65 lines
3.5 KiB
Plaintext
65 lines
3.5 KiB
Plaintext
|
||
The Smallest Virus I Could Manage
|
||
|
||
In Nuke InfoJournal #5 I foolishly boasted about a 387-byte TSR COM/EXE
|
||
parasitic infector I'd written.. well the days of semi-lameness are gone
|
||
(that was almost 2 years ago now) and I've come up with the goods.
|
||
|
||
This is the smallest virus I could figure out at this point in time.
|
||
In all respects it's a fully viable spreader in the wild, although it
|
||
does have serious 'security' problems - it doesn't trap i24 (critical
|
||
error handler), clean registers before returning control to the host, or
|
||
even use i21 functions by chaining on to the old vector (it calls i21
|
||
with an INT instruction). I have no pretences in that I fully don't
|
||
expect to see this in the wild, since it was only written for
|
||
investigative pleasure anyway, to see how small a virus could be
|
||
written.
|
||
|
||
There was another version of this virus which I gave out to a few people
|
||
on #virus, which had a slight bug (rather, hasty oversight) in it, where
|
||
I changed a bit of code and didn't change a corresponding line a few
|
||
lines later.. which results in the i21 vector being partially
|
||
overwritten and thus the machine will crash (bad side effect!), which
|
||
was 291 bytes. The difference between this virus and the 'old' one is
|
||
that this one doesn't change the target EXE file's stack, simply leaving
|
||
it and negating the need to carry the extra 4 bytes around with the
|
||
virus, as well as cutting code size. Also, the 'old' one didn't trigger
|
||
any heuristic flags whereas this one does. (see below)
|
||
|
||
This virus is a memory-resident parasitic infector of COM and EXE files
|
||
on execution, 263 bytes. It doesn't reinfect memory OR files.
|
||
|
||
The older revision (sm2.asm, and the bug-fix, sm2b.asm) avoided all
|
||
heuristic flags (except maybe suspicious stack); it inserted the delta
|
||
offset straight into the first instruction of the virus, instead of
|
||
doing the usual 'call $+3/pop si/sub si,3'. However this just took up
|
||
too much code and besides, it's going to get caught anyway, so why
|
||
bother. So in this version it was removed, but the lines are only
|
||
commented out. If, for some reason, you want to re-enable the old
|
||
system, uncomment the appropriate lines and delete the lines with only a
|
||
semicolon after them (ie not the ones with actual comments!). Enabling
|
||
this will bring the virus size up to all of 268 bytes.
|
||
|
||
In its current form I think it's as optimized as I can make it. Apart
|
||
from the odd 1-byte improvement, any difference would require a change
|
||
in viral architecture. Some hardcore processorhead would have to do it,
|
||
perhaps they'd get a virus of 260 bytes.. but below that, I'm sure it'd
|
||
have to be deficient or unreliable in some respect (as far as I can
|
||
rationally extrapolate, judging how limited this virus is in avoiding
|
||
detection). I'm certainly not saying that a smaller virus cannot be
|
||
written, however, because it's probably possible. If I could see how,
|
||
though, I'd do it! :) Making this smaller would require the removal of
|
||
'safety' checks (eg bailing if the file can't be opened, bailing if the
|
||
file is less than 24 bytes, etc). However I consider these checks to be
|
||
part of a viable virus, so I left them in.
|
||
|
||
There isn't a great deal of commenting on this virus. A few of the
|
||
techniques just aren't applicable to viruses of the normal kind, so
|
||
there's no real point. To gain anything much out of examining this
|
||
source you more or less have to have a good idea of what's going on
|
||
anyway.
|
||
|
||
Greets on this one go out to Dark Angel (you know why) :> ..
|
||
|
||
- T<>L<EFBFBD>N 01/95
|