DäeMåên Virus
~~~~~~~~~~~~~

This virus took me a while to write (about two weeks), because I was
writing a lot of it for the first time. Some of the code is a bit
overboard, like I don't think the SYS entry has to be quite that complex
in order to work... but never mind. At least it works and it's quite
well-behaved.

This virus is my first boot/file virus, and that also works perfectly.
I worked all my own routines from scratch (my virus collection is
extremely small, and I don't want to be influenced by other
implementations unless they're better).

It infects both floppy boot sectors, moving the original boot sector to
the 5th last sector of the disk and writing the virus code on the last
four. It also infects the Master Boot Record (partition table) on the
first physical hard disk. Booting off an infected floppy will infect
the MBR, as will the execution of an infected file. However, trying to
read the partition table results in the redirection of the call,
resulting in the original partition table (prior to infection) being
read/written.

Floppies are infected on read/write access, and won't be infected if the
drive is still spinning (i.e. no disk change). It will take the boot
sector and use the BPB to calculate the last sectors of the disk, no
matter what format, be it 160k, 1.44meg, or even a 20meg floptical disk.
It makes sure it's a valid BPB by checking the OEM name to see if it's
valid alphanumeric characters, but I was a bit selfish in that I overwrite
the last word of OEM to mark infection.

Files ending with the extensions .COM, .EXE, .BIN, .OVL and .SYS will be
infected on every possible file handle access I could find, i.e. they
will be infected on Open (3D), Close (3E), Attrib Change (43), Execution
(4B), Handle Rename/Move (56), and Extended Open (6C). It manages to
infect on file close by recording the filename by intercepting the Create
(3C) call, and the handle if it was created successfully.

If resident off an infected file, it will not hook int 13h directly,
instead searching segment 70h for DOS's call to the original interrupt
handler, then putting our address in there instead and using the old
address for our calls. It would have been possible to search the ROM
BIOS for the correct handler, but that would circumvent future
generations of boot/file viruses.

DäeMåên employs a small decryption algorithm, however it is not variable
mutation, since a few registers have to be saved in order for the SYS
infection to work. The code is thoroughly encrypted, and McAfee and
friends will have to write a new disinfection engine for this baby.
However, disk infections are not encrypted, although it would have been
easily done.

The routine to load the virus off the disk has been altered to avoid
detection as Generic Boot Sector/Generic Partition virus. The changes
are trivial, and it makes it look as if I don't know what I'm doing.
The fact that I'm avoiding detection isn't readily apparent. Here is
a code comparison, take a look for yourself.

        Generic                         DäeMåên

        mov si, 413h                    mov si, 412h
        sub word ptr [si], 3            add word ptr [si+1], -3   ; take 3k
        int 12h                         lodsb
                                        lodsw
        mov cl, 6                       mov cl, 6
        shl ax, cl                      shl ax, cl
        mov es, ax                      mov es, ax
        xor bx, bx                      xor bx, bx

The one on the left will be detected by SCAN, the one on the right will
not. The differences are trivial. SCAN is such a stupid program, it's
just ridiculous that millions of PC users rely on it utterly for total
virus protection. That's great...

DäeMåên is partially selective in which files it infects. Firstly, it
will scan the filename for the characters SC, VS, CL and F-, which
excludes a lot of scanners (e.g. SCAN, TBSCAN etc), VSHIELD, CLEAN and
F-PROT.

Nor will it infect programs which have internal overlays. This is a
great advantage since people running WinDoze won't have their favourite
XYZ program fuck up because a virus infected it. DäeMåên simply will
not infect programs with internal overlays. Here is the code to detect
them:

chkovl: call    file_end
        push    ax                      ; check for internal overlays
        push    dx
        mov     ax, word ptr [page_cnt]
        mov     cx, 512
        mul     cx
        pop     cx
        pop     bp
        cmp     ax, bp
        jb      done
        cmp     dx, cx
        jb      done
        [...]
done:   ret

Pretty simple routine, huh?

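The same header arithmetic, turned around for the defender. This is an added
example, not the author's code: a Python check that computes the size an MZ
header declares (e_cp pages of 512 bytes, e_cblp bytes used on the last page)
and reports any bytes on disk beyond it, so a file grown by exactly the
2048-byte increment quoted in this text stands out from a legitimate internal
overlay. The sample images and the 2048-byte figure are constructed inline.

```python
import struct

PAGE = 512  # the MZ header measures the load image in 512-byte pages


def mz_declared_size(data: bytes) -> int:
    """Image size the MZ header claims: e_cp pages, e_cblp bytes on the last.

    chkovl above does the same multiplication (page_cnt * 512) to skip files
    that carry an internal overlay; here it is used to spot appended code."""
    if len(data) < 6 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)   # header offsets 2 and 4
    if e_cblp == 0:                                      # 0 means a full last page
        return e_cp * PAGE
    return (e_cp - 1) * PAGE + e_cblp


def trailing_bytes(data: bytes) -> int:
    """Bytes on disk past the declared image: 0 clean, >0 tail, <0 truncated."""
    return len(data) - mz_declared_size(data)


def classify(data: bytes, known_increment: int = 2048) -> str:
    """Triage one EXE image by the size of its tail. A tail equal to a known
    infector's growth (2048 here, the figure the text gives) merits a closer
    look; any other tail is most likely a legitimate internal overlay."""
    extra = trailing_bytes(data)
    if extra < 0:
        return "truncated"
    if extra == 0:
        return "clean"
    if extra == known_increment:
        return "suspect: %d-byte tail" % extra
    return "overlay: %d bytes" % extra


# Constructed sample: header says 3 pages with 100 bytes used on the last one,
# so the declared image is (3 - 1) * 512 + 100 = 1124 bytes.
CLEAN_EXE = struct.pack("<2sHH", b"MZ", 100, 3) + bytes(1124 - 6)
OVERLAY_EXE = CLEAN_EXE + b"\x00" * 300       # constructed legitimate overlay
APPENDED_EXE = CLEAN_EXE + b"\x90" * 2048     # constructed 2048-byte tail

if __name__ == "__main__":
    for label, img in ("clean", CLEAN_EXE), ("overlay", OVERLAY_EXE), ("tail", APPENDED_EXE):
        print(label, mz_declared_size(img), trailing_bytes(img), classify(img))
```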

The beauty of this beast is that one small mistake, like trying to boot
an infected disk by accident, or perhaps running an infected file, is
that next time you boot up your system, EVERY file in your CONFIG.SYS,
AUTOEXEC.BAT and everything henceforth will become infected! It is very
easy to expose a large number of files to the virus in a very short
space of time. Again, SCAN will probably help the spread of this virus
immensely, by stupid users scanning their HD habitually, with the virus
in memory... of course, EVERY file will then be infected.

As if that weren't enough for one virus, DäeMåên will also hide the
increase of file size on the DOS directory. However, like most other
viruses which employ this stealth method, CHKDSK will not report any
allocation errors on these files. File size increase will be only 2048
bytes, or 4096 bytes for SYS files. It will account for the different
increase of the SYS.

To hide the increase, DäeMåên employs a little-exploited method, which
is by adding 100 years to the date of the file. This way, other
over-exploited methods (like setting the seconds field to a certain
value) will not interfere with DäeMåên's stealth operation, and
vice-versa.

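Detection-side companion to the two stealth paragraphs above, added here and
not part of the original text: a Python decoder for the packed DOS date and
time words in a 32-byte FAT directory entry that flags the +100-year date
marker described, and also the older "seconds set to a certain value" markers
the text mentions (the 2-second field can encode 60 or 62). The directory
entries and the 1993 scan date are constructed for the example.

```python
import struct
from datetime import date

TIME_OFF, DATE_OFF = 22, 24   # last-write time and date words in a FAT entry


def decode_dos_date(raw: int) -> tuple:
    """Packed DOS date: bits 15-9 years since 1980, 8-5 month, 4-0 day."""
    return 1980 + (raw >> 9), (raw >> 5) & 0x0F, raw & 0x1F


def decode_dos_time(raw: int) -> tuple:
    """Packed DOS time: bits 15-11 hour, 10-5 minute, 4-0 seconds / 2."""
    return raw >> 11, (raw >> 5) & 0x3F, (raw & 0x1F) * 2


def timestamp_anomalies(entry: bytes, today: date) -> list:
    """Tags for an entry whose last-write stamp cannot be genuine: 'future-year'
    is the +100-years marker from the text, 'bad-time' the seconds-field kind."""
    wtime, wdate = struct.unpack_from("<HH", entry, TIME_OFF)
    year, month, day = decode_dos_date(wdate)
    hour, minute, second = decode_dos_time(wtime)
    tags = []
    if year > today.year + 1:              # decades ahead of the system clock
        tags.append("future-year")
    if not (1 <= month <= 12 and 1 <= day <= 31):
        tags.append("bad-date")
    if hour > 23 or minute > 59 or second > 59:
        tags.append("bad-time")
    return tags


def make_entry(name: bytes, y: int, m: int, d: int, h: int, mi: int, s: int) -> bytes:
    """Constructed 32-byte entry; only the fields the check reads are filled."""
    wdate = ((y - 1980) << 9) | (m << 5) | d
    wtime = (h << 11) | (mi << 5) | (s // 2)
    return name.ljust(11, b" ") + bytes(11) + struct.pack("<HH", wtime, wdate) + bytes(6)


# Constructed samples as they might sit in a directory scanned in mid-1993.
SCAN_DATE = date(1993, 6, 1)
NORMAL = make_entry(b"COMMAND COM", 1993, 3, 10, 6, 0, 0)
MARKED = make_entry(b"EDIT    COM", 2093, 3, 10, 6, 0, 0)      # 1993 + 100 years
SECONDS62 = make_entry(b"XCOPY   EXE", 1993, 3, 10, 6, 0, 62)  # seconds field 62

if __name__ == "__main__":
    for e in (NORMAL, MARKED, SECONDS62):
        print(e[:11], timestamp_anomalies(e, SCAN_DATE))
```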
DäeMåên also includes a number of text strings:

        "[DäeMåên] by TäLöN-{NûKΣ}"                      25 bytes
        "Hugs to Sara Gordon"                            19 bytes
        "Hey John! If this is bad, wait for [VCL20]!"    43 bytes
        "For Dudley"                                     11 bytes
        "[VCL20ß]/TäLöN"                                 15 bytes
                                                  total 113 bytes

(That stuff about VCL20ß is ßogus, just to make McAsshole shit his
pants. But AV researchers be warned: a fair few of the routines
contained in DäeMåên will also appear in VCL 2.0, like the boot/file
infect capability!)

        Virus Length   = 2048
        Message Length =  113
        ...Code Length = 1935 bytes!!!

Totally unheard of!

I seriously doubt anybody can beat that, at least not for a while yet.

For a quick rehash of what this virus does...

COM/EXE/BIN/OVL/SYS/MBR/BS Parasitic Self-Encrypting Stealth virus, a
mere 2048 bytes long... but I can say Patricia Hoffman will totally fuck
up her description of this virus, she is so pathetically brain-dead.

Anyway, look out for a FULL STEALTH, WILDLY POLYMORPHIC COM/EXE/MBR
INFECTOR coming soon to a computer installation near you! From TäLöN of
course! And another one minus the polymorphism, under 800 bytes!

Have fun! And good night, John!

TäLöN/NuKE