
    INPHOZE

    I was going to make it stealth using the ToolsMacro menu
    option but I never got around to it (the weekend finished).

    All these macros can be stuck into 1 or 2 macros; they don't
    need to be separated.

    These macro viruses are very easy to detect.  XOR with 0E3h
    I think it was (or 0C3h).  The AV know this so it doesn't
    matter that I'm telling you.

    If you want to make a virus dropper then do this:
        * Dump it to a file like I did in DropSuriv
        * Open "C:\AUTOEXEC.BAT" for Appending.
        * Write "C:\DOS\VIRNAME.COM"
        * Close it.
    And don't delete the .COM.

    There was a bug in the original dropper - don't blame me, I
    wasn't about to test ph33r on my very expensive PC when I had
    assignments due.

    I was also going to make it polymorphic with weird macro names
    etc.  But then I saw the stupid Microsoft stored the virus
    text into the .doc so that a macro label like:

  NoDropper:

    could be searched for.  Meaning that I would need to also alter
    the macro source code.  If that was even possible it would be
    rather lame - only being able to alter text case (AND 0DFh,OR 20h)
    and insert whitespace.

    The following function shows how easy it is to detect a label
    which has had the case altered.

    ScanText = (CipherText xor 0E3h) and 0DFh

    Pretty lame encryption from Microsoft if I do say so myself.
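
The ScanText formula above as a runnable scanner check, added here as an illustration and not part of the original note. The key and mask are the values the note quotes; `encode`, `find_label` and the sample macro text are constructed for the demo, and dropping whitespace goes one step beyond the formula to cover the inserted-whitespace case the note mentions.

```python
# Added illustration; the key and mask values are the ones quoted in the note.
XOR_KEY = 0xE3      # the note's alternative guess is 0xC3
CASE_MASK = 0xDF    # clears bit 5: 'a'..'z' fold onto 'A'..'Z'
# Space, tab, LF and CR as they look after masking (0x20 & 0xDF == 0x00).
FOLDED_WS = frozenset({0x00, 0x09, 0x0A, 0x0D})


def scan_text(stored: bytes, key: int = XOR_KEY) -> bytes:
    """ScanText = (CipherText xor key) and 0DFh, with whitespace dropped."""
    out = bytearray()
    for b in stored:
        folded = (b ^ key) & CASE_MASK
        if folded not in FOLDED_WS:
            out.append(folded)
    return bytes(out)


def encode(plain: bytes, key: int = XOR_KEY) -> bytes:
    """Hypothetical helper: build constructed 'stored' bytes for the demo."""
    return bytes(b ^ key for b in plain)


def find_label(stored: bytes, label: bytes) -> int:
    """Offset of the label in the folded stream, or -1 if absent."""
    return scan_text(stored).find(scan_text(encode(label)))


# Constructed samples: the same label with case and whitespace altered.
VARIANTS = [b"NoDropper:", b"NODROPPER:", b"nodropper :", b"nO dRoPpEr\t:"]
SAMPLES = [encode(b"Sub MAIN\r\n" + v + b"\r\nEnd Sub") for v in VARIANTS]
CLEAN = encode(b'Sub MAIN\r\nMsgBox "hello"\r\nEnd Sub')

if __name__ == "__main__":
    for stored in SAMPLES:
        print(find_label(stored, b"NoDropper:"))
    print(find_label(CLEAN, b"NoDropper:"))
    # 0xE3 ^ 0xC3 == 0x20, the bit the mask clears, so either key works.
    print(scan_text(SAMPLES[0], 0xE3) == scan_text(SAMPLES[0], 0xC3))
```

The mask is lossy for non-letters (':' becomes 0x1A, for example), so a production signature would confirm a hit against the unmasked text before reporting it.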

    So if your aim in making a document macro virus is for AV
    undetectability then there's no point.

    And we thought Micro$oft was the virus maker's friend

    I wouldn't be surprised if the AV have an ExecuteOnlyMacro
    to EditableMacro converter made soon.

    an405337@anon.penet.fi

