What is "Class Object Infection" ?
by VicodinES /CB /TNN

*What is it? Is it any better than a regular macro virus?

	Currently all Word 97 macro viruses contain Modules and these 
Modules then contain the macro subroutines and functions. A "Class 
Object" macro virus does not have a Module and therefore can not be 
seen in the Word 97 Macro Organizer. This gives us our first advantage 
- you no longer have to bother hooking File|Templates because even if 
the user pulls up the File|Templates menu they will not see any macros!
"Class" macros can not be seen in the "Macro Organizer"
	Now you see one advantage, well there are others. A "Class Macro" 
can not just be deleted from the Visual Basic Editor. So even if the 
user discovers your "Class Virus" he/she must actually highlight the 
code, select it and then delete it. It's not as easy as just deleting a 
module. Plus if they do not look close enough they may just think Word 
is mistaken and that they do not have a virus since there are no 
Modules in the document. Also many AV's use the Module name to help 
them find and identify a macro virus but a "Class Virus" does not have 
a Module name and they must rely on a scan string.

->*What are the rules of a "Class Virus" ?

	A "Class Virus" has a few different constraints than a regular 
Word 97 macro virus. First you can not have the same subroutine or 
function in both an infected document and infected normal template. For 
example this is a list of the subroutines in Class.Poppy :

	>Infected Document<		>Infected Normal Template<
	AutoOpen	       -	AutoClose
	ViewVBCode	       -	ToolsMacro

	The code is essentially the same (except for a few minor changes) 
in both the infected document and the infected normal template but the 
subroutine names have to be different. Also you can not have public variables 
they all must be private. I decided to just stay away from private 
declarations just to make it easier for my first "Class Virus" 

->*How does it work? How can I write one?

	The first thing to figure out is where do you write your code. 
The virus code is written in the "Microsoft Word Objects" section in 
the Visual Basic Editor. This is where you write your subroutines.
	
	To reference your code you must always point to item(1) in the 
visual basic components. Just like this example of Item(1) for the 
active document:

	ActiveDocument.VBProject.VBComponents.Item(1)

	Item(1) is always the "ThisDocument" part of your Word 
document(^1). This is the section you want to infect.

	You will also need to figure out if you are already installed. 
You can not use the old method of checking for your module name in all 
the visual basic components because there is no module or module name. 
The way to check it is to see if any code exists in Item(1). 99.9% of 
the time this section of documents and templates will be empty so all 
you have to do is check for any code. Just count the number of lines 
and if there are zero lines of code then it's safe to infect. For example
this check of a normal template:

NormalTemplate.VBProject.VBComponents.Item(1).codemodule.CountOfLines

	So if the value returned is not zero then your already installed 
but if the value is zero then you need to infect the normal template.

	To get your code out of the active document and into the normal 
template (to infect the normal template) is a bit tricky. You can not 
simply copy the code there. OrganizerCopy and WordBasic.MacroCopy do 
not work and you can't just Export and then Import code into Item(1).
First thing to do is get your code out of the active document. 
You can do this with the basic export function. Such as this example 
from Class.Poppy:

ActiveDocument.VBProject.VBComponents.Item(1).Export "c:\class.sys"

	I exported it to class.sys just because sys files are hidden 
files by default. You could use any name you want to but I decided to 
uses sys because it looks like it should be there if the user stumbles 
on to it.
	Now that we have exported our code we need to bring it into the 
normal template to complete the infection. The way to do this is to add 
it from the file class.sys (the import command will not work). This 
exmaple from Class.Poppy shows how it's done:

	Set host = NormalTemplate.VBProject.VBComponents.Item(1)
	host.codemodule.AddFromFile ("c:\class.sys")

	I set "host" as the object to import into since it's easier to 
continue to reference "host".
	Ok so we imported our code (class.sys) into the normal template 
but there is a big BIG problem. The first four lines are invalid. We 
imported these lines of code also (they are automatically generated
during the export):

	VERSION 1.0 CLASS
	BEGIN
	  MultiUse = -1  'True
	End

	That is going to cause an error in our code and we need to remove 
it! That can easily be done with the deletelines command. For example 
(notice I still reference "host" from above):

	With host.codemodule
	    For x = 1 To 4
	    .deletelines 1
	    Next x
	End With

	I delete line 1 four times. This way I remove all the extra code 
that I don't need and don't want.

	So are we done? Nope! We now have two identical codemodules in 
Item(1). Both have the subroutine AutoOpen and as I stated before that 
will not work - Word will give us an error and we will fail to spread. 
So what we need to do is replace "Sub AutoOpen()" with something else. 
What we can do is replace it (in the normal template only) with a new 
subroutine name. One that will work good with infection. I decided to 
go with AutoClose so all documents that are closed will become infected. 
Here is the example:

	host.codemodule.replaceline 1, "Sub AutoClose()"

	I knew "Sub AutoOpen()" would be line 1 since I previously just 
removed the first four lines.

->*We done?

	And that should do it. We managed to check to see if we were 
installed. Then since we weren't we exported our code and added it 
in for the infection. We cleaned up our extra lines and did the 
subroutines name change. That's all it takes :-) ... well a few other 
things can be done, such as polymorphism, a payload and some stealth. 
Check out the code for Class.Poppy if you want to see how that is done.

->*Any extra suggestions?

	Oh ok - the most fun thing you can do is swamp your Item(1) name 
just before you export your code. This way the virus will adapt its 
Item(1) name to any Non-English version of Word. It can be done like 
this:

	ActiveDocument.VBProject.VBComponents.Item(1).Name = _
	NormalTemplate.VBProject.VBComponents.Item(1).Name

	Do This right before your export and if the normal template 
Item(1) has a different name then the document Item(1) then it will 
adopt this new name and if the names are the same then nothing will 
change!

Peace,
VicodinES

--------------------------------------

Facts:

Class.Poppy was the first virus to do any of this.
Slage Hammer helped me test on Non-English versions.
The export to sys file was first done by Reptile/29A.

Footnote:

^1 - it may be called other things in Non-English versions of Word

