The world's first true polymorphic macro virus infecting Word 7.x documents.
The virus of the next generation.
This description brought to you by Nasty Lamer & Ugly Luser
Exclusively for the *-zine. (c) 1-mar-1997, Slovakia
Macro viruses for Word 6.0 and above infect Micro$oft Word documents and templates. The first macro virus for Word was written in the fall of 1994. At present over 500 macro viruses are known and their number grows rapidly every day. But many of them are very similar to each other and offer nothing new to virus writing technology. They use almost the same infection techniques and their bodies are identical in every copy of the virus. Many of them are very lame and primitive. Authors of macro viruses very often take whole parts of other macro viruses, modify them a little and release them as new viruses. Almost all known macro viruses have the same binary image of the macro body in every copy (so-called static macros). This greatly simplifies the work of the antivirus companies: they can detect such macros exactly, with high accuracy, by computing a CRC over the macro body, and with programs that generate these CRCs automatically they are able to add detection for several hundred macro viruses a day. Current macro virus writers are not too inventive and it looks like only lamers write macro viruses. Do not forget that macro virus writing is not for real virus writers, who prefer writing in assembler.
The first breakthrough in macro virus writing technology was the Outlaw virus. It was the first semi-polymorphic macro virus. Why semi-polymorphic? Because only the macro names were different in each copy of the virus; its body remained static (some antiviruses used to detect viruses by their macro names). Still, for people in the antivirus industry it was a nice opportunity to flood various magazines with detailed descriptions of this "new technology" in macro virus writing.
It took a long time for macro virus writers to notice that Micro$oft WordBasic can edit and create macros, which makes polymorphic macro viruses possible. At present these possibilities are rarely used. There exist only a few viruses which modify something in their source code and make each generation a little different. Their most common method is simply inserting one or several dummy lines into the source code or changing the names of some variables. No true polymorphic macro virus was known until WordMacro.SlovakDictator appeared.
Antivirus programs use different techniques to detect macro viruses. From the point of view of the techniques used, we can arrange them into the following categories:
1. The method based on looking for "virus strings"
This virus is the first real attempt to write a macro virus undetectable by "search strings". It also fucks all scanners based on computing a CRC, because it has almost unlimited mutation capability. We decided to write this virus to illustrate some of the techniques which MacroFuck Corporation and their Macro$oft Word offer to macro virus writers.
The virus contains only one unencrypted viral macro, AutoClose, and its size is from 14 kB to 16 kB (variant B may exceed 16 kB). All names of variables, procedures, functions and constants are fully mutated, and for this reason the final size of the macro differs in each copy of the virus.
The macro does not use any command for copying macros (MacroCopy or Organizer) to replicate. It uses only the commands for creating and editing macros. Because of this it is not yet detectable by known virus scanners, not even by heuristic scanners. Detection of this virus will probably cause problems for antivirus programs which use "search strings" for macro detection.
The whole macro is divided into three parts. The first part declares all global variables, arrays and constants. The second part performs the check for the Word version and contains all procedures and functions needed for creating a macro and executing it. The third and final part contains two tables. The first table stores the whole macro body (its source lines) in encrypted form; the second stores the polymorphic names. The source lines in the first table do not contain the two tables themselves, because those are already present in the third part of the macro.
The macro virus performs its actions in several steps:
1. It checks whether the Micro$oft Word in use is version 7.x. If yes, the further steps are performed; otherwise the macro finishes.
2. It decrypts the first table in the third part of the macro. The chosen encryption method is very trivial: each byte is decrypted with a constant which may have a value from 4 to 13 (try to guess why?). This value is added to (or subtracted from) each character of the strings that belong to the first table in the third part of the macro.
3. It creates a temporary macro with a random name and inserts the decrypted source lines of the macro (its first two parts) into it.
4. It replaces all occurrences of the string "@@" with """. The characters @@ mark all places that have to be replaced with a quote.
5. It appends both tables to the end of this macro: the table with the decrypted source lines and the table with the polymorphic names of variables, procedures, functions and constants.
6. It calls a procedure which mutates all names stored in the table of polymorphic names. These names are from 10 to 19 characters long.
7. It runs this temporary macro. When the macro is executed it first checks whether it has to infect the global template or the document. If the global template and the closing document already contain a macro named AutoClose, nothing is done. Otherwise the macro creates a macro AutoClose in the global template or document and performs the same actions as described in the previous paragraphs.
8. It deletes the temporary macro, enables screen updating, enables interrupting a macro by pressing the ESC key and finishes.
The macro contains a special payload. On the 4th and 11th of each month it displays a message box with a special warning that you are infected by the WordMacro.SlovakDictator virus.
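An added worked example (not code from the original article or from its authors): a small Python model of the two transformations in the steps above, the byte shift by a constant from 4 to 13 applied to the stored source lines with @@ standing in for the quote, and the renaming of identifiers to fresh 10 to 19 character names, followed by what the article does not show, the scanner-side answer to both. Because there are only ten possible shift constants a scanner can simply try them all, and because the renaming never touches keywords or the order in which identifiers first appear, a scanner can replace every identifier with a positional token and hash that, so a CRC-style checksum becomes stable again across generations. The sample macro lines, the keyword list, the marker handling and the use of SHA-256 in place of a CRC are all assumptions made for this example; none of it is taken from the virus.

```python
import hashlib
import random
import re
import string

SHIFT_RANGE = range(4, 14)   # the article: a constant "from 4 to 13"
MARKER = "@@"                # stands in for the quote character in stored lines
# Words the renamer must leave alone. Assumed for the example, not taken from the virus.
KEYWORDS = {"Sub", "MAIN", "Dim", "MsgBox", "End"}

# Constructed sample standing in for the macro's first two parts.
# Not the virus's real source.
SAMPLE_LINES = [
    "Sub MAIN",
    "Dim myCounterValue",
    "myCounterValue = 0",
    'MsgBox "hello"',
    "End Sub",
]
RENAMABLE = {"myCounterValue"}   # plays the role of the table of polymorphic names


def store_line(line):
    """Prepare a line for the table: every quote becomes the @@ marker."""
    return line.replace('"', MARKER)


def restore_line(stored):
    """Step 4 of the article: put the quote character back."""
    return stored.replace(MARKER, '"')


def shift(text, key):
    """Add a constant to every character (mod 256). Negative key decrypts."""
    return "".join(chr((ord(c) + key) % 256) for c in text)


def random_name(rng):
    """Step 6: a fresh identifier 10 to 19 characters long, starting with a letter."""
    length = rng.randint(10, 19)
    body = "".join(rng.choice(string.ascii_letters + string.digits) for _ in range(length - 1))
    return rng.choice(string.ascii_letters) + body


def mutate_names(lines, rng):
    """Rename every renamable identifier consistently across all lines."""
    mapping = {name: random_name(rng) for name in RENAMABLE}
    pattern = re.compile(r"\b(" + "|".join(map(re.escape, mapping)) + r")\b")
    return [pattern.sub(lambda m: mapping[m.group(1)], ln) for ln in lines]


def new_generation(seed, key=None):
    """What one copy carries: the encrypted table of stored, name-mutated lines."""
    rng = random.Random(seed)
    key = rng.choice(SHIFT_RANGE) if key is None else key
    lines = mutate_names(SAMPLE_LINES, rng)
    return key, [shift(store_line(ln), key) for ln in lines]


# ---- scanner side ----

def recover_plaintext(table):
    """Only ten keys exist, so try each; the right one yields the fixed keyword line 'End Sub'."""
    for key in SHIFT_RANGE:
        cand = [restore_line(shift(t, -key)) for t in table]
        if "End Sub" in cand:
            return key, cand
    return None, []


def raw_hash(lines):
    """What a plain CRC-style scanner hashes: the text exactly as found."""
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()


def canonical_hash(lines):
    """Replace each non-keyword identifier with a positional token, then hash.
    Name mutation cannot change the result because every generation introduces
    the same identifiers in the same order."""
    names = {}

    def token(m):
        word = m.group(0)
        if word in KEYWORDS:
            return word
        return names.setdefault(word, "ID%d" % len(names))

    normalised = [re.sub(r"[A-Za-z_]\w*", token, ln) for ln in lines]
    return raw_hash(normalised)


if __name__ == "__main__":
    _, table_a = new_generation(1, key=4)
    _, table_b = new_generation(2, key=13)
    _, lines_a = recover_plaintext(table_a)
    _, lines_b = recover_plaintext(table_b)
    print("raw hashes equal:      ", raw_hash(lines_a) == raw_hash(lines_b))              # False
    print("canonical hashes equal:", canonical_hash(lines_a) == canonical_hash(lines_b))  # True
```

Running the block shows the raw hashes of two generations differing while the canonical hashes agree. The recovery step keys on the fixed line End Sub, which name mutation cannot change; a real scanner would key on whatever invariant structure the macro keeps, which is exactly the kind of fixed point the article's claim of CRC immunity overlooks.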
The virus brings new technology to macro virus writing :)
It is the first Slovak macro virus :)
It is the world's first true polymorphic macro virus :)
Its source lines are internally encrypted with an encryption constant that differs from copy to copy :)
It will be hard to detect by "search strings", because it does not contain any typical virus strings.
It cannot be detected by computing a CRC (only lame researchers will try that) :)
The longest string that stays the same in every copy is 15 bytes long, but even this string cannot be used as a virus string.
It does not use commands for copying macros :)
It does not contain any operation that heuristic scanners consider suspicious :)
No known antivirus program detects it, not even the heuristic ones
The infection process is very slow; it may take over 15 seconds on slow PCs (on the tested Pentium 166 MHz it took 15 seconds) :|
Although the virus prevents the ESC key from interrupting the macro, pressing keys while the virus is running may cause a bug in creating the mutated variable names, and for this reason a bug in the executing macro may occur (it will be fixed in the version for Word 8.0) :|
The virus is language dependent: it infects only documents of the English version of Word 7.x. Due to its special infection technique it is not able to infect Word 8.0 documents.
We would like to show the big potential of Micro$oft Visual Basic to all macro virus writers by rewriting SlovakDictator for Micro$oft Word version 8.0. We hope that the next version, written in Visual Basic, will stay undetected for a long time. We are also planning to write a fully polymorphic macro virus infecting Micro$oft Excel documents and a multiplatform virus infecting Office documents.
The Lamer's Macro Engine and the source code generator of the described macro virus are not presented, because every lamer, even Vesselin B. (well known as a fucking pig and shithead), is able to analyze this virus and understand it in 20 minutes. Well, about Vesselin B. we are not so sure :). We wrote this virus within one day and we hope that the other lame macro virus writers are able to do it too.
And finally, we have just invented a brand new method to speed up the internal encryption and decryption, so the next version will be much faster (and maybe it will be permutated!) :)
Micro$oft Word is a registered trademark of the (MacroFuck Corporation)