WordMacro.SlovakDictator

The first world true polymorphic macro virus infecting Word 7.x documents.
The virus ofthe next generation.

This decription brought to you by Nasty Lamer & Ugly Luser
Exclusively for the *-zine. (c) 1-mar-1997, Slovakia

    In this article will be described, how this macro virus works, what are its advantages in comparison with other existing Word 6.0, 7.0 macro viruses, its disadvantages and finally the plans of authors of this virus for the near future will be mentioned. Source code (2nd generation) is shown at the end of this article. The macro generator (Lamer's Macro Engine) itself is not presented intentionally.


    Introduction
    Macro viruses for Word 6.0 and above infects Micro$oft Word documents and templates. The first macro virus for Word was written in fall of 1994. In the present there are over 500 known macro viruses and their number grows rapidly every day. But many of them are very similar each to other and do not offer anything new to the virus writing technology. They use almost the same infection techniques and their bodies are the same in each copy of the virus. Many of them are very lame and primitive. Authors of macro viruses very often use whole parts from other macro viruses in their macro, modify them a little bit and release them as new viruses. But almost all known macro viruses have for each copy the same binary image of the macro body (so-called static macros). This feature very simplifies the work of antivirus companies. They can detect these macros very exactly with high accuracy by using CRC method. They are able to add detection for several hundreds macro viruses a days by using programs for an automatic generation of the CRC for the macro bodies. Current macro virus writers are not too inventive and it looks like that only lamers write macro viruses. Do not forget, that macro virus writing is not for real virus writers as they prefer writing in assembler.
    The first break through in macro virus writing technology has caused the Outlaw virus. It was the first semi-polymorphic virus. Why semi-polymorphic ? Because only the macro names were different in the each copy of the virus but its body has remained still static (some antiviruses used to detect the viruses by their names). However for peoples interesting in the antivirus industry it was a nice opportunity to flood various magazines with detailed description of this "new technology" in macro virus writing.
    After a long time the macro virus writers have detected that Micro$oft Word Basic gives a possibility for macro editing and creating polymorphic macro viruses. In the present these possibilities are not used very often. There exists only few viruses which modify something in their source code and make the each generation a little bit different. Their most often used method is simply in inserting one or several dummy lines to the source code or changing names for some variable. The true polymorphic viruses was not known until WordMacro.SlovakDictator appears.


    Behind the macro viruses detection techniques
    The antivirus programs uses different techniques to detect macro viruses. >From the point of view of used techniques, we can arrange them into the following categories:
    1. The method based on looking for "virus strings"
      Because a big part of the macros includes texts, strings must be enough long to avoid possible false alarms. The frequently used and also reasonable size for these strings is between 24 and 32 bytes. The advantage of this method is in the fact that by using one search string it can detect several variants of the big family of viruses. In the most cases this method can not detect viruses exactly.
    2. Method based on computing CRC's
      This is the only method which is able to detect all static macro viruses exactly. The big disadvantage of using this method is that it fails in those cases, that someone adds for example the tabulator mark after the end of macro :). In the present most of the antivirus programs use this method.
    3. Method based on heuristic analyzing of the macros
      This is good a method for detecting new and even unknown macro viruses.
    4. Other methods
      They use a combination of several methods mentioned above or some new techniques.



    Description of the WordMacro.SlovakDictator macro virus
    This virus is the first real attempt how to write an macro virus undetectable by "search strings". It also fucks all scanner based on computing CRC, because it has almost unlimited mutation capability. We decided to write this virus to to illustrate some techniques, which offers MacroFuck Corporation and their Macro$Soft Word for macro viruses writers.
    The virus contains only one unencrypted viral macro AutoClose and its size is from 14 kB to 16 kB (the size for variant B may overreach 16 kB). All names of variables, procedures, functions and constants are fully mutated and for this reason the final size of the macro is different for each copy of the virus.
    The macro does not use any command for copying macros (MacroCopy or Organizer) for replicating. It uses simply only commands for creating and editing macros. Due to this feature it is not detectable by know virus scanners yet, even not by the heuristic scanners. The detection of this virus will probably cause problems to antivirus programs which use "search strings" for macro detecting.
    The whole macro is divided into three parts. In the first part are declared all global variables, arrays and constants. In the second part is performed a check for the version of Word and it contains all procedures and functions needed for creating macro and its execution. The third and the final part contains two tables. In the first table is stored the whole macro body (its source lines) in an encrypted form. The source lines in this table does not contain two tables mentioned above because they are already present in the third part of the macro.

    The actions of the macro virus is performed in several steps:

    1. It checks whether of the Micro$oft Word in use is 7.x. If yes, the further steps are performed, otherwise the macro will finish.

    2. It decrypts the first table in the third part of the macro. The choosen encryption method is very trivial. Each byte is decrypted with a constant which may have values from 4 to 13 (try to guess why ?). This value is added (or subtracted) to the each character in the strings that belong to the first table in the third part of the macro.

    3. It creates temporary macro with a random name and inserts decrypted source lines of the macro (the first two parts of the macro) to it.

    4. It replaces all occurrences of the string "@@" with """. The characters @@ are used to mark all places that have to be replaced with a quote.

    5. It inserts both tables at the end of this macro - the table with decrypted source lines and the table with polymorphic names of variables, procedures, functions and constants.

    6. It calls procedure which will mutate all names stored in table with polymorphic names. These names are from 10 to 19 characters long.

    7. It runs this temporary macro When the macro is executed it first checks, whether it has to infect global template or document. If the global template and the closing document already contains macro named AutoClose nothing is done. Otherwise the macro creates a macro AutoClose in the global template or document and executes similar actions which were described in the previous paragraphs.






    The macro contains the special payload. In the each 4th and 11th of the month it displays a message box with a special warning that you are infected by WordMacro.SlovakDictator virus.






    8. It deletes the temporary macro, enables screen updating, enables interrupting a macro by pressing the ESC key and finishes.

    Advantages of the virus:

    The virus brings the new technology to macro viruses writing :)
    It is the first Slovak macro virus :)
    It is the first world true polymorphic virus :)
    Its source lines are internally encrypted by a different encryption constant :)
    It will be hard to detect it by "search strings", because it does not contain any typical virus strings.
    It can not be detected by computing CRC (only lame researchers will do that) :)
    The largest possible string is 15 bytes long, but this string can not be used as a virus string.
    It does not use commands for copying macros :)
    It does not contain an operation suspected for heuristic scanners :)
    Known antivirus program does not detect it, even heuristic programs


    Disadvantages:

    The process of the infection is very slow, it may take over 15 seconds on slow PC's (on tested Pentium 166 Mhz it took 15 seconds) :|
    Although the virus prevents the ESC key from interrupting the macro, pressing keys while the virus is running may cause a bug in creating mutated names of variables and due to this reason a bug in the executing macro may occur. (it will be fixed in the version for Word 8.0) :|
    The virus is language dependent - it infects only English version of Word 7.x documents. Due to its special infection techniques it is not able to infect Word 8.0 documents.


    There are two variants of this virus - WordMacro.SlovakDictator.A (described in this article) and WordMacro.SlovakDictator.B. In the variant B were done small changes but the basics has remained the same. This variant works similarily as the variant A, but it displays the following dialog box:









    Our plans for the near future

    We would like to show the big potential of the Micro$oft Visual Basic to all macro viruses writers by rewriting SlovakDictator for the Micro$oft Word version 8.0. We hope that the next version written in Visual Basic will be undetectable for a long time. We are planing also to write fully polymorphic macro virus infecting the Micro$oft Excel documents and a multiplatform virus infecting the Office documents.

    Conclusion

    The Lamer's Macro Engine and the source code generator of the described macro virus is not presented because each lamer, even Vesselin B. (well known as fucking pig and shithead), is able in 20 minutes analyze this virus and understand it. But we are not sure about that Vesselin B :). We wrote this virus within one day and we hope that the other lame macro virus writers are able to do it too.
    And finally, we just invented the brand new method, how to speed up the internal encryption and decryption, so the next version will be much faster (and maybe it will be permutated !):)

    Big thanks goes to ( MacroFuck Corporation for their famous Virus Development Kit for multiple platforms.
    Micro$oft Word is a registered trade mark of the ( MacroFuck Corporation)

    Dedicated to:

    Download here   



.