, you will see the macro you just 
created and you can edit that macro. When you choose to edit it the VBEditor 
will start and now it is possible to see the loaded viral template (_.dot) 
and the viral code in the ThisDocument section of the NormalTemplate / 
ActiveDocument. This is something I did not work on and will leave this to 
your creative minds to write an event hooker to catch this and go even
further stealth. I showed you how to do it with the Templates and Add Ins, 
now do your best and write the code for it!

To play around with the code simply copy all that is below the === lines and 
paste it in a Document. Save the document and when you open it now: 
You're Spunked! 

Hope you like it, it is only the beginning of this kind of stealth using a 
template. It needs development. Now go and experiment with it, write your 
own virus based on this and when you want to do a really cool bug:

Take the encryption from Halfcross (By ThE wEiRd GeNiUs), Use Vicodin's poly 
to play around with the en-decryption module and take the stealth from Spunk.
This would give people a hard time to find it, and oh, if you use the 
encryption from Halfcross, make sure you change the encryption key by using 
the system timer or the random function in VBA, this will make it even harder
to trace! (Damned, should have done that with Halfcross :^)

!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

OK, That's it. Now it is time to say goodbye. I really enjoyed my second 
appearance in the VX scene and who knows somewhere in the future you see my 
name pop up in another new bug. But it will always make a change :^)

Greetings go:

- To all my team members who made an impression to me that is the opposite 
  of what we always read in the Anti-Virus scene: Friendly, not as insane as 
  often suggested and certaintly not as A-social as people think of us to be.

Thanks for all your help and especially for the fun time! I will not forget 
you and keep in touch with you!

- Foxz and the NoMercy team. Damned guys! I wanted to have access to your 
site but you do not allow a hotmail E-mail address, I cannot help it I had 
it there :^) Good luck to you and keep on going.

- Webmaster Virus. Hopefully you get your site back up. I enjoyed our 
conversations about going on holiday :^)

- Vic, wherever you are and if you ever read this, all the best.

- All other VX that I had contact with and that are not mentioned here. 
  NEVER STOP! 


'Until the colour of a man's skin is of no more significance then the colour 
of his eyes, this ya war!'

Peace,

WG