
macro.office.cross.a


Description: Macro.Office.Cross.A1

This virus infects MS Access databases and MS Word documents (Office97), and transfers infected files from Word to Access and back. It is the first known "multi-macro-partite" virus.
The original package we received contained two infected files: an Access database and a Word document. The virus code in each file replicates under its native application (Word or Access), so in reality there are two different viruses in the same package, each of which infects its native objects (documents or databases) without any problems. The common feature of both viruses is the ability to infect the other Office application: the Access virus drops the Word macro virus, and the Word virus drops the infected Access database.
Both viruses also share a similar structure: each consists of three parts. The first part is the native infection routine, the second is a routine that transfers the virus to the other Office application, and the third is hexadecimal data that is converted into an infected file when the second part infects the other application:
+--------------------+
|Native infection    |
|routine             |
|                    |
+--------------------+
|Transfer to another |
|Office application  |
|routine             |
+--------------------+
|Hexadecimal data    |
|                    |
|                    |
+--------------------+

The hexadecimal data is present in the virus code in the "standard" form for macro viruses: it is prepared to be converted by DOS DEBUG into a binary data file. Following this standard technique, the virus writes the data to a temporary file, creates a DOS batch file that runs DEBUG to convert the data into a binary file on disk, and then deletes all temporary files (see "WM.Nuclear").
Note that the binary data dropped by the virus is in CAB (MS Cabinet) format: a compressed file that can be unpacked with the MS EXTRACT utility shipped with MS Windows.
When we analyzed the hexadecimal data in both infected files, we found that it contains two further viruses, one Word and one Access, which are also able to spread under their native application and drop infected objects into the other application. Their replication and transfer routines are identical to those of the parent virus, but their hexadecimal data is not the same as in the parent!
Going one layer deeper into the hexadecimal data, we found another pair of Word and Access viruses that have no transfer routines and no hexadecimal data; these viruses can spread under their native application only.
As a result we have a "matreshka" (nesting doll) of viruses, each containing another one inside, and so on. Opening this package doll by doll, we found three layers of viruses: the first (root) virus contains a dropper for the second-level (child) virus, and the second level contains the third one, a pure Access or Word virus that cannot spread across applications.
The Access root virus differs from the Access child virus only in its hexadecimal data part (just as the Word root virus differs from the Word child virus only in its hex data); the Infection and Transfer routines are the same command-by-command in both the Access and the Word root/child pairs.
So the original "matreshkas" have three levels of cross-encapsulation built from the same routines:
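As an added illustration that is not part of the original analysis, the following Python function rebuilds the binary that a DOS DEBUG script would produce (the "standard" form described above: N names the output file, E enters hex bytes at an offset, RCX sets the byte count, W writes), so an analyst can recover the dropped CAB without running DEBUG; it also flags data that does not fit DEBUG's 64K segment, the defect the analysis later attributes to the root virus. The script texts are constructed samples; only the DATA.COM name comes from the analysis.

```python
CAB_MAGIC = b"MSCF"        # MS Cabinet signature: the format of the dropped binary
DEBUG_SEGMENT = 0x10000    # DOS DEBUG edits a single 64K segment
DEBUG_LOAD_OFFSET = 0x100  # DEBUG's W command writes CX bytes (BX left at 0) from offset 0100

def rebuild_debug_script(script):
    """Reconstruct the file a DOS DEBUG script would write, without running DEBUG.
    Supports N (output name), E (enter hex bytes at an offset), RCX plus a hex byte
    count, W (write) and Q (quit). Returns (filename, data, notes); notes lists defects."""
    image, filename, count, notes = bytearray(), None, None, []
    lines = iter(script.splitlines())
    for raw in lines:
        parts = raw.split()
        if not parts:
            continue
        cmd = parts[0].upper()
        if cmd == "N" and len(parts) == 2:
            filename = parts[1]
        elif cmd == "E" and len(parts) >= 3:
            offset, chunk = int(parts[1], 16), bytes(int(h, 16) for h in parts[2:])
            if offset + len(chunk) > DEBUG_SEGMENT:  # data past the segment end is lost
                notes.append("E %04X: %d bytes cross the 64K segment limit" % (offset, len(chunk)))
                continue
            image.extend(b"\0" * max(0, offset + len(chunk) - len(image)))
            image[offset:offset + len(chunk)] = chunk
        elif cmd == "RCX":  # the next line holds the new CX value in hex
            count = int(next(lines, "0").strip() or "0", 16)
            if count > 0xFFFF:
                notes.append("RCX value %X does not fit a 16-bit register" % count)
        elif cmd == "W":
            break
    if count is None:
        notes.append("no RCX/W sequence: DEBUG would write nothing")
        count = 0
    return filename, bytes(image[DEBUG_LOAD_OFFSET:DEBUG_LOAD_OFFSET + count]), notes

def is_cabinet(data):
    """True if the rebuilt file carries the MS Cabinet signature that EXTRACT expects."""
    return data[:4] == CAB_MAGIC

# Constructed sample: a well-formed script whose 12-byte payload stands in for a CAB file.
SAMPLE_SCRIPT = """N DATA.COM
E 0100 4D 53 43 46 00 00 00 00
E 0108 2A 00 00 00
RCX
000C
W
Q
"""
# Constructed sample of the failure mode: bytes placed beyond the end of the 64K segment.
OVERFLOW_SCRIPT = "N DATA.COM\nE FFF8 41 41 41 41 41 41 41 41 41 41\nRCX\nFF00\nW\nQ\n"
```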
  Access root virus                             Word root virus
 +----------------+                            +----------------+
 |Access Infection| <--\                  /--> |Word Infection  |
 +----------------+     \                /     +----------------+
 |Transfer        | <---\\              //---> |Transfer        |
 +----------------+      \\            //      +----------------+
 |Hexadecimal data|       \\          //       |Hexadecimal data|
 +------+---------+        \\        //        +-------+--------+
        |                   \\      //                 |
        |                    \\    //                  |
        |                     \\  //                   |
        V                      \\//                    V
  Word child virus              XX              Access child virus
 +----------------+            //\\            +----------------+
 |Word Infection  | <---------//  \\---------> |Access Infection|
 +----------------+           /    \           +----------------+
 |Transfer        | <--------/      \--------> |Transfer        |
 +----------------+                            +----------------+
 |Hexadecimal data|                            |Hexadecimal data|
 +------+---------+                            +-------+--------+
        |                                              |
        |                                              |
        V                                              V
  Access pure virus                             Word pure virus
 +----------------+                            +----------------+
 |Access Infection|                            |Word Infection  |
 +----------------+                            +----------------+

Looking back from the pure Word and Access viruses up to the root (resulting) ones, we found that both pairs of Access/Word infection routines are very similar. The only difference found is that the pure viruses have no Transfer routine and no calls to it, while both root and child viruses do. So the root viruses appear to be the result of a two-step extension of the pure ones: first to handle the other application, and then back to handling the original one.
A side effect of this extension is the virus size: the source code of the Access instance of the virus is a 370K file, and the source of the Word virus is nearly 160K. This makes it the largest macro virus we have ever seen.
Spreading the Word
The infection routines in both the Access and Word samples are the same as those found in already known viruses. The Word virus replicates by using the Import/Export capability of Office97 VBA: it saves its source code to a temporary file on disk and then imports it into all open documents. This is a quite unusual method, found in very few viruses; nevertheless it exists, and these viruses use it.
To complete this part of the analysis, it is necessary to say that the virus has one module named "X" with several subroutines inside: "AutoOpen", "AutoClose", "AutoExit", "AutoExec", "FindAx", "MakeBat", "DropKey", "DropDetox", "CheckKey", "Info".
The AutoOpen macro contains the infection routine. It first removes the "Tools/Macro" and "Tools/Templates and add-ins" items from the Word menus (a stealth technique). The routine then exports its source code to the file C:\X.VIC. After that the virus checks the executing environment (document or normal template) and infects the appropriate object by importing the exported source code into it.
The AutoOpen routine in the root/child and pure viruses has only one difference: in the root and child versions it also calls the CheckKey subroutine, which infects MS Access if it is installed. The CheckKey routine looks for files matching the C:\*.YZV mask; if no such file is found, it calls the FindAx routine (so the presence of a *.YZV file means the system is already infected).
The FindAx routine looks for the MS Access application in the C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\ path. If MS Access is found, it calls the DropKey routine to create the C:\AX.YZV file, then DropDetox (which creates the script for DOS DEBUG) and MakeBat (which creates a DOS batch file that builds and unpacks the DATA.MDB file and executes MS Access with DATA.MDB as its parameter); FindAx then executes the created batch file in a hidden window.
The rest of the auto macros just call AutoOpen.
The Info routine just contains the following text:
Cross.Poppy Word Component
--[Cross is a blend of SexR-1 and Detox]--
by VicodinES / Sin Code IV (same person - mixed up letters)

Infected Access
To infect Access databases the virus uses the same method found in known Access macro viruses (AccessiV, Detox). The TheDetoxUnit function searches for *.MDB files in the current directory and infects them with the virus code using the TransferDatabase command. Unusually, the virus disables all Tools\Options menu items and sets several properties of the infected database by calling the SetStartupProperties routine. The only difference between the pure and root/child viruses is the CheckKey routine call.
The CheckKey routine checks for C:\*.YZV files. If no such file is found, CheckKey calls the FindWd routine, which looks for the MS Word application in the C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\ path. If the application is found, FindWd calls the DropKey routine to create the flag file (C:\AX.YZV), then calls DropSexr1 to create the script file for DOS DEBUG, and then calls MakeBat to create and execute the DOS batch file.
Accessing Word
To spread into MS Word from MS Access, the virus creates an infected DATA.DOT file in the MS Word startup directory. To do this, the virus creates the temporary file DATA.COM, converts its hexadecimal data into it with the help of the DOS DEBUG utility, unpacks it with the standard Windows EXTRACT utility, and copies the resulting DATA.DOT file into the C:\PROGRA~1\MICROS~1\OFFICE\STARTUP and C:\PROGRA~1\MICROS~2\OFFICE\STARTUP paths, if they exist. If neither directory exists, the virus fails to spread to Word.
When MS Word starts, it loads the templates from its startup directory, including the infected DATA.DOT, and the virus takes control.
Fortunately the root virus has a bug in its hexadecimal data (the script data exceeds the 64K limit and cannot be converted correctly by DEBUG) and cannot infect MS Word. The child Access virus has correct hexadecimal data and is able to spread from Access to Word.
The root virus is also unable to replicate under some system conditions: in some cases, when MS Access executes the virus macros, it displays an error message about insufficient memory to execute the macro. This error appeared on a PC with 24 megabytes of system memory installed, but the virus replicated without error on a PC with 64 megabytes of memory.
A Word for Access
To infect MS Access from MS Word the virus uses a similar method: with DOS DEBUG it creates the temporary DATA.COM file, writes its hexadecimal data there, and unpacks it with the EXTRACT utility into the infected DATA.MDB MS Access database. The virus then executes MS Access with the START command, passing the infected DATA.MDB file as a parameter. As a result the virus takes control and infects other MS Access databases.
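As an added defensive illustration that is not part of the original analysis, the following Python sketch turns the dropper chain described in the last three sections into a detection rule over constructed process and file events: an Office host (WINWORD.EXE or MSACCESS.EXE) whose descendants run DEBUG.EXE or EXTRACT.EXE, MSACCESS.EXE launched with DATA.MDB, DATA.DOT written to a Word STARTUP directory, and a *.YZV flag file in the root of C:. The log format, the COMMAND.COM process name and the batch file name DROP.BAT are assumptions; the DATA.* and AX.YZV names come from the analysis.

```python
import ntpath, re
OFFICE_HOSTS = {"winword.exe", "msaccess.exe"}   # the two applications the virus lives in
DROPPER_TOOLS = {"debug.exe", "extract.exe"}     # hex script -> DATA.COM (CAB) -> unpacked file
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')       # constructed key=value log format

def parse_event(line):
    """Parse one constructed key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def office_ancestor(ev, procs):
    """Follow ppid links upward; return the Office host (lower-case image name) above ev, if any."""
    seen = set()
    while ev and ev["pid"] not in seen:
        seen.add(ev["pid"])
        name = ntpath.basename(ev.get("image", "")).lower()
        if name in OFFICE_HOSTS:
            return name
        ev = procs.get(ev.get("ppid"))
    return None

def detect_cross_activity(lines):
    """Return findings for the Word <-> Access dropper chain described in the analysis."""
    procs, findings = {}, []
    for ev in (parse_event(l) for l in lines if l.strip()):
        if ev.get("type") == "proc":
            procs[ev["pid"]] = ev
            name = ntpath.basename(ev["image"]).lower()
            host = office_ancestor(procs.get(ev.get("ppid")), procs)
            if host and name in DROPPER_TOOLS:
                findings.append(f"{host} -> {name}: DEBUG/EXTRACT dropper chain")
            elif host and name == "msaccess.exe" and "data.mdb" in ev.get("cmd", "").lower():
                findings.append(f"{host} -> {name} opened DATA.MDB: Access infection stage")
        elif ev.get("type") == "file":
            path = ev["path"]
            name, folder = ntpath.basename(path).lower(), ntpath.dirname(path).lower()
            if name.endswith(".yzv") and folder == "c:\\":  # the virus's "already infected" marker
                findings.append(f"infection flag file {path}")
            elif name == "data.dot" and folder.endswith("\\startup"):
                findings.append(f"infected template dropped at {path}")
    return findings

# Constructed process and file events for one Word -> Access run; not real telemetry.
SAMPLE_EVENTS = r"""
type=proc pid=101 ppid=100 image=C:\PROGRA~1\MICROS~1\OFFICE\WINWORD.EXE cmd="WINWORD.EXE REPORT.DOC"
type=file pid=101 path=C:\AX.YZV
type=proc pid=102 ppid=101 image=C:\COMMAND.COM cmd="COMMAND.COM /C C:\DROP.BAT"
type=proc pid=103 ppid=102 image=C:\WINDOWS\COMMAND\DEBUG.EXE cmd="DEBUG"
type=proc pid=104 ppid=102 image=C:\WINDOWS\COMMAND\EXTRACT.EXE cmd="EXTRACT /Y DATA.COM"
type=proc pid=105 ppid=102 image=C:\PROGRA~1\MICROS~1\OFFICE\MSACCESS.EXE cmd="MSACCESS.EXE C:\DATA.MDB"
type=proc pid=200 ppid=100 image=C:\WINDOWS\NOTEPAD.EXE cmd="NOTEPAD README.TXT"
""".splitlines()
```

The same rule catches the Access-to-Word direction through the DATA.DOT write into a STARTUP directory, which the sample run does not exercise.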

Updated: 02/24/2006
Copyright @2006 macro.office.cross.a
Webroot Software Inc.